[buddypress-trac] [BuddyPress Trac] #7048: Move permission checks in `bp_activity_screen_single_activity_permalink` into new function

buddypress-trac noreply at wordpress.org
Wed Jan 10 17:37:19 UTC 2018

#7048: Move permission checks in `bp_activity_screen_single_activity_permalink`
into new function
 Reporter:  DJPaul                    |       Owner:
     Type:  enhancement               |      Status:  assigned
 Priority:  high                      |   Milestone:  3.0
Component:  Activity                  |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |

Comment (by DJPaul):

 In `bp_activity_screen_single_activity_permalink()`, the following needs
 to be added to prevent a regression:

         // If activity author does not match displayed user, block access.
         if ( true === $has_access && bp_displayed_user_id() !==
 $activity->user_id ) {
                 $has_access = false;

 This prevents accessing someone else's (public) activity item at the wrong

 e.g. http://bpcore.local/members/admin/activity/25/
 activity 25 belongs to "admin"

 - with the patch, this works (incorrectly - duplicating content at
 multiple URLs)
 - without the patch, it redirects you to your profile and says you do not
 have access (correct).

 Locally I tested putting this back in just after the `$has_access =
 apply_filters` line, and it fixed it.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7048#comment:28>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list