[buddypress-trac] [BuddyPress Trac] #8073: process_members_type_updte not checking for 'edit_users' capability

buddypress-trac noreply at wordpress.org
Fri Mar 22 14:05:25 UTC 2019


#8073: process_members_type_updte not checking for 'edit_users' capability
--------------------------+-----------------------------
 Reporter:  Venutius      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Members       |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 Whilst checking the permission checks in
 `buddypress/bp-members/classes/class-bp-members-admin.php` I came across
 line 1228 which seems to omit the capability check for 'edit_users':

 `if ( ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {`

 I think this should be changed to:

 `if ( ! current_user_can( 'edit_users' ) && ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {`

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8073>
BuddyPress Trac <http://buddypress.org/>
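
The two guard conditions quoted in the ticket, compared side by side. This is an added example, not BuddyPress code and not part of the original report; it shows for which actor/target combinations the current and proposed conditions disagree. Assumptions: `bp_moderate` and `edit_users` are modelled as independent booleans, the user IDs are constructed, and the function names are hypothetical.

```php
<?php
// Added illustration: stand-alone model of the two guards quoted in the ticket.
// Capabilities are plain booleans (constructed input); nothing from WordPress
// or BuddyPress is loaded, and all function names here are hypothetical.

// Guard as quoted from line 1228. Returns true when the update is refused.
// $edit_users is accepted but never consulted, mirroring the quoted condition.
function refused_current(bool $bp_moderate, bool $edit_users, int $user_id, int $loggedin_id): bool {
    return ! $bp_moderate && $user_id != $loggedin_id;
}

// Guard as proposed in the ticket. Returns true when the update is refused.
function refused_proposed(bool $bp_moderate, bool $edit_users, int $user_id, int $loggedin_id): bool {
    return ! $edit_users && ! $bp_moderate && $user_id != $loggedin_id;
}

// Walk every capability/target combination, print both decisions, and
// return the combinations on which the two guards disagree.
function guard_differences(): array {
    $loggedin_id = 10; // constructed ID of the acting user
    $targets     = array( 'own profile' => 10, 'other user' => 20 ); // constructed IDs
    $differences = array();

    foreach ( array( false, true ) as $bp_moderate ) {
        foreach ( array( false, true ) as $edit_users ) {
            foreach ( $targets as $label => $user_id ) {
                $cur = refused_current( $bp_moderate, $edit_users, $user_id, $loggedin_id );
                $new = refused_proposed( $bp_moderate, $edit_users, $user_id, $loggedin_id );
                printf(
                    "bp_moderate=%-5s edit_users=%-5s target=%-11s current=%-6s proposed=%s\n",
                    var_export( $bp_moderate, true ),
                    var_export( $edit_users, true ),
                    $label,
                    $cur ? 'refuse' : 'allow',
                    $new ? 'refuse' : 'allow'
                );
                if ( $cur !== $new ) {
                    $differences[] = compact( 'bp_moderate', 'edit_users', 'label' );
                }
            }
        }
    }
    return $differences;
}

echo count( guard_differences() ) . " combination(s) where the guards disagree\n";
```

Under these assumptions the guards disagree only when the acting user holds `edit_users` without `bp_moderate` and targets another user: the quoted condition refuses that update and the proposed one allows it.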