[buddypress-trac] [BuddyPress Trac] #8167: Nouveau: Inviter cannot remove group invitation

buddypress-trac noreply at wordpress.org
Tue Nov 26 15:49:05 UTC 2019


#8167: Nouveau: Inviter cannot remove group invitation
--------------------------+------------------------------
 Reporter:  dcavins       |       Owner:  dcavins
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Groups        |     Version:  5.0.0
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------------------
Changes (by dcavins):

 * owner:  (none) => dcavins
 * status:  new => assigned


Comment:

 Hi @imath-

 This issue is limited to Nouveau--Legacy works as expected.

 The issue was exposed in 5.0, but only through a series of quirks. In BP
 4.4, the user who sent the invite couldn't access the delete button, but
 should have been able to. In a commit from two years ago, djpaul added
 strict checking to an `in_array()` check in
 `bp_nouveau_prepare_group_potential_invites_for_js()`:
 https://github.com/buddypress/BuddyPress/commit/e97284f6f8a772e1bb7f899c1fa10ed0db88ca96
 #diff-1a38eaecaee735b5f109d2057ef15e93

 The function:
 https://github.com/buddypress/BuddyPress/blob/e97284f6f8a772e1bb7f899c1fa10ed0db88ca96/src
 /bp-templates/bp-nouveau/includes/groups/functions.php#L180
 What he didn't know was that the `inviter_ids` param as returned by
 Nouveau was a string value, but the logged-in user id is an integer, so
 the check failed, meaning that the inviter couldn't attempt to delete an
 invitation that he or she sent (though it would have worked at that time
 because the delete action handler was too permissive).

 Boone added the "is_admin" permission check here, which doesn't mirror the
 logic in the `can_edit` check in
 `bp_nouveau_prepare_group_potential_invites_for_js()`:
 https://github.com/buddypress/BuddyPress/commit/82eb8c3d316fc13c4f5ffcc828726374d24b6ce8

 And I changed the logic that returns the `inviter_ids` to use the new API
 logic (they are now integers),
 https://github.com/buddypress/BuddyPress/commit/d38562d6334003984d6382a3145f5d48eefe2f69,
 which, by making the strict check succeed, exposed the mismatch between
 the prepare and delete logic.

 Ha, so it was a series of small changes that added up to the current
 state.

 Anyway, I'll update my patch to add your suggestions, imath, and also
 ensure that the can_delete logic is the same in the prepare and delete
 steps for Nouveau.

 Re a unit test, I'm not sure how to write a unit test following our
 typical conventions for this, since this is an interface + AJAX issue. Any
 ideas?

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8167#comment:3>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac


More information about the buddypress-trac mailing list