bbPress.org

Changeset 5808


Timestamp:
07/07/2015 03:47:36 PM (9 years ago)
Author:
johnjamesjacoby
Message:

Admin: Remove _nopriv_ ajax actions.

This commit ensures that admin-area AJAX suggestion results are never presented to logged-out users.

(Note: these requests already have nonce & capability checks on them, so this bit of hardening is only useful to installations that have modified roles & capabilities outside of what is considered to be normal operating parameters, allowing logged-out users to also be forum moderators.)

Hat-tip glynwintle. See #2827. For 2.5.8 (2.5 branch)

File:
1 edited

  • branches/2.5/includes/admin/admin.php

    r5692 r5808  
    150150        /** Ajax **************************************************************/
    151151
    152         add_action( 'wp_ajax_bbp_suggest_topic',        array( $this, 'suggest_topic' ) );
    153         add_action( 'wp_ajax_nopriv_bbp_suggest_topic', array( $this, 'suggest_topic' ) );
    154 
    155         add_action( 'wp_ajax_bbp_suggest_user',         array( $this, 'suggest_user'  ) );
    156         add_action( 'wp_ajax_nopriv_bbp_suggest_user',  array( $this, 'suggest_user'  ) );
     152        // No _nopriv_ equivalent - users must be logged in
     153        add_action( 'wp_ajax_bbp_suggest_topic', array( $this, 'suggest_topic' ) );
     154        add_action( 'wp_ajax_bbp_suggest_user',  array( $this, 'suggest_user'  ) );
    157155
    158156        /** Filters ***********************************************************/
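
Review bot: the comment added at new line 152 ("users must be logged in") describes only what the hook name enforces. The wp_ajax_ registrations kept on new lines 153-154 still fire for any authenticated user, whatever their role. The nonce and capability checks that the commit message relies on sit inside suggest_topic() and suggest_user(), which this hunk does not show. Suggest extending the comment to point at them, for example "No _nopriv_ equivalent - users must be logged in; nonce & capability are checked in the handlers", so a later reader does not take the hook name for the whole access control. It is also worth confirming in this review that both handlers perform those checks before producing any output.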