Changeset 7350

Timestamp:

08/15/2025 05:18:54 PM (7 months ago)

Author:

johnjamesjacoby

Message:

Forums/Topics/Replies: Add capability checks for parent object IDs when users are creating & editing content theme-side.

This change introduces a series of matching capability checks to the new/edit handler functions, that ensure the currently logged in user can read the proposed parent location for their content.

This change includes checks for anonymous users (when enabled) mapping "read" checks for public forums/topics/replies to exist so they can continue to post the same as before.

It also removes a few private/hidden error messages and replaces them with more generic phasing, to minimize leakage about content that is not publicly accessible.

The intent with these changes is to account for and trap any mismatches between where content handler functions are listening vs. what the user has access to create new content inside of – if they cannot read it, they cannot create new content in it, and will now see errors letting them know.

In trunk, for 2.7.

Fixes #3650.

Location:

trunk/src/includes

Files:

• forums/capabilities.php (modified) (2 diffs)
• forums/functions.php (modified) (4 diffs)
• replies/capabilities.php (modified) (2 diffs)
• replies/functions.php (modified) (9 diffs)
• topics/capabilities.php (modified) (2 diffs)
• topics/functions.php (modified) (5 diffs)

trunk/src/includes/forums/capabilities.php

@@ -62 +62 @@
 
             // User cannot spectate
-            if ( ! user_can( $user_id, 'spectate' ) ) {
+            if ( ! user_can( $user_id, 'spectate' ) && ! bbp_is_anonymous() ) {
                 $caps = array( 'do_not_allow' );
 
@@ -82 +82 @@
                     // Post is public
                     if ( bbp_get_public_status_id() === $_post->post_status ) {
-                        $caps = array( 'spectate' );
+
+                        // Anonymous users do not have caps, but can 'exist'
+                        if ( bbp_is_anonymous() ) {
+                            $caps = array( 'exist' );
+
+                        // Registered users need the 'spectate' cap
+                        } else {
+                            $caps = array( 'spectate' );
+                        }
 
                     // User is author so allow read

trunk/src/includes/forums/functions.php

@@ -187 +187 @@
     /** Forum Parent **********************************************************/
 
-    // Forum parent was passed (the norm)
-    if ( ! empty( $_POST['bbp_forum_parent_id'] ) ) {
+    // Forum parent is expected for theme-side submissions
+    if ( ! empty( $_POST['bbp_forum_parent_id'] ) && is_numeric( $_POST['bbp_forum_parent_id'] ) ) {
         $forum_parent_id = bbp_get_forum_id( $_POST['bbp_forum_parent_id'] );
     }
@@ -195 +195 @@
     $forum_parent_id = apply_filters( 'bbp_new_forum_pre_parent_id', $forum_parent_id );
 
-    // No forum parent was passed (should never happen)
+    // Forum parent was not passed (required for theme-side BuddyPress support)
     if ( empty( $forum_parent_id ) ) {
         bbp_add_error( 'bbp_new_forum_missing_parent', __( '<strong>Error</strong>: Your forum must have a parent.', 'bbpress' ) );
 
-    // Forum exists
+    // Forum parent exists
     } elseif ( ! empty( $forum_parent_id ) ) {
 
-        // Forum is a category
-        if ( bbp_is_forum_category( $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_new_forum_forum_category', __( '<strong>Error</strong>: This forum is a category. No forums can be created in this forum.', 'bbpress' ) );
-        }
-
-        // Forum is closed and user cannot access
-        if ( bbp_is_forum_closed( $forum_parent_id ) && ! current_user_can( 'edit_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_new_forum_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new forums.', 'bbpress' ) );
-        }
-
-        // Forum is private and user cannot access
-        if ( bbp_is_forum_private( $forum_parent_id ) && ! current_user_can( 'read_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_new_forum_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new forums in it.', 'bbpress' ) );
-        }
-
-        // Forum is hidden and user cannot access
-        if ( bbp_is_forum_hidden( $forum_parent_id ) && ! current_user_can( 'read_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_new_forum_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new forums in it.', 'bbpress' ) );
+        // Forum parent not editable by user
+        if ( ! current_user_can( 'edit_forum', $forum_parent_id ) ) {
+
+            // Forum parent is closed
+            if ( bbp_is_forum_closed( $forum_parent_id ) ) {
+                bbp_add_error( 'bbp_new_forum_forum_closed', __( '<strong>Error</strong>: This forum is closed to new forums.', 'bbpress' ) );
+            }
+        }
+
+        // Forum parent not readable by user
+        if ( ! current_user_can( 'read_forum', $forum_parent_id ) ) {
+            bbp_add_error( 'bbp_new_forum_forum_read', __( '<strong>Error</strong>: You do not have the capability to create new forums in this forum.', 'bbpress' ) );
         }
     }
@@ -429 +423 @@
 
     // Forum parent id was passed
-    if ( ! empty( $_POST['bbp_forum_parent_id'] ) ) {
+    if ( ! empty( $_POST['bbp_forum_parent_id'] ) && is_numeric( $_POST['bbp_forum_parent_id'] ) ) {
         $forum_parent_id = bbp_get_forum_id( $_POST['bbp_forum_parent_id'] );
     }
@@ -436 +430 @@
     $current_parent_forum_id = bbp_get_forum_parent_id( $forum_id );
 
-    // Forum exists
+    // Forum parent exists
     if ( ! empty( $forum_parent_id ) && ( $forum_parent_id !== $current_parent_forum_id ) ) {
 
-        // Forum is closed and user cannot access
-        if ( bbp_is_forum_closed( $forum_parent_id ) && ! current_user_can( 'edit_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_edit_forum_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new forums.', 'bbpress' ) );
-        }
-
-        // Forum is private and user cannot access
-        if ( bbp_is_forum_private( $forum_parent_id ) && ! current_user_can( 'read_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_edit_forum_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new forums in it.', 'bbpress' ) );
-        }
-
-        // Forum is hidden and user cannot access
-        if ( bbp_is_forum_hidden( $forum_parent_id ) && ! current_user_can( 'read_forum', $forum_parent_id ) ) {
-            bbp_add_error( 'bbp_edit_forum_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new forums in it.', 'bbpress' ) );
+        // Forum parent not editable by user
+        if ( ! current_user_can( 'edit_forum', $forum_parent_id ) ) {
+
+            // Forum is closed
+            if ( bbp_is_forum_closed( $forum_parent_id ) ) {
+                bbp_add_error( 'bbp_edit_forum_forum_closed', __( '<strong>Error</strong>: This forum is closed to new forums.', 'bbpress' ) );
+            }
+        }
+
+        // Forum parent not readable by user
+        if ( ! current_user_can( 'read_forum', $forum_parent_id ) ) {
+            bbp_add_error( 'bbp_edit_forum_forum_read', __( '<strong>Error</strong>: You do not have the capability to create new forums in this forum.', 'bbpress' ) );
         }
     }

trunk/src/includes/replies/capabilities.php

@@ -52 +52 @@
 
             // User cannot spectate
-            if ( ! user_can( $user_id, 'spectate' ) ) {
+            if ( ! user_can( $user_id, 'spectate' ) && ! bbp_is_anonymous() ) {
                 $caps = array( 'do_not_allow' );
 
@@ -72 +72 @@
                     // Post is public
                     if ( bbp_get_public_status_id() === $_post->post_status ) {
-                        $caps = array( 'spectate' );
+
+                        // Anonymous users do not have caps, but can 'exist'
+                        if ( bbp_is_anonymous() ) {
+                            $caps = array( 'exist' );
+
+                        // Registered users need the 'spectate' cap
+                        } else {
+                            $caps = array( 'spectate' );
+                        }
 
                     // User is author so allow read

trunk/src/includes/replies/functions.php

@@ -180 +180 @@
         $posted_topic_id = intval( $_POST['bbp_topic_id'] );
 
+        // Topic id is 0
+        if ( 0 === $posted_topic_id ) {
+            bbp_add_error( 'bbp_reply_topic_id', __( '<strong>Error</strong>: Topic ID is missing.', 'bbpress' ) );
+
         // Topic id is a negative number
-        if ( 0 > $posted_topic_id ) {
+        } elseif ( 0 > $posted_topic_id ) {
             bbp_add_error( 'bbp_reply_topic_id', __( '<strong>Error</strong>: Topic ID cannot be a negative number.', 'bbpress' ) );
 
@@ -194 +198 @@
     }
 
+    // User cannot read parent topic ID
+    if ( ! current_user_can( 'read_topic', $topic_id ) ) {
+        bbp_add_error( 'bbp_new_reply_topic_public', __( '<strong>Error</strong>: You do not have the capability to read or create new replies in this topic.', 'bbpress' ) );
+    }
+
     /** Forum ID **************************************************************/
 
@@ -217 +226 @@
             $posted_forum_id = intval( $_POST['bbp_forum_id'] );
 
-            // Forum id is empty
+            // Forum id is 0
             if ( 0 === $posted_forum_id ) {
-                bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum ID is missing.', 'bbpress' ) );
+                bbp_add_error( 'bbp_reply_forum_id', __( '<strong>Error</strong>: Forum ID is missing.', 'bbpress' ) );
 
             // Forum id is a negative number
             } elseif ( 0 > $posted_forum_id ) {
-                bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum ID cannot be a negative number.', 'bbpress' ) );
+                bbp_add_error( 'bbp_reply_forum_id', __( '<strong>Error</strong>: Forum ID cannot be a negative number.', 'bbpress' ) );
 
             // Forum does not exist
             } elseif ( ! bbp_get_forum( $posted_forum_id ) ) {
-                bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum does not exist.', 'bbpress' ) );
+                bbp_add_error( 'bbp_reply_forum_id', __( '<strong>Error</strong>: Forum does not exist.', 'bbpress' ) );
 
             // Use the POST'ed forum id
@@ -246 +255 @@
         } else {
 
-            // Forum is closed and user cannot access
-            if ( bbp_is_forum_closed( $forum_id ) && ! current_user_can( 'edit_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_reply_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new replies.', 'bbpress' ) );
+            // Forum not editable by user
+            if ( ! current_user_can( 'edit_forum', $forum_id ) ) {
+
+                // Forum is closed
+                if ( bbp_is_forum_closed( $forum_id ) ) {
+                    bbp_add_error( 'bbp_new_reply_forum_closed', __( '<strong>Error</strong>: This forum is closed to new replies.', 'bbpress' ) );
+                }
             }
 
-            // Forum is private and user cannot access
-            if ( bbp_is_forum_private( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_reply_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new replies in it.', 'bbpress' ) );
-
-            // Forum is hidden and user cannot access
-            } elseif ( bbp_is_forum_hidden( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_reply_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new replies in it.', 'bbpress' ) );
+            // Forum not readable by user
+            if ( ! current_user_can( 'read_forum', $forum_id ) ) {
+                bbp_add_error( 'bbp_new_reply_forum_read', __( '<strong>Error</strong>: You do not have the capability to read or create new replies in this forum.', 'bbpress' ) );
             }
         }
@@ -269 +278 @@
         remove_filter( 'bbp_new_reply_pre_content', 'bbp_encode_bad',  10 );
         remove_filter( 'bbp_new_reply_pre_content', 'bbp_filter_kses', 30 );
+    }
+
+    /** Reply To **************************************************************/
+
+    // Handle Reply To of the reply; $_REQUEST for non-JS submissions
+    if ( isset( $_REQUEST['bbp_reply_to'] ) && is_numeric( $_REQUEST['bbp_reply_to'] ) ) {
+        $reply_to = bbp_validate_reply_to( $_REQUEST['bbp_reply_to'] );
+    }
+
+    // Check the Reply To ID
+    if ( ! empty( $reply_to ) ) {
+
+        // User cannot read parent reply ID
+        if ( ! current_user_can( 'read_reply', $reply_to ) ) {
+            bbp_add_error( 'bbp_new_reply_reply_to', __( '<strong>Error</strong>: You do not have the capability to read or create new replies to this reply.', 'bbpress' ) );
+        }
     }
 
@@ -333 +358 @@
     if ( bbp_is_topic_pending( $topic_id ) || ! bbp_check_for_moderation( $anonymous_data, $reply_author, $reply_title, $reply_content ) ) {
         $reply_status = bbp_get_pending_status_id();
-    }
-
-    /** Reply To **************************************************************/
-
-    // Handle Reply To of the reply; $_REQUEST for non-JS submissions
-    if ( isset( $_REQUEST['bbp_reply_to'] ) ) {
-        $reply_to = bbp_validate_reply_to( $_REQUEST['bbp_reply_to'] );
     }
 
@@ -575 +593 @@
     $topic_id = bbp_get_reply_topic_id( $reply_id );
 
+    // User cannot read parent topic ID
+    if ( ! current_user_can( 'read_topic', $topic_id ) ) {
+        bbp_add_error( 'bbp_edit_reply_topic_read', __( '<strong>Error</strong>: You do not have the capability to read or create new replies in this topic.', 'bbpress' ) );
+    }
+
     /** Topic Forum ***********************************************************/
 
@@ -589 +612 @@
         } else {
 
-            // Forum is closed and user cannot access
-            if ( bbp_is_forum_closed( $forum_id ) && ! current_user_can( 'edit_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_reply_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new replies.', 'bbpress' ) );
+            // Forum not editable by user
+            if ( ! current_user_can( 'edit_forum', $forum_id ) ) {
+
+                // Forum is closed
+                if ( bbp_is_forum_closed( $forum_id ) ) {
+                    bbp_add_error( 'bbp_edit_reply_forum_closed', __( '<strong>Error</strong>: This forum is closed to new replies.', 'bbpress' ) );
+                }
             }
 
-            // Forum is private and user cannot access
-            if ( bbp_is_forum_private( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_reply_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new replies in it.', 'bbpress' ) );
-
-            // Forum is hidden and user cannot access
-            } elseif ( bbp_is_forum_hidden( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_reply_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new replies in it.', 'bbpress' ) );
+            // Forum not readable by user
+            if ( ! current_user_can( 'read_forum', $forum_id ) ) {
+                bbp_add_error( 'bbp_edit_reply_forum_read', __( '<strong>Error</strong>: You do not have the capability to read or create new replies in this forum.', 'bbpress' ) );
             }
+        }
+    }
+
+    /** Reply To **************************************************************/
+
+    $reply_to = bbp_get_reply_to( $reply_id );
+
+    // Maybe sanitize Reply To, using $_REQUEST for non-JS submissions
+    if ( isset( $_REQUEST['bbp_reply_to'] ) && is_numeric( $_REQUEST['bbp_reply_to'] ) ) {
+        $reply_to = intval( $_REQUEST['bbp_reply_to'] );
+    }
+
+    // Validate Reply To
+    $reply_to = bbp_validate_reply_to( $reply_to, $reply_id );
+
+    // Check the Reply To ID
+    if ( ! empty( $reply_to ) ) {
+
+        // User cannot read parent reply ID
+        if ( ! current_user_can( 'read_reply', $reply_to ) ) {
+            bbp_add_error( 'bbp_edit_reply_reply_to', __( '<strong>Error</strong>: You do not have the capability to read or create new replies to this reply.', 'bbpress' ) );
         }
     }
@@ -662 +706 @@
             bbp_add_error( 'bbp_edit_reply_status', __( '<strong>Error</strong>: You do not have permission to do that.', 'bbpress' ) );
         }
-    }
-
-    /** Reply To **************************************************************/
-
-    // Handle Reply To of the reply; $_REQUEST for non-JS submissions
-    if ( isset( $_REQUEST['bbp_reply_to'] ) && current_user_can( 'moderate', $reply_id ) ) {
-        $reply_to = bbp_validate_reply_to( $_REQUEST['bbp_reply_to'], $reply_id );
-    } elseif ( bbp_thread_replies() ) {
-        $reply_to = bbp_get_reply_to( $reply_id );
     }
 

trunk/src/includes/topics/capabilities.php

@@ -72 +72 @@
 
             // User cannot spectate
-            if ( ! user_can( $user_id, 'spectate' ) ) {
+            if ( ! user_can( $user_id, 'spectate' ) && ! bbp_is_anonymous() ) {
                 $caps = array( 'do_not_allow' );
 
@@ -92 +92 @@
                     // Post is public
                     if ( bbp_get_public_status_id() === $_post->post_status ) {
-                        $caps = array( 'spectate' );
+
+                        // Anonymous users do not have caps, but can 'exist'
+                        if ( bbp_is_anonymous() ) {
+                            $caps = array( 'exist' );
+
+                        // Registered users need the 'spectate' cap
+                        } else {
+                            $caps = array( 'spectate' );
+                        }
 
                     // User is author so allow read

trunk/src/includes/topics/functions.php

@@ -197 +197 @@
             $posted_forum_id = intval( $_POST['bbp_forum_id'] );
 
-            // Forum id is empty
+            // Forum id is 0
             if ( 0 === $posted_forum_id ) {
                 bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum ID is missing.', 'bbpress' ) );
@@ -226 +226 @@
         } else {
 
-            // Forum is closed and user cannot access
-            if ( bbp_is_forum_closed( $forum_id ) && ! current_user_can( 'edit_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_topic_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new topics.', 'bbpress' ) );
+            // Forum not editable by user
+            if ( ! current_user_can( 'edit_forum', $forum_id ) ) {
+
+                // Forum is closed
+                if ( bbp_is_forum_closed( $forum_id ) ) {
+                    bbp_add_error( 'bbp_new_topic_forum_closed', __( '<strong>Error</strong>: This forum is closed to new topics.', 'bbpress' ) );
+                }
             }
 
-            // Forum is private and user cannot access
-            if ( bbp_is_forum_private( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_topic_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new topics in it.', 'bbpress' ) );
-
-            // Forum is hidden and user cannot access
-            } elseif ( bbp_is_forum_hidden( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_new_topic_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new topics in it.', 'bbpress' ) );
+            // Forum not readable by user
+            if ( ! current_user_can( 'read_forum', $forum_id ) ) {
+                bbp_add_error( 'bbp_new_topic_forum_read', __( '<strong>Error</strong>: You do not have the capability to read or create new topics in this forum.', 'bbpress' ) );
             }
         }
@@ -500 +500 @@
     // Forum id was passed
     } elseif ( is_numeric( $_POST['bbp_forum_id'] ) ) {
-        $forum_id = (int) $_POST['bbp_forum_id'];
+
+        // Get the forum id
+        $posted_forum_id = intval( $_POST['bbp_forum_id'] );
+
+        // Forum id is 0
+        if ( 0 === $posted_forum_id ) {
+            bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum ID is missing.', 'bbpress' ) );
+
+        // Forum id is a negative number
+        } elseif ( 0 > $posted_forum_id ) {
+            bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum ID cannot be a negative number.', 'bbpress' ) );
+
+        // Forum does not exist
+        } elseif ( ! bbp_get_forum( $posted_forum_id ) ) {
+            bbp_add_error( 'bbp_topic_forum_id', __( '<strong>Error</strong>: Forum does not exist.', 'bbpress' ) );
+
+        // Use the POST'ed forum id
+        } else {
+            $forum_id = $posted_forum_id;
+        }
     }
 
@@ -506 +525 @@
     $current_forum_id = bbp_get_topic_forum_id( $topic_id );
 
+    // Forum change
+    if ( $forum_id !== $current_forum_id ) {
+
+        // User cannot edit current forum
+        if ( ! current_user_can( 'edit_forum', $current_forum_id ) ) {
+            bbp_add_error( 'bbp_edit_topic_forum_move_old', __( '<strong>Error</strong>: You do not have the capability to move topics out of this forum.', 'bbpress' ) );
+
+        // User cannot read new forum
+        } elseif ( ! current_user_can( 'read_forum', $forum_id ) ) {
+            bbp_add_error( 'bbp_edit_topic_forum_move_new', __( '<strong>Error</strong>: You do not have the capability to move topics into this forum.', 'bbpress' ) );
+        }
+    }
+
     // Forum exists
-    if ( ! empty( $forum_id ) && ( $forum_id !== $current_forum_id ) ) {
+    if ( ! empty( $forum_id ) ) {
 
         // Forum is a category
@@ -516 +548 @@
         } else {
 
-            // Forum is closed and user cannot access
-            if ( bbp_is_forum_closed( $forum_id ) && ! current_user_can( 'edit_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_topic_forum_closed', __( '<strong>Error</strong>: This forum has been closed to new topics.', 'bbpress' ) );
+            // Forum not editable by user
+            if ( ! current_user_can( 'edit_forum', $forum_id ) ) {
+
+                // Forum is closed
+                if ( bbp_is_forum_closed( $forum_id ) ) {
+                    bbp_add_error( 'bbp_edit_topic_forum_closed', __( '<strong>Error</strong>: This forum is closed to new topics.', 'bbpress' ) );
+                }
             }
 
-            // Forum is private and user cannot access
-            if ( bbp_is_forum_private( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_topic_forum_private', __( '<strong>Error</strong>: This forum is private and you do not have the capability to read or create new topics in it.', 'bbpress' ) );
-
-            // Forum is hidden and user cannot access
-            } elseif ( bbp_is_forum_hidden( $forum_id ) && ! current_user_can( 'read_forum', $forum_id ) ) {
-                bbp_add_error( 'bbp_edit_topic_forum_hidden', __( '<strong>Error</strong>: This forum is hidden and you do not have the capability to read or create new topics in it.', 'bbpress' ) );
+            // Forum not readable by user
+            if ( ! current_user_can( 'read_forum', $forum_id ) ) {
+                bbp_add_error( 'bbp_edit_topic_forum_read', __( '<strong>Error</strong>: You do not have the capability to read or create new topics in this forum.', 'bbpress' ) );
             }
         }