bbPress.org


Timestamp:
08/15/2025 05:18:54 PM
Author:
johnjamesjacoby
Message:

Forums/Topics/Replies: Add capability checks for parent object IDs when users are creating & editing content theme-side.

This change introduces a series of matching capability checks to the new/edit handler functions, which ensure the currently logged-in user can read the proposed parent location for their content.

This change includes checks for anonymous users (when enabled), mapping "read" checks for public forums/topics/replies to 'exist' so they can continue to post the same as before.

It also removes a few private/hidden error messages and replaces them with more generic phrasing, to minimize leakage about content that is not publicly accessible.

The intent with these changes is to account for and trap any mismatches between where content handler functions are listening vs. what the user has access to create new content inside of – if they cannot read it, they cannot create new content in it, and will now see errors letting them know.

In trunk, for 2.7.

Fixes #3650.

File:
1 edited

  • trunk/src/includes/replies/capabilities.php

    r6975 r7350  
    5252
    5353            // User cannot spectate
    54             if ( ! user_can( $user_id, 'spectate' ) ) {
     54            if ( ! user_can( $user_id, 'spectate' ) && ! bbp_is_anonymous() ) {
    5555                $caps = array( 'do_not_allow' );
    5656
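Review bot: the guard now lets an anonymous request fall through to the per-status checks below instead of returning `do_not_allow`, which is only correct if `bbp_is_anonymous()` is false whenever anonymous posting is disabled; a comment on the `if` stating that assumption would help, and the existing `// User cannot spectate` comment no longer describes the full condition (suggest `// User cannot spectate, and is not an allowed anonymous user`).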
     
    7272                    // Post is public
    7373                    if ( bbp_get_public_status_id() === $_post->post_status ) {
    74                         $caps = array( 'spectate' );
     74
     75                        // Anonymous users do not have caps, but can 'exist'
     76                        if ( bbp_is_anonymous() ) {
     77                            $caps = array( 'exist' );
     78
     79                        // Registered users need the 'spectate' cap
     80                        } else {
     81                            $caps = array( 'spectate' );
     82                        }
    7583
    7684                    // User is author so allow read
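Review bot: the public-status branch now maps anonymous users to the `exist` cap, so whether an anonymous `$user_id` can read a public forum/topic/reply depends entirely on the caller honouring `exist` for that user; this deserves a test that exercises the mapping for both the anonymous and the registered case, since a regression here would silently block the anonymous posting the commit message says should keep working. The `// User is author so allow read` branch that follows is untouched, so an anonymous user who reaches it for a non-public post should still end up with `do_not_allow` rather than `spectate`; worth confirming that path explicitly.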