Opened 5 years ago

Last modified 14 months ago

#2639 new defect

When editing a topic I can select a forum from a private group I'm not part of

Reported by: gcmo
Owned by: johnjamesjacoby
Milestone: 2.6.1
Priority: high
Severity: normal
Version:
Component: Extend - BuddyPress
Keywords: needs-testing
Cc:

Description

BBPress 2.5.3
BuddyPress 2.0.1
Logged in with a contributor role

When editing a topic I can correctly see an input to select a new forum to move the topic to

The issue is that in the list of forums to pick I can see forums belonging to private groups I’m not part of

If I select one of those and submit the post gets moved there correctly and I get redirected to the group->forum page where I correctly see a notice stating I can't see the message

I think I shouldn’t see those forums in the dropdown in the first place

The origin of the problem might be a misalignment between the bbPress and BuddyPress visibility systems:
  • A private forum in bbPress means visible only to logged-in users.
  • A private group in BuddyPress means visible only to group members.

PS. I originally posted on BuddyPress Trac but they pointed me here: https://buddypress.trac.wordpress.org/ticket/5726

Change History (6)

#1 @netweb
5 years ago

Confirmed

Repro

  • Create a new user with bbPress moderator role
  • Join a BuddyPress public group
  • Open the BuddyPress public group forum
  • Open and select edit for a topic in the forum

Result:

  • Forum dropdown displays all BuddyPress groups, including private groups, hidden groups, and groups the user is not a member of

Expected:

  • Forum dropdown displays only the BuddyPress group forums the user is a member of

When editing a topic in a BuddyPress group forum we call bbp_get_template_part( 'form', 'topic' );

Related: #2599, #459

#2 @johnjamesjacoby
4 years ago

  • Milestone changed from Awaiting Review to 2.7

Move from awaiting review to 2.7 milestone.

#3 @KR155E
4 years ago

Confirming this as well, but in slightly different form.

In my custom theme, I included the "New Topic" form on the forums archive. The forum dropdown allows anyone to create a topic in any group. So, neither is the forum list in the dropdown filtered by visibility, nor are there any checks for privileges in the script processing new topic posts.

2 years ago

This ticket was mentioned in Slack in #bbpress by netweb.

#5 @boonebgorges
14 months ago

Bump. This has caused a problem for a client.

In theory, this could be solved by passing bp_exclude_forum_ids( 'array' ) to the forum query in bbp_get_dropdown(). But this doesn't work, because the 'read_hidden_forums' and 'read_private_forums' mapping for BP groups is too broad. The logic here seems incorrect: https://bbpress.trac.wordpress.org/browser/tags/2.5.14/includes/extend/buddypress/groups.php?marks=212-213#L204 If a user is viewing a group of which they are an admin, they should be able to read a private/hidden forum *if* it's the one associated with the current group - NOT all private/hidden forums in general.

I think instances of capability-mapping for BP groups should be looked at more generally, as there are likely more cases like this. That said, I'm unsure whether this specifically is the proper (or only) fix for the bbp_dropdown() issue. The eventual fix will not only block users from seeing improper items in the dropdown, but will also do server-side checks to ensure that a user has the ability to link a topic to a forum. Currently, neither appears to happen.

For the time being, here's my clunky and imperfect filter that prevents users from seeing forums they shouldn't be seeing:

add_filter( 'bbp_after_get_dropdown_parse_args', function( $args ) {
	// Only touch the forum dropdown, and let site moderators see everything.
	if ( ! current_user_can( 'bp_moderate' ) && 'forum' === $args['post_type'] ) {
		$exclude = array();
		// Candidates: every private or hidden forum on the site.
		$non_public_ids = array_merge( bbp_get_private_forum_ids(), bbp_get_hidden_forum_ids() );
		foreach ( $non_public_ids as $non_public_id ) {
			$group_ids = bbp_get_forum_group_ids( $non_public_id );
			if ( ! $group_ids ) {
				continue; // Not a group forum; leave it to bbPress's own visibility rules.
			}

			// Only the first attached group is checked here (hence "imperfect").
			if ( groups_is_user_member( bp_loggedin_user_id(), $group_ids[0] ) ) {
				continue;
			}

			$exclude[] = $non_public_id;
		}

		if ( $exclude ) {
			$args['exclude'] = $exclude;
		}
	}
	return $args;
} );
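The dropdown filter above only hides options; the server-side check the comment says is still missing is shown here as an added example (not the ticket author's code and not part of bbPress). It assumes the bbPress actions bbp_new_topic_pre_extras / bbp_edit_topic_pre_extras, which fire before the topic is saved and abort the save when an error has been added, plus the BuddyPress membership and capability functions named in the comment; the function names prefixed example_ are hypothetical.

```php
<?php
// Added example: reject a topic target forum the current user may not post into.
// Hooks and helper functions are assumed to behave as in bbPress/BuddyPress 2.5.x.

// Returns true if $user_id is allowed to place a topic in $forum_id.
function example_user_can_target_forum( $forum_id, $user_id ) {
	$forum_id = (int) $forum_id;
	if ( ! bbp_is_forum( $forum_id ) ) {
		return false; // Unknown or non-forum post ID.
	}
	if ( user_can( $user_id, 'bp_moderate' ) ) {
		return true; // Site moderators may move topics anywhere.
	}

	$group_ids = bbp_get_forum_group_ids( $forum_id );
	if ( ! empty( $group_ids ) ) {
		// Group forum: membership in an attached group decides, not the
		// site-wide read_private_forums / read_hidden_forums capabilities.
		foreach ( $group_ids as $group_id ) {
			if ( groups_is_user_member( $user_id, (int) $group_id ) ) {
				return true;
			}
		}
		return false;
	}

	// Plain bbPress forum: apply bbPress's own visibility rules.
	if ( bbp_is_forum_public( $forum_id ) ) {
		return true;
	}
	if ( bbp_is_forum_private( $forum_id ) ) {
		return user_can( $user_id, 'read_private_forums' );
	}
	return user_can( $user_id, 'read_hidden_forums' );
}

// Runs before a new or edited topic is saved; reads the submitted forum ID
// the same way the bbPress handlers do and adds an error to abort the save.
function example_block_forbidden_forum_target() {
	if ( empty( $_POST['bbp_forum_id'] ) ) {
		return; // No forum change submitted; nothing to check here.
	}
	if ( ! example_user_can_target_forum( $_POST['bbp_forum_id'], bp_loggedin_user_id() ) ) {
		bbp_add_error( 'example_forum_forbidden',
			__( '<strong>ERROR</strong>: You cannot post topics in that forum.', 'example' ) );
	}
}
add_action( 'bbp_new_topic_pre_extras',  'example_block_forbidden_forum_target' );
add_action( 'bbp_edit_topic_pre_extras', 'example_block_forbidden_forum_target' );
```

Pair this with the dropdown filter: hiding the option keeps honest users from being confused, while this check is what stops a crafted bbp_forum_id value from moving a topic into a forum the user cannot read.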

#6 @johnjamesjacoby
14 months ago

  • Keywords needs-testing added
  • Milestone changed from 2.7 to 2.6.1
  • Owner set to johnjamesjacoby
  • Priority changed from normal to high