Skip to:
Content

bbPress.org

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#2119 closed defect (bug) (fixed)

BP group members cannot post in private/hidden groups

Reported by: boonebgorges's profile boonebgorges Owned by:
Milestone: 2.3 Priority: normal
Severity: normal Version: 2.1
Component: Extend - BuddyPress Keywords: has-patch
Cc:

Description

Members of hidden BP groups are not able to post to those groups' forums. Steps to reproduce:

  1. Create a hidden group with User 1
  2. Invite User 2 to join the group. It's important that User 2 not be a super admin, and that he not be a group admin/mod - just a member
  3. Log in as User 2 and accept invitation
  4. Go to the group and try to post a new forum post

The problem is in BBP_Forums_Group_Extension::map_topic_meta_caps(). bbPress checks for group membership using the bp_group_is_member() function, which in turn looks at the $groups_template global. However, at the point in the loading process when bbPress attempts to save the new topic (bbp_new_topic_handler()), this global has not yet been populated. As a result, bp_group_is_member() always returns false.

At bottom, this is a flaw in BuddyPress, but fixing it there could have odd consequences for plugins and themes. So I propose the fix in the attached patch, which uses the groups_is_user_member() series of functions instead.

Attachments (1)

2119.patch (1.5 KB) - added by boonebgorges 12 years ago.

Download all attachments as: .zip

Change History (7)

@boonebgorges
12 years ago

#1 @johnjamesjacoby
12 years ago

  • Milestone changed from Awaiting Review to 2.3

These functions are dangerous when used like this, as they query the DB directly with no caching. When coupled together with map_meta_cap, it can cause thousands of queries depending on the context.

Would like to come up with a better fix than this.

#2 follow-up: @boonebgorges
12 years ago

I don't know about *thousands* of queries, since the queries only happen in the context of groups, and only when an appropriate $cap is passed. But yeah, certainly dozens.

Another option would be to hook bbp_new_topic_handler() a bit later.

#3 @boonebgorges
12 years ago

Another option would be to hook bbp_new_topic_handler() a bit later.

Actually, this is probably a bad idea, because BP is probably populating $groups_template after the template is already loaded. It's pretty crummy to be handling $_POST stuff at this point, after content has already been sent to the browser.

#4 in reply to: ↑ 2 @johnjamesjacoby
12 years ago

Replying to boonebgorges:

I don't know about *thousands* of queries,

...tens of thousands of queries...

After some brainstorming in IRC, the easiest solution is to temporarily cache the current user's group membership status for the current group, using the group_get_ functions, and preventing them from being called more than once per page load.

#5 @johnjamesjacoby
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4633]) Introduce functions for getting and caching the current users current group status. Use these new functions in the Group Forum extension, to remove dependency on $groups_template global. Fixes bugs where regular users could not create content in private/hidden groups. Hat-tip boonebgorges. Fixes #2119.

#6 @johnjamesjacoby
12 years ago

(In [4634]) Add missing type in @return phpdoc tags for current user group status checks. See #2119.

Note: See TracTickets for help on using tickets.