
bbPress.org

Opened 8 years ago

Closed 8 years ago

#2284 closed defect (fixed)

bbp_get_current_user_id() Doesn't Work Properly

Reported by: alex-ye Owned by:
Milestone: 2.3 Priority: high
Severity: normal Version: 2.2.3
Component: Component - Users Keywords: has-patch
Cc: wordpress@…

Description

Hi, this bug causes serious problems, because it makes functions like bbp_is_user_keymaster() return the wrong value, for example.

One of those related bugs is that you can find the private/hidden topics or replies in the bbPress key-master profile, etc.

So what's wrong? I think bbp_get_current_user_id() should return the current logged-in user ID only, nothing else!

However, the current function returns get_query_var( 'bbp_user_id' ) if the user is not logged in!

Attachments (1)

users-template-tags.patch (993 bytes) - added by alex-ye 8 years ago.


Change History (7)

#1 @johnjamesjacoby
8 years ago

(In [4830]) Remove outdated bbp_get_user_id() phpdoc references. See #2284.

#2 @johnjamesjacoby
8 years ago

Hm. I see how this could be a problem. Do you have a reproduction case where bbp_is_user_keymaster() is returning invalid results? In my imagination, I guess viewing a keymaster profile when there are hidden forums and sidebar widgets might leak links?


#3 @johnjamesjacoby
8 years ago

  • Milestone changed from Awaiting Review to 2.3

#4 @MZAWeb
8 years ago

  • Cc wordpress@… added

Why is it considering the query_var in the first place? Seems weird but I'm sure there's a good reason.

#5 @alex-ye
8 years ago

@johnjamesjacoby a function like bbp_is_user_keymaster with an empty $user_id should return whether the current logged-in user is a keymaster or not. It shouldn't return true if the displayed user is, or if the user in the query is ..

You can reproduce this easily by putting this code at the head of the user-topics-created.php file:

echo ( bbp_is_user_keymaster() ) ? "The current logged-in user is a keymaster" : ":)";

After that, go to a key-master's topics-created page (make sure you are logged out). You will find the string "The current logged-in user is a keymaster" in the output!

Because of that, a function like bbp_exclude_forum_ids() doesn't exclude the private and hidden forums' topics/replies in the key-master profile ...


#6 @johnjamesjacoby
8 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4831]) In bbp_get_user_id(), do not fall back to 'bbp_user_id' query variable, to prevent accidentally confusing a Guest (anonymous) user with the displayed user, in situations where empty bbp_get_user_id() checks are made. Fixes #2284.
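The confusion discussed in this ticket, as an added example that is not bbPress code and not part of the ticket: a simplified, self-contained PHP model in which every function name, the `$request` array and the sample roles and forums are assumptions made for illustration. It compares a user-ID resolver that falls back to the `bbp_user_id` query variable for guests with one that returns 0, and shows how a keymaster check and a forum-visibility filter built on each behave for a logged-out visitor.

```php
<?php
// Constructed sample data, not taken from a real site.
$roles   = array( 1 => 'keymaster', 2 => 'participant' );
$forums  = array( 'General' => 'public', 'Staff' => 'hidden', 'Members' => 'private' );
// Guest request for the keymaster's profile page: nobody is logged in,
// but the URL sets the 'bbp_user_id' query variable to user 1.
$request = array( 'logged_in_id' => 0, 'query_vars' => array( 'bbp_user_id' => 1 ) );

// Hypothetical resolver with the fallback described in the ticket.
function resolve_with_fallback( array $request, int $user_id = 0 ): int {
    if ( $user_id > 0 ) {
        return $user_id;
    }
    if ( $request['logged_in_id'] > 0 ) {
        return $request['logged_in_id'];
    }
    // Guest: the identity now comes from the requested URL.
    return (int) ( $request['query_vars']['bbp_user_id'] ?? 0 );
}

// Hypothetical resolver without the fallback: a guest resolves to 0.
function resolve_strict( array $request, int $user_id = 0 ): int {
    return $user_id > 0 ? $user_id : (int) $request['logged_in_id'];
}

// Stand-in for a check like bbp_is_user_keymaster() called with no $user_id.
function is_keymaster( callable $resolve, array $request, array $roles ): bool {
    $id = $resolve( $request );
    return $id > 0 && ( $roles[ $id ] ?? '' ) === 'keymaster';
}

// Stand-in for forum exclusion: only a keymaster sees hidden/private forums.
function visible_forums( callable $resolve, array $request, array $roles, array $forums ): array {
    if ( is_keymaster( $resolve, $request, $roles ) ) {
        return array_keys( $forums );
    }
    return array_keys( array_filter( $forums, fn( $v ) => 'public' === $v ) );
}

// Run the same guest request through both resolvers and print the outcome.
foreach ( array( 'resolve_with_fallback', 'resolve_strict' ) as $resolve ) {
    printf(
        "%-22s keymaster=%s forums=%s\n",
        $resolve,
        var_export( is_keymaster( $resolve, $request, $roles ), true ),
        implode( ',', visible_forums( $resolve, $request, $roles, $forums ) )
    );
}
```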
