Opened 11 years ago

Closed 11 years ago

#2366 closed defect (bug) (fixed)

Sticky escalation for non-moderators

Reported by: johnjamesjacoby
Owned by: johnjamesjacoby
Milestone: 2.4
Priority: normal
Severity: major
Version: 2.1
Component: Component - Topics
Keywords: has-patch


Non-moderators are able to escalate the sticky-status of a new topic by spoofing the 'bbp_stick_topic' $_POST parameter, as the _new_ and _edit_ handlers are missing a 'moderator' capability check.

iirc, the long term plan was to use a dedicated 'stick_topics' capability, and map it to moderate (this is how bbPress 1.x handled this) though it seems overkill for core to map this, as a plugin would need to remap it to change the behavior anyways.

Patch imminent, adds cap checks to the _new_ and _edit_ handlers.

Attachments (1)

2336.patch (2.2 KB) - added by johnjamesjacoby 11 years ago.

Change History (2)

#1 @johnjamesjacoby
11 years ago

  • Owner set to johnjamesjacoby
  • Resolution set to fixed
  • Status changed from new to closed

In 5019:

In bbp_new_topic_handler() and bbp_edit_topic_handler(), restrict sticky topic actions to users with 'moderate' capability. Fixes #2366.
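
The missing check this ticket describes, as an added example that is not bbPress code or the attached patch: a handler that reads 'bbp_stick_topic' from the request with and without a 'moderate' capability gate. `user_has_cap()` is a hypothetical stand-in for WordPress's `current_user_can()`, and the role map, status values and the choice to keep the existing status for non-moderators are assumptions made for the illustration.

```php
<?php
// Added illustration, not bbPress source or the attached patch.
// user_has_cap() is a hypothetical stand-in for WordPress's
// current_user_can(); roles, caps and status values are constructed.
const ROLE_CAPS = [
    'participant' => ['publish_topics'],
    'moderator'   => ['publish_topics', 'moderate'],
];
const STICKY_VALUES = ['unstick', 'stick', 'super'];

function user_has_cap(string $role, string $cap): bool
{
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Before: any user who can submit the form decides the sticky status.
function sticky_status_unchecked(array $post, string $current): string
{
    $requested = $post['bbp_stick_topic'] ?? $current;
    return in_array($requested, STICKY_VALUES, true) ? $requested : $current;
}

// After: the field is honoured only with 'moderate'; everyone else keeps
// the topic's existing status, so an edit can neither stick nor unstick.
function sticky_status_checked(string $role, array $post, string $current): string
{
    if (!user_has_cap($role, 'moderate')) {
        return $current;
    }
    return sticky_status_unchecked($post, $current);
}

// Constructed form submission carrying the sticky field.
$post = ['bbp_topic_title' => 'Hello', 'bbp_stick_topic' => 'super'];

foreach (array_keys(ROLE_CAPS) as $role) {
    printf(
        "%-12s unchecked=%-8s checked=%s\n",
        $role,
        sticky_status_unchecked($post, 'unstick'),
        sticky_status_checked($role, $post, 'unstick')
    );
}
```

Hiding the sticky field in the form for non-moderators does not replace this gate, because the handler still receives whatever the client sends.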

Note: See TracTickets for help on using tickets.