Opened 10 years ago
Last modified 5 years ago
#2639 new defect (bug)
When editing a topic I can select a forum from a private group I'm not part of
| Reported by: | gcmo | Owned by: | johnjamesjacoby |
|---|---|---|---|
| Milestone: | 2.7 | Priority: | high |
| Severity: | normal | Version: | |
| Component: | Extend - BuddyPress | Keywords: | needs-testing |
| Cc: | | | |
Description
bbPress 2.5.3
BuddyPress 2.0.1
Logged in with a contributor role
When editing a topic I can correctly see an input to select a new forum to move the topic to
The issue is that in the list of forums to pick I can see forums belonging to private groups I’m not part of
If I select one of those and submit the post gets moved there correctly and I get redirected to the group->forum page where I correctly see a notice stating I can't see the message
I think I shouldn’t see those forums in the dropdown in the first place
The origin of the problem might be a misalignment between the bbPress and BuddyPress visibility systems:
Private forum in bbPress means visible only to logged-in users.
Private group in BuddyPress means visible only to group members.
P.S. I originally posted on BuddyPress Trac, but they pointed me here: https://buddypress.trac.wordpress.org/ticket/5726
Change History (8)
#2 (10 years ago)
- Milestone changed from Awaiting Review to 2.7
Move from awaiting review to 2.7 milestone.
#3 (10 years ago)
Confirming this as well, but in slightly different form.
In my custom theme, I included the "New Topic" form on the forums archive. The forum dropdown allows anyone to create a topic in any group. So, neither is the forum list in the dropdown filtered by visibility, nor are there any checks for privileges in the script processing new topic posts.
This ticket was mentioned in Slack in #bbpress by netweb. (8 years ago)
#5 (7 years ago)
Bump. This has caused a problem for a client.
In theory, this could be solved by passing bp_exclude_forum_ids( 'array' ) to the forum query in bbp_get_dropdown(). But this doesn't work, because the 'read_hidden_forums' and 'read_private_forums' mapping for BP groups is too broad. The logic here seems incorrect: https://bbpress.trac.wordpress.org/browser/tags/2.5.14/includes/extend/buddypress/groups.php?marks=212-213#L204 If a user is viewing a group of which they are an admin, they should be able to read a private/hidden forum *if* it's the one associated with the current group - NOT all private/hidden forums in general.
I think instances of capability-mapping for BP groups should be looked at more generally, as there are likely more cases like this. That said, I'm unsure whether this specifically is the proper (or only) fix for the bbp_dropdown() issue. The eventual fix will not only block users from seeing improper items in the dropdown, but will also do server-side checks to ensure that a user has the ability to link a topic to a forum. Currently, neither appear to happen.
For the time being, here's my clunky and imperfect filter that prevents users from seeing forums they shouldn't be seeing:
```php
add_filter( 'bbp_after_get_dropdown_parse_args', function( $args ) {
    // Moderators keep the full list; only the forum dropdown is filtered.
    if ( ! current_user_can( 'bp_moderate' ) && 'forum' === $args['post_type'] ) {
        $exclude        = array();
        $non_public_ids = array_merge( bbp_get_private_forum_ids(), bbp_get_hidden_forum_ids() );
        foreach ( $non_public_ids as $non_public_id ) {
            // Only private/hidden forums owned by a BP group are handled here.
            $group_ids = bbp_get_forum_group_ids( $non_public_id );
            if ( ! $group_ids ) {
                continue;
            }
            // Members of the owning group may still see it.
            if ( groups_is_user_member( bp_loggedin_user_id(), $group_ids[0] ) ) {
                continue;
            }
            $exclude[] = $non_public_id;
        }
        if ( $exclude ) {
            $args['exclude'] = $exclude;
        }
    }
    return $args;
} );
```
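The server-side check that the comment above says is still missing, as an added example (not code from the ticket and not bbPress's own): it hooks bbPress's topic-submission handlers and rejects a destination forum the current user may not post into, so a private or hidden group forum id placed directly in the POST body is refused even though the dropdown hides it. The ticket2639_ function and error code names are mine; it assumes bbPress 2.5 with the BuddyPress extension active, and relies on the handlers aborting when bbp_has_errors() is true after these actions.

```php
<?php
// Added example for ticket #2639 (not bbPress code): server-side check that
// complements the dropdown filter, so a private/hidden group forum id placed
// in the POST body is rejected before the topic is created or moved.

// Can the current user create or move a topic into $forum_id?
function ticket2639_user_can_post_in_forum( $forum_id ) {
    $forum_id = (int) $forum_id;
    if ( $forum_id <= 0 ) {
        return false;
    }
    // Public forums are always allowed.
    if ( ! bbp_is_forum_private( $forum_id ) && ! bbp_is_forum_hidden( $forum_id ) ) {
        return true;
    }
    // Site-wide moderators may post anywhere.
    if ( current_user_can( 'bp_moderate' ) ) {
        return true;
    }
    $group_ids = bbp_get_forum_group_ids( $forum_id );
    if ( empty( $group_ids ) ) {
        // Not a group forum: defer to bbPress's own visibility rules.
        return bbp_user_can_view_forum( array( 'forum_id' => $forum_id ) );
    }
    // Group forum: check membership directly instead of relying on the
    // over-broad read_private_forums / read_hidden_forums capability mapping.
    return (bool) groups_is_user_member( bp_loggedin_user_id(), (int) $group_ids[0] );
}

// New topic: bbPress passes the target forum id to this action and aborts
// the save if bbp_has_errors() is true afterwards.
add_action( 'bbp_new_topic_pre_extras', function ( $forum_id ) {
    if ( ! ticket2639_user_can_post_in_forum( $forum_id ) ) {
        bbp_add_error( 'ticket2639_forum_forbidden',
            __( '<strong>ERROR</strong>: You cannot post in that forum.', 'bbpress' ) );
    }
} );

// Edit topic: the destination comes from the submitted bbp_forum_id field,
// falling back to the topic's current forum when it is not being moved.
add_action( 'bbp_edit_topic_pre_extras', function ( $topic_id ) {
    $forum_id = ! empty( $_POST['bbp_forum_id'] )
        ? (int) $_POST['bbp_forum_id']
        : bbp_get_topic_forum_id( $topic_id );
    if ( ! ticket2639_user_can_post_in_forum( $forum_id ) ) {
        bbp_add_error( 'ticket2639_forum_forbidden',
            __( '<strong>ERROR</strong>: You cannot move a topic into that forum.', 'bbpress' ) );
    }
} );
```

Group admins are group members, so the membership check also covers the admin case described in the comment without granting access to every private or hidden forum.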
Confirmed
Repro
Result:
Expected:
When editing a topic in a BuddyPress group forum we call bbp_get_template_part( 'form', 'topic' );
Related: #2599, #459