bbPress.org

Opened 3 years ago

Last modified 2 years ago

#3069 new defect

author metabox shows unfiltered IP address

Reported by: mattiejas
Owned by:
Milestone: 2.7
Priority: normal
Severity: normal
Version: trunk
Component: General - Administration
Keywords: has-screenshots needs-patch
Cc:

Description

This concerns the function bbp_author_metabox in src/includes/admin/metaboxes.php; in that function the 'bbp_get_author_ip' filter is not applied when fetching the author's IP address for display in the user interface:

https://bbpress.trac.wordpress.org/browser/trunk/src/includes/admin/metaboxes.php#L636

I believe that the bbp_author_ip function should be used there, instead of a raw get_post_meta call, as bbp_author_ip applies the filter properly; see

https://bbpress.trac.wordpress.org/browser/trunk/src/includes/users/template.php#L587

The bbp_author_ip function also appears to be used a lot elsewhere in the code to display authors' IP addresses.

A screenshot is attached showing an example of where the problem occurs, when editing replies via the admin interface. Actual IP address is blurred out for security reasons.

(I ran into this trying to hide IP addresses from the user interface via the 'bbp_get_author_ip' filter.)

Attachments (1)

author_ip_leak.png (417.1 KB) - added by mattiejas 3 years ago.


Change History (7)

#1 @johnjamesjacoby
3 years ago

  • Component changed from API - Actions/Filters to General - Administration
  • Keywords needs-patch added

Hey @mattiejas, thanks for the ticket here.

The admin-area metaboxes use get_post_meta() intentionally, to expose the data as close as possible to what's present in the database. If you need to filter the data here, you can use the get_post_metadata filter, and check that $meta_key is _bbp_author_ip.

I just noticed we don't have singular wrappers for the other anonymous user meta values, but bbp_author_metabox() is shared across both topics and replies. If we did want to switch to using bbp_author_ip() here, we'd probably want two meta-box functions (one each, for topics/replies.)

#2 @mattiejas
3 years ago

Thanks for the quick and very informative response, John. I wasn't aware that get_post_metadata had a separate filter, and I'm sorry for not reading the docs more closely to figure this out (although as far as I could find, it's not listed in the WordPress Codex, unfortunately). I'll try it out.

#3 @johnjamesjacoby
3 years ago

No need to apologize. It's great that you thought you spotted something, and took the time to describe what you found in such detail, and included a use-case.

It really could use either approach, as there are pros and cons (like you've discovered) by having specific wrappers for things.

#4 @johnjamesjacoby
2 years ago

  • Milestone changed from Awaiting Review to 2.7

Moving to 2.7 milestone.

This ticket was mentioned in Slack in #bbpress by jjj.


2 years ago

#6 @mattiejas
2 years ago

In case anyone stumbles on this, just to post my solution to the problem here:

function wpse59607_remove_meta_box() {
    remove_meta_box( 'bbp_author_metabox', 'topic', 'side' );
    remove_meta_box( 'bbp_author_metabox', 'reply', 'side' );
}

add_action( 'add_meta_boxes', 'wpse59607_remove_meta_box', 999 );

This will hide the entire author meta box (which doesn't contain much information anyway), including the IP address. I found this easier than messing with get_post_metadata, which potentially might have other implications, e.g. for anti-spam. Although I have no knowledge of how those actually work, I could imagine they might also use get_post_meta.
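
The get_post_metadata approach suggested in comment #1, as an added example that is not part of the ticket or of bbPress: a callback that checks for the _bbp_author_ip key and masks the value only on the admin topic/reply edit screens, so reads of the same meta elsewhere still get the stored value. The callback name, the manage_options capability check and the use of WordPress's wp_privacy_anonymize_ip() for masking are assumptions of this example.

```php
<?php
// Added example, not bbPress code. The function name is hypothetical.
function example_mask_bbp_author_ip( $value, $object_id, $meta_key, $single ) {
    // Only touch the key named in the ticket; pass every other meta read through.
    if ( '_bbp_author_ip' !== $meta_key ) {
        return $value;
    }

    // Restrict masking to admin post-edit screens. get_current_screen() returns
    // null outside a regular admin page load (front end, AJAX, cron, REST).
    if ( ! is_admin() || ! function_exists( 'get_current_screen' ) ) {
        return $value;
    }
    $screen = get_current_screen();
    $types  = array( bbp_get_topic_post_type(), bbp_get_reply_post_type() );
    if ( ! $screen || 'post' !== $screen->base
        || ! in_array( $screen->post_type, $types, true ) ) {
        return $value;
    }

    // Assumption: site administrators may still see the stored address.
    if ( current_user_can( 'manage_options' ) ) {
        return $value;
    }

    // Read the stored value without re-entering this callback.
    remove_filter( 'get_post_metadata', __FUNCTION__, 10 );
    $ip = get_post_meta( $object_id, '_bbp_author_ip', true );
    add_filter( 'get_post_metadata', __FUNCTION__, 10, 4 );

    if ( empty( $ip ) ) {
        return $value; // Nothing stored; let core handle it as usual.
    }

    // Zero the host part of the address (last octet for IPv4).
    $masked = wp_privacy_anonymize_ip( $ip );

    // A non-null return short-circuits the database read. Core unwraps an
    // array when $single is true, so mirror the shape the caller asked for.
    return $single ? $masked : array( $masked );
}
add_filter( 'get_post_metadata', 'example_mask_bbp_author_ip', 10, 4 );
```

The filter changes what get_post_meta() returns on those screens, not what is stored, so any code that reads the value there and writes it back should be checked before relying on this.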
