Commit 27c8d94a authored by samba's avatar samba

[auto] plugin: buddypress 4.3.0

parent 620a1808
......@@ -21,6 +21,11 @@ function bp_activity_action_mark_favorite() {
// Check the nonce.
check_admin_referer( 'mark_favorite' );
$activity_item = new BP_Activity_Activity( bp_action_variable( 0 ) );
if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
return false;
}
if ( bp_activity_add_user_favorite( bp_action_variable( 0 ) ) )
bp_core_add_message( __( 'Activity marked as favorite.', 'buddypress' ) );
else
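Review bot: The new guard at L9–L12 constructs the activity from the raw `bp_action_variable( 0 )` and L13 then passes the same raw value to `bp_activity_add_user_favorite()`, so the value that was checked and the value that is acted on are never normalized to a single id. The sibling AJAX handlers in this commit cast once before checking (`$activity_id = (int) $_POST['id'];`); the same shape here would be `$activity_id = (int) bp_action_variable( 0 );`, `$activity_item = new BP_Activity_Activity( $activity_id );` and `bp_activity_add_user_favorite( $activity_id )`. Whether `BP_Activity_Activity` and `bp_activity_add_user_favorite()` coerce their argument identically is outside the hunk, so I would not rely on it. bp_activity_action_mark_favorite() starts before the hunk and its else branch continues after it.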
......
......@@ -44,6 +44,12 @@ function bp_activity_action_post_comment() {
bp_core_redirect( wp_get_referer() . '#ac-form-' . $activity_id );
}
$activity_item = new BP_Activity_Activity( $activity_id );
if ( ! bp_activity_user_can_read( $activity_item ) ) {
bp_core_add_message( __( 'There was an error posting that reply. Please try again.', 'buddypress' ), 'error' );
bp_core_redirect( wp_get_referer() . '#ac-form-' . $activity_id );
}
$comment_id = bp_activity_new_comment( array(
'content' => $content,
'activity_id' => $activity_id,
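Review bot: The new guard at L21 calls `bp_activity_user_can_read( $activity_item )` without a user argument, while the favorite handlers in this commit pass `bp_loggedin_user_id()` explicitly; unless the default is the logged-in user, the two checks answer different questions, so either pass the user id here as well or add `// Defaults to the logged-in user.` so the asymmetry reads as deliberate. The denial path at L22–L23 relies on `bp_core_redirect()` not returning, otherwise L25 would still create the comment; the handler already depends on that at L18–L19, so a one-line `// bp_core_redirect() exits; nothing below runs for unreadable items.` documents the assumption rather than changing it. bp_activity_action_post_comment() starts before the hunk and continues after it.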
......
......@@ -15,7 +15,6 @@ defined( 'ABSPATH' ) || exit;
// Apply WordPress defined filters.
add_filter( 'bp_get_activity_action', 'bp_activity_filter_kses', 1 );
add_filter( 'bp_get_activity_content_body', 'bp_activity_filter_kses', 1 );
add_filter( 'bp_get_activity_content', 'bp_activity_filter_kses', 1 );
add_filter( 'bp_get_activity_parent_content', 'bp_activity_filter_kses', 1 );
add_filter( 'bp_get_activity_latest_update', 'bp_activity_filter_kses', 1 );
add_filter( 'bp_get_activity_latest_update_excerpt', 'bp_activity_filter_kses', 1 );
......@@ -205,6 +204,14 @@ function bp_activity_check_blacklist_keys( $activity ) {
* @return string $content Filtered activity content.
*/
function bp_activity_filter_kses( $content ) {
$activity_allowedtags = bp_get_allowedtags();
// Don't allow 'class' or 'id'.
foreach ( $activity_allowedtags as $el => &$atts ) {
unset( $atts['class'] );
unset( $atts['id'] );
}
/**
* Filters the allowed HTML tags for BuddyPress Activity content.
*
......@@ -212,7 +219,7 @@ function bp_activity_filter_kses( $content ) {
*
* @param array $value Array of allowed HTML tags and attributes.
*/
$activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', bp_get_allowedtags() );
$activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', $activity_allowedtags );
return wp_kses( $content, $activity_allowedtags );
}
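Review bot: The by-reference loop added at L43–L46 leaves `$atts` bound to the last element of `$activity_allowedtags` after the loop ends, and L55 then reassigns `$activity_allowedtags` from the filter's return value while that reference slot can still be shared with the array handed to the filter callbacks. Add `unset( $atts );` immediately after the closing brace at L46 so the reference is released before `apply_filters()` runs; this is the standard idiom for `foreach ( ... as &$x )`. Stripping `class` and `id` is a sound hardening step and deserves a why-comment, e.g. `// Strip class/id so posted markup cannot target theme CSS rules or element ids.` The second hunk at L50–L57 shows the function's end; its start is in the first hunk at L40.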
......
......@@ -297,6 +297,119 @@ function bp_groups_filter_activity_scope( $retval = array(), $filter = array() )
}
add_filter( 'bp_activity_set_groups_scope_args', 'bp_groups_filter_activity_scope', 10, 2 );
/**
* Enforces group membership restrictions on activity favorite queries.
*
* @since 4.3.0
* @param array $retval Query arguments.
* @param array $filter
* @return array
*/
function bp_groups_filter_activity_favorites_scope( $retval, $filter ) {
// Only process for viewers looking at their own favorites feed.
if ( ! empty( $filter['user_id'] ) ) {
$user_id = (int) $filter['user_id'];
} else {
$user_id = bp_displayed_user_id() ? bp_displayed_user_id() : bp_loggedin_user_id();
}
if ( ! $user_id || ! is_user_logged_in() || $user_id !== bp_loggedin_user_id() ) {
return $retval;
}
$favs = bp_activity_get_user_favorites( $user_id );
if ( empty( $favs ) ) {
return $retval;
}
$user_groups = bp_get_user_groups(
$user_id,
array(
'is_admin' => null,
'is_mod' => null,
)
);
$retval = array(
'relation' => 'OR',
// Allow hidden items for items unconnected to groups.
'non_groups' => array(
'relation' => 'AND',
array(
'column' => 'component',
'compare' => '!=',
'value' => buddypress()->groups->id,
),
array(
'column' => 'hide_sitewide',
'compare' => 'IN',
'value' => array( 1, 0 ),
),
array(
'column' => 'id',
'compare' => 'IN',
'value' => $favs,
),
),
// Trust the favorites list for group items that are not hidden sitewide.
'non_hidden_groups' => array(
'relation' => 'AND',
array(
'column' => 'component',
'compare' => '=',
'value' => buddypress()->groups->id,
),
array(
'column' => 'hide_sitewide',
'compare' => '=',
'value' => 0,
),
array(
'column' => 'id',
'compare' => 'IN',
'value' => $favs,
),
),
// For hidden group items, limit to those in the user's groups.
'hidden_groups' => array(
'relation' => 'AND',
array(
'column' => 'component',
'compare' => '=',
'value' => buddypress()->groups->id,
),
array(
'column' => 'hide_sitewide',
'compare' => '=',
'value' => 1,
),
array(
'column' => 'id',
'compare' => 'IN',
'value' => $favs,
),
array(
'column' => 'item_id',
'compare' => 'IN',
'value' => wp_list_pluck( $user_groups, 'group_id' ),
),
),
'override' => array(
'display_comments' => true,
'filter' => array( 'user_id' => 0 ),
'show_hidden' => true,
),
);
return $retval;
}
add_filter( 'bp_activity_set_favorites_scope_args', 'bp_groups_filter_activity_favorites_scope', 20, 2 );
/**
* Record an activity item related to the Groups component.
*
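Review bot: When the user belongs to no groups, `wp_list_pluck( $user_groups, 'group_id' )` at L152 yields an empty array, so the `hidden_groups` clause compares `item_id IN` against an empty list; whether BP_Activity_Query turns that into valid SQL (or into a clause that matches nothing, as intended) is outside this hunk and worth confirming. A simple guard is to compute `$group_ids = wp_list_pluck( $user_groups, 'group_id' );` first and only append the `hidden_groups` clause when `! empty( $group_ids )`. The `non_groups` clause admits `hide_sitewide` 1 and 0 for non-group components (L101–L105); the comment at L93 says so but not why the favorite list alone is treated as sufficient authorization there — presumably because the user could read the item when favoriting it — so expand the comment to state that reasoning. The docblock at L67–L68 also leaves `$filter` and the return value undescribed; `@param array $filter Filter arguments for the current favorites query.` and `@return array Scope arguments, restricted for hidden group items to the user's groups.` would complete it.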
......
......@@ -33,7 +33,7 @@ function groups_screen_group_admin_edit_details() {
if ( empty( $_POST['group-name'] ) || empty( $_POST['group-desc'] ) ) {
bp_core_add_message( __( 'Groups must have a name and a description. Please try again.', 'buddypress' ), 'error' );
} elseif ( ! groups_edit_base_group_details( array(
'group_id' => $_POST['group-id'],
'group_id' => bp_get_current_group_id(),
'name' => $_POST['group-name'],
'slug' => null, // @TODO: Add to settings pane? If yes, editable by site admin only, or allow group admins to do this?
'description' => $_POST['group-desc'],
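Review bot: The switch at L173 from `$_POST['group-id']` to `bp_get_current_group_id()` is the authorization fix of this hunk, but nothing in the code says why the posted id is no longer trusted; add `// Always edit the current group; a client-supplied group-id must never select the target.` above the array. The posted `group-name` and `group-desc` still flow into `groups_edit_base_group_details()` unsanitized at L174 and L176; whether that function sanitizes them is outside the hunk, and the `empty()` checks at L169 also reject the literal name `0`. groups_screen_group_admin_edit_details() starts before the hunk.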
......
......@@ -40,18 +40,20 @@ function groups_screen_group_admin_settings() {
if ( !check_admin_referer( 'groups_edit_group_settings' ) )
return false;
$group_id = bp_get_current_group_id();
/*
* Save group types.
*
* Ensure we keep types that have 'show_in_create_screen' set to false.
*/
$current_types = bp_groups_get_group_type( bp_get_current_group_id(), false );
$current_types = bp_groups_get_group_type( $group_id, false );
$current_types = array_intersect( bp_groups_get_group_types( array( 'show_in_create_screen' => false ) ), (array) $current_types );
if ( isset( $_POST['group-types'] ) ) {
$current_types = array_merge( $current_types, $_POST['group-types'] );
// Set group types.
bp_groups_set_group_type( bp_get_current_group_id(), $current_types );
bp_groups_set_group_type( $group_id, $current_types );
// No group types checked, so this means we want to wipe out all group types.
} else {
......@@ -63,10 +65,10 @@ function groups_screen_group_admin_settings() {
$current_types = empty( $current_types ) ? '' : $current_types;
// Set group types.
bp_groups_set_group_type( bp_get_current_group_id(), $current_types );
bp_groups_set_group_type( $group_id, $current_types );
}
if ( !groups_edit_group_settings( $_POST['group-id'], $enable_forum, $status, $invite_status ) ) {
if ( ! groups_edit_group_settings( $group_id, $enable_forum, $status, $invite_status ) ) {
bp_core_add_message( __( 'There was an error updating group settings. Please try again.', 'buddypress' ), 'error' );
} else {
bp_core_add_message( __( 'Group settings were successfully updated.', 'buddypress' ) );
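Review bot: `$group_id` is now resolved once at L181 and used at L188, L194, L201 and L204, but `$_POST['group-types']` is still merged into `$current_types` at L191 without being checked against the registered group types; whether `bp_groups_set_group_type()` rejects unknown names is outside the hunk. If it does not, intersecting `(array) $_POST['group-types']` with `bp_groups_get_group_types()` before the merge would keep the saved set to registered types, mirroring the intersect already done at L189 for the hidden types. groups_screen_group_admin_settings() starts before the hunk and continues after it.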
......
......@@ -15,7 +15,7 @@
* Description: BuddyPress adds community features to WordPress. Member Profiles, Activity Streams, Direct Messaging, Notifications, and more!
* Author: The BuddyPress Community
* Author URI: https://buddypress.org/
* Version: 4.2.0
* Version: 4.3.0
* Text Domain: buddypress
* Domain Path: /bp-languages/
* License: GPLv2 or later (license.txt)
......
......@@ -1056,8 +1056,14 @@ function bp_legacy_theme_new_activity_comment() {
exit( '-1<div id="message" class="error bp-ajax-message"><p>' . esc_html( $feedback ) . '</p></div>' );
}
$activity_id = (int) $_POST['form_id'];
$activity_item = new BP_Activity_Activity( $activity_id );
if ( ! bp_activity_user_can_read( $activity_item ) ) {
exit( '-1<div id="message" class="error bp-ajax-message"><p>' . esc_html( $feedback ) . '</p></div>' );
}
$comment_id = bp_activity_new_comment( array(
'activity_id' => $_POST['form_id'],
'activity_id' => $activity_id,
'content' => $_POST['content'],
'parent_id' => $_POST['comment_id'],
'error_type' => 'wp_error'
......@@ -1242,6 +1248,12 @@ function bp_legacy_theme_mark_activity_favorite() {
return;
}
$activity_id = (int) $_POST['id'];
$activity_item = new BP_Activity_Activity( $activity_id );
if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
return;
}
if ( bp_activity_add_user_favorite( $_POST['id'] ) )
_e( 'Remove Favorite', 'buddypress' );
else
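Review bot: At L241 `bp_activity_add_user_favorite( $_POST['id'] )` still receives the raw request value although the read check at L237–L240 was performed on the cast `$activity_id`; pass the checked value instead, `if ( bp_activity_add_user_favorite( $activity_id ) )`, as the first hunk of this file already does for the comment at L229. The same checked/used mismatch appears in the bp-nouveau ajax activity hunks: `$_POST['id']` at L297 and `$_POST['form_id']` at L308 are used after checks on `$activity_id`. Whenever the two values can differ, the authorization decision is made on one id and the write on another. bp_legacy_theme_mark_activity_favorite() starts before the hunk and its else branch continues after it.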
......
......@@ -73,7 +73,7 @@ do_action( 'bp_before_create_group_page' ); ?>
<div>
<label for="group-name"><?php _e( 'Group Name (required)', 'buddypress' ); ?></label>
<input type="text" name="group-name" id="group-name" aria-required="true" value="<?php bp_new_group_name(); ?>" />
<input type="text" name="group-name" id="group-name" aria-required="true" value="<?php echo esc_attr( bp_get_new_group_name() ); ?>" />
</div>
<div>
......
......@@ -21,7 +21,7 @@
do_action( 'bp_before_group_details_admin' ); ?>
<label for="group-name"><?php _e( 'Group Name (required)', 'buddypress' ); ?></label>
<input type="text" name="group-name" id="group-name" value="<?php bp_group_name(); ?>" aria-required="true" />
<input type="text" name="group-name" id="group-name" value="<?php echo esc_attr( bp_get_group_name() ); ?>" aria-required="true" />
<label for="group-desc"><?php _e( 'Group Description (required)', 'buddypress' ); ?></label>
<textarea name="group-desc" id="group-desc" aria-required="true"><?php bp_group_description_editable(); ?></textarea>
......
......@@ -1869,7 +1869,7 @@ function bp_filter_request( object, filter, scope, target, search_terms, page, e
// Get directory preferences (called "cookie" for legacy reasons).
var cookies = {};
cookies['bp-' + object + '-filter'] = bp_get_directory_preference( object, 'filter' );
cookies['bp' + object + '-scope'] = bp_get_directory_preference( object, 'scope' );
cookies['bp-' + object + '-scope'] = bp_get_directory_preference( object, 'scope' );
var cookie = encodeURIComponent( jq.param( cookies ) );
......
......@@ -4,6 +4,7 @@
*
* @since 3.0.0
* @version 3.0.0
* @version 4.3.0
*/
bp_nouveau_before_loop(); ?>
......@@ -63,7 +64,7 @@ bp_nouveau_before_loop(); ?>
<?php else : ?>
bp_nouveau_user_feedback( 'blogs-loop-none' );
<?php bp_nouveau_user_feedback( 'blogs-loop-none' ); ?>
<?php endif; ?>
......
......@@ -23,7 +23,7 @@
<?php endif; ?>
<label for="group-name"><?php esc_html_e( 'Group Name (required)', 'buddypress' ); ?></label>
<input type="text" name="group-name" id="group-name" value="<?php bp_is_group_create() ? bp_new_group_name() : bp_group_name(); ?>" aria-required="true" />
<input type="text" name="group-name" id="group-name" value="<?php if ( bp_is_group_create() ) : echo esc_attr( bp_get_new_group_name() ); else : echo esc_attr( bp_get_group_name() ); endif; ?>" aria-required="true" />
<label for="group-desc"><?php esc_html_e( 'Group Description (required)', 'buddypress' ); ?></label>
<textarea name="group-desc" id="group-desc" aria-required="true"><?php bp_is_group_create() ? bp_new_group_description() : bp_group_description_editable(); ?></textarea>
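Review bot: The inline `if/else` in the `value` attribute at L286 is hard to read for what is a single escaped expression; `value="<?php echo esc_attr( bp_is_group_create() ? bp_get_new_group_name() : bp_get_group_name() ); ?>"` keeps the ternary the previous line used and still escapes both branches. The textarea at L288 keeps echoing `bp_new_group_description()` / `bp_group_description_editable()` directly; whether those helpers escape for HTML body context is outside this hunk, so it is worth checking alongside this change.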
......@@ -101,6 +101,12 @@ function bp_nouveau_ajax_mark_activity_favorite() {
wp_send_json_error();
}
$activity_id = (int) $_POST['id'];
$activity_item = new BP_Activity_Activity( $activity_id );
if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
wp_send_json_error();
}
if ( bp_activity_add_user_favorite( $_POST['id'] ) ) {
$response = array( 'content' => __( 'Remove Favorite', 'buddypress' ) );
......@@ -354,6 +360,12 @@ function bp_nouveau_ajax_new_activity_comment() {
wp_send_json_error( $response );
}
$activity_id = (int) $_POST['form_id'];
$activity_item = new BP_Activity_Activity( $activity_id );
if ( ! bp_activity_user_can_read( $activity_item ) ) {
wp_send_json_error( $response );
}
$comment_id = bp_activity_new_comment( array(
'activity_id' => $_POST['form_id'],
'content' => $_POST['content'],
......
......@@ -97,6 +97,10 @@ function bp_nouveau_ajax_joinleave_group() {
switch ( $_POST['action'] ) {
case 'groups_accept_invite':
if ( ! groups_check_user_has_invite( bp_loggedin_user_id(), $group_id ) ) {
wp_send_json_error( $response );
}
if ( ! groups_accept_invite( bp_loggedin_user_id(), $group_id ) ) {
$response = array(
'feedback' => sprintf(
......@@ -444,14 +448,30 @@ function bp_nouveau_ajax_remove_group_invite() {
$user_id = (int) $_POST['user'];
$group_id = bp_get_current_group_id();
$response = array(
'feedback' => __( 'Group invitation could not be removed.', 'buddypress' ),
'type' => 'error',
);
// Verify nonce
if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'groups_invite_uninvite_user' ) ) {
wp_send_json_error(
array(
'feedback' => __( 'Group invitation could not be removed.', 'buddypress' ),
'type' => 'error',
)
);
wp_send_json_error( $response );
}
// Verify pending invite.
$invites_args = array(
'is_confirmed' => false,
'is_banned' => null,
'is_admin' => null,
'is_mod' => null,
);
$invites = bp_get_user_groups( $user_id, $invites_args );
if ( empty( $invites ) ) {
wp_send_json_error( $response );
}
if ( ! groups_is_user_admin( bp_loggedin_user_id(), $group_id ) ) {
wp_send_json_error( $response );
}
if ( BP_Groups_Member::check_for_membership_request( $user_id, $group_id ) ) {
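Review bot: The pending-invite lookup at L338–L347 queries `bp_get_user_groups( $user_id, ... )` with no group constraint, so `empty( $invites )` only proves the user has a pending invite to some group, not to `$group_id`. If `bp_get_user_groups()` keys its results by group id, as I recall it does, the check should be `if ( empty( $invites[ $group_id ] ) )`; otherwise filter the result on `group_id` before testing it. I would also move the `groups_is_user_admin()` check at L348 ahead of the invite lookup so a non-admin caller is rejected before any membership data is read. The first hunk's `groups_check_user_has_invite()` guard at L314 has the right shape; bp_nouveau_ajax_remove_group_invite() continues after this hunk.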
......
......@@ -258,6 +258,12 @@ function bp_nouveau_get_group_potential_invites( $args = array() ) {
return false;
}
// Check the current user's access to the group.
$group = groups_get_group( $r['group_id'] );
if ( ! $group->user_has_access && ! bp_current_user_can( 'bp_moderate' ) ) {
return false;
}
/*
* If it's not a friend request and users can restrict invites to friends,
* make sure they are not displayed in results.
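Review bot: The new access check at L357–L360 relies on `$group->user_has_access`, which for a `group_id` matching no group is whatever `groups_get_group()` returns for a missing group; an explicit existence test makes the intent clear and does not depend on that: `if ( empty( $group->id ) || ( ! $group->user_has_access && ! bp_current_user_can( 'bp_moderate' ) ) )`. Whose access `user_has_access` describes (presumably the logged-in user's) is not visible here; a comment such as `// Only members (or moderators) may list potential invitees for a group.` would state the intended rule. bp_nouveau_get_group_potential_invites() starts before the hunk and continues after it.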
......
......@@ -415,7 +415,12 @@ function bp_nouveau_ajax_get_thread_messages() {
wp_send_json_error( $response );
}
$thread_id = (int) $_POST['id'];
$thread_id = (int) $_POST['id'];
if ( ! messages_is_valid_thread( $thread_id ) || ( ! messages_check_thread_access( $thread_id ) && ! bp_current_user_can( 'bp_moderate' ) ) ) {
wp_send_json_error();
}
$bp = buddypress();
$reset_action = $bp->current_action;
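Review bot: The new thread check at L370–L372 fails with a bare `wp_send_json_error()`, while the surrounding handler answers failures with `wp_send_json_error( $response )` (L366), so the client receives no feedback for an inaccessible or unknown thread; `wp_send_json_error( $response );` keeps the response shape consistent. The condition's ordering is right — validity first, then participant access, with `bp_moderate` as the only bypass — and deserves a one-line comment: `// Only participants (or moderators) may read a thread.` L368 and L369 show the cast line before and after the change, which appears to be a whitespace-only difference. bp_nouveau_ajax_get_thread_messages() starts before the hunk and continues after it.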
......
......@@ -345,7 +345,11 @@ window.bp = window.bp || {};
// Prepend a link to display all
if ( ! i ) {
$( item ).before( '<li class="show-all"><button class="text-button" type="button" data-bp-show-comments-id="#' + activity_item.prop( 'id' ) + '/show-all/"><span class="icon dashicons dashicons-visibility" aria-hidden="true"></span> ' + BP_Nouveau.show_x_comments.replace( '%d', comment_count ) + '</button></li>' );
var activity_id = activity_item.data( 'bpActivityId' );
if ( 'undefined' !== typeof activity_id ) {
activity_id = parseInt( activity_id, 10 );
$( item ).before( '<li class="show-all"><button class="text-button" type="button" data-bp-show-comments-id="#activity-' + activity_id + '/show-all/"><span class="icon dashicons dashicons-visibility" aria-hidden="true"></span> ' + BP_Nouveau.show_x_comments.replace( '%d', comment_count ) + '</button></li>' );
}
}
}
} );
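Review bot: `parseInt( activity_id, 10 )` at L382 yields `NaN` when the `data-bp-activity-id` attribute is present but not numeric, and L383 would then emit `data-bp-show-comments-id="#activity-NaN/show-all/"`; extend the guard to `if ( 'undefined' !== typeof activity_id && ! isNaN( parseInt( activity_id, 10 ) ) )`. Coercing the id to an integer is also what makes it safe to concatenate into the HTML string at L383, where the previous `activity_item.prop( 'id' )` was inserted verbatim; a short comment keeps the next editor from reverting it: `// Integer-coerce the id before building markup from it.` The enclosing handler starts before the hunk.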
......
......@@ -303,7 +303,7 @@ class BuddyPress {
/** Versions **********************************************************/
$this->version = '4.2.0';
$this->version = '4.3.0';
$this->db_version = 11105;
/** Loading ***********************************************************/
......
......@@ -2,9 +2,9 @@
Contributors: johnjamesjacoby, DJPaul, boonebgorges, r-a-y, imath, mercime, tw2113, dcavins, hnla, karmatosed, slaFFik, dimensionmedia, henrywright, netweb, offereins, espellcaste, modemlooper, danbp, Venutius, apeatling, shanebp
Tags: user profiles, activity streams, messaging, friends, user groups, notifications, community, social networking
Requires at least: 4.6
Tested up to: 5.0
Tested up to: 5.1
Requires PHP: 5.3
Stable tag: 4.2.0
Stable tag: 4.3.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
......@@ -126,6 +126,9 @@ Try <a href="https://wordpress.org/plugins/bbpress/">bbPress</a>. It integrates
== Upgrade Notice ==
= 4.3.0 =
See: https://codex.buddypress.org/releases/version-4-3-0/
= 4.2.0 =
See: https://codex.buddypress.org/releases/version-4-2-0/
......@@ -137,6 +140,9 @@ See: https://codex.buddypress.org/releases/version-4-0-0/
== Changelog ==
= 4.3.0 =
See: https://codex.buddypress.org/releases/version-4-3-0/
= 4.2.0 =
See: https://codex.buddypress.org/releases/version-4-2-0/
......