Security issue

Using this patch resolves:

— includes/buddypress-profile-privacy.php 2018-04-09 18:20:20.000000000 +0100
+++ includes/buddypress-profile-privacy.php 2018-04-09 18:20:26.000000000 +0100
@@ -92,6 +92,7 @@
‘show_for_displayed_user’ => true,
‘parent_url’ => trailingslashit( $bp->loggedin_user->domain . $bp->slug . “settings” ),
‘parent_slug’ => ‘settings’,
+ ‘user_has_access’ => bp_core_can_edit_settings()
) );

}

Well spotted Jose! Could you please tell me where I should paste your patch? I know almost nothing about coding, so I tried it in the bp-custom.php file but obviously that was a mistake because it gave errors.

PS. I don’t want to sound mean, I do appreciate everyone’s effort in providing free plugins, but don’t you think that 3 stars is way too generous and gives the wrong picture? This is a huge security issue for a social network and basically makes the plugin useless until it is fixed.

Thanks

1. You have to edit the file: /wp-content/plugins/simple-buddypress-profile-privacy/includes/buddypress-profile-privacy.php

2. Find the function sbpp04_profile_settings_nav

3. And change for this:
function sbpp04_profile_settings_nav()
{
global $bp;

bp_core_new_subnav_item(array(
‘name’ => __(‘Privacy Settings’, ‘simple-buddypress-profile-privacy’),
‘slug’ => ‘privacy-settings’,
‘position’ => 30,
‘screen_function’ => ‘sbpp04_privacy_screen’,
‘show_for_displayed_user’ => true,
‘parent_url’ => trailingslashit(bp_core_get_user_domain(bp_displayed_user_id()) . “settings”),
‘parent_slug’ => ‘settings’,
‘user_has_access’ => bp_core_can_edit_settings()

));
}

The important part is:
‘user_has_access’ => bp_core_can_edit_settings ()

Do not forget the comma before!

If I can help with anything else, just say so!

As for the three stars, I believe they have been fair at a certain time.
Errors even happen in software such as the Linux Kernel. This is due to the software being in constant development.
However I think it is lack of responsibility not to correct a mistake having knowledge of it.
Also I think we should all rate the plugins we use, this way that develops has some feedback. Keeping software always up to date requires time that is sometimes not even recognized.

Actually I can not modify the settings at the moment. It must have been due to another plugin or else I tested badly.
However, it is still bad to get into the profile of others without permission.

Yes, I agree. I did respond to this thread with that information when you first made the post. I have no idea why it didn’t show up. I’m hoping that @harry74 decides to update his review since a lot of hard work went into this (and still is).

I’ll be posting an incremental update to the plugin with your fix later today. I was trying to push out the larger update I have been working on but updates to BuddyPress got in the way. I’ll post here after I make the update.

OK thank you!

Already updated it. I just wish WP would fix this bug, where in the main plugin screen it still shows the old rating after having updated it.

José I don’t think it’s another plugin, since I tested both times with the same ones activated. BTW, thanks a bunch for explaining how to implement your patch, worked like a charm.

Apart from that, I’m trying to find a way to disable the “Post in” dropdown menu when a user posts something on the activity stream. I find it confusing and I’d like the post to go by default wherever the user is. If he’s in his profile, post to his profile; if he is in a group page, post to the group’s page etc. I’m pretty sure there’s no plugin that does that, I’ve searched for hours. Could you tell me if this is something that could be done fairly easily by a coder or if it requires a lot of work?

Thanks in advance!

@harry74 I appreciate it. I do see the new rating now. I think there is just a delay.

@harry74 I can help about “Post in”, but by email, because it is out of context.
My email is [email protected]

The new update is live. If you guys could test it and confirm it’s working for you I’d appreciate it.

The problem with showing the profile has been resolved.

Thank you!

If the translation into Portuguese is important I can help.

The problem is solved.

Excellent. Thank you for the assist. You both get props in the dev notes for the plugin.

@fencer04 Just tested it myself, with the new BP update 3.1.0 too. Problem solved. Good job. Thanks!

@jomisica I’ll email you asap ([email protected]). Thank you for offering to help!

• This reply was modified 6 years, 9 months ago by harry74.