Ticket #7048: 7048-4.diff

src/bp-activity/bp-activity-functions.php

@@ -3077 +3077 @@
         return apply_filters_ref_array( 'bp_activity_get_permalink', array( $link, &$activity_obj ) );
 }
 
+/**
+ * Can a user see a particular activity item?
+ *
+ * @since 3.0.0
+ *
+ * @param  BP_Activity_Activity $activity Activity object.
+ * @param  integer              $user_id  User ID.
+ * @return boolean True on success, false on failure.
+ */
+function bp_activity_user_can_read( $activity, $user_id = 0 ) {
+        $bp     = buddypress();
+        $retval = false;
+
+        // Fallback.
+        if ( empty( $user_id ) ) {
+                $user_id = bp_loggedin_user_id();
+        }
+
+        // Admins and moderators can see everything.
+        if ( bp_current_user_can( 'bp_moderate' ) ) {
+                $retval = true;
+        }
+
+        // If activity author match user, allow access as well.
+        if ( $user_id === $activity->user_id ) {
+                $retval = true;
+        }
+
+        // If activity is from a group, do an extra cap check.
+        if ( ! $retval && bp_is_active( 'groups' ) && $activity->component === $bp->groups->id ) {
+                $group_id = $activity->item_id;
+
+                // Check to see if the user has access to the activity's parent group.
+                $group = groups_get_group( $group_id );
+                if ( $group ) {
+                        $retval = $group->user_has_access;
+                }
+
+                // Group admins and mods have access as well.
+                if ( groups_is_user_admin( $user_id, $group_id ) || groups_is_user_mod( $user_id, $group_id ) ) {
+                        $retval = true;
+                }
+        }
+
+        /**
+         * Filters whether the current user has access to an activity item.
+         *
+         * @since 3.0.0
+         *
+         * @param bool                 $retval   Return value.
+         * @param int                  $user_id  Current user ID.
+         * @param BP_Activity_Activity $activity Activity object.
+         */
+        return apply_filters( 'bp_activity_user_can_read', $retval, $user_id, $activity );
+}
+
 /**
  * Hide a user's activity.
  *

src/bp-activity/bp-activity-screens.php

@@ -195 +195 @@
  *
  * @since 1.2.0
  *
+ * @return bool|string Boolean on false or the template for a single activity item on success.
  */
 function bp_activity_screen_single_activity_permalink() {
-        $bp = buddypress();
-
         // No displayed user or not viewing activity component.
-        if ( !bp_is_activity_component() )
+        if ( ! bp_is_activity_component() ) {
                 return false;
+        }
 
-        if ( ! bp_current_action() || !is_numeric( bp_current_action() ) )
+        $action = bp_current_action();
+        if ( ! $action || ! is_numeric( $action ) ) {
                 return false;
+        }
 
         // Get the activity details.
-        $activity = bp_activity_get_specific( array( 'activity_ids' => bp_current_action(), 'show_hidden' => true, 'spam' => 'ham_only', ) );
+        $activity = bp_activity_get_specific( array(
+                'activity_ids' => $action,
+                'show_hidden'  => true,
+                'spam'         => 'ham_only',
+        ) );
 
         // 404 if activity does not exist
         if ( empty( $activity['activities'][0] ) || bp_action_variables() ) {
@@ -218 +224 @@
                 $activity = $activity['activities'][0];
         }
 
-        // Default access is true.
-        $has_access = true;
-
-        // If activity is from a group, do an extra cap check.
-        if ( isset( $bp->groups->id ) && $activity->component == $bp->groups->id ) {
-
-                // Activity is from a group, but groups is currently disabled.
-                if ( !bp_is_active( 'groups') ) {
-                        bp_do_404();
-                        return;
-                }
-
-                // Check to see if the user has access to to the activity's parent group.
-                if ( $group = groups_get_group( $activity->item_id ) ) {
-                        $has_access = $group->user_has_access;
-                }
-        }
-
-        // If activity author does not match displayed user, block access.
-        if ( true === $has_access && bp_displayed_user_id() !== $activity->user_id ) {
-                $has_access = false;
-        }
-
         /**
-         * Filters the access permission for a single activity view.
+         * Check user access to the activity item.
          *
-         * @since 1.2.0
-         *
-         * @param array $access Array holding the current $has_access value and current activity item instance.
+         * @since 3.0.0
          */
-        $has_access = apply_filters_ref_array( 'bp_activity_permalink_access', array( $has_access, &$activity ) );
+        $has_access = bp_activity_user_can_read( $activity, bp_displayed_user_id() );
 
         /**
          * Fires before the loading of a single activity template file.
@@ -273 +254 @@
                 } else {
                         $url = sprintf(
                                 wp_login_url( 'wp-login.php?redirect_to=%s' ),
-                                esc_url_raw( bp_activity_get_permalink( bp_current_action() ) )
+                                esc_url_raw( bp_activity_get_permalink( $action ) )
                         );
                 }
 
@@ -287 +268 @@
          *
          * @param string $template Path to the activity template to load.
          */
-        bp_core_load_template( apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' ) );
+        $template = apply_filters( 'bp_activity_template_profile_activity_permalink', 'members/single/activity/permalink' );
+
+        // Load the template.
+        bp_core_load_template( $template );
 }
 add_action( 'bp_screens', 'bp_activity_screen_single_activity_permalink' );
 

tests/phpunit/testcases/activity/functions.php

@@ -1475 +1475 @@
                 $this->assertSame( array(), $found['activities'] );
         }
 
+        /**
+         * @group bp_activity_user_can_read
+         */
+        public function test_user_can_access_their_own_activity() {
+                $u = self::factory()->user->create();
+
+                $a = self::factory()->activity->create( array(
+                        'user_id' => $u,
+                ) );
+
+                $o = self::factory()->activity->get_object_by_id( $a );
+
+                $this->assertTrue( bp_activity_user_can_read( $o, $u ) );
+        }
+
+        /**
+         * @group bp_activity_user_can_read
+         */
+        public function test_user_cant_access_someone_elses_activity() {
+                $u = self::factory()->user->create();
+                $u2 = self::factory()->user->create();
+
+                $a = self::factory()->activity->create( array(
+                        'user_id' => $u2,
+                ) );
+
+                $o = self::factory()->activity->get_object_by_id( $a );
+
+                $this->assertFalse( bp_activity_user_can_read( $o, $u ) );
+        }
+
+        /**
+         * @group bp_activity_user_can_read
+         */
+        public function test_group_admin_access_to_someone_elses_activity() {
+                $u = self::factory()->user->create();
+
+                $g = self::factory()->group->create( array(
+                        'status' => 'public',
+                ) );
+
+                $a = self::factory()->activity->create( array(
+                        'component' => buddypress()->groups->id,
+                        'user_id'   => $u,
+                        'item_id'   => $g,
+                ) );
+
+                $o = self::factory()->activity->get_object_by_id( $a );
+
+                $c = self::factory()->user->create();
+                self::add_user_to_group( $c, $g );
+
+                $m1 = new BP_Groups_Member( $c, $g );
+                $m1->promote( 'admin' );
+
+                $this->assertTrue( bp_activity_user_can_read( $o, $c ) );
+        }
+
+        /**
+         * @group bp_activity_user_can_read
+         */
+        public function test_admin_access_to_someone_elses_activity() {
+                $u = self::factory()->user->create();
+                $u2 = self::factory()->user->create( array( 'role' => 'administrator' ) );
+
+                $a = self::factory()->activity->create( array(
+                        'user_id' => $u,
+                ) );
+
+                $o = self::factory()->activity->get_object_by_id( $a );
+
+                $this->set_current_user( $u2 );
+                $this->assertTrue( bp_activity_user_can_read( $o, $u2 ) );
+        }
+
         public function check_activity_caches() {
                 foreach ( $this->acaches as $k => $v ) {
                         $this->acaches[ $k ] = wp_cache_get( $k, 'bp_activity' );