• has_required_level() always returns true regardless of user role
    In class-bp-toolkit-report.php (line 75), has_required_level() is hardcoded to always return true. The function name implies a permission check, but no actual check is performed. This means the “Block” button is shown to every logged-in user with no way to restrict it by role or capability.

    This is not necessarily a bug if unrestricted blocking is the intended behaviour, but the misleading function name creates a false sense of security and makes future role-based restrictions impossible without a code change. We’d suggest either implementing an actual capability check (e.g. current_user_can()), or renaming/documenting the function to make the intentional behaviour explicit.

    Admin AJAX handlers missing explicit capability check
    Handlers such as toggle_uphold, toggle_suspension, toggle_moderation, quick_moderate, toggle_read and rebuild_blocks validate requests using check_ajax_referer() but do not explicitly verify that the requesting user has the required admin capability (BPTK_ADMIN_CAP or manage_options).

    Under current WordPress this is transitively safe, the nonce is only available from admin pages. However, if a nonce were ever exposed (e.g. via a cached page or REST endpoint), there would be no capability check as a fallback.

    Suggested fix: add if ( ! current_user_can( BPTK_ADMIN_CAP ) ) { wp_die( -1, 403 ); } at the top of each handler, before any other logic.

You must be logged in to reply to this topic.