Feedback security / optimizations
-
has_required_level()always returns true regardless of user role
In class-bp-toolkit-report.php (line 75), has_required_level() is hardcoded to always return true. The function name implies a permission check, but no actual check is performed. This means the “Block” button is shown to every logged-in user with no way to restrict it by role or capability.This is not necessarily a bug if unrestricted blocking is the intended behaviour, but the misleading function name creates a false sense of security and makes future role-based restrictions impossible without a code change. We’d suggest either implementing an actual capability check (e.g.
current_user_can()), or renaming/documenting the function to make the intentional behaviour explicit.Admin AJAX handlers missing explicit capability check
Handlers such astoggle_uphold,toggle_suspension,toggle_moderation,quick_moderate,toggle_readandrebuild_blocksvalidate requests usingcheck_ajax_referer()but do not explicitly verify that the requesting user has the required admin capability (BPTK_ADMIN_CAPormanage_options).Under current WordPress this is transitively safe, the nonce is only available from admin pages. However, if a nonce were ever exposed (e.g. via a cached page or REST endpoint), there would be no capability check as a fallback.
Suggested fix: add
if ( ! current_user_can( BPTK_ADMIN_CAP ) ) { wp_die( -1, 403 ); }at the top of each handler, before any other logic.
You must be logged in to reply to this topic.