Title: Feedback security / optimizations
Last modified: June 27, 2026

---

# Feedback security / optimizations

 *  [wpuser](https://wordpress.org/support/users/forinn/)
 * (@forinn)
 * [1 week, 2 days ago](https://wordpress.org/support/topic/feedback-security-optimizations/)
 * ** `has_required_level()`** **always returns true regardless of user role**
   In
   class-bp-toolkit-report.php (line 75), has_required_level() is hardcoded to always
   return true. The function name implies a permission check, but no actual check
   is performed. This means the “Block” button is shown to every logged-in user 
   with no way to restrict it by role or capability.
 * This is not necessarily a bug if unrestricted blocking is the intended behaviour,
   but the misleading function name creates a false sense of security and makes 
   future role-based restrictions impossible without a code change. We’d suggest
   either implementing an actual capability check (e.g. `current_user_can()`), or
   renaming/documenting the function to make the intentional behaviour explicit.
 * **Admin AJAX handlers missing explicit capability check**
   Handlers such as `toggle_uphold`,`
   toggle_suspension`, `toggle_moderation`, `quick_moderate`, `toggle_read` and `
   rebuild_blocks` validate requests using `check_ajax_referer()` but do not explicitly
   verify that the requesting user has the required admin capability (`BPTK_ADMIN_CAP`
   or `manage_options`).
 * Under current WordPress this is transitively safe, the nonce is only available
   from admin pages. However, if a nonce were ever exposed (e.g. via a cached page
   or REST endpoint), there would be no capability check as a fallback.
 * Suggested fix: add `if ( ! current_user_can( BPTK_ADMIN_CAP ) ) { wp_die( -1,
   403 ); }` at the top of each handler, before any other logic.

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Ffeedback-security-optimizations%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/bp-toolkit/assets/icon-256x256.jpg?rev=2181049)
 * [Block, Suspend, Report for BuddyPress](https://wordpress.org/plugins/bp-toolkit/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/bp-toolkit/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/bp-toolkit/)
 * [Active Topics](https://wordpress.org/support/plugin/bp-toolkit/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/bp-toolkit/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/bp-toolkit/reviews/)

 * 0 replies
 * 1 participant
 * Last reply from: [wpuser](https://wordpress.org/support/users/forinn/)
 * Last activity: [1 week, 2 days ago](https://wordpress.org/support/topic/feedback-security-optimizations/)
 * Status: not resolved