Merge pull request #4583 from buddyboss/PROD-8149

PROD-8149
buddyboss · Dec 17, 2024 · 36dafce · 36dafce
2 parents 20d5f87 + 663b061
commit 36dafce
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 2 deletions.
diff --git a/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
@@ -214,6 +214,16 @@ public function get_items_permissions_check( $request ) {
 			);
 		}
 
+		if ( true === $retval && ! $this->can_see( $request ) ) {
+			$retval = new WP_Error(
+				'bp_rest_authorization_required',
+				__( 'Sorry, you cannot view the activity comment.', 'buddyboss' ),
+				array(
+					'status' => rest_authorization_required_code(),
+				)
+			);
+		}
+
 		/**
 		 * Filter the activity comment permissions check.
 		 *
@@ -1151,6 +1161,22 @@ public function validate_activity_comment_request( $request ) {
 	 * @since 0.1.0
 	 */
 	protected function can_see( $request ) {
+
+		// Check if the user can read the activity as per privacy settings.
+		if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+			$privacy_check = bb_validate_activity_privacy(
+				array(
+					'activity_id'     => $request['id'],
+					'validate_action' => 'view_activity',
+					'user_id'         => bp_loggedin_user_id(),
+				)
+			);
+
+			if ( is_wp_error( $privacy_check ) ) {
+				return false;
+			}
+		}
+
 		$activity_comment = $this->get_activity_comment_object( $request );
 
 		return ( ! empty( $activity_comment ) && bp_activity_user_can_read( $activity_comment, bp_loggedin_user_id() ) );

diff --git a/src/bp-activity/classes/class-bp-rest-activity-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
@@ -2540,6 +2540,21 @@ protected function prepare_links( $activity ) {
 	 * @since 0.1.0
 	 */
 	protected function can_see( $request ) {
+		// Check if the user can read the activity as per privacy settings.
+		if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+			$privacy_check = bb_validate_activity_privacy(
+				array(
+					'activity_id'     => $request['id'],
+					'validate_action' => 'view_activity',
+					'user_id'         => bp_loggedin_user_id(),
+				)
+			);
+
+			if ( is_wp_error( $privacy_check ) ) {
+				return false;
+			}
+		}
+
 		$activity = $this->get_activity_object( $request );
 
 		return ( ! empty( $activity ) ? bp_activity_user_can_read( $activity, bp_loggedin_user_id() ) : false );

diff --git a/src/endpoints/api_project.js b/src/endpoints/api_project.js
@@ -13,7 +13,7 @@ define({
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2024-11-22T13:04:15.023Z",
+    "time": "2024-12-17T13:06:44.549Z",
     "url": "http://apidocjs.com",
     "version": "0.22.1"
   }

diff --git a/src/endpoints/api_project.json b/src/endpoints/api_project.json
@@ -13,7 +13,7 @@
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2024-11-22T13:04:15.023Z",
+    "time": "2024-12-17T13:06:44.549Z",
     "url": "http://apidocjs.com",
     "version": "0.22.1"
   }