From 663b061b1dc2adbb5ebe427b4ae75d839cb2505d Mon Sep 17 00:00:00 2001
From: Kartik Suthar <kartik@buddyboss.com>
Date: Tue, 17 Dec 2024 18:37:31 +0530
Subject: [PATCH] PROD-8149 - Pulled API changes

---
 ...lass-bp-rest-activity-comment-endpoint.php | 26 +++++++++++++++++++
 .../class-bp-rest-activity-endpoint.php       | 15 +++++++++++
 src/endpoints/api_project.js                  |  2 +-
 src/endpoints/api_project.json                |  2 +-
 4 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
index 55909adaea..65bbdc54ec 100644
--- a/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
+++ b/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
@@ -214,6 +214,16 @@ public function get_items_permissions_check( $request ) {
 			);
 		}
 
+		if ( true === $retval && ! $this->can_see( $request ) ) {
+			$retval = new WP_Error(
+				'bp_rest_authorization_required',
+				__( 'Sorry, you cannot view the activity comment.', 'buddyboss' ),
+				array(
+					'status' => rest_authorization_required_code(),
+				)
+			);
+		}
+
 		/**
 		 * Filter the activity comment permissions check.
 		 *
@@ -1151,6 +1161,22 @@ public function validate_activity_comment_request( $request ) {
 	 * @since 0.1.0
 	 */
 	protected function can_see( $request ) {
+
+		// Check if the user can read the activity as per privacy settings.
+		if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+			$privacy_check = bb_validate_activity_privacy(
+				array(
+					'activity_id'     => $request['id'],
+					'validate_action' => 'view_activity',
+					'user_id'         => bp_loggedin_user_id(),
+				)
+			);
+
+			if ( is_wp_error( $privacy_check ) ) {
+				return false;
+			}
+		}
+
 		$activity_comment = $this->get_activity_comment_object( $request );
 
 		return ( ! empty( $activity_comment ) && bp_activity_user_can_read( $activity_comment, bp_loggedin_user_id() ) );
diff --git a/src/bp-activity/classes/class-bp-rest-activity-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
index 299a6c737f..02c9e75556 100644
--- a/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
+++ b/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
@@ -2540,6 +2540,21 @@ protected function prepare_links( $activity ) {
 	 * @since 0.1.0
 	 */
 	protected function can_see( $request ) {
+		// Check if the user can read the activity as per privacy settings.
+		if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+			$privacy_check = bb_validate_activity_privacy(
+				array(
+					'activity_id'     => $request['id'],
+					'validate_action' => 'view_activity',
+					'user_id'         => bp_loggedin_user_id(),
+				)
+			);
+
+			if ( is_wp_error( $privacy_check ) ) {
+				return false;
+			}
+		}
+
 		$activity = $this->get_activity_object( $request );
 
 		return ( ! empty( $activity ) ? bp_activity_user_can_read( $activity, bp_loggedin_user_id() ) : false );
diff --git a/src/endpoints/api_project.js b/src/endpoints/api_project.js
index 4d2451b10a..294e6f95c3 100644
--- a/src/endpoints/api_project.js
+++ b/src/endpoints/api_project.js
@@ -13,7 +13,7 @@ define({
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2024-11-22T13:04:15.023Z",
+    "time": "2024-12-17T13:06:44.549Z",
     "url": "http://apidocjs.com",
     "version": "0.22.1"
   }
diff --git a/src/endpoints/api_project.json b/src/endpoints/api_project.json
index 9f53dc28cd..dc617c2f7e 100644
--- a/src/endpoints/api_project.json
+++ b/src/endpoints/api_project.json
@@ -13,7 +13,7 @@
   "apidoc": "0.3.0",
   "generator": {
     "name": "apidoc",
-    "time": "2024-11-22T13:04:15.023Z",
+    "time": "2024-12-17T13:06:44.549Z",
     "url": "http://apidocjs.com",
     "version": "0.22.1"
   }