diff --git a/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
index 55909adaea..65bbdc54ec 100644
--- a/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
+++ b/src/bp-activity/classes/class-bp-rest-activity-comment-endpoint.php
@@ -214,6 +214,16 @@ public function get_items_permissions_check( $request ) {
 );
 }
+ if ( true === $retval && ! $this->can_see( $request ) ) {
+ $retval = new WP_Error(
+ 'bp_rest_authorization_required',
+ __( 'Sorry, you cannot view the activity comment.', 'buddyboss' ),
+ array(
+ 'status' => rest_authorization_required_code(),
+ )
+ );
+ }
+
 /**
 * Filter the activity comment permissions check.
 *
@@ -1151,6 +1161,22 @@ public function validate_activity_comment_request( $request ) {
 * @since 0.1.0
 */
 protected function can_see( $request ) {
+
+ // Check if the user can read the activity as per privacy settings.
+ if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+ $privacy_check = bb_validate_activity_privacy(
+ array(
+ 'activity_id' => $request['id'],
+ 'validate_action' => 'view_activity',
+ 'user_id' => bp_loggedin_user_id(),
+ )
+ );
+
+ if ( is_wp_error( $privacy_check ) ) {
+ return false;
+ }
+ }
+
 $activity_comment = $this->get_activity_comment_object( $request );
 return ( ! empty( $activity_comment ) && bp_activity_user_can_read( $activity_comment, bp_loggedin_user_id() ) );
diff --git a/src/bp-activity/classes/class-bp-rest-activity-endpoint.php b/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
index 299a6c737f..02c9e75556 100644
--- a/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
+++ b/src/bp-activity/classes/class-bp-rest-activity-endpoint.php
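Review bot: The new guard in get_items_permissions_check makes the collection permission depend on `can_see( $request )`, which (per the second hunk of this file) returns false unless `get_activity_comment_object( $request )` resolves a non-empty comment; if a list request carries only the parent activity id and no comment identifier, every collection call would be rejected with the authorization error. Whether that object lookup copes with a collection request is not visible in this diff, so confirm it against `get_activity_comment_object` before merging. get_items_permissions_check starts and ends outside the hunk. If the intent is only to enforce the parent activity's privacy for the listing, a comment such as `// Deny the listing when the parent activity's privacy or the comment object forbids viewing.` would make the dependency explicit.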
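Review bot: The privacy check added to can_see is fail-open in two ways: it is skipped entirely when `$request['id']` is empty or when `bb_validate_activity_privacy` is not loaded, and a denial is recognised only when the helper returns a WP_Error, so any other negative result (for example `false`, if the helper can return one — its contract is not visible here) falls through to `bp_activity_user_can_read`. The same block is duplicated verbatim in can_see of class-bp-rest-activity-endpoint.php (the @@ -2540 hunk), so a shared helper taking the activity id would keep both endpoints in step whenever the denial semantics change. At minimum, document the fall-through with `// Privacy validation is skipped when no id is supplied or the helper is unavailable; bp_activity_user_can_read() remains the last check.` and decide whether an unavailable helper should be treated as a denial if the privacy rules are mandatory. can_see's closing brace is outside the hunk.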
@@ -2540,6 +2540,21 @@ protected function prepare_links( $activity ) {
 * @since 0.1.0
 */
 protected function can_see( $request ) {
+ // Check if the user can read the activity as per privacy settings.
+ if ( ! empty( $request['id'] ) && function_exists( 'bb_validate_activity_privacy' ) ) {
+ $privacy_check = bb_validate_activity_privacy(
+ array(
+ 'activity_id' => $request['id'],
+ 'validate_action' => 'view_activity',
+ 'user_id' => bp_loggedin_user_id(),
+ )
+ );
+
+ if ( is_wp_error( $privacy_check ) ) {
+ return false;
+ }
+ }
+
 $activity = $this->get_activity_object( $request );
 return ( ! empty( $activity ) ? bp_activity_user_can_read( $activity, bp_loggedin_user_id() ) : false );
diff --git a/src/endpoints/api_project.js b/src/endpoints/api_project.js
index 4d2451b10a..294e6f95c3 100644
--- a/src/endpoints/api_project.js
+++ b/src/endpoints/api_project.js
@@ -13,7 +13,7 @@ define({
 "apidoc": "0.3.0",
 "generator": {
 "name": "apidoc",
- "time": "2024-11-22T13:04:15.023Z",
+ "time": "2024-12-17T13:06:44.549Z",
 "url": "http://apidocjs.com",
 "version": "0.22.1"
 }
diff --git a/src/endpoints/api_project.json b/src/endpoints/api_project.json
index 9f53dc28cd..dc617c2f7e 100644
--- a/src/endpoints/api_project.json
+++ b/src/endpoints/api_project.json
@@ -13,7 +13,7 @@
 "apidoc": "0.3.0",
 "generator": {
 "name": "apidoc",
- "time": "2024-11-22T13:04:15.023Z",
+ "time": "2024-12-17T13:06:44.549Z",
 "url": "http://apidocjs.com",
 "version": "0.22.1"
 }