Activity: Ensure items can only be favorited by those with read access.

git-svn-id: https://buddypress.svn.wordpress.org/trunk@12365 cdf35c40-ae34-48e0-9cc9-0c9da1808c22

src/bp-activity/actions/favorite.php

@@ -21,6 +21,11 @@ function bp_activity_action_mark_favorite() {
 	// Check the nonce.
 	check_admin_referer( 'mark_favorite' );
 
+	$activity_item = new BP_Activity_Activity( bp_action_variable( 0 ) );
+	if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+		return false;
+	}
+
 	if ( bp_activity_add_user_favorite( bp_action_variable( 0 ) ) )
 		bp_core_add_message( __( 'Activity marked as favorite.', 'buddypress' ) );
 	else

src/bp-templates/bp-legacy/buddypress-functions.php

@@ -1242,6 +1242,12 @@ function bp_legacy_theme_mark_activity_favorite() {
 		return;
 	}
 
+	$activity_id   = (int) $_POST['id'];
+	$activity_item = new BP_Activity_Activity( $activity_id );
+	if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+		return;
+	}
+
 	if ( bp_activity_add_user_favorite( $_POST['id'] ) )
 		_e( 'Remove Favorite', 'buddypress' );
 	else

src/bp-templates/bp-nouveau/includes/activity/ajax.php

@@ -101,6 +101,12 @@ function bp_nouveau_ajax_mark_activity_favorite() {
 		wp_send_json_error();
 	}
 
+	$activity_id   = (int) $_POST['id'];
+	$activity_item = new BP_Activity_Activity( $activity_id );
+	if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+		wp_send_json_error();
+	}
+
 	if ( bp_activity_add_user_favorite( $_POST['id'] ) ) {
 		$response = array( 'content' => __( 'Remove Favorite', 'buddypress' ) );