From 03fad04a432cb8a5bc3a7ba2d01ca588ba41b2a9 Mon Sep 17 00:00:00 2001
From: Boone B Gorges
Date: Thu, 25 Apr 2019 14:12:34 +0000
Subject: [PATCH] Activity: Ensure items can only be favorited by those with read access.

git-svn-id: https://buddypress.svn.wordpress.org/trunk@12365 cdf35c40-ae34-48e0-9cc9-0c9da1808c22
---
 src/bp-activity/actions/favorite.php | 5 +++++
 src/bp-templates/bp-legacy/buddypress-functions.php | 6 ++++++
 src/bp-templates/bp-nouveau/includes/activity/ajax.php | 6 ++++++
 3 files changed, 17 insertions(+)

diff --git a/src/bp-activity/actions/favorite.php b/src/bp-activity/actions/favorite.php
index 297ee96f57..02cd10f080 100644
--- a/src/bp-activity/actions/favorite.php
+++ b/src/bp-activity/actions/favorite.php
@@ -21,6 +21,11 @@ function bp_activity_action_mark_favorite() {
 // Check the nonce.
 check_admin_referer( 'mark_favorite' );
 
+ $activity_item = new BP_Activity_Activity( bp_action_variable( 0 ) );
+ if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+ return false;
+ }
+
 if ( bp_activity_add_user_favorite( bp_action_variable( 0 ) ) )
 bp_core_add_message( __( 'Activity marked as favorite.', 'buddypress' ) );
 else
diff --git a/src/bp-templates/bp-legacy/buddypress-functions.php b/src/bp-templates/bp-legacy/buddypress-functions.php
index 75bdbeaae0..a4a1d1f4c4 100644
--- a/src/bp-templates/bp-legacy/buddypress-functions.php
+++ b/src/bp-templates/bp-legacy/buddypress-functions.php
@@ -1242,6 +1242,12 @@ function bp_legacy_theme_mark_activity_favorite() {
 return;
 }
 
+ $activity_id = (int) $_POST['id'];
+ $activity_item = new BP_Activity_Activity( $activity_id );
+ if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+ return;
+ }
+
 if ( bp_activity_add_user_favorite( $_POST['id'] ) )
 _e( 'Remove Favorite', 'buddypress' );
 else
diff --git a/src/bp-templates/bp-nouveau/includes/activity/ajax.php b/src/bp-templates/bp-nouveau/includes/activity/ajax.php
index 759032ce65..11c988fddb 100644
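Review bot: The item is built from the raw `bp_action_variable( 0 )` on the first added line, whereas the other two hunks in this commit cast `$_POST['id']` to `(int)` before constructing `BP_Activity_Activity`; doing the same here keeps the three read checks consistent and avoids passing an arbitrary string into the constructor, e.g. `$activity_id = (int) bp_action_variable( 0 );` followed by `new BP_Activity_Activity( $activity_id )` and `bp_activity_add_user_favorite( $activity_id )`. Whether `bp_activity_user_can_read()` denies access when the id does not load into a real item is not visible in this hunk and is worth confirming, since otherwise a non-existent id still reaches `bp_activity_add_user_favorite()`. The body of bp_activity_action_mark_favorite() starts and continues outside the hunk, so the meaning of the `return false;` to its caller cannot be checked here.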
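Review bot: The read check on the added lines is evaluated against `$activity_id = (int) $_POST['id']`, but the unchanged line below still calls `bp_activity_add_user_favorite( $_POST['id'] )` with the raw value, so the id that was authorized and the id that is favorited may differ when the input is not a plain integer string; pass the cast value through, `if ( bp_activity_add_user_favorite( $activity_id ) )`. The same cast-then-raw split appears in the bp-nouveau ajax.php hunk of this commit. The bare `return;` on denial leaves the AJAX caller with an empty response rather than an explicit failure; if the legacy handlers have an error convention, using it here would make the denial observable, though the rest of bp_legacy_theme_mark_activity_favorite() lies outside the hunk.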
--- a/src/bp-templates/bp-nouveau/includes/activity/ajax.php
+++ b/src/bp-templates/bp-nouveau/includes/activity/ajax.php
@@ -101,6 +101,12 @@ function bp_nouveau_ajax_mark_activity_favorite() {
 wp_send_json_error();
 }
 
+ $activity_id = (int) $_POST['id'];
+ $activity_item = new BP_Activity_Activity( $activity_id );
+ if ( ! bp_activity_user_can_read( $activity_item, bp_loggedin_user_id() ) ) {
+ wp_send_json_error();
+ }
+
 if ( bp_activity_add_user_favorite( $_POST['id'] ) ) {
 $response = array( 'content' => __( 'Remove Favorite', 'buddypress' ) );