Issue with Account Settings Page Access (Admins vs. Subscribers)

  • pantone
    Participant

    @pantone

    I’ve been testing BuddyPress on a private site of mine and noticed an issue with the Account Settings page. Apologies in advance for the long writeup.

    Some background information that could help:

    First, I have two registered users on the site that I’ve created for testing. Let’s say the users are: Admin1 (administrator role) and Subscriber1 (subscriber role). Second, this is how the Account Settings Page URL looks on my site: “example.com/username/”. The Account Settings Page is where users can change their own email address or password associated with their account.

    The scenarios below:

    If I am logged in as user Admin1 and go to Admin1’s Account Settings Page at “example.com/admin1/”, I can change the email and password associated with Admin1’s account. This is fine because I am in fact logged in as Admin1. However, while I am logged in as Admin1, if I type the following in my browser: “example.com/subscriber1” (this is the Account Settings Page for the other user, Subscriber1), I notice that I can make changes to the email address and password associated with Subscriber1’s account. I imagine I am able to do this because I am an admin, correct?

    I tried this same scenario, but this time with the Subscriber1 account logged in (keep in mind: Subscriber1 only has a subscriber role) and typed in my browser the Account Settings Page URL for Admin1 (“example.com/admin1/”). However, this time, I receive an error message from my browser with a message that states that the page isn’t redirecting properly. I imagine this is happening because a user with a subscriber role cannot access another user account that is “higher” than their account (in this case, an admin).

    My question is – instead of the subscriber receiving an error, can the page just redirect to the homepage or to their own account settings page? Or would it be possible for the link to redirect to the author page (“example.com/author/username”) of the other user?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Andrew Tibbetts
    Participant

    @andrewgtibbetts

    I am experiencing the same thing. If I am logged in as an admin, I can see and visit any user’s settings—but not if I am logged in as an author. Also, I have a few modifications in bp-custom.php (bp_core_remove_subnav_item( 'settings', 'general' );, bp_core_new_nav_default(array('parent_slug' => $bp->settings->slug,'screen_function' => 'bp_core_screen_notification_settings','subnav_slug' => 'notifications'));) that are ignored on the “other user’s” ill-accessed settings nav.

  • r-a-y
    Moderator

    @r-a-y

    I just tried to duplicate what both of you were experiencing in BuddyPress 1.6.1.

    I logged in as a regular member and tried to navigate to another member’s settings page. It redirects me back to the member’s home page.

    I’ve read issues similar to both of you about the redirect issue.

    You can try removing the canonical redirect. Do this by adding one of the following in /wp-content/plugins/bp-custom.php:
    add_filter( 'bp_do_redirect_canonical', '__return_false' );

    remove_action( 'bp_template_redirect', 'bp_redirect_canonical', 2 );

    And see if that helps.
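
One way to get the behaviour asked about in the opening post, shown as an added example that is not part of the thread or of BuddyPress itself: a guard in bp-custom.php that sends a member who opens another member's Settings page to their own Settings page. The function name is hypothetical, and letting users with the bp_moderate capability through is an assumption based on the admin behaviour described in the thread.

```php
<?php
// Added example for /wp-content/plugins/bp-custom.php; not code from the thread.
// The function name my_bp_guard_settings_pages is hypothetical.

/**
 * Redirect members who open someone else's Settings screens to their own
 * Settings page, with an explicit owner/moderator check.
 */
function my_bp_guard_settings_pages() {
	// Only act on a member's Settings component screens.
	if ( ! bp_is_user() || ! bp_is_settings_component() ) {
		return;
	}

	// Logged-out visitors have no Settings page of their own: send them home.
	if ( ! is_user_logged_in() ) {
		bp_core_redirect( home_url( '/' ) );
	}

	// The account owner may edit their own email address and password.
	if ( bp_is_my_profile() ) {
		return;
	}

	// Assumption: site moderators/admins keep access to other members' settings.
	// Delete this check to restrict them to their own account as well.
	if ( bp_current_user_can( 'bp_moderate' ) ) {
		return;
	}

	// Everyone else lands on their own Settings page.
	// bp_core_redirect() sends the redirect and stops execution.
	bp_core_redirect( bp_loggedin_user_domain() . bp_get_settings_slug() . '/' );
}
// Priority 1 runs this check early on bp_actions.
add_action( 'bp_actions', 'my_bp_guard_settings_pages', 1 );
```

To check it, log in as a subscriber, request another member's Settings URL, and confirm the response is a redirect to the subscriber's own Settings page rather than a redirect loop.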
