BuddyPress.org

The last couple months I’ve only worked with the latest SVN. Haven’t even looked at the stable branch once, so if someone else could check this bug, that’d be awesome. Basically, when you handtype in an url to the edit page, that has been created using the extension API, then you get access to that page even though you’re logged out. That shouldn’t happen. Depending on what you use it for, there might be some confidential information present.

It’s easy to fix as well. In bp-groups-classes.php around line 1026, just add

if ( !$bp->is_item_admin )
return false;

right after this line:

if ( $this->enable_edit_item ) {

So yeah, if someone could get back with a confirmation, I’ll open a new ticket.