
Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • @xiaoyao

    Participant

    After checking, I found that the endpoint did not verify user rights at all, and in fact, it did not handle the user_id mentioned in the handbook at all for creating activities.

    As a patch, I asked an AI to help me generate a plug-in. Anyone who needs it can save the following code as a PHP file and upload it to the plugins directory:

    Allow administrators to create activities for other users through the API:

    <?php
    /**
     * Plugin Name: Admin API activity creates privilege
     * Description: Allows administrators to create activities on behalf of other users.
     * Version: 1.0.4
     * Author: Google Gemini Pro
     */
    
    // Allow administrators to create activities on behalf of other users.
    add_filter( 'bp_rest_activity_create_item_permissions_check', function( $retval, $request ) {
        if ( current_user_can( 'manage_options' ) ) {
            $retval = true;
        }
        return $retval;
    }, 10, 2 );
    
    // Properly handle the user_id parameter when creating an activity.
    // bp_activity_before_save is an action that receives the BP_Activity_Activity
    // object by reference, so changes made here persist without a return value.
    add_action( 'bp_activity_before_save', function( $activity_data ) {
        // Only an administrator handling a REST request may override the author;
        // without this gate any member could post as another user by sending user_id.
        if ( ! ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || ! current_user_can( 'manage_options' ) ) {
            return;
        }
    
        // Get the raw request body.
        $body = file_get_contents( 'php://input' );
    
        // Parse the JSON data.
        $data = json_decode( $body, true );
    
        // Check whether a user_id parameter exists and names a real user.
        if ( is_array( $data ) && isset( $data['user_id'] ) ) {
            $user_id = absint( $data['user_id'] );
            if ( $user_id && get_userdata( $user_id ) ) {
                // Modify the user_id property of the activity object.
                $activity_data->user_id = $user_id;
            }
        }
    } );

    Allow administrators to obtain other users' XProfiles through the API:

    <?php
    /**
     * Plugin Name: BuddyPress Admin API read XProfile privilege
     * Description: Allows administrators to read any user's XProfile data regardless of field visibility settings.
     * Version: 1.0.0
     * Author: Google Gemini Pro
     */
    
    // Allow administrators to read all XProfile data.
    add_filter( 'bp_rest_xprofile_data_get_item_permissions_check', function( $retval, $request ) {
        if ( current_user_can( 'manage_options' ) ) {
            // Check whether the field exists (IDs are cast to int before lookup).
            $field = xprofile_get_field( absint( $request->get_param( 'field_id' ) ) );
            if ( $field ) {
                // Check whether the user exists.
                $user = get_userdata( absint( $request->get_param( 'user_id' ) ) );
                if ( $user ) {
                    $retval = true;
                } else {
                    $retval = new WP_Error(
                        'bp_rest_member_invalid_id',
                        __( 'Invalid member ID.', 'buddypress' ),
                        array( 'status' => 404 )
                    );
                }
            } else {
                $retval = new WP_Error(
                    'bp_rest_invalid_id',
                    __( 'Invalid field ID.', 'buddypress' ),
                    array( 'status' => 404 )
                );
            }
        }
        return $retval;
    }, 10, 2 );

    I am pretty sure this is a bug, or the API handbook has not been maintained for many years. In the long run, maybe someone should fix these issues in the core program rather than using the temporary plugins I provide.
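The plugins above widen what administrators may do; the flip side for a site owner is making sure nobody below administrator can smuggle a foreign user_id into an activity create request. The following is an added example (not code from the poster, from BuddyPress, or from the plugins above) of a small mu-plugin that enforces that rule at the REST layer and logs rejected attempts. It assumes the BuddyPress REST route for creating activities is POST /buddypress/v1/activity and uses the WordPress core filter rest_request_before_callbacks, which runs before the endpoint's own permission callback.

```php
<?php
/**
 * Plugin Name: Restrict activity author override to administrators (added example)
 * Description: Rejects REST activity-create requests that set user_id unless the
 *              caller is an administrator, and logs rejected attempts for review.
 */

// Assumed BuddyPress REST route for creating activities.
define( 'BP_EXAMPLE_ACTIVITY_CREATE_ROUTE', '/buddypress/v1/activity' );

/**
 * Decide whether a caller may set user_id on a new activity.
 * Kept free of WordPress calls so the rule can be unit-tested on its own.
 *
 * @param int  $caller_id       ID of the authenticated user (0 if anonymous).
 * @param bool $caller_is_admin Whether the caller has the manage_options capability.
 * @param mixed $requested_id   user_id supplied in the request body.
 * @return bool
 */
function bp_example_author_override_allowed( $caller_id, $caller_is_admin, $requested_id ) {
    $requested_id = max( 0, (int) $requested_id );
    // No override requested, or the caller is naming themselves: always fine.
    if ( 0 === $requested_id || $requested_id === (int) $caller_id ) {
        return true;
    }
    // Posting as somebody else is reserved for administrators.
    return (bool) $caller_is_admin;
}

// Runs before the endpoint callback and its permission check are invoked.
add_filter( 'rest_request_before_callbacks', function( $response, $handler, $request ) {
    // Another filter already rejected the request; leave its error in place.
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 'POST' !== $request->get_method()
        || BP_EXAMPLE_ACTIVITY_CREATE_ROUTE !== $request->get_route() ) {
        return $response;
    }

    $requested = $request->get_param( 'user_id' );
    if ( null === $requested ) {
        return $response; // Nothing to check.
    }

    $caller_id = get_current_user_id();
    if ( bp_example_author_override_allowed( $caller_id, current_user_can( 'manage_options' ), $requested ) ) {
        return $response;
    }

    // Record the rejected attempt so it reaches the PHP error log (and any log shipper).
    error_log( sprintf(
        'bp_example: user %d tried to create an activity as user %d from %s',
        $caller_id,
        (int) $requested,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'bp_example_author_override_forbidden',
        'Only administrators may create activities on behalf of other users.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

Returning a WP_Error from rest_request_before_callbacks short-circuits the request with that error, so the endpoint's create callback never runs for a rejected request; the decision itself lives in bp_example_author_override_allowed so it can be checked without loading WordPress.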

    @xiaoyao

    Participant

    The same problem seems to appear at other endpoints. I tried to create an Activity with a different user_id with the admin account, and it also returned the same error message.

    @xiaoyao

    Participant

    Ok, is there an available plugin for this now?
