Forum Replies Created
After checking, I found that the endpoint did not verify user rights at all, and in fact, it did not handle the user_id mentioned in the handbook at all for creating activities.
As a patch, I asked AI to help me generate a plug-in. Anyone who needs it can directly store the following code as a PHP file and upload it to the plugins folder:
Allow administrators to create activities for other users through the API:
<?php
/**
 * Plugin Name: Admin API activity creates privilege
 * Description: Allows administrators to create activities on behalf of other users.
 * Version: 1.0.4
 * Author: Google Gemini Pro
 */

// Allow administrators to create activities on behalf of other users.
add_filter( 'bp_rest_activity_create_item_permissions_check', function( $retval, $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        $retval = true;
    }
    return $retval;
}, 10, 2 );

// Properly handle the user_id parameter when creating an activity.
// bp_activity_before_save is an action that receives the BP_Activity_Activity object;
// objects are passed by handle, so assigning user_id here is enough.
add_action( 'bp_activity_before_save', function( $activity ) {
    // Only an administrator may post on behalf of someone else. Without this check
    // any authenticated user could put a foreign user_id in the JSON body.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Get the raw request body and parse it as JSON.
    $body = file_get_contents( 'php://input' );
    $data = json_decode( $body, true );
    // Apply user_id only if it is present and names an existing user.
    if ( is_array( $data ) && isset( $data['user_id'] ) ) {
        $user_id = (int) $data['user_id'];
        if ( $user_id > 0 && get_userdata( $user_id ) ) {
            $activity->user_id = $user_id;
        }
    }
} );
Allow administrators to read other users' XProfile data through the API:
<?php
/**
 * Plugin Name: BuddyPress Admin API read XProfile privilege
 * Description: Allows administrators to read any user's XProfile data regardless of field visibility settings.
 * Version: 1.0.0
 * Author: Google Gemini Pro
 */

// Allow administrators to read all XProfile data.
add_filter( 'bp_rest_xprofile_data_get_item_permissions_check', function( $retval, $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Non-admins keep BuddyPress' own decision.
        return $retval;
    }
    // Check whether the field exists.
    $field = xprofile_get_field( (int) $request->get_param( 'field_id' ) );
    if ( ! $field ) {
        return new WP_Error( 'bp_rest_invalid_id', __( 'Invalid field ID.', 'buddypress' ), array( 'status' => 404 ) );
    }
    // Check whether the user exists.
    $user = get_userdata( (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'bp_rest_member_invalid_id', __( 'Invalid member ID.', 'buddypress' ), array( 'status' => 404 ) );
    }
    return true;
}, 10, 2 );
I am pretty sure this is a bug, or the API handbook has not been maintained for many years. In the long run, maybe someone should fix these issues in the core program rather than using the temporary plugins I provide.
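Added example, not the poster's plugin and not BuddyPress code: a tighter version of the first workaround above. Instead of re-reading `php://input` inside `bp_activity_before_save` (which fires for every activity save, REST or not, and has no idea who is asking), it reads `user_id` from the `WP_REST_Request` object that the permissions filter already receives, validates it there, and arms a one-request override that only an administrator can set. It assumes, as the post above found, that the create endpoint itself ignores `user_id`; the plugin header, class name and method names are made up for the example.

```php
<?php
/**
 * Plugin Name: BP Admin Activity On Behalf (added example, not BuddyPress code)
 * Description: Lets an administrator create an activity for another user via the BP REST API without trusting php://input.
 */

final class BP_Admin_Activity_On_Behalf {

    /** @var int|null user_id requested by an administrator in the current REST request, null = no override. */
    private static $target_user_id = null;

    public static function init() {
        add_filter( 'bp_rest_activity_create_item_permissions_check', array( __CLASS__, 'permissions_check' ), 10, 2 );
        add_action( 'bp_activity_before_save', array( __CLASS__, 'before_save' ) );
        add_action( 'bp_activity_after_save', array( __CLASS__, 'reset' ) );
    }

    /**
     * Runs before the REST create handler. This is the only place with access to the
     * WP_REST_Request, so it is the only place user_id is read and validated.
     */
    public static function permissions_check( $retval, WP_REST_Request $request ) {
        self::$target_user_id = null; // Never inherit state from an earlier request.

        if ( ! current_user_can( 'manage_options' ) ) {
            return $retval; // Non-admins: BuddyPress' own decision stands, no override armed.
        }

        // get_param() returns the raw value even when the endpoint schema lacks user_id,
        // so it is not sanitised for us: cast and check it ourselves.
        $user_id = (int) $request->get_param( 'user_id' );
        if ( $user_id <= 0 || $user_id === get_current_user_id() ) {
            return true; // No override requested, or admin posting as themselves.
        }
        if ( ! get_userdata( $user_id ) ) {
            return new WP_Error(
                'bp_rest_member_invalid_id',
                __( 'Invalid member ID.', 'buddypress' ),
                array( 'status' => 404 )
            );
        }

        self::$target_user_id = $user_id;
        return true;
    }

    /** Applies the armed override to a new activity only; the object is passed by handle. */
    public static function before_save( $activity ) {
        if ( null === self::$target_user_id ) {
            return;
        }
        // Re-check at save time and never rewrite the author of an existing activity.
        if ( current_user_can( 'manage_options' ) && empty( $activity->id ) ) {
            $activity->user_id = self::$target_user_id;
        }
    }

    /** Disarm after the first save so nothing else in the same request can reuse it. */
    public static function reset() {
        self::$target_user_id = null;
    }
}

BP_Admin_Activity_On_Behalf::init();
```

The difference from the original workaround is where trust is established: the override exists only between a passed admin permission check and the next activity save, so a non-admin sending `user_id` in the JSON body gets exactly the behaviour BuddyPress gives them today, and an admin who mistypes the ID gets a 404 instead of an activity silently attributed to themselves.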
The same problem seems to appear at other endpoints. I tried to create an Activity with a different user_id with the admin account, and it also returned the same error message.
Ok, is there an available plugin for this now?