After checking, I found that the endpoint did not verify user rights at all, and in fact, it did not handle the user_id mentioned in the handbook at all for creating activities.
As a patch, I asked AI to help me generate a plug-in. Anyone who needs it can save the following code as a PHP file and upload it to the plugins directory:
Allow administrators to create activities for other users through the API:
<?php
/**
 * Plugin Name: Admin API activity creates privilege
 * Description: Allows administrators to create activities on behalf of other users.
 * Version: 1.0.4
 * Author: Google Gemini Pro
 */

// Allow administrators to create activities on behalf of other users
add_filter( 'bp_rest_activity_create_item_permissions_check', function( $retval, $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        $retval = true;
    }
    return $retval;
}, 10, 2 );

// Properly handle the user_id parameter when creating an activity
add_filter( 'bp_activity_before_save', function( $activity_data ) {
    // Only honor user_id for administrators on REST requests. This hook runs on
    // every activity save, so without this check any user who can post an
    // activity could attribute it to another user.
    if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST || ! current_user_can( 'manage_options' ) ) {
        return $activity_data;
    }
    // Get request body content
    $body = file_get_contents( 'php://input' );
    // Parse JSON data
    $data = json_decode( $body, true );
    // Check whether the user_id parameter exists and refers to a real user
    if ( isset( $data['user_id'] ) && is_numeric( $data['user_id'] ) && get_userdata( (int) $data['user_id'] ) ) {
        // Modify the user_id property of the $activity_data object
        $activity_data->user_id = (int) $data['user_id'];
    }
    return $activity_data;
} );
Allow administrators to obtain other users' XProfiles through the API:
<?php
/**
 * Plugin Name: BuddyPress Admin API read XProfile privilege
 * Description: Allows administrators to read any user's XProfile data regardless of field visibility settings.
 * Version: 1.0.0
 * Author: Google Gemini Pro
 */

// Allow administrators to read all XProfile data
add_filter( 'bp_rest_xprofile_data_get_item_permissions_check', function( $retval, $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        // Check whether the field exists
        $field = xprofile_get_field( $request->get_param( 'field_id' ) );
        if ( $field ) {
            // Check whether the user exists
            $user = get_userdata( $request->get_param( 'user_id' ) );
            if ( $user ) {
                $retval = true;
            } else {
                $retval = new WP_Error(
                    'bp_rest_member_invalid_id',
                    __( 'Invalid member ID.', 'buddypress' ),
                    array( 'status' => 404 )
                );
            }
        } else {
            $retval = new WP_Error(
                'bp_rest_invalid_id',
                __( 'Invalid field ID.', 'buddypress' ),
                array( 'status' => 404 )
            );
        }
    }
    return $retval;
}, 10, 2 );
I am pretty sure this is a bug, or the API handbook has not been maintained for many years. In the long run, maybe someone should fix these issues in the core program rather than using the temporary plugins I provide.