
I have BuddyPress social networks in a multi-network WordPress install (WordPress multisite), thanks to the LH Buddypress Multi Network plugin.

How can I prevent people from accessing a profile page from another blog?

For example: teacherSite, teacherUser; studentSite, studentUser.

I have restricted access to the site for non-members. teacherUser can only connect on teacherSite, and he can't see users from other blogs in the directory.

If studentUser knows the teacherUser username, or if he finds or tests it…

He can go to:

studentSite.domain.com/members/teacherUser/

And he can see the profile of teacherUser even though teacherUser is not linked to studentSite.

Fortunately, there is no information (because everything else is well segregated) except the name and the gravatar.

But he can still make a connection request or send him a private message! teacherUser will not see any notification on teacherSite, but he will potentially receive an email that redirects him to studentSite, which he is not able to connect to.

How can I avoid this?

Olivier

1 Answer

I'm guessing BuddyPress has roughly the same user management system as WordPress.

We could compare the current user role with the queried user role. If they're different, we block and redirect.

<?php

/**
 * Compare the queried user role with the current user role.
 * If they don't match, restrict profile access and redirect to the current user's profile.
 *
 * Exceptions:
 * - the current user IS the queried user;
 * - the current user IS an Admin or Super Admin.
 */
add_action( 'wp', function() {

    if ( is_author() && get_queried_object() instanceof \WP_User ) {

        // Copy the role arrays into variables first: reset() takes its argument
        // by reference, so passing a function call directly raises a notice.
        $queried_roles = get_queried_object()->roles;
        $current_roles = wp_get_current_user()->roles;

        // @see https://wordpress.org/support/article/roles-and-capabilities/#capability-vs-role-table
        if ( reset( $queried_roles ) === reset( $current_roles ) || get_current_user_id() === get_queried_object_id() || current_user_can( 'manage_options' ) ) {
            return;
        }

        // The Refresh header requires the "url=" directive; send the viewer back
        // to their own profile after 2 seconds. esc_url_raw() is used because the
        // value goes into an HTTP header, not into HTML.
        header( 'Refresh: 2; url=' . esc_url_raw( get_author_posts_url( get_current_user_id() ) ) );

        $args = array(
            'back_link' => true,
        );

        wp_die( "Error, Restricted access. You're not allowed to view this profile.", 'Error, Restricted access', $args );
    }

} );
amarinediary
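A variant of the same idea that checks site membership rather than roles, since the question is about users who belong to another site of the network. This is an added example, not the answer's or the plugin's code; it assumes BuddyPress is active and that a user "linked" to a site means `is_user_member_of_blog()` returns true for that site, and uses the BuddyPress functions `bp_is_user()`, `bp_displayed_user_id()` and `bp_loggedin_user_id()` together with the `bp_template_redirect` action.

```php
<?php
/**
 * Added example (not from the original answer): on a multisite + BuddyPress
 * install, refuse to render a member profile whose user holds no role on the
 * current site. Assumes bp_is_user(), bp_displayed_user_id(),
 * bp_loggedin_user_id() and the bp_template_redirect action from BuddyPress;
 * is_user_member_of_blog(), is_super_admin(), status_header(),
 * nocache_headers() and wp_die() are WordPress core.
 */
add_action( 'bp_template_redirect', function () {
    // Only act on single-member pages (site.domain.com/members/<username>/...).
    if ( ! bp_is_user() ) {
        return;
    }

    $displayed = (int) bp_displayed_user_id();
    $viewer    = (int) bp_loggedin_user_id();
    $blog_id   = get_current_blog_id();

    // Exceptions: viewing your own profile, or being a network super admin.
    // A logged-out viewer has id 0, so is_super_admin( 0 ) is false.
    if ( $displayed === $viewer || is_super_admin( $viewer ) ) {
        return;
    }

    // The displayed user must be a member of this site; otherwise they belong
    // to another network and their profile must not be reachable from here.
    if ( is_user_member_of_blog( $displayed, $blog_id ) ) {
        return;
    }

    // Deny before any profile template (and its message / friend buttons) renders.
    // Answering 404 rather than 403 does not confirm that the username exists
    // elsewhere in the network.
    status_header( 404 );
    nocache_headers();
    wp_die(
        esc_html__( 'This profile is not available on this site.' ),
        esc_html__( 'Not found' ),
        array( 'response' => 404, 'back_link' => true )
    );
} );
```

This only covers the profile URL itself; the compose-message and friend-request forms post to the sender's own profile, so a complete fix applies the same membership check to the recipient when those requests are saved server-side.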