From 6ae7971d00328d7fb4eb2826e261a50f2acaeb6e Mon Sep 17 00:00:00 2001
From: Mohammed Noumaan Ahamed <mohamed.ahamed@rtcamp.com>
Date: Wed, 21 Jan 2026 12:17:57 +0530
Subject: [PATCH 1/4] fix: enhance security for AJAX activity comment retrieval

---
 templates/media/godam-integration.php | 102 +++++++++++++++++++++++++-
 1 file changed, 99 insertions(+), 3 deletions(-)

diff --git a/templates/media/godam-integration.php b/templates/media/godam-integration.php
index b06831e6f..fec1f719c 100644
--- a/templates/media/godam-integration.php
+++ b/templates/media/godam-integration.php
@@ -183,14 +183,15 @@ function ( $content ) {
 
 	/**
 	 * Handle AJAX request for loading a single activity comment's HTML.
+	 * Note: Only registered for logged-in users (wp_ajax_) for security.
 	 */
 	add_action( 'wp_ajax_get_single_activity_comment_html', 'handle_get_single_activity_comment_html' );
-	add_action( 'wp_ajax_nopriv_get_single_activity_comment_html', 'handle_get_single_activity_comment_html' );
 
 	/**
 	 * AJAX handler to fetch and return the HTML for a single activity comment.
 	 *
 	 * Validates the request, loads the activity comment by ID,
+	 * verifies the user has permission to view it,
 	 * renders its HTML using the BuddyPress template, and returns it in a JSON response.
 	 *
 	 * @return void Outputs JSON response with rendered HTML or error message.
@@ -198,15 +199,25 @@ function ( $content ) {
 	function handle_get_single_activity_comment_html() {
 		check_ajax_referer( 'godam-ajax-nonce', 'nonce' );
 
+		// Require user to be logged in.
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( 'Authentication required', 403 );
+		}
+		
 		$activity_id = isset( $_POST['comment_id'] ) ? intval( $_POST['comment_id'] ) : 0;
 
 		if ( ! $activity_id ) {
-			wp_send_json_error( 'Invalid activity ID' );
+			wp_send_json_error( 'Invalid activity ID', 400 );
 		}
 
 		$activity = new BP_Activity_Activity( $activity_id );
 		if ( empty( $activity->id ) ) {
-			wp_send_json_error( 'Activity comment not found' );
+			wp_send_json_error( 'Activity comment not found', 404 );
+		}
+
+		// Verify user has permission to view this activity.
+		if ( ! godam_user_can_view_activity( $activity ) ) {
+			wp_send_json_error( 'You do not have permission to view this activity', 403 );
 		}
 
 		global $activities_template;
@@ -230,6 +241,91 @@ function handle_get_single_activity_comment_html() {
 		wp_send_json_success( array( 'html' => $html ) );
 	}
 
+	/**
+	 * Check if the current user can view a specific activity.
+	 *
+	 * This function implements permission checks for activities from groups and profiles.
+	 * It ensures that private group activities and private profile activities are only
+	 * accessible to users with appropriate permissions.
+	 *
+	 * @param BP_Activity_Activity $activity The activity object to check permission for.
+	 *
+	 * @return bool True if the user can view the activity, false otherwise.
+	 */
+	function godam_user_can_view_activity( $activity ) {
+		$current_user_id = get_current_user_id();
+
+		// User must be logged in to view non-public activities.
+		if ( ! $current_user_id ) {
+			return false;
+		}
+
+		// Admins can view everything.
+		if ( current_user_can( 'manage_options' ) ) {
+			return true;
+		}
+
+		// If activity is from a group, verify user is a member of non-public groups.
+		if ( isset( $activity->component ) && 'groups' === $activity->component ) {
+			// Check if BuddyPress groups component is active.
+			if ( ! function_exists( 'groups_get_group' ) ) {
+				return false;
+			}
+
+			$group = groups_get_group( array( 'group_id' => $activity->item_id ) );
+
+			if ( empty( $group ) ) {
+				// Group not found.
+				return false;
+			}
+
+			// Public groups are accessible to all logged-in users.
+			if ( 'public' === $group->status ) {
+				return true;
+			}
+
+			// For private/hidden groups, user must be a member.
+			if ( ! function_exists( 'groups_is_user_member' ) ) {
+				return false;
+			}
+
+			return groups_is_user_member( $current_user_id, $group->id );
+		}
+
+		// For profile/activity updates, check ownership and privacy.
+		if ( isset( $activity->component ) && 'profile' === $activity->component ) {
+			$activity_author = intval( $activity->user_id );
+
+			// User can always view their own activities.
+			if ( $activity_author === $current_user_id ) {
+				return true;
+			}
+
+			// Check if activity has privacy restrictions.
+			if ( function_exists( 'bp_activity_user_can_read' ) ) {
+				return bp_activity_user_can_read( $activity, $current_user_id );
+			}
+
+			// If privacy is enabled via rtMedia, apply additional checks.
+			if ( function_exists( 'is_rtmedia_privacy_enable' ) && is_rtmedia_privacy_enable() ) {
+				// Check if activity is public or if user has access via friendship.
+				if ( isset( $activity->privacy ) && 'private' === $activity->privacy ) {
+					// Check friendship if friends component is active.
+					if ( function_exists( 'friends_check_friendship' ) ) {
+						return friends_check_friendship( $current_user_id, $activity_author );
+					}
+					return false;
+				}
+			}
+
+			// Default: allow access to public profile activities.
+			return true;
+		}
+
+		// For other components, allow access by default (logged-in users).
+		return true;
+	}
+
 }
 
 /**

From b3aab4a87359c7c0ff25395858729963984f173e Mon Sep 17 00:00:00 2001
From: Mohammed Noumaan Ahamed <mohamed.ahamed@rtcamp.com>
Date: Wed, 21 Jan 2026 12:29:40 +0530
Subject: [PATCH 2/4] fix: update error code in Godam integration

---
 templates/media/godam-integration.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/media/godam-integration.php b/templates/media/godam-integration.php
index fec1f719c..20289c627 100644
--- a/templates/media/godam-integration.php
+++ b/templates/media/godam-integration.php
@@ -201,9 +201,9 @@ function handle_get_single_activity_comment_html() {
 
 		// Require user to be logged in.
 		if ( ! is_user_logged_in() ) {
-			wp_send_json_error( 'Authentication required', 403 );
+			wp_send_json_error( 'Authentication required', 401 );
 		}
-		
+
 		$activity_id = isset( $_POST['comment_id'] ) ? intval( $_POST['comment_id'] ) : 0;
 
 		if ( ! $activity_id ) {

From 045df29b7d3f013bee3a838027d8b47d47b87210 Mon Sep 17 00:00:00 2001
From: Mohammed Noumaan Ahamed <mohamed.ahamed@rtcamp.com>
Date: Wed, 21 Jan 2026 14:39:21 +0530
Subject: [PATCH 3/4] fix: make error message strings translatable

---
 templates/media/godam-integration.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/media/godam-integration.php b/templates/media/godam-integration.php
index 20289c627..4e2049453 100644
--- a/templates/media/godam-integration.php
+++ b/templates/media/godam-integration.php
@@ -201,23 +201,23 @@ function handle_get_single_activity_comment_html() {
 
 		// Require user to be logged in.
 		if ( ! is_user_logged_in() ) {
-			wp_send_json_error( 'Authentication required', 401 );
+			wp_send_json_error( __( 'Authentication required', 'buddypress-media' ), 401 );
 		}
 
 		$activity_id = isset( $_POST['comment_id'] ) ? intval( $_POST['comment_id'] ) : 0;
 
 		if ( ! $activity_id ) {
-			wp_send_json_error( 'Invalid activity ID', 400 );
+			wp_send_json_error( __( 'Invalid activity ID', 'buddypress-media' ), 400 );
 		}
 
 		$activity = new BP_Activity_Activity( $activity_id );
 		if ( empty( $activity->id ) ) {
-			wp_send_json_error( 'Activity comment not found', 404 );
+			wp_send_json_error( __( 'Activity comment not found', 'buddypress-media' ), 404 );
 		}
 
 		// Verify user has permission to view this activity.
 		if ( ! godam_user_can_view_activity( $activity ) ) {
-			wp_send_json_error( 'You do not have permission to view this activity', 403 );
+			wp_send_json_error( __( 'You do not have permission to view this activity', 'buddypress-media' ), 403 );
 		}
 
 		global $activities_template;

From 270596ac47c3217340b2de3e966e94fe1c2f1d52 Mon Sep 17 00:00:00 2001
From: Mohammed Noumaan Ahamed <mohamed.ahamed@rtcamp.com>
Date: Wed, 21 Jan 2026 15:50:25 +0530
Subject: [PATCH 4/4] fix: update activity permission check to rtmedia

---
 templates/media/godam-integration.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/media/godam-integration.php b/templates/media/godam-integration.php
index 4e2049453..a3f46df5d 100644
--- a/templates/media/godam-integration.php
+++ b/templates/media/godam-integration.php
@@ -216,7 +216,7 @@ function handle_get_single_activity_comment_html() {
 		}
 
 		// Verify user has permission to view this activity.
-		if ( ! godam_user_can_view_activity( $activity ) ) {
+		if ( ! rtmedia_user_can_view_activity( $activity ) ) {
 			wp_send_json_error( __( 'You do not have permission to view this activity', 'buddypress-media' ), 403 );
 		}
 
@@ -252,7 +252,7 @@ function handle_get_single_activity_comment_html() {
 	 *
 	 * @return bool True if the user can view the activity, false otherwise.
 	 */
-	function godam_user_can_view_activity( $activity ) {
+	function rtmedia_user_can_view_activity( $activity ) {
 		$current_user_id = get_current_user_id();
 
 		// User must be logged in to view non-public activities.