How To Secure Buddypress Ajax Tabs

Hi,

I have ajaxified my subnav menu as the page reload was ruining the user experience (in my opinion).

It's the first time I have done AJAX for secured BuddyPress pages and I'm not sure how to secure access.

To illustrate the problem, here is a snippet of the code:

function bp_legacy_theme_tab_template_loader() {
    // Bail if not a POST action
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
        return;
    }

    // Sanitize the object. sanitize_title() strips slashes and dots, so the
    // path built below cannot traverse directories, but it says nothing about
    // whether the caller is allowed to see the tab.
    $section = sanitize_title( $_POST['section'] );
    $tab     = sanitize_title( $_POST['tab'] );

    // Just doing the members section; this would be expanded for all sections.
    // Has to be specified like this or the menu is loaded twice.
    $path = 'members/single/' . $section . '/' . $tab;

    // Locate and load the template, then end the AJAX response
    bp_get_template_part( $path );
    exit();
}

This code would be hooked onto an AJAX action. It just passes the section and tab to load.

In its current form it works fine for my small test and it loads my profile tabs nicely. However, there is no validation, so any logged-out user can modify the POST and view the details of any page, such as hidden profile fields or messages and the like.

To be honest, I don't even know why my code works. How is it determining the current user? I tried on a few different profiles I set up and it works. I guess WordPress must set a referrer somewhere for AJAX requests that BuddyPress reads.

What should I do to validate this so it doesn't show pages that should be hidden? I did some googling and nonces were suggested, but that would not stop logged-in users from viewing other users' pages that they should not be able to; it would just stop logged-out users (I think).

Any help appreciated. I know I ask questions that are a bit more awkward than the typical how-to-use-a-plugin stuff. I am really amazed at the great responses you guys give. Thanks in advance 🙂
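The question above separates into three distinct checks that the posted snippet lacks: a nonce (is this request from a page we served?), authentication (is anyone logged in?), and authorization (may this user see this tab of that profile?). The following is an added example written for this thread; it is not the poster's code and not part of BuddyPress. It assumes the client posts `section`, `tab`, `user_id` and `nonce` fields, that the nonce is created with `wp_create_nonce( 'bp_tab_loader' )`, that the allowlist matches the templates the theme ships under `members/single/`, and that the `displayed_user` fields set near the end are the ones the bp-legacy templates read; all of those are assumptions, not facts from the original post.

```php
<?php
/**
 * Added example (not the poster's code, not BuddyPress core): a hardened
 * AJAX tab loader. Assumed POST fields: section, tab, user_id, nonce.
 * Assumed nonce action: 'bp_tab_loader'. Allowlist below is hypothetical.
 */

// Templates this endpoint may render, keyed by section. The boolean marks a
// tab as private (profile owner or bp_moderate capability only).
function bp_tab_loader_allowlist() {
	return array(
		'profile'       => array( 'public' => false, 'edit' => true, 'change-avatar' => true ),
		'messages'      => array( 'messages-loop' => true, 'compose' => true ),
		'notifications' => array( 'notifications-loop' => true ),
	);
}

// Authorization decision: may the current user see $tab of $user_id's profile?
// Returns true or a WP_Error carrying the HTTP status to send back.
function bp_tab_loader_check_access( $section, $tab, $user_id ) {
	$allow = bp_tab_loader_allowlist();
	if ( ! isset( $allow[ $section ][ $tab ] ) ) {
		return new WP_Error( 'unknown_tab', 'Unknown section/tab', array( 'status' => 400 ) );
	}
	if ( ! $user_id || ! get_userdata( $user_id ) ) {
		return new WP_Error( 'unknown_user', 'Unknown user', array( 'status' => 404 ) );
	}
	$is_private = $allow[ $section ][ $tab ];
	$is_owner   = ( $user_id === bp_loggedin_user_id() );
	$can_mod    = bp_current_user_can( 'bp_moderate' );
	if ( $is_private && ! $is_owner && ! $can_mod ) {
		return new WP_Error( 'forbidden', 'Not your profile', array( 'status' => 403 ) );
	}
	return true;
}

function bp_legacy_theme_tab_template_loader() {
	if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
		wp_send_json_error( 'POST required', 405 );
	}

	// 1. Nonce: proves the request came from a page this user loaded (CSRF).
	//    check_ajax_referer() dies with "-1" on failure. This is not the
	//    authorization check; a valid nonce only says "our page sent this".
	check_ajax_referer( 'bp_tab_loader', 'nonce' );

	// 2. Authentication. The hook is registered for wp_ajax_ only (no
	//    wp_ajax_nopriv_), but say so explicitly rather than rely on that.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'Login required', 401 );
	}

	// 3. Validate input against the allowlist. sanitize_key() reduces the
	//    values to [a-z0-9_-]; sanitising is not the same as allowing.
	$section = isset( $_POST['section'] ) ? sanitize_key( wp_unslash( $_POST['section'] ) ) : '';
	$tab     = isset( $_POST['tab'] ) ? sanitize_key( wp_unslash( $_POST['tab'] ) ) : '';
	$user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

	// 4. Authorize for the user named in the request, never for whatever
	//    BuddyPress may have inferred from the client-controlled Referer.
	$ok = bp_tab_loader_check_access( $section, $tab, $user_id );
	if ( is_wp_error( $ok ) ) {
		$data = $ok->get_error_data();
		wp_send_json_error( $ok->get_error_message(), $data['status'] );
	}

	// 5. Point the templates at the authorized user. Assumption: these are
	//    the displayed_user fields the bp-legacy member templates read.
	$bp = buddypress();
	$bp->displayed_user->id       = $user_id;
	$bp->displayed_user->userdata = get_userdata( $user_id );
	$bp->displayed_user->fullname = bp_core_get_user_displayname( $user_id );
	$bp->displayed_user->domain   = bp_core_get_user_domain( $user_id );

	bp_get_template_part( 'members/single/' . $section . '/' . $tab );
	exit;
}
// Logged-in users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_bp_load_tab', 'bp_legacy_theme_tab_template_loader' );

// Hand the nonce and the profile's user ID to the script that fires the
// request (assumed script handle 'bp-tab-ajax', enqueued elsewhere).
function bp_tab_loader_localize() {
	wp_localize_script( 'bp-tab-ajax', 'bpTabLoader', array(
		'ajaxurl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'bp_tab_loader' ),
		'userId'  => bp_displayed_user_id(),
	) );
}
add_action( 'wp_enqueue_scripts', 'bp_tab_loader_localize' );
```

The nonce answers the poster's CSRF worry and nothing else; the `bp_tab_loader_check_access()` decision is what stops a logged-in member from fetching another member's messages or edit tab by changing `user_id` or `tab` in the POST body. Anything the client can set, including the Referer header a browser sends to `admin-ajax.php`, is input to be validated, not a source of identity. On BuddyPress 12 and later `bp_core_get_user_domain()` is deprecated in favour of `bp_members_get_user_url()`; swap that one line if your install warns about it.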