Earn achievements ajax function only loads current users achievements

[micaiahwallace]

Description

The badgeos_ajax_get_earned_achievements function passes get_current_user_id() into the database query that loads achievement results. This bypasses and ignores the user_id url query parameter.

Steps to Reproduce

1. Install the following:
   • WordPress 5.4.1
   • BadgeOS 3.5.1
   • BadgeOS Community Add-On 1.2.8
   • Buddypress 6.0.0
2. Create 2 user accounts (user1 and user2)
3. Setup permalink structure for BadgeOS
4. Setup a single badge "badge1" and assign it to user1

Actual result:

• While logged in to user1 you can see badge1 on both user1 and user2's member page.
• While logged in to user2 or not logged in at all, no badges will show for any members.

Expected result:

• Viewing user1's member page from any account or anonymously should display badge1.
• Viewing user2's member page from any account or anonymously should display no badges.

Product Versions

• WordPress 5.4.1
• BadgeOS 3.5.1
• BadgeOS Community Add-On 1.2.8
• Buddypress 6.0.0

Additional Information

N/A

[micaiahwallace]

Temporary fix is to change lines 259-260 on includes/ajax-functions.php

from:

$qry .= " and user_id = '".get_current_user_id()."' ";
$total_qry .= " and user_id = '".get_current_user_id()."' ";

to:

$qry .= " and user_id = '".$user_id."' ";
$total_qry .= " and user_id = '".$user_id."' ";