Added password reset limit and other fixes

core/um-actions-password.php

@@ -40,6 +40,7 @@
 		
 		delete_user_meta( $args['user_id'], 'reset_pass_hash');
 		delete_user_meta( $args['user_id'], 'reset_pass_hash_token');
+		delete_user_meta( $args['user_id'], 'password_rst_attempts');
 
 		do_action('um_after_changing_user_password', $args['user_id'] );
 		
@@ -105,7 +106,19 @@
 		$user = $_POST['username_b'];
 		
 		if ( ( !is_email( $user ) && !username_exists( $user ) ) || ( is_email( $user ) && !email_exists( $user ) ) ) {
-			$ultimatemember->form->add_error('username_b', __(' We can\'t find an account registered with that address or username ','ultimatemember') );
+			$ultimatemember->form->add_error('username_b', __('We can\'t find an account registered with that address or username','ultimatemember') );
+		} else {
+			if ( is_email( $user ) ) {
+				$user_id = email_exists( $user );
+			} else {
+				$user_id = username_exists( $user );
+			}
+			$attempts = (int)get_user_meta( $user_id, 'password_rst_attempts', true );
+			if ( $attempts >= 3 ) {
+				$ultimatemember->form->add_error('username_b', __('You have reached the limit for requesting password change for this user already. Contact support if you cannot open the email','ultimatemember') );
+			} else {
+				update_user_meta( $user_id, 'password_rst_attempts', $attempts + 1 );
+			}
 		}
 		
 	}

core/um-actions-register.php

@@ -105,7 +105,9 @@
 			$role = um_get_option('default_role');
 		}
 		
-		$ultimatemember->user->is_secure_role( $user_id, $role );
+		if ( !in_array( $role, $ultimatemember->query->get_roles( false, array('admin') ) ) ) {
+			$role = um_get_option('default_role');
+		}
 
 		$ultimatemember->user->set_role( $role );
 		
@@ -231,7 +233,7 @@
 	***	@Register user with predefined role in options
 	***/
 	add_action('um_after_register_fields', 'um_add_user_role');
-	function um_add_user_role($args){
+	function um_add_user_role( $args ){
 		
 		global $ultimatemember;
 		

core/um-form.php

@@ -73,13 +73,26 @@ class UM_Form {
 				$this->post_form = $_POST;
 				
 				$this->post_form = $this->beautify( $this->post_form );
-				
+
 				$this->form_data = $ultimatemember->query->post_data( $this->form_id );
 				
 				$this->post_form['submitted'] = $this->post_form;
 				
 				$this->post_form = array_merge( $this->form_data, $this->post_form );
 
+				if ( isset( $this->form_data['role'] ) && $_POST['role'] != $this->form_data['role'] ) {
+					wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
+				} else {
+					if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) {
+						// In this case, admin allowed users to choose a role during registration
+					} else {
+						$role = um_get_option('default_role');
+						if ( $role != $_POST['role'] ) {
+							wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
+						}
+					}
+				}
+
 				if ( isset( $_POST[ $ultimatemember->honeypot ] ) && $_POST[ $ultimatemember->honeypot ] != '' )
 					wp_die('Hello, spam bot!');
 

core/um-user.php

@@ -273,25 +273,6 @@ class UM_User {
 		$this->set(0, $clean);
 	}
 	
-	/***
-	***	@Security check for roles
-	***/
-	function is_secure_role( $user_id, $role ) {
-		
-		if ( is_admin() ) return;
-		
-		if ( $role == 'admin' ) {
-			$this->delete( false );
-			wp_die( __('This is not allowed for security reasons.','ultimatemember') );
-		}
-		
-		if ( um_get_option('advanced_denied_roles') && strstr( um_get_option('advanced_denied_roles'), $role ) ) {
-			$this->delete( false );
-			wp_die( __('This is not allowed for security reasons.','ultimatemember') );
-		}
-		
-	}
-	
 	/***
 	***	@Clean user profile
 	***/

um-config.php

@@ -1898,14 +1898,6 @@ $this->sections[] = array(
 				'off'			=> __('Off','ultimatemember'),
         ),
 
-        array(
-                'id'      		=> 'advanced_denied_roles',
-                'type'     		=> 'text',
-                'title'    		=> __( 'Do not allow registering these roles','ultimatemember' ),
-                'default'  		=> '',
-				'desc' 	   		=> __('Comma seperate roles (role slugs) that can not be registered from frontend ever for security.','ultimatemember'),
-        ),
-
         array(
                 'id'       		=> 'enable_timebot',
                 'type'     		=> 'switch',