- fixed security vulnerability in queries with role attribute;

- fixed um_can_view_profile function;
nikitasinelnikov
2020-09-28 21:34:14 +03:00
parent 85eb5bbee2
commit 2343a1891e
3 changed files with 20 additions and 19 deletions
@@ -505,10 +505,6 @@ if ( ! class_exists( 'um\admin\core\Admin_Enqueue' ) ) {
/**
* create gutenberg blocks
*/
register_block_type( 'um-block/um-user-profile-wall', array(
'editor_script' => 'um-blocks-shortcode-js',
) );
register_block_type( 'um-block/um-forms', array(
'editor_script' => 'um-blocks-shortcode-js',
) );
+13 -9
@@ -367,18 +367,22 @@ function um_user_edit_profile( $args ) {
$to_update[ $description_key ] = $args['submitted'][ $description_key ];
}
if ( ! empty( $args['submitted']['role'] ) ) {
global $wp_roles;
$role_keys = array_map( function( $item ) {
return 'um_' . $item;
}, get_option( 'um_roles' ) );
$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
if ( is_admin() || ( ! is_admin() && ( isset( $fields['role_select'] ) || isset( $fields['role_radio'] ) ) ) ) { // Secure selected role
if ( ! in_array( $args['submitted']['role'], $exclude_roles ) ) {
$to_update['role'] = $args['submitted']['role'];
if ( ! empty( $args['submitted']['role'] ) ) {
global $wp_roles;
$role_keys = array_map( function( $item ) {
return 'um_' . $item;
}, get_option( 'um_roles' ) );
$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
if ( ! in_array( $args['submitted']['role'], $exclude_roles ) ) {
$to_update['role'] = $args['submitted']['role'];
}
$args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
}
$args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
}
/**
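Review bot: The new guard on the `is_admin()` line tests the request context, not the caller's capability — in WordPress `is_admin()` is true for any request served from the admin area, including admin-ajax.php, regardless of who sends it — so if um_user_edit_profile is reachable through an AJAX or admin-side submission the role branch is still entered for a form that has no role field. A capability check states the intent directly and also drops the redundant `! is_admin() &&` (`A || ( ! A && B )` is just `A || B`): `if ( current_user_can( 'edit_users' ) || isset( $fields['role_select'] ) || isset( $fields['role_radio'] ) ) { // Secure selected role`, with the exact capability chosen by the maintainers. Two smaller points inside the branch: `in_array( $args['submitted']['role'], $exclude_roles )` should pass `true` for strict comparison, and because `$exclude_roles` is a denylist built from registered roles, a submitted value that is not a registered role at all passes the check and reaches `$to_update['role']` — worth confirming that whatever consumes `$to_update` rejects unknown roles, or additionally checking `$args['submitted']['role']` against `array_keys( $wp_roles->roles )` here. `$fields` is not defined within the hunk and um_user_edit_profile starts outside it, so where `$fields` comes from and whether its keys match the form's role metakeys is assumed.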
+7 -6
@@ -1574,10 +1574,6 @@ function um_can_view_field( $data ) {
* @return bool
*/
function um_can_view_profile( $user_id ) {
if ( ! um_user( 'can_view_all' ) && $user_id != get_current_user_id() && is_user_logged_in() ) {
return false;
}
if ( UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
return true;
}
@@ -1589,19 +1585,24 @@ function um_can_view_profile( $user_id ) {
$temp_id = um_user('ID');
um_fetch_user( get_current_user_id() );
if ( ! um_user( 'can_view_all' ) && $user_id != get_current_user_id() && is_user_logged_in() ) {
um_fetch_user( $temp_id );
return false;
}
if ( ! um_user( 'can_access_private_profile' ) && UM()->user()->is_private_profile( $user_id ) ) {
um_fetch_user( $temp_id );
return false;
}
if ( um_user( 'can_view_roles' ) && $user_id != get_current_user_id() ) {
$can_view_roles = um_user( 'can_view_roles' );
if ( ! is_array( $can_view_roles ) ) {
$can_view_roles = array();
}
if ( count( array_intersect( UM()->roles()->get_all_user_roles( $user_id ), $can_view_roles ) ) <= 0 ) {
if ( count( $can_view_roles ) && count( array_intersect( UM()->roles()->get_all_user_roles( $user_id ), $can_view_roles ) ) <= 0 ) {
um_fetch_user( $temp_id );
return false;
}