diff --git a/includes/core/class-access.php b/includes/core/class-access.php
index 1246b581..a33b28e6 100644
--- a/includes/core/class-access.php
+++ b/includes/core/class-access.php
@@ -204,14 +204,14 @@ if ( ! class_exists( 'um\core\Access' ) ) {
}
}
$restricted_taxonomies = array_values( $restricted_taxonomies );
- }
- if ( ! empty( $post_types ) ) {
- $taxonomies = array();
- foreach ( $post_types as $p_t ) {
- $taxonomies = array_merge( $taxonomies, get_object_taxonomies( $p_t ) );
+ if ( ! empty( $post_types ) ) {
+ $taxonomies = array();
+ foreach ( $post_types as $p_t ) {
+ $taxonomies = array_merge( $taxonomies, get_object_taxonomies( $p_t ) );
+ }
+ $restricted_taxonomies = array_intersect( $taxonomies, $restricted_taxonomies );
}
- $restricted_taxonomies = array_intersect( $taxonomies, $restricted_taxonomies );
}
if ( ! empty( $restricted_taxonomies ) ) {
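Review bot: When `$post_types` is empty the intersection on the new line is skipped, so `$restricted_taxonomies` keeps every entry collected above instead of being narrowed to the queried post types; if that fallback is intended it deserves a comment, e.g. `// No post types in the query: every restricted taxonomy applies.` Note also that `array_intersect` preserves the keys of `$taxonomies`, so the `array_values()` normalisation just above no longer holds after this branch; if later code indexes the result numerically, use `$restricted_taxonomies = array_values( array_intersect( $taxonomies, $restricted_taxonomies ) );`. The enclosing method begins before this hunk and continues after it.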
@@ -327,9 +327,11 @@ if ( ! class_exists( 'um\core\Access' ) ) {
}
}
$restricted_taxonomies = array_values( $restricted_taxonomies );
- }
- $restricted_taxonomies = array_intersect( $query->query_vars['taxonomy'], $restricted_taxonomies );
+ if ( ! empty( $restricted_taxonomies ) ) {
+ $restricted_taxonomies = array_intersect( $query->query_vars['taxonomy'], $restricted_taxonomies );
+ }
+ }
if ( empty( $restricted_taxonomies ) ) {
return $exclude;
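Review bot: `array_intersect( $query->query_vars['taxonomy'], ... )` still assumes the query var is an array; in WordPress the `taxonomy` query var is commonly a plain string naming one taxonomy, and `array_intersect` throws a `TypeError` on a string under PHP 8 (warning plus `null` on PHP 7). Unless a check outside this hunk guarantees an array, cast it first: `$restricted_taxonomies = array_intersect( (array) $query->query_vars['taxonomy'], $restricted_taxonomies );`. This pre-dates the commit, but the new `! empty` guard does not cover it. The enclosing method starts before this hunk.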
diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php
index 80e24674..c3be45e0 100644
--- a/includes/core/class-fields.php
+++ b/includes/core/class-fields.php
@@ -709,6 +709,12 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
return '';
}
+ if ( 'profile' === $this->set_mode ) {
+ if ( ! isset( UM()->form()->post_form['profile_nonce'] ) || UM()->form()->post_form['profile_nonce'] !== UM()->form()->nonce ) {
+ return '';
+ }
+ }
+
return stripslashes_deep( UM()->form()->post_form[ $key ] );
} elseif ( um_user( $key ) && $this->editing == true ) {
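Review bot: The new check compares the posted `profile_nonce` with `!==` against a value freshly produced by `wp_create_nonce()`, which only matches the current 12-hour nonce tick; a profile form opened shortly before a tick boundary and submitted after it is silently rejected with `''`, whereas `wp_verify_nonce()` also accepts the previous tick. Verify against the action instead of the regenerated value: `if ( ! wp_verify_nonce( UM()->form()->post_form['profile_nonce'], 'um-profile-nonce' . UM()->user()->target_id ) ) { return ''; }`, which also does not depend on the profile-mode setup having already assigned `UM()->form()->nonce` earlier in this request. A one-line comment stating why the check exists (the posted value must come from a form rendered for this target user) would help the next reader. The enclosing method starts before this hunk.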
@@ -3879,6 +3885,11 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
UM()->form()->form_suffix = '-' . $this->global_args['form_id'];
$this->set_mode = $mode;
+
+ if ( 'profile' === $mode ) {
+ UM()->form()->nonce = wp_create_nonce( 'um-profile-nonce' . UM()->user()->target_id );
+ }
+
$this->set_id = $this->global_args['form_id'];
$this->field_icons = ( isset( $this->global_args['icons'] ) ) ? $this->global_args['icons'] : 'label';
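Review bot: The nonce action `'um-profile-nonce'` is a bare literal here, and any verifier has to repeat it exactly; hoisting it to a class constant, e.g. `const PROFILE_NONCE_ACTION = 'um-profile-nonce';`, keeps creation and verification from drifting apart. The nonce is also bound to `UM()->user()->target_id` at the moment this code runs, so if the target user is resolved later in the request the stored nonce will not match the form that is finally rendered; if that ordering is guaranteed elsewhere, record it with `// Nonce is tied to the current target user; this must run after the target is resolved.` The enclosing method starts before this hunk and continues after it.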
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index e8aa6c02..e601be2a 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -32,6 +32,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
var $post_form = null;
+ var $nonce = null;
+
+
/**
* Form constructor.
*/
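Review bot: The new `$nonce` property has no docblock, so its type and lifetime are undocumented; a reader cannot tell whether it is per-request state or persisted. Add `/** @var string|null Per-request nonce for the profile form; assigned when the fields mode is switched to profile and compared against the posted profile_nonce. */` above the declaration. Using `var` matches the neighbouring `$post_form`, so that is a consistency choice, but the two blank lines that follow could be reduced to one.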
@@ -331,14 +334,18 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( $http_post && ! is_admin() && isset( $_POST['form_id'] ) && is_numeric( $_POST['form_id'] ) ) {
- $this->form_id = absint( $_POST['form_id'] );
- $this->form_status = get_post_status( $this->form_id );
- $this->form_data = UM()->query()->post_data( $this->form_id );
+ $this->form_id = absint( $_POST['form_id'] );
+ if ( 'um_form' !== get_post_type( $this->form_id ) ) {
+ return;
+ }
+ $this->form_status = get_post_status( $this->form_id );
if ( 'publish' !== $this->form_status ) {
return;
}
+ $this->form_data = UM()->query()->post_data( $this->form_id );
+
/**
* UM hook
*
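Review bot: After the new `um_form` post-type check returns early, `$this->form_id` has already been assigned, so the object carries an id for a post that is not a UM form (or does not exist at all, since `get_post_type()` returns `false` then) while `form_status` and `form_data` stay null; the pre-existing publish-status return leaves the same half-initialised shape. Validating a local before committing it avoids that: `$form_id = absint( $_POST['form_id'] ); if ( 'um_form' !== get_post_type( $form_id ) ) { return; } $this->form_id = $form_id;`. Whether later code treats a non-null `form_id` as a valid form is not visible here. The enclosing method starts before this hunk and continues after it.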
diff --git a/includes/core/um-actions-profile.php b/includes/core/um-actions-profile.php
index 0233e127..92ccf3e5 100644
--- a/includes/core/um-actions-profile.php
+++ b/includes/core/um-actions-profile.php
@@ -629,7 +629,7 @@ function um_editing_user_id_input( $args ) {
if ( UM()->fields()->editing == 1 && UM()->fields()->set_mode == 'profile' && UM()->user()->target_id ) { ?>
-
+