From 5d773256b9dd3b314b2b03721f1d715ffda67382 Mon Sep 17 00:00:00 2001
From: Nikita Sinelnikov
Date: Thu, 19 Aug 2021 12:58:13 +0300
Subject: [PATCH] - fixed profile form nonce; - fixed profile form getting ID and data; - fixed class-access.php when restricted taxonomies are disabled;
---
 includes/core/class-access.php | 18 ++++++++++--------
 includes/core/class-fields.php | 11 +++++++++++
 includes/core/class-form.php | 13 ++++++++++---
 includes/core/um-actions-profile.php | 2 +-
 4 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/includes/core/class-access.php b/includes/core/class-access.php
index 1246b581..a33b28e6 100644
--- a/includes/core/class-access.php
+++ b/includes/core/class-access.php
@@ -204,14 +204,14 @@ if ( ! class_exists( 'um\core\Access' ) ) {
 }
 }
 $restricted_taxonomies = array_values( $restricted_taxonomies );
- }
- if ( ! empty( $post_types ) ) {
- $taxonomies = array();
- foreach ( $post_types as $p_t ) {
- $taxonomies = array_merge( $taxonomies, get_object_taxonomies( $p_t ) );
+ if ( ! empty( $post_types ) ) {
+ $taxonomies = array();
+ foreach ( $post_types as $p_t ) {
+ $taxonomies = array_merge( $taxonomies, get_object_taxonomies( $p_t ) );
+ }
+ $restricted_taxonomies = array_intersect( $taxonomies, $restricted_taxonomies );
 }
- $restricted_taxonomies = array_intersect( $taxonomies, $restricted_taxonomies );
 }
 if ( ! empty( $restricted_taxonomies ) ) {
@@ -327,9 +327,11 @@ if ( ! class_exists( 'um\core\Access' ) ) {
 }
 }
 $restricted_taxonomies = array_values( $restricted_taxonomies );
- }
- $restricted_taxonomies = array_intersect( $query->query_vars['taxonomy'], $restricted_taxonomies );
+ if ( ! empty( $restricted_taxonomies ) ) {
+ $restricted_taxonomies = array_intersect( $query->query_vars['taxonomy'], $restricted_taxonomies );
+ }
+ }
 if ( empty( $restricted_taxonomies ) ) {
 return $exclude;
diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php
index 80e24674..c3be45e0 100644
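Review bot: The loop inside the re-nested `if ( ! empty( $post_types ) )` block still calls `array_merge()` once per post type, copying the accumulated array on every iteration; collecting the per-type lists and merging once reads more directly and scales linearly: `$taxonomies = array_merge( array(), ...array_map( 'get_object_taxonomies', $post_types ) );`. Note also that `array_intersect()` keeps the keys of its first argument, so after the intersect `$restricted_taxonomies` is no longer the re-indexed list produced by the `array_values()` call three lines above; if any later consumer relies on sequential keys, wrap the intersect in `array_values()`. The enclosing method starts before and ends after this hunk.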
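Review bot: The guard added before `array_intersect()` only covers an empty `$restricted_taxonomies`; the first argument, `$query->query_vars['taxonomy']`, is passed unchecked, and if it can be a plain string for a single-taxonomy query (not visible in this hunk) `array_intersect()` raises a TypeError on PHP 8 instead of producing the filtered list. Casting it, `$restricted_taxonomies = array_intersect( (array) $query->query_vars['taxonomy'], $restricted_taxonomies );`, keeps the restriction computed in that case; if the caller already guarantees an array, a one-line comment saying so would remove the doubt. The enclosing method starts before and ends after this hunk.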
--- a/includes/core/class-fields.php
+++ b/includes/core/class-fields.php
@@ -709,6 +709,12 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 return '';
 }
+ if ( 'profile' === $this->set_mode ) {
+ if ( ! isset( UM()->form()->post_form['profile_nonce'] ) || UM()->form()->post_form['profile_nonce'] !== UM()->form()->nonce ) {
+ return '';
+ }
+ }
+
 return stripslashes_deep( UM()->form()->post_form[ $key ] );
 } elseif ( um_user( $key ) && $this->editing == true ) {
@@ -3879,6 +3885,11 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 UM()->form()->form_suffix = '-' . $this->global_args['form_id'];
 $this->set_mode = $mode;
+
+ if ( 'profile' === $mode ) {
+ UM()->form()->nonce = wp_create_nonce( 'um-profile-nonce' . UM()->user()->target_id );
+ }
+
 $this->set_id = $this->global_args['form_id'];
 $this->field_icons = ( isset( $this->global_args['icons'] ) ) ? $this->global_args['icons'] : 'label';
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index e8aa6c02..e601be2a 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -32,6 +32,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 var $post_form = null;
+ var $nonce = null;
+
+
 /**
 * Form constructor.
 */
@@ -331,14 +334,18 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 if ( $http_post && ! is_admin() && isset( $_POST['form_id'] ) && is_numeric( $_POST['form_id'] ) ) {
- $this->form_id = absint( $_POST['form_id'] );
- $this->form_status = get_post_status( $this->form_id );
- $this->form_data = UM()->query()->post_data( $this->form_id );
+ $this->form_id = absint( $_POST['form_id'] );
+ if ( 'um_form' !== get_post_type( $this->form_id ) ) {
+ return;
+ }
+ $this->form_status = get_post_status( $this->form_id );
 if ( 'publish' !== $this->form_status ) {
 return;
 }
+ $this->form_data = UM()->query()->post_data( $this->form_id );
+
 /**
 * UM hook
 *
diff --git a/includes/core/um-actions-profile.php b/includes/core/um-actions-profile.php
index 0233e127..92ccf3e5 100644
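Review bot: The new nonce check compares the posted `profile_nonce` with `!==` against `UM()->form()->nonce`, a value that is only populated when the profile form is rendered in the same request (the `wp_create_nonce()` assignment further down this file), so it returns `''` whenever that render did not happen first, rejects an otherwise valid nonce issued in the previous tick, and uses a plain non-constant-time string comparison. `wp_verify_nonce()` covers all three and needs no render-time state: `if ( ! isset( UM()->form()->post_form['profile_nonce'] ) || ! wp_verify_nonce( UM()->form()->post_form['profile_nonce'], 'um-profile-nonce' . UM()->user()->target_id ) ) {`. Returning `''` on a failed check also makes a rejected submission indistinguishable from an empty field for the caller; a comment stating that this is the intended behaviour would help the next reader. The enclosing method starts before and ends after this hunk.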
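Review bot: The nonce action string `'um-profile-nonce' . UM()->user()->target_id` is built inline here and has to be reproduced byte-for-byte wherever the nonce is verified; a small helper on the form object that returns the action for a given user id, called from both the create and the verify side, would keep the two from drifting. Nothing on this line says who consumes `UM()->form()->nonce`; a comment such as `// Emitted as the hidden profile_nonce field and compared when posted profile data is read.` (presumably what the stripped um-actions-profile.php hunk outputs) would document that. The nonce is also bound to `target_id` at render time, so if `target_id` can change between rendering and reading the posted value the check fails for that request. The enclosing method starts before and ends after this hunk.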
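Review bot: The added `$nonce` property carries no type or purpose documentation; a docblock such as `/** @var string|null Nonce for the profile form; set when the form is rendered in profile mode, null otherwise. */` tells a reader what the string is bound to and that null is the expected state outside profile mode. The two consecutive blank lines added after it look like one more than intended. `var` matches the neighbouring `$post_form` declaration, but a new property is a chance to declare `public` explicitly.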
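Review bot: `$this->form_id` is assigned before the new post-type guard, so when `get_post_type()` returns anything other than `um_form` (including `false` for a missing post) the method returns with `form_id` already set to an id that is not a form while `form_status` and `form_data` stay unset; any later code that treats a non-empty `form_id` as a submitted form (not visible here) would act on it. Validating into a local first keeps the object untouched on the reject path: `$form_id = absint( $_POST['form_id'] );` / `if ( 'um_form' !== get_post_type( $form_id ) ) { return; }` / `$this->form_id = $form_id;`. The same partial-state concern applies to the existing `'publish'` early return, which leaves `form_data` unset. The enclosing method starts before and ends after this hunk.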
--- a/includes/core/um-actions-profile.php +++ b/includes/core/um-actions-profile.php @@ -629,7 +629,7 @@ function um_editing_user_id_input( $args ) { if ( UM()->fields()->editing == 1 && UM()->fields()->set_mode == 'profile' && UM()->user()->target_id ) { ?> - +