mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-06-05 15:09:37 +09:00
- reviewed #1442;
This commit is contained in:
Mykyta Synelnikov
@@ -52,7 +52,8 @@
|
||||
width: 100%;
|
||||
}
|
||||
#um-users-overview-table td {
|
||||
width: 50%;
|
||||
width: auto;
|
||||
min-width: 120px;
|
||||
vertical-align: middle;
|
||||
padding: 0 0 0 5px;
|
||||
box-sizing: border-box;
|
||||
|
||||
Vendored
+1
-1
@@ -1 +1 @@
|
||||
#um-metaboxes-general h1 sup{font-size:14px;position:relative;font-weight:400;background:#0085ba;color:#fff!important;padding:2px 4px!important;border-radius:3px;top:5px;left:3px;border:none!important}#um-metaboxes-general.wrap a.red,#um-metaboxes-general.wrap span.red{color:#c74a4a}#um-metaboxes-general.wrap span.ok{color:#7acf58}.um-metabox-holder p.sub{padding:0 4px 2px 4px;margin:0 0 8px 0;color:#8f8f8f;font-size:14px;border-bottom:1px solid #ececec}.um-metabox-holder a.warning{color:#c74a4a!important;background:0 0!important;border:0}.um-metabox-holder .norm i{display:inline-block;width:30px;text-align:center}.um-metabox-holder .norm p{margin:5px 0}.um-metabox-holder .norm .count{font-size:16px;font-family:Georgia,"Times New Roman","Bitstream Charter",Times,serif;color:#999;width:40px;display:inline-block;text-align:right;margin-right:10px}#um-users-overview-table{width:100%}#um-users-overview-table td{width:50%;vertical-align:middle;padding:0 0 0 5px;box-sizing:border-box}#um-users-overview-table td:first-child{padding:0 5px 0 0}#um-users-overview-table td>span{width:100%;direction:ltr;display:grid;grid-gap:6px;grid-template-columns:repeat(2,minmax(20px,auto));align-content:start;align-items:center;justify-content:start;justify-items:center}#um-users-overview-table td>span a{word-break:break-word}#um-users-overview-table td>span a.count{justify-self:end;font-family:Georgia,"Times New Roman","Bitstream Charter",Times,serif;font-size:18px}
|
||||
#um-metaboxes-general h1 sup{font-size:14px;position:relative;font-weight:400;background:#0085ba;color:#fff!important;padding:2px 4px!important;border-radius:3px;top:5px;left:3px;border:none!important}#um-metaboxes-general.wrap a.red,#um-metaboxes-general.wrap span.red{color:#c74a4a}#um-metaboxes-general.wrap span.ok{color:#7acf58}.um-metabox-holder p.sub{padding:0 4px 2px 4px;margin:0 0 8px 0;color:#8f8f8f;font-size:14px;border-bottom:1px solid #ececec}.um-metabox-holder a.warning{color:#c74a4a!important;background:0 0!important;border:0}.um-metabox-holder .norm i{display:inline-block;width:30px;text-align:center}.um-metabox-holder .norm p{margin:5px 0}.um-metabox-holder .norm .count{font-size:16px;font-family:Georgia,"Times New Roman","Bitstream Charter",Times,serif;color:#999;width:40px;display:inline-block;text-align:right;margin-right:10px}#um-users-overview-table{width:100%}#um-users-overview-table td{width:auto;min-width:120px;vertical-align:middle;padding:0 0 0 5px;box-sizing:border-box}#um-users-overview-table td:first-child{padding:0 5px 0 0}#um-users-overview-table td>span{width:100%;direction:ltr;display:grid;grid-gap:6px;grid-template-columns:repeat(2,minmax(20px,auto));align-content:start;align-items:center;justify-content:start;justify-items:center}#um-users-overview-table td>span a{word-break:break-word}#um-users-overview-table td>span a.count{justify-self:end;font-family:Georgia,"Times New Roman","Bitstream Charter",Times,serif;font-size:18px}
|
||||
@@ -56,7 +56,8 @@
|
||||
#um-users-overview-table
|
||||
width: 100%
|
||||
td
|
||||
width: 50%
|
||||
width: auto
|
||||
min-width: 120px
|
||||
vertical-align: middle
|
||||
padding: 0 0 0 5px
|
||||
box-sizing: border-box
|
||||
|
||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
@@ -1,5 +1,20 @@
|
||||
== Changelog ==
|
||||
|
||||
= 2.8.5: April 9, 2024 =
|
||||
|
||||
* Enhancements:
|
||||
|
||||
- Added: "Hide my last login" via the Account > Privacy setting
|
||||
- Added: Exclude and Include fields for member directory searching
|
||||
|
||||
* Bugfixes:
|
||||
|
||||
- Fixed: URL attributes escaping (CVE-2024-2765)
|
||||
- Fixed: wp-admin Ultimate Member > Dashboard layouts
|
||||
- Fixed: Required fields labels
|
||||
- Fixed: Change password and update account email notifications duplicates
|
||||
- Fixed: Clear media JS in wp-admin settings
|
||||
|
||||
= 2.8.4: March 6, 2024 =
|
||||
|
||||
* Enhancements:
|
||||
|
||||
@@ -43,11 +43,11 @@ $_um_search_filters = get_post_meta( $post_id, '_um_search_filters', true
|
||||
array(
|
||||
'id' => '_um_search_exclude_fields',
|
||||
'type' => 'multi_selects',
|
||||
'label' => __( 'Choose fields to exclude from search', 'ultimate-member' ),
|
||||
'label' => __( 'Exclude fields from search', 'ultimate-member' ),
|
||||
'value' => $_um_search_exclude_fields,
|
||||
'conditional' => array( '_um_search', '=', 1 ),
|
||||
'options' => UM()->member_directory()->filter_fields,
|
||||
'add_text' => __( 'Add New Custom Field to Exclude', 'ultimate-member' ),
|
||||
'options' => UM()->member_directory()->searching_fields,
|
||||
'add_text' => __( 'Add New', 'ultimate-member' ),
|
||||
'show_default_number' => 0,
|
||||
'sorting' => true,
|
||||
'tooltip' => __( 'Choose fields to exclude them from search. This option will delete all included fields.', 'ultimate-member' ),
|
||||
@@ -55,11 +55,11 @@ $_um_search_filters = get_post_meta( $post_id, '_um_search_filters', true
|
||||
array(
|
||||
'id' => '_um_search_include_fields',
|
||||
'type' => 'multi_selects',
|
||||
'label' => __( 'Choose fields to only include in the search', 'ultimate-member' ),
|
||||
'label' => __( 'Fields to search by', 'ultimate-member' ),
|
||||
'value' => $_um_search_include_fields,
|
||||
'conditional' => array( '_um_search', '=', 1 ),
|
||||
'options' => UM()->member_directory()->filter_fields,
|
||||
'add_text' => __( 'Add New Custom Field to Include', 'ultimate-member' ),
|
||||
'options' => UM()->member_directory()->searching_fields,
|
||||
'add_text' => __( 'Add New', 'ultimate-member' ),
|
||||
'show_default_number' => 0,
|
||||
'sorting' => true,
|
||||
'tooltip' => __( 'Choose fields to only include them in the search. This option will delete all excluded fields.', 'ultimate-member' ),
|
||||
|
||||
@@ -706,13 +706,29 @@ if ( ! class_exists( 'um\core\Member_Directory_Meta' ) ) {
|
||||
// phpcs:enable WordPress.Security.NonceVerification -- verified via `UM()->check_ajax_nonce();`.
|
||||
if ( ! empty( $search_line ) ) {
|
||||
$searches = array();
|
||||
foreach ( $this->core_search_fields as $field ) {
|
||||
$field = esc_sql( $field );
|
||||
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $field is pre-escaped.
|
||||
$searches[] = $wpdb->prepare( "u.{$field} LIKE %s", '%' . $wpdb->esc_like( $search_line ) . '%' );
|
||||
|
||||
$exclude_fields = get_post_meta( $directory_id, '_um_search_exclude_fields', true );
|
||||
$include_fields = get_post_meta( $directory_id, '_um_search_include_fields', true );
|
||||
|
||||
$core_search = $this->get_core_search_fields();
|
||||
if ( ! empty( $include_fields ) ) {
|
||||
$core_search = array_intersect( $core_search, $include_fields );
|
||||
}
|
||||
if ( ! empty( $exclude_fields ) ) {
|
||||
$core_search = array_diff( $core_search, $exclude_fields );
|
||||
}
|
||||
if ( ! empty( $core_search ) ) {
|
||||
foreach ( $core_search as $field ) {
|
||||
$field = esc_sql( $field );
|
||||
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $field is pre-escaped.
|
||||
$searches[] = $wpdb->prepare( "u.{$field} LIKE %s", '%' . $wpdb->esc_like( $search_line ) . '%' );
|
||||
}
|
||||
}
|
||||
|
||||
$core_search = implode( ' OR ', $searches );
|
||||
if ( ! empty( $core_search ) ) {
|
||||
$core_search = ' OR ' . $core_search;
|
||||
}
|
||||
|
||||
$this->joins[] = "LEFT JOIN {$wpdb->prefix}um_metadata umm_search ON umm_search.user_id = u.ID";
|
||||
|
||||
@@ -720,27 +736,17 @@ if ( ! class_exists( 'um\core\Member_Directory_Meta' ) ) {
|
||||
|
||||
$search_like_string = apply_filters( 'um_member_directory_meta_search_like_type', '%' . $wpdb->esc_like( $search_line ) . '%', $search_line );
|
||||
|
||||
$directory_id = $this->get_directory_by_hash( sanitize_key( $_POST['directory_id'] ) );
|
||||
$exclude_fields = get_post_meta( $directory_id, '_um_search_exclude_fields', true );
|
||||
$include_fields = get_post_meta( $directory_id, '_um_search_include_fields', true );
|
||||
$custom_fields_sql = '';
|
||||
|
||||
if ( ! empty( $exclude_fields ) ) {
|
||||
$custom_fields_sql = 'AND umm_search.um_key NOT IN (';
|
||||
foreach ( $exclude_fields as $exclude_field ) {
|
||||
$custom_fields_sql .= "'" . $exclude_field . "',";
|
||||
}
|
||||
$custom_fields_sql = rtrim( $custom_fields_sql, ',' );
|
||||
$custom_fields_sql .= ') ';
|
||||
$custom_fields_sql = " AND umm_search.um_key NOT IN ('" . implode( "','", $exclude_fields ) . "') ";
|
||||
}
|
||||
if ( ! empty( $include_fields ) ) {
|
||||
$custom_fields_sql = 'AND umm_search.um_key IN (';
|
||||
foreach ( $include_fields as $include_field ) {
|
||||
$custom_fields_sql .= "'" . $include_field . "',";
|
||||
}
|
||||
$custom_fields_sql = rtrim( $custom_fields_sql, ',' );
|
||||
$custom_fields_sql .= ') ';
|
||||
$custom_fields_sql = " AND umm_search.um_key IN ('" . implode( "','", $include_fields ) . "') ";
|
||||
}
|
||||
|
||||
// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $core_search and $additional_search are pre-prepared.
|
||||
$this->where_clauses[] = $wpdb->prepare( "( umm_search.um_value = %s OR umm_search.um_value LIKE %s OR umm_search.um_value LIKE %s OR {$core_search}{$additional_search}) {$custom_fields_sql}", $search_line, $search_like_string, '%' . $wpdb->esc_like( maybe_serialize( (string) $search_line ) ) . '%' );
|
||||
$this->where_clauses[] = $wpdb->prepare( "( umm_search.um_value = %s OR umm_search.um_value LIKE %s OR umm_search.um_value LIKE %s{$core_search}{$additional_search}){$custom_fields_sql}", $search_line, $search_like_string, '%' . $wpdb->esc_like( maybe_serialize( (string) $search_line ) ) . '%' );
|
||||
|
||||
$this->is_search = true;
|
||||
}
|
||||
|
||||
@@ -42,6 +42,11 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
*/
|
||||
var $filter_fields = array();
|
||||
|
||||
/**
|
||||
* @var array
|
||||
*/
|
||||
public $searching_fields = array();
|
||||
|
||||
|
||||
/**
|
||||
* @var array
|
||||
@@ -122,7 +127,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
* Get the WordPress core searching fields in wp_users query.
|
||||
* @return array
|
||||
*/
|
||||
private function get_core_search_fields() {
|
||||
protected function get_core_search_fields() {
|
||||
/**
|
||||
* Filters the WordPress core searching fields in wp_users query for UM Member directory query.
|
||||
*
|
||||
@@ -433,6 +438,25 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
|
||||
$this->filter_supported_fields = apply_filters( 'um_members_directory_custom_field_types_supported_filter', array( 'date', 'time', 'select', 'multiselect', 'radio', 'checkbox', 'rating', 'text', 'textarea', 'number' ) );
|
||||
|
||||
$core_search_keys = $this->get_core_search_fields();
|
||||
|
||||
$this->searching_fields = array();
|
||||
if ( ! empty( UM()->builtin()->all_user_fields() ) ) {
|
||||
foreach ( UM()->builtin()->all_user_fields() as $key => $data ) {
|
||||
if ( in_array( $key, $core_search_keys, true ) ) {
|
||||
if ( isset( $data['title'] ) && array_search( $data['title'], $this->searching_fields, true ) !== false ) {
|
||||
$data['title'] = $data['title'] . ' (' . $key . ')';
|
||||
}
|
||||
|
||||
$title = isset( $data['title'] ) ? $data['title'] : ( isset( $data['label'] ) ? $data['label'] : '' );
|
||||
if ( empty( $title ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->searching_fields[ $key ] = $title;
|
||||
}
|
||||
}
|
||||
}
|
||||
if ( ! empty( UM()->builtin()->saved_fields ) ) {
|
||||
foreach ( UM()->builtin()->saved_fields as $key => $data ) {
|
||||
|
||||
@@ -459,6 +483,9 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
|
||||
ksort( $this->filter_fields );
|
||||
|
||||
$this->searching_fields = array_merge( $this->searching_fields, $this->filter_fields );
|
||||
asort( $this->searching_fields );
|
||||
|
||||
$this->filter_types = apply_filters( 'um_members_directory_filter_types', array(
|
||||
'country' => 'select',
|
||||
'gender' => 'select',
|
||||
@@ -1757,38 +1784,57 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) {
|
||||
$custom_fields[] = $field_key;
|
||||
}
|
||||
} else {
|
||||
$custom_fields = $include_fields;
|
||||
foreach ( $include_fields as $field_key ) {
|
||||
if ( empty( $field_key ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$data = UM()->fields()->get_field( $field_key );
|
||||
if ( ! um_can_view_field( $data ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$custom_fields[] = $field_key;
|
||||
}
|
||||
}
|
||||
|
||||
$custom_fields = apply_filters( 'um_general_search_custom_fields', $custom_fields );
|
||||
|
||||
if ( ! empty( $custom_fields ) ) {
|
||||
if ( ! empty( $exclude_fields ) ) {
|
||||
$custom_fields = array_diff( $custom_fields, $exclude_fields );
|
||||
}
|
||||
|
||||
$sql['join'] = preg_replace(
|
||||
'/(' . $meta_join_for_search . ' ON \( ' . $wpdb->users . '\.ID = ' . $meta_join_for_search . '\.user_id )(\))/im',
|
||||
"$1 AND " . $meta_join_for_search . ".meta_key IN( '" . implode( "','", $custom_fields ) . "' ) $2",
|
||||
$sql['join']
|
||||
);
|
||||
}
|
||||
|
||||
if ( ! empty( $exclude_fields ) ) {
|
||||
foreach ( $exclude_fields as $field ) {
|
||||
$sql['join'] = str_replace( ",'" . $field . "'", '', $sql['join'] );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Add OR instead AND to search in WP core fields user_email, user_login, user_display_name
|
||||
$search_where = $context->get_search_sql( $search, $this->get_core_search_fields(), 'both' );
|
||||
$core_search = $this->get_core_search_fields();
|
||||
if ( ! empty( $include_fields ) ) {
|
||||
$core_search = array_intersect( $core_search, $include_fields );
|
||||
}
|
||||
if ( ! empty( $exclude_fields ) ) {
|
||||
$core_search = array_diff( $core_search, $exclude_fields );
|
||||
}
|
||||
|
||||
$search_where = preg_replace( '/ AND \((.*?)\)/im', "$1 OR", $search_where );
|
||||
if ( ! empty( $core_search ) ) {
|
||||
// Add OR instead AND to search in WP core fields user_email, user_login, user_display_name
|
||||
$search_where = $context->get_search_sql( $search, $core_search, 'both' );
|
||||
|
||||
// str_replace( '/', '\/', wp_slash( $search ) ) means that we add backslashes to special symbols + add backslash to slash(/) symbol for proper regular pattern.
|
||||
$sql['where'] = preg_replace(
|
||||
'/(' . $meta_join_for_search . '.meta_value = \'' . str_replace( '/', '\/', wp_slash( $search ) ) . '\')/im',
|
||||
trim( $search_where ) . " $1",
|
||||
$sql['where'],
|
||||
1
|
||||
);
|
||||
$search_where = preg_replace( '/ AND \((.*?)\)/im', "$1 OR", $search_where );
|
||||
|
||||
// str_replace( '/', '\/', wp_slash( $search ) ) means that we add backslashes to special symbols + add backslash to slash(/) symbol for proper regular pattern.
|
||||
$sql['where'] = preg_replace(
|
||||
'/(' . $meta_join_for_search . '.meta_value = \'' . str_replace( '/', '\/', wp_slash( $search ) ) . '\')/im',
|
||||
trim( $search_where ) . " $1",
|
||||
$sql['where'],
|
||||
1
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+21
-3
@@ -5,8 +5,8 @@ Contributors: ultimatemember, champsupertramp, nsinelnikov
|
||||
Tags: community, member, membership, user-profile, user-registration
|
||||
Requires PHP: 5.6
|
||||
Requires at least: 5.5
|
||||
Tested up to: 6.4
|
||||
Stable tag: 2.8.4
|
||||
Tested up to: 6.5
|
||||
Stable tag: 2.8.5
|
||||
License: GNU Version 2 or Any Later Version
|
||||
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
|
||||
|
||||
@@ -166,9 +166,22 @@ No specific extensions are needed. But we highly recommended keep active these P
|
||||
|
||||
IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION
|
||||
|
||||
= 2.8.5 2024-03-xx =
|
||||
= 2.8.5 2024-04-09 =
|
||||
|
||||
**Enhancements**
|
||||
|
||||
* Added: "Hide my last login" via the Account > Privacy setting
|
||||
* Added: Exclude and Include fields for member directory searching
|
||||
|
||||
**Bugfixes**
|
||||
|
||||
* Fixed: URL attributes escaping (CVE-2024-2765)
|
||||
* Fixed: wp-admin Ultimate Member > Dashboard layouts
|
||||
* Fixed: Required fields labels
|
||||
* Fixed: Change password and update account email notifications duplicates
|
||||
* Fixed: Clear media JS in wp-admin settings
|
||||
|
||||
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
|
||||
|
||||
= 2.8.4 2024-03-06 =
|
||||
|
||||
@@ -184,6 +197,8 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
* Fixed: Password reset url for the approved user who didn't set their password after registration without password
|
||||
* Fixed: Conflict with WebP Uploads
|
||||
|
||||
**Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade**
|
||||
|
||||
= 2.8.3 2024-02-19 =
|
||||
|
||||
**Enhancements**
|
||||
@@ -316,6 +331,9 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI
|
||||
|
||||
== Upgrade Notice ==
|
||||
|
||||
= 2.8.5 =
|
||||
This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
= 2.8.4 =
|
||||
This version fixes a security related bug. Upgrade immediately.
|
||||
|
||||
|
||||
+1
-1
@@ -3,7 +3,7 @@
|
||||
* Plugin Name: Ultimate Member
|
||||
* Plugin URI: http://ultimatemember.com/
|
||||
* Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
|
||||
* Version: 2.8.5-alpha
|
||||
* Version: 2.8.5
|
||||
* Author: Ultimate Member
|
||||
* Author URI: http://ultimatemember.com/
|
||||
* Text Domain: ultimate-member
|
||||
|
||||
Reference in New Issue
Block a user