Merge pull request #1575 from ultimatemember/security/uploader_conditions
Fixes a security issue related to file/image upload and image resizing
@@ -49,13 +49,13 @@ if ( ! class_exists( 'um\core\AJAX_Common' ) ) {
|
||||
add_action( 'wp_ajax_um_remove_file', array( UM()->files(), 'ajax_remove_file' ) );
|
||||
add_action( 'wp_ajax_nopriv_um_remove_file', array( UM()->files(), 'ajax_remove_file' ) );
|
||||
|
||||
add_action( 'wp_ajax_nopriv_um_fileupload', array( UM()->files(), 'ajax_file_upload' ) );
|
||||
add_action( 'wp_ajax_nopriv_um_fileupload', array( UM()->files(), 'ajax_file_upload' ) ); // Enabled files uploading on registration form.
|
||||
add_action( 'wp_ajax_um_fileupload', array( UM()->files(), 'ajax_file_upload' ) );
|
||||
|
||||
add_action( 'wp_ajax_nopriv_um_imageupload', array( UM()->files(), 'ajax_image_upload' ) );
|
||||
add_action( 'wp_ajax_nopriv_um_imageupload', array( UM()->files(), 'ajax_image_upload' ) ); // Enabled image uploading on registration form.
|
||||
add_action( 'wp_ajax_um_imageupload', array( UM()->files(), 'ajax_image_upload' ) );
|
||||
|
||||
add_action( 'wp_ajax_nopriv_um_resize_image', array( UM()->files(), 'ajax_resize_image' ) );
|
||||
add_action( 'wp_ajax_nopriv_um_resize_image', array( UM()->files(), 'ajax_resize_image' ) ); // Enabled image resize on registration form.
|
||||
add_action( 'wp_ajax_um_resize_image', array( UM()->files(), 'ajax_resize_image' ) );
|
||||
|
||||
add_action( 'wp_ajax_nopriv_um_get_members', array( UM()->member_directory(), 'ajax_get_members' ) );
|
||||
|
||||
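Review bot: The comments added to the `wp_ajax_nopriv_*` registrations say uploading is enabled for the registration form but do not record that this is the only mode the anonymous path may serve; the handlers in Files reject `profile` mode when logged out and a non-empty `user_id` in `register` mode, so the invariant lives in a different file and a reader of this list cannot see it. Suggest `// nopriv: serves set_mode=register only (user_id must be empty); the checks live in Files::ajax_file_upload().` and the analogous wording on the image upload and image resize hooks. The run of `add_action` calls starts before this hunk.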
+321
-104
@@ -1,6 +1,8 @@
|
||||
<?php
|
||||
namespace um\core;
|
||||
|
||||
use Exception;
|
||||
|
||||
if ( ! defined( 'ABSPATH' ) ) {
|
||||
exit;
|
||||
}
|
||||
@@ -322,16 +324,86 @@ if ( ! class_exists( 'um\core\Files' ) ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid coordinates', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$key = sanitize_text_field( $_REQUEST['key'] );
|
||||
$coord = sanitize_text_field( $_REQUEST['coord'] );
|
||||
$user_id = empty( $_REQUEST['user_id'] ) ? get_current_user_id() : absint( $_REQUEST['user_id'] );
|
||||
$user_id = empty( $_REQUEST['user_id'] ) ? null : absint( $_REQUEST['user_id'] );
|
||||
if ( $user_id && is_user_logged_in() && ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit this user', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
UM()->fields()->set_id = isset( $_POST['set_id'] ) ? absint( $_POST['set_id'] ) : null;
|
||||
UM()->fields()->set_mode = isset( $_POST['set_mode'] ) ? sanitize_text_field( $_POST['set_mode'] ) : null;
|
||||
if ( $user_id && ! is_user_logged_in() ) {
|
||||
wp_send_json_error( esc_js( __( 'Please login to edit this user', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
if ( 'register' !== UM()->fields()->set_mode && ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = esc_js( __( 'You have no permission to edit this user', 'ultimate-member' ) );
|
||||
wp_send_json_error( $ret );
|
||||
$form_id = isset( $_POST['set_id'] ) ? absint( $_POST['set_id'] ) : null;
|
||||
$mode = isset( $_POST['set_mode'] ) ? sanitize_text_field( $_POST['set_mode'] ) : null;
|
||||
|
||||
UM()->fields()->set_id = $form_id;
|
||||
UM()->fields()->set_mode = $mode;
|
||||
|
||||
if ( ! is_user_logged_in() && 'profile' === $mode ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit user profile', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
if ( null !== $user_id && 'register' === $mode ) {
|
||||
wp_send_json_error( esc_js( __( 'User has to be empty on registration', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$form_post = get_post( $form_id );
|
||||
// Invalid post ID. Maybe post doesn't exist.
|
||||
if ( empty( $form_post ) ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid form ID', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
if ( 'um_form' !== $form_post->post_type ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid form post type', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$form_status = get_post_status( $form_id );
|
||||
if ( 'publish' !== $form_status ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid form status', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$post_data = UM()->query()->post_data( $form_id );
|
||||
if ( ! array_key_exists( 'mode', $post_data ) || $mode !== $post_data['mode'] ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid form type', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
// For profiles only.
|
||||
if ( 'profile' === $mode && ! empty( $post_data['use_custom_settings'] ) && ! empty( $post_data['role'] ) ) {
|
||||
// Option "Apply custom settings to this form". Option "Make this profile form role-specific".
|
||||
// Show the first Profile Form with role selected, don't show profile forms below the page with other role-specific setting.
|
||||
$current_user_roles = UM()->roles()->get_all_user_roles( $user_id );
|
||||
if ( empty( $current_user_roles ) ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit this user through this form', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
if ( is_array( $post_data['role'] ) ) {
|
||||
if ( ! count( array_intersect( $post_data['role'], $current_user_roles ) ) ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit this user through this form', 'ultimate-member' ) ) );
|
||||
}
|
||||
} elseif ( ! in_array( $post_data['role'], $current_user_roles, true ) ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit this user through this form', 'ultimate-member' ) ) );
|
||||
}
|
||||
}
|
||||
|
||||
$key = sanitize_text_field( $_REQUEST['key'] );
|
||||
|
||||
if ( ! array_key_exists( 'custom_fields', $post_data ) || empty( $post_data['custom_fields'] ) ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid form fields', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$custom_fields = maybe_unserialize( $post_data['custom_fields'] );
|
||||
if ( ! is_array( $custom_fields ) || ! array_key_exists( $key, $custom_fields ) ) {
|
||||
if ( ! ( 'profile' === $mode && in_array( $key, array( 'cover_photo', 'profile_photo' ), true ) ) ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid field metakey', 'ultimate-member' ) ) );
|
||||
}
|
||||
}
|
||||
|
||||
if ( empty( $custom_fields[ $key ]['crop'] ) && ! in_array( $key, array( 'cover_photo', 'profile_photo' ), true ) ) {
|
||||
wp_send_json_error( esc_js( __( 'This field doesn\'t support image crop', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
if ( 'profile' === $mode && ! um_can_edit_field( $custom_fields[ $key ] ) ) {
|
||||
wp_send_json_error( esc_js( __( 'You have no permission to edit this field', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$src = esc_url_raw( $_REQUEST['src'] );
|
||||
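Review bot: `um_can_edit_field( $custom_fields[ $key ] )` near the end of the hunk reads an index that the preceding check deliberately allows to be absent: in `profile` mode `cover_photo`/`profile_photo` pass the metakey check even when the key is not in `$custom_fields`, so the call then emits an undefined-index notice and passes `null` to `um_can_edit_field()`. Guard the lookup, e.g. `if ( 'profile' === $mode && array_key_exists( $key, $custom_fields ) && ! um_can_edit_field( $custom_fields[ $key ] ) ) {`, or handle the two photo keys explicitly; `ajax_image_upload()` in the later hunk has the same pattern at its `um_can_edit_field( $custom_fields[ $id ] )` line. Also `$form_id` may be `null` here and, as far as I recall, `get_post( null )` falls back to the global post rather than returning nothing, so an explicit `if ( empty( $form_id ) ) { wp_send_json_error( … ) }` before `get_post()` would make the "Invalid form ID" path deterministic. The enclosing method starts and ends outside this hunk.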
@@ -340,6 +412,8 @@ if ( ! class_exists( 'um\core\Files' ) ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid file ownership', 'ultimate-member' ) ) );
|
||||
}
|
||||
|
||||
$coord = sanitize_text_field( $_REQUEST['coord'] );
|
||||
|
||||
UM()->uploader()->replace_upload_dir = true;
|
||||
|
||||
$output = UM()->uploader()->resize_image( $image_path, $src, $key, $user_id, $coord );
|
||||
@@ -354,166 +428,309 @@ if ( ! class_exists( 'um\core\Files' ) ) {
|
||||
/**
|
||||
* Image upload by AJAX
|
||||
*
|
||||
* @throws \Exception
|
||||
* @throws Exception
|
||||
*/
|
||||
function ajax_image_upload() {
|
||||
public function ajax_image_upload() {
|
||||
$ret['error'] = null;
|
||||
$ret = array();
|
||||
|
||||
$id = sanitize_text_field( $_POST['key'] );
|
||||
$timestamp = absint( $_POST['timestamp'] );
|
||||
$nonce = sanitize_text_field( $_POST['_wpnonce'] );
|
||||
$user_id = empty( $_POST['user_id'] ) ? get_current_user_id() : absint( $_POST['user_id'] );
|
||||
|
||||
UM()->fields()->set_id = absint( $_POST['set_id'] );
|
||||
UM()->fields()->set_mode = sanitize_key( $_POST['set_mode'] );
|
||||
|
||||
if ( UM()->fields()->set_mode != 'register' && ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = __( 'You have no permission to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
$ret = array();
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
* Filters image upload checking nonce.
|
||||
*
|
||||
* @type filter
|
||||
* @title um_image_upload_nonce
|
||||
* @description Change Image Upload nonce
|
||||
* @input_vars
|
||||
* [{"var":"$nonce","type":"bool","desc":"Nonce"}]
|
||||
* @change_log
|
||||
* ["Since: 2.0"]
|
||||
* @usage
|
||||
* <?php add_filter( 'um_image_upload_nonce', 'function_name', 10, 1 ); ?>
|
||||
* @example
|
||||
* <?php
|
||||
* add_filter( 'um_image_upload_nonce', 'my_image_upload_nonce', 10, 1 );
|
||||
* function my_image_upload_nonce( $nonce ) {
|
||||
* @param {bool} $verify_nonce Verify nonce marker. Default true.
|
||||
*
|
||||
* @return {bool} Verify nonce marker.
|
||||
*
|
||||
* @since 1.3.x
|
||||
* @hook um_image_upload_nonce
|
||||
*
|
||||
* @example <caption>Disable checking nonce on image upload.</caption>
|
||||
* function my_image_upload_nonce( $verify_nonce ) {
|
||||
* // your code here
|
||||
* return $nonce;
|
||||
* $verify_nonce = false;
|
||||
* return $verify_nonce;
|
||||
* }
|
||||
* ?>
|
||||
* add_filter( 'um_image_upload_nonce', 'my_image_upload_nonce' );
|
||||
*/
|
||||
$um_image_upload_nonce = apply_filters( 'um_image_upload_nonce', true );
|
||||
|
||||
if ( $um_image_upload_nonce ) {
|
||||
$timestamp = absint( $_POST['timestamp'] );
|
||||
$nonce = sanitize_text_field( $_POST['_wpnonce'] );
|
||||
if ( ! wp_verify_nonce( $nonce, "um_upload_nonce-{$timestamp}" ) && is_user_logged_in() ) {
|
||||
// This nonce is not valid.
|
||||
$ret['error'] = __( 'Invalid nonce', 'ultimate-member' );
|
||||
$ret['error'] = esc_html__( 'Invalid nonce', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
}
|
||||
|
||||
$user_id = empty( $_POST['user_id'] ) ? null : absint( $_POST['user_id'] );
|
||||
if ( $user_id && is_user_logged_in() && ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( $user_id && ! is_user_logged_in() ) {
|
||||
$ret['error'] = esc_html__( 'Please login to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$form_id = absint( $_POST['set_id'] );
|
||||
$mode = sanitize_key( $_POST['set_mode'] );
|
||||
|
||||
UM()->fields()->set_id = $form_id;
|
||||
UM()->fields()->set_mode = $mode;
|
||||
|
||||
if ( ! is_user_logged_in() && 'profile' === $mode ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit user profile', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( null !== $user_id && 'register' === $mode ) {
|
||||
$ret['error'] = esc_html__( 'User has to be empty on registration', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$form_post = get_post( $form_id );
|
||||
// Invalid post ID. Maybe post doesn't exist.
|
||||
if ( empty( $form_post ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form ID', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( 'um_form' !== $form_post->post_type ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form post type', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$form_status = get_post_status( $form_id );
|
||||
if ( 'publish' !== $form_status ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form status', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$post_data = UM()->query()->post_data( $form_id );
|
||||
if ( ! array_key_exists( 'mode', $post_data ) || $mode !== $post_data['mode'] ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form type', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
// For profiles only.
|
||||
if ( 'profile' === $mode && ! empty( $post_data['use_custom_settings'] ) && ! empty( $post_data['role'] ) ) {
|
||||
// Option "Apply custom settings to this form". Option "Make this profile form role-specific".
|
||||
// Show the first Profile Form with role selected, don't show profile forms below the page with other role-specific setting.
|
||||
$current_user_roles = UM()->roles()->get_all_user_roles( $user_id );
|
||||
if ( empty( $current_user_roles ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( is_array( $post_data['role'] ) ) {
|
||||
if ( ! count( array_intersect( $post_data['role'], $current_user_roles ) ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
} elseif ( ! in_array( $post_data['role'], $current_user_roles, true ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
}
|
||||
|
||||
$id = sanitize_text_field( $_POST['key'] );
|
||||
|
||||
if ( ! array_key_exists( 'custom_fields', $post_data ) || empty( $post_data['custom_fields'] ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form fields', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$custom_fields = maybe_unserialize( $post_data['custom_fields'] );
|
||||
if ( ! is_array( $custom_fields ) || ! array_key_exists( $id, $custom_fields ) ) {
|
||||
if ( ! ( 'profile' === $mode && in_array( $id, array( 'cover_photo', 'profile_photo' ), true ) ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid field metakey', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
}
|
||||
|
||||
if ( 'profile' === $mode && ! um_can_edit_field( $custom_fields[ $id ] ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this field', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( isset( $_FILES[ $id ]['name'] ) ) {
|
||||
|
||||
if ( ! is_array( $_FILES[ $id ]['name'] ) ) {
|
||||
|
||||
UM()->uploader()->replace_upload_dir = true;
|
||||
|
||||
$uploaded = UM()->uploader()->upload_image( $_FILES[ $id ], $user_id, $id );
|
||||
|
||||
UM()->uploader()->replace_upload_dir = false;
|
||||
|
||||
if ( isset( $uploaded['error'] ) ) {
|
||||
$ret['error'] = $uploaded['error'];
|
||||
} else {
|
||||
$ret[] = $uploaded['handle_upload'];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
} else {
|
||||
$ret['error'] = __( 'A theme or plugin compatibility issue', 'ultimate-member' );
|
||||
$ret['error'] = esc_html__( 'A theme or plugin compatibility issue', 'ultimate-member' );
|
||||
}
|
||||
|
||||
wp_send_json_success( $ret );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* File upload by AJAX
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
function ajax_file_upload() {
|
||||
public function ajax_file_upload() {
|
||||
$ret['error'] = null;
|
||||
$ret = array();
|
||||
|
||||
/* commented for enable download files on registration form
|
||||
* if ( ! is_user_logged_in() ) {
|
||||
$ret['error'] = 'Invalid user';
|
||||
die( json_encode( $ret ) );
|
||||
}*/
|
||||
|
||||
$nonce = sanitize_text_field( $_POST['_wpnonce'] );
|
||||
$id = sanitize_text_field( $_POST['key'] );
|
||||
$timestamp = absint( $_POST['timestamp'] );
|
||||
|
||||
UM()->fields()->set_id = absint( $_POST['set_id'] );
|
||||
UM()->fields()->set_mode = sanitize_key( $_POST['set_mode'] );
|
||||
$ret = array();
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
* Filters file upload checking nonce.
|
||||
*
|
||||
* @type filter
|
||||
* @title um_file_upload_nonce
|
||||
* @description Change File Upload nonce
|
||||
* @input_vars
|
||||
* [{"var":"$nonce","type":"bool","desc":"Nonce"}]
|
||||
* @change_log
|
||||
* ["Since: 2.0"]
|
||||
* @usage
|
||||
* <?php add_filter( 'um_file_upload_nonce', 'function_name', 10, 1 ); ?>
|
||||
* @example
|
||||
* <?php
|
||||
* add_filter( 'um_file_upload_nonce', 'my_file_upload_nonce', 10, 1 );
|
||||
* function my_file_upload_nonce( $nonce ) {
|
||||
* @param {bool} $verify_nonce Verify nonce marker. Default true.
|
||||
*
|
||||
* @return {bool} Verify nonce marker.
|
||||
*
|
||||
* @since 1.3.x
|
||||
* @hook um_file_upload_nonce
|
||||
*
|
||||
* @example <caption>Disable checking nonce on file upload.</caption>
|
||||
* function my_file_upload_nonce( $verify_nonce ) {
|
||||
* // your code here
|
||||
* return $nonce;
|
||||
* $verify_nonce = false;
|
||||
* return $verify_nonce;
|
||||
* }
|
||||
* ?>
|
||||
* add_filter( 'um_file_upload_nonce', 'my_file_upload_nonce' );
|
||||
*/
|
||||
$um_file_upload_nonce = apply_filters("um_file_upload_nonce", true );
|
||||
$um_file_upload_nonce = apply_filters( 'um_file_upload_nonce', true );
|
||||
if ( $um_file_upload_nonce ) {
|
||||
$nonce = sanitize_text_field( $_POST['_wpnonce'] );
|
||||
$timestamp = absint( $_POST['timestamp'] );
|
||||
|
||||
if ( $um_file_upload_nonce ) {
|
||||
if ( ! wp_verify_nonce( $nonce, 'um_upload_nonce-'.$timestamp ) && is_user_logged_in() ) {
|
||||
if ( ! wp_verify_nonce( $nonce, 'um_upload_nonce-' . $timestamp ) && is_user_logged_in() ) {
|
||||
// This nonce is not valid.
|
||||
$ret['error'] = 'Invalid nonce';
|
||||
$ret['error'] = esc_html__( 'Invalid nonce', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
$user_id = empty( $_POST['user_id'] ) ? null : absint( $_POST['user_id'] );
|
||||
if ( $user_id && is_user_logged_in() && ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if( isset( $_FILES[ $id ]['name'] ) ) {
|
||||
if ( $user_id && ! is_user_logged_in() ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( ! is_array( $_FILES[ $id ]['name'] ) ) {
|
||||
$form_id = absint( $_POST['set_id'] );
|
||||
$mode = sanitize_key( $_POST['set_mode'] );
|
||||
|
||||
$user_id = absint( $_POST['user_id'] );
|
||||
UM()->fields()->set_id = $form_id;
|
||||
UM()->fields()->set_mode = $mode;
|
||||
|
||||
UM()->uploader()->replace_upload_dir = true;
|
||||
$uploaded = UM()->uploader()->upload_file( $_FILES[ $id ], $user_id, $id );
|
||||
UM()->uploader()->replace_upload_dir = false;
|
||||
if ( isset( $uploaded['error'] ) ){
|
||||
if ( ! is_user_logged_in() && 'profile' === $mode ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$ret['error'] = $uploaded['error'];
|
||||
if ( null !== $user_id && 'register' === $mode ) {
|
||||
$ret['error'] = esc_html__( 'User has to be empty on registration', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
} else {
|
||||
$form_post = get_post( $form_id );
|
||||
// Invalid post ID. Maybe post doesn't exist.
|
||||
if ( empty( $form_post ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form ID', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$uploaded_file = $uploaded['handle_upload'];
|
||||
$ret['url'] = $uploaded_file['file_info']['name'];
|
||||
$ret['icon'] = UM()->files()->get_fonticon_by_ext( $uploaded_file['file_info']['ext'] );
|
||||
$ret['icon_bg'] = UM()->files()->get_fonticon_bg_by_ext( $uploaded_file['file_info']['ext'] );
|
||||
$ret['filename'] = $uploaded_file['file_info']['basename'];
|
||||
$ret['original_name'] = $uploaded_file['file_info']['original_name'];
|
||||
if ( 'um_form' !== $form_post->post_type ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form post type', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$form_status = get_post_status( $form_id );
|
||||
if ( 'publish' !== $form_status ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form status', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$post_data = UM()->query()->post_data( $form_id );
|
||||
if ( ! array_key_exists( 'mode', $post_data ) || $mode !== $post_data['mode'] ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form type', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
// For profiles only.
|
||||
if ( 'profile' === $mode && ! empty( $post_data['use_custom_settings'] ) && ! empty( $post_data['role'] ) ) {
|
||||
// Option "Apply custom settings to this form". Option "Make this profile form role-specific".
|
||||
// Show the first Profile Form with role selected, don't show profile forms below the page with other role-specific setting.
|
||||
$current_user_roles = UM()->roles()->get_all_user_roles( $user_id );
|
||||
if ( empty( $current_user_roles ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( is_array( $post_data['role'] ) ) {
|
||||
if ( ! count( array_intersect( $post_data['role'], $current_user_roles ) ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
} elseif ( ! in_array( $post_data['role'], $current_user_roles, true ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this user through this form', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
} else {
|
||||
$ret['error'] = __('A theme or plugin compatibility issue','ultimate-member');
|
||||
}
|
||||
|
||||
$id = sanitize_text_field( $_POST['key'] );
|
||||
|
||||
if ( ! array_key_exists( 'custom_fields', $post_data ) || empty( $post_data['custom_fields'] ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid form fields', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$custom_fields = maybe_unserialize( $post_data['custom_fields'] );
|
||||
if ( ! is_array( $custom_fields ) || ! array_key_exists( $id, $custom_fields ) ) {
|
||||
$ret['error'] = esc_html__( 'Invalid field metakey', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( 'profile' === $mode && ! um_can_edit_field( $custom_fields[ $id ] ) ) {
|
||||
$ret['error'] = esc_html__( 'You have no permission to edit this field', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
if ( isset( $_FILES[ $id ]['name'] ) ) {
|
||||
if ( ! is_array( $_FILES[ $id ]['name'] ) ) {
|
||||
UM()->uploader()->replace_upload_dir = true;
|
||||
|
||||
$uploaded = UM()->uploader()->upload_file( $_FILES[ $id ], $user_id, $id );
|
||||
|
||||
UM()->uploader()->replace_upload_dir = false;
|
||||
|
||||
if ( isset( $uploaded['error'] ) ) {
|
||||
$ret['error'] = $uploaded['error'];
|
||||
} else {
|
||||
$uploaded_file = $uploaded['handle_upload'];
|
||||
$ret['url'] = $uploaded_file['file_info']['name'];
|
||||
$ret['icon'] = UM()->files()->get_fonticon_by_ext( $uploaded_file['file_info']['ext'] );
|
||||
$ret['icon_bg'] = UM()->files()->get_fonticon_bg_by_ext( $uploaded_file['file_info']['ext'] );
|
||||
$ret['filename'] = $uploaded_file['file_info']['basename'];
|
||||
$ret['original_name'] = $uploaded_file['file_info']['original_name'];
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$ret['error'] = esc_html__( 'A theme or plugin compatibility issue', 'ultimate-member' );
|
||||
}
|
||||
|
||||
wp_send_json_success( $ret );
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Allowed image types
|
||||
*
|
||||
|
||||
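Review bot: `$form_id = absint( $_POST['set_id'] );`, `$mode = sanitize_key( $_POST['set_mode'] );` and the `$_POST['key']`, `$_POST['_wpnonce']` and `$_POST['timestamp']` reads in both `ajax_image_upload()` and `ajax_file_upload()` dereference request keys without `isset()`, unlike the resize handler changed in this same commit, so a request missing them emits PHP notices before validation rejects it. Use the same shape as the resize handler, e.g. `$form_id = isset( $_POST['set_id'] ) ? absint( $_POST['set_id'] ) : 0;` and `$mode = isset( $_POST['set_mode'] ) ? sanitize_key( $_POST['set_mode'] ) : '';`, and reject empty values before `get_post()`. Separately, both nonce checks are still gated on the user being logged in (`! wp_verify_nonce( … ) && is_user_logged_in()`), so the anonymous registration path accepts any `_wpnonce`; WordPress nonces also work for logged-out sessions, so if that gating is intentional it deserves a comment saying why, otherwise dropping the `&& is_user_logged_in()` part closes the gap.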
@@ -250,7 +250,7 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
require_once( ABSPATH . 'wp-admin/includes/plugin.php' );
|
||||
require_once ABSPATH . 'wp-admin/includes/plugin.php';
|
||||
|
||||
$api_params = array(
|
||||
'edd_action' => 'check_licenses',
|
||||
|
||||
@@ -3,6 +3,8 @@ namespace um\core;
|
||||
|
||||
|
||||
// Exit if accessed directly
|
||||
use Exception;
|
||||
|
||||
if ( ! defined( 'ABSPATH' ) ) exit;
|
||||
|
||||
|
||||
@@ -300,13 +302,13 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
* @since 2.0.22
|
||||
*
|
||||
* @return array
|
||||
* @throws \Exception
|
||||
* @throws Exception
|
||||
*/
|
||||
public function upload_image( $uploadedfile, $user_id = null, $field_key = '', $upload_type = 'stream_photo' ) {
|
||||
$response = array();
|
||||
|
||||
if ( ! function_exists( 'wp_handle_upload' ) ) {
|
||||
require_once( ABSPATH . 'wp-admin/includes/file.php' );
|
||||
require_once ABSPATH . 'wp-admin/includes/file.php';
|
||||
}
|
||||
|
||||
if ( empty( $field_key ) ) {
|
||||
@@ -323,7 +325,7 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
$this->user_id = $user_id;
|
||||
}
|
||||
|
||||
if ( in_array( $field_key, array( 'profile_photo', 'cover_photo' ) ) ) {
|
||||
if ( in_array( $field_key, array( 'profile_photo', 'cover_photo' ), true ) ) {
|
||||
$this->upload_image_type = $field_key;
|
||||
}
|
||||
|
||||
@@ -510,19 +512,20 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
/**
|
||||
* Upload Files
|
||||
*
|
||||
* @since 2.0.22
|
||||
*
|
||||
* @param $uploadedfile
|
||||
* @param int|null $user_id
|
||||
* @param string $field_key
|
||||
*
|
||||
* @since 2.0.22
|
||||
*
|
||||
* @return array
|
||||
* @throws Exception
|
||||
*/
|
||||
public function upload_file( $uploadedfile, $user_id = null, $field_key = '' ) {
|
||||
$response = array();
|
||||
|
||||
if ( ! function_exists( 'wp_handle_upload' ) ) {
|
||||
require_once( ABSPATH . 'wp-admin/includes/file.php' );
|
||||
require_once ABSPATH . 'wp-admin/includes/file.php';
|
||||
}
|
||||
|
||||
$this->field_key = $field_key;
|
||||
@@ -535,19 +538,19 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
|
||||
$field_data = UM()->fields()->get_field( $field_key );
|
||||
|
||||
$field_allowed_file_types = explode(",", $field_data['allowed_types'] );
|
||||
$field_allowed_file_types = explode( ',', $field_data['allowed_types'] );
|
||||
|
||||
$allowed_file_mimes = array();
|
||||
|
||||
foreach ( $field_allowed_file_types as $a ) {
|
||||
$atype = wp_check_filetype( "test.{$a}" );
|
||||
$atype = wp_check_filetype( "test.{$a}" );
|
||||
$allowed_file_mimes[ $atype['ext'] ] = $atype['type'];
|
||||
}
|
||||
|
||||
$upload_overrides = array(
|
||||
'test_form' => false,
|
||||
'mimes' => apply_filters( 'um_uploader_allowed_file_mimes', $allowed_file_mimes ),
|
||||
'unique_filename_callback' => array( $this, 'unique_filename' ),
|
||||
'test_form' => false,
|
||||
'mimes' => apply_filters( 'um_uploader_allowed_file_mimes', $allowed_file_mimes ),
|
||||
'unique_filename_callback' => array( $this, 'unique_filename' ),
|
||||
);
|
||||
|
||||
$upload_overrides = apply_filters( "um_file_upload_handler_overrides__{$field_key}", $upload_overrides );
|
||||
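Review bot: The loop over `$field_allowed_file_types` feeds each raw entry into `wp_check_filetype( "test.{$a}" )` and stores the result keyed by `$atype['ext']`; an entry with surrounding whitespace (e.g. `jpg, png`) or an unknown extension yields `ext => false`, which becomes an `'' => false` entry in the `mimes` override handed to the upload handler. Trim and skip unresolved entries: `$atype = wp_check_filetype( 'test.' . trim( $a ) );` followed by `if ( empty( $atype['ext'] ) ) { continue; }` before the assignment, so the allow-list only ever contains extensions WordPress recognises. `upload_file()` starts in the previous hunk and continues past this one.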
@@ -556,9 +559,9 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
|
||||
if ( isset( $movefile['error'] ) ) {
|
||||
/*
|
||||
* Error generated by _wp_handle_upload()
|
||||
* @see _wp_handle_upload() in wp-admin/includes/file.php
|
||||
*/
|
||||
* Error generated by _wp_handle_upload()
|
||||
* @see _wp_handle_upload() in wp-admin/includes/file.php
|
||||
*/
|
||||
$response['error'] = $movefile['error'];
|
||||
} else {
|
||||
|
||||
@@ -574,7 +577,6 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
$movefile['file_info']['size'] = filesize( $movefile['file'] );
|
||||
$movefile['file_info']['size_format'] = size_format( $movefile['file_info']['size'] );
|
||||
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
*
|
||||
@@ -690,7 +692,7 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
$error = null;
|
||||
|
||||
if ( ! function_exists( 'wp_get_image_editor' ) ) {
|
||||
require_once( ABSPATH . 'wp-admin/includes/media.php' );
|
||||
require_once ABSPATH . 'wp-admin/includes/media.php';
|
||||
}
|
||||
|
||||
$image = wp_get_image_editor( $file );
|
||||
@@ -814,7 +816,7 @@ if ( ! class_exists( 'um\core\Uploader' ) ) {
|
||||
$error = null;
|
||||
|
||||
if ( ! function_exists( 'wp_get_image_editor' ) ) {
|
||||
require_once( ABSPATH . 'wp-admin/includes/media.php' );
|
||||
require_once ABSPATH . 'wp-admin/includes/media.php';
|
||||
}
|
||||
|
||||
$file_type = wp_check_filetype( $file );
|
||||
|
||||