From e838ac57126589cd2b7b0554b0cef6e09f390c75 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Wed, 26 Apr 2023 22:11:28 +0300
Subject: [PATCH] - added wpnonce attribute for duplicate UM Form link;
---
 includes/admin/class-admin.php | 42 ++++++++++++---------
 includes/admin/core/class-admin-columns.php | 16 +++++---
 2 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/includes/admin/class-admin.php b/includes/admin/class-admin.php
index 0e59a9fb..b6c7bbaf 100644
--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -1746,48 +1746,55 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
 *
 * @param $action
 */
- function duplicate_form( $action ) {
- if ( ! is_admin() || ! current_user_can('manage_options') ) {
+ public function duplicate_form( $action ) {
+ if ( ! is_admin() || ! current_user_can( 'manage_options' ) ) {
 die();
 }
- if ( ! isset( $_REQUEST['post_id'] ) || ! is_numeric( $_REQUEST['post_id'] ) ) {
+
+ if ( empty( $_REQUEST['post_id'] ) || empty( $_REQUEST['nonce'] ) || ! wp_verify_nonce( $_REQUEST['nonce'], "um-duplicate_form{$_REQUEST['post_id']}" ) ) {
+ die();
+ }
+
+ if ( ! is_numeric( $_REQUEST['post_id'] ) ) {
 die();
 }
 $post_id = absint( $_REQUEST['post_id'] );
 $n = array(
- 'post_type' => 'um_form',
- 'post_title' => sprintf( __( 'Duplicate of %s', 'ultimate-member' ), get_the_title( $post_id ) ),
- 'post_status' => 'publish',
- 'post_author' => get_current_user_id(),
+ 'post_type' => 'um_form',
+ // translators: %s - Form title
+ 'post_title' => sprintf( __( 'Duplicate of %s', 'ultimate-member' ), get_the_title( $post_id ) ),
+ 'post_status' => 'publish',
+ 'post_author' => get_current_user_id(),
 );
 $n_id = wp_insert_post( $n );
 $n_fields = get_post_custom( $post_id );
 foreach ( $n_fields as $key => $value ) {
-
- if ( $key == '_um_custom_fields' ) {
- $the_value = unserialize( $value[0] );
+ if ( '_um_custom_fields' === $key ) {
+ $the_value = maybe_unserialize( $value[0] );
 } else {
 $the_value = $value[0];
 }
 update_post_meta( $n_id, $key, $the_value );
-
 }
 delete_post_meta( $n_id, '_um_core' );
- $url = admin_url( 'edit.php?post_type=um_form' );
- $url = add_query_arg( 'update', 'form_duplicated', $url );
-
- exit( wp_redirect( $url ) );
-
+ $url = add_query_arg(
+ array(
+ 'post_type' => 'um_form',
+ 'update' => 'form_duplicated',
+ ),
+ admin_url( 'edit.php' )
+ );
+ wp_safe_redirect( $url );
+ exit;
 }
-
 /**
 * Action to hide notices in admin
 *
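Review bot: The new `if ( empty( $_REQUEST['post_id'] ) || empty( $_REQUEST['nonce'] ) || ! wp_verify_nonce( ... ) )` guard feeds the raw request values into `wp_verify_nonce()` and builds the action string from `post_id` before the `is_numeric()` check that only runs on the next line. Computing `$post_id = absint( $_REQUEST['post_id'] )` first and using `"um-duplicate_form{$post_id}"` keeps the action string derived from the same integer id that `wp_create_nonce()` in class-admin-columns.php uses, and reading the nonce through `sanitize_key( wp_unslash( $_REQUEST['nonce'] ) )` matches the WordPress coding standards the rest of the hunk now adopts (spacing, Yoda conditions). With `absint()` done up front the separate `is_numeric()` block collapses into the same guard, so the function has one place that rejects the request. The docblock of duplicate_form starts before the hunk.

```php
		// … unchanged: is_admin() / current_user_can( 'manage_options' ) guard …
		$post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
		$nonce   = isset( $_REQUEST['nonce'] ) ? sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ) : '';
		// Action string must match the one wp_create_nonce() builds in Admin_Columns::duplicate_uri().
		if ( ! $post_id || ! wp_verify_nonce( $nonce, "um-duplicate_form{$post_id}" ) ) {
			die();
		}
		// … unchanged: wp_insert_post(), meta copy, redirect …
```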
@@ -1802,7 +1809,6 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
 exit( wp_redirect( remove_query_arg( 'um_adm_action' ) ) );
 }
-
 /**
 * Various user actions
 *
diff --git a/includes/admin/core/class-admin-columns.php b/includes/admin/core/class-admin-columns.php
index 548fc74e..55a65adb 100644
--- a/includes/admin/core/class-admin-columns.php
+++ b/includes/admin/core/class-admin-columns.php
@@ -104,7 +104,6 @@ if ( ! class_exists( 'um\admin\core\Admin_Columns' ) ) {
 return $actions;
 }
-
 /**
 * Duplicate a form
 *
@@ -112,13 +111,20 @@ if ( ! class_exists( 'um\admin\core\Admin_Columns' ) ) {
 *
 * @return string
 */
- function duplicate_uri( $id ) {
- $url = add_query_arg('um_adm_action', 'duplicate_form', admin_url('edit.php?post_type=um_form') );
- $url = add_query_arg('post_id', $id, $url);
+ private function duplicate_uri( $id ) {
+ $url = add_query_arg(
+ array(
+ 'post_type' => 'um_form',
+ 'um_adm_action' => 'duplicate_form',
+ 'post_id' => $id,
+ 'nonce' => wp_create_nonce( "um-duplicate_form{$id}" ),
+ ),
+ admin_url( 'edit.php' )
+ );
+ return $url;
 }
-
 /**
 * Custom columns for Form
 *
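Review bot: The action string in the new `'nonce' => wp_create_nonce( "um-duplicate_form{$id}" ),` line has to stay byte-identical to the string `wp_verify_nonce()` compares against in class-admin.php, and nothing in either file ties the two literals together, so a later edit to one side silently breaks the duplicate link. A comment beside it such as `// Must match the wp_verify_nonce() action in Admin::duplicate_form().` makes the coupling visible; a shared class constant for the prefix would be stronger. Changing the method to `private` is also a visibility change that breaks any caller outside this class, which the commit message does not mention, so it is worth confirming no other code called `duplicate_uri()`. The method's docblock starts before the hunk.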