- removed Instagram extension from marketing pages;

- fixed a security flaw with the non-editable roles field;
nikitasinelnikov
2020-10-05 23:21:40 +03:00
parent e26a6a33ab
commit fa3c4f4b9e
4 changed files with 32 additions and 11 deletions
-6
@@ -66,12 +66,6 @@ $premium['social-login'] = array(
'desc' => 'Let users register & login to your site via Facebook, Twitter, G+, LinkedIn, and more',
);
$premium['instagram'] = array(
'url' => 'https://ultimatemember.com/extensions/instagram/',
'name' => 'Instagram',
'desc' => 'Allow users to show their Instagram photos on their profile',
);
$premium['user-tags'] = array(
'url' => 'https://ultimatemember.com/extensions/user-tags/',
'name' => 'User Tags',
+4
@@ -616,6 +616,10 @@ if ( ! class_exists( 'um\core\Form' ) ) {
continue;
}
if ( ! um_can_view_field( $field_settings ) ) {
continue;
}
$intersected_options = array();
foreach ( $field_settings['options'] as $key => $title ) {
if ( false !== $search_key = array_search( $title, $roles ) ) {
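Review bot: The added `um_can_view_field( $field_settings )` guard has no comment, although it reads as a security check rather than a display one: the loop directly below intersects the field's options with `$roles`, so a role field hidden from the current user would apparently still contribute selectable roles without it. I would put `// Security: skip role fields the current user cannot view; their options must not count as selectable roles.` above the guard. The `array_search( $title, $roles )` on the following line compares loosely, and passing `true` as the third argument would rule out type-juggled matches. The enclosing loop and method start and end outside the hunk.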
+27 -3
@@ -367,7 +367,9 @@ function um_user_edit_profile( $args ) {
$to_update[ $description_key ] = $args['submitted'][ $description_key ];
}
if ( is_admin() || ( ! is_admin() && ( isset( $fields['role'] ) || isset( $fields['role_select'] ) || isset( $fields['role_radio'] ) ) ) ) { // Secure selected role
// Secure selected role
if ( is_admin() ) {
if ( ! empty( $args['submitted']['role'] ) ) {
global $wp_roles;
@@ -383,6 +385,27 @@ function um_user_edit_profile( $args ) {
$args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
}
} else {
if ( ( isset( $fields['role'] ) && $fields['role']['editable'] != 0 && um_can_view_field( $fields['role'] ) ) ||
( isset( $fields['role_select'] ) && $fields['role_select']['editable'] != 0 && um_can_view_field( $fields['role_select'] ) ) ||
( isset( $fields['role_radio'] ) ) && $fields['role_radio']['editable'] != 0 && um_can_view_field( $fields['role_radio'] ) ) {
if ( ! empty( $args['submitted']['role'] ) ) {
global $wp_roles;
$role_keys = array_map( function( $item ) {
return 'um_' . $item;
}, get_option( 'um_roles' ) );
$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
if ( ! in_array( $args['submitted']['role'], $exclude_roles ) ) {
$to_update['role'] = $args['submitted']['role'];
}
$args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
}
}
}
/**
@@ -545,8 +568,9 @@ add_action( 'um_user_edit_profile', 'um_user_edit_profile', 10 );
* @param array $post_form
*/
function um_profile_validate_nonce( $post_form ) {
$user_id = isset( $post_form['user_id'] ) ? $post_form['user_id'] : '';
$nonce = isset( $post_form['profile_nonce'] ) ? $post_form['profile_nonce'] : '';
if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'um-profile-nonce' ) ) {
if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'um-profile-nonce' . $user_id ) ) {
wp_die( __( 'This is not possible for security reasons.', 'ultimate-member' ) );
}
}
@@ -597,7 +621,7 @@ function um_editing_user_id_input( $args ) {
if ( UM()->fields()->editing == 1 && UM()->fields()->set_mode == 'profile' && UM()->user()->target_id ) { ?>
<input type="hidden" name="user_id" id="user_id" value="<?php echo esc_attr( UM()->user()->target_id ); ?>" />
<input type="hidden" name="profile_nonce" id="profile_nonce" value="<?php echo esc_attr( wp_create_nonce( 'um-profile-nonce' ) ); ?>" />
<input type="hidden" name="profile_nonce" id="profile_nonce" value="<?php echo esc_attr( wp_create_nonce( 'um-profile-nonce' . UM()->user()->target_id ) ); ?>" />
<?php }
}
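Review bot: In the new non-admin branch of um_user_edit_profile, the submitted role is rejected only when it appears in `$exclude_roles` (every WordPress role that is neither `subscriber` nor a `um_`-prefixed role), so any Ultimate Member role is accepted even when the form's role field does not offer it. The editable/visible test on `$fields['role']`, `$fields['role_select']` and `$fields['role_radio']` shows that a usable role field exists, but `$args['submitted']['role']` is never compared with that field's own `options`; an allow-list built from those options would close the gap. The membership test should also be strict, `if ( ! in_array( $args['submitted']['role'], $exclude_roles, true ) ) {`, and `get_option( 'um_roles' )` returns false when the option is absent, so `get_option( 'um_roles', array() )` is the safer input to `array_map()`. The third condition closes its parenthesis right after `isset( $fields['role_radio'] )`, unlike the first two; operator precedence keeps the result the same, but it should be written like the others. The body of um_user_edit_profile begins and ends outside these hunks.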
+1 -2
@@ -7,7 +7,7 @@ Tags: community, member, membership, user-profile, user-registration
Requires PHP: 5.6
Requires at least: 5.0
Tested up to: 5.5.1
Stable tag: 2.1.10
Stable tag: 2.1.11
License: GNU Version 2 or Any Later Version
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -50,7 +50,6 @@ Ultimate Member has a range of extensions that allow you to extend the power of
* [User Photos](https://ultimatemember.com/extensions/user-photos/) - Allow users to upload photos to their profile
* [Groups](https://ultimatemember.com/extensions/groups/) - Allow users to create and join groups around shared topics, interests etc.
* [Private Content](https://ultimatemember.com/extensions/private-content/) - Display private content to logged in users that only they can access
* [Instagram](https://ultimatemember.com/extensions/instagram/) - Allow users to show their Instagram photos on their profile
* [User Tags](https://ultimatemember.com/extensions/user-tags/) - Lets you add a user tag system to your website
* [Social Activity](https://ultimatemember.com/extensions/social-activity/) - Let users create public wall posts & see the activity of other users
* [WooCommerce](https://ultimatemember.com/extensions/woocommerce/) - Allow you to integrate WooCommerce with Ultimate Member