From fa3c4f4b9e07a5be82d9c6dabd71bc096a03ecfe Mon Sep 17 00:00:00 2001
From: nikitasinelnikov
Date: Mon, 5 Oct 2020 23:21:40 +0300
Subject: [PATCH] - removed Instagram extension from marketing pages; - fixed security lack with not editable roles field;
---
 includes/admin/templates/extensions.php | 6 -----
 includes/core/class-form.php | 4 ++++
 includes/core/um-actions-profile.php | 30 ++++++++++++++++++++++---
 readme.txt | 3 +--
 4 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/includes/admin/templates/extensions.php b/includes/admin/templates/extensions.php
index 51496429..1a0522ec 100644
--- a/includes/admin/templates/extensions.php
+++ b/includes/admin/templates/extensions.php
@@ -66,12 +66,6 @@ $premium['social-login'] = array(
 'desc' => 'Let users register & login to your site via Facebook, Twitter, G+, LinkedIn, and more',
 );
 
-$premium['instagram'] = array(
-'url' => 'https://ultimatemember.com/extensions/instagram/',
-'name' => 'Instagram',
-'desc' => 'Allow users to show their Instagram photos on their profile',
-);
-
 $premium['user-tags'] = array(
 'url' => 'https://ultimatemember.com/extensions/user-tags/',
 'name' => 'User Tags',
diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index 18f9347b..d6ce1244 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -616,6 +616,10 @@ if ( ! class_exists( 'um\core\Form' ) ) {
 continue;
 }
 
+if ( ! um_can_view_field( $field_settings ) ) {
+continue;
+}
+
 $intersected_options = array();
 foreach ( $field_settings['options'] as $key => $title ) {
 if ( false !== $search_key = array_search( $title, $roles ) ) {
diff --git a/includes/core/um-actions-profile.php b/includes/core/um-actions-profile.php
index bec1d452..d41d35c2 100644
--- a/includes/core/um-actions-profile.php
+++ b/includes/core/um-actions-profile.php
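Review bot: The new `if ( ! um_can_view_field( $field_settings ) )` guard in class-form.php skips role fields on view permission alone and ignores the field's `editable` flag, whereas the companion change in um-actions-profile.php in this same commit accepts a submitted role only when the field is both viewable and `editable != 0`. If this loop is the validation counterpart for the submitted role (the enclosing method starts and ends outside the hunk, so this is inferred from `$intersected_options` and the `$roles` lookup), the two places should apply the same test, e.g. `if ( ! um_can_view_field( $field_settings ) || empty( $field_settings['editable'] ) ) { continue; }`. If visibility alone is the intended criterion here, a one-line comment on the guard saying why (for instance `// Hidden role fields are never validated against the submission; editability is enforced in um_user_edit_profile()`) would stop the next reader from treating the mismatch as a bug.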
@@ -367,7 +367,9 @@ function um_user_edit_profile( $args ) {
 $to_update[ $description_key ] = $args['submitted'][ $description_key ];
 }
 
-if ( is_admin() || ( ! is_admin() && ( isset( $fields['role'] ) || isset( $fields['role_select'] ) || isset( $fields['role_radio'] ) ) ) ) { // Secure selected role
+
+// Secure selected role
+if ( is_admin() ) {
 if ( ! empty( $args['submitted']['role'] ) ) {
 global $wp_roles;
 
@@ -383,6 +385,27 @@ function um_user_edit_profile( $args ) {
 $args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
 }
+} else {
+
+if ( ( isset( $fields['role'] ) && $fields['role']['editable'] != 0 && um_can_view_field( $fields['role'] ) ) ||
+( isset( $fields['role_select'] ) && $fields['role_select']['editable'] != 0 && um_can_view_field( $fields['role_select'] ) ) ||
+( isset( $fields['role_radio'] ) ) && $fields['role_radio']['editable'] != 0 && um_can_view_field( $fields['role_radio'] ) ) {
+
+if ( ! empty( $args['submitted']['role'] ) ) {
+global $wp_roles;
+$role_keys = array_map( function( $item ) {
+return 'um_' . $item;
+}, get_option( 'um_roles' ) );
+$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
+
+if ( ! in_array( $args['submitted']['role'], $exclude_roles ) ) {
+$to_update['role'] = $args['submitted']['role'];
+}
+
+$args['roles_before_upgrade'] = UM()->roles()->get_all_user_roles( $user_id );
+}
+}
+}
 }
 
 /**
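Review bot: The role check copied into the new `else` branch is a deny-list, not an allow-list: `$exclude_roles` is computed from the roles registered in `$wp_roles->roles`, so a submitted role string that is not registered at all is absent from `$exclude_roles`, passes `! in_array( ... )`, and is written to `$to_update['role']`; for the non-admin path this should be an explicit allow-list, `$allowed = array_merge( $role_keys, array( 'subscriber' ) ); if ( in_array( $args['submitted']['role'], $allowed, true ) ) {`, or narrower still, the roles actually listed in that field's `options`, since the current test lets a user pick any custom `um_*` role the form never offered unless another layer rejects it. The branch split itself keys on `is_admin()`, which in WordPress reports that the request targets an admin screen (including `admin-ajax.php`) and says nothing about the current user's capability, so if this handler is reachable through the admin area (I cannot see how `um_user_edit_profile` is invoked; the function begins and ends outside the hunk) the relaxed first branch is taken without the new `editable`/`um_can_view_field()` checks — a capability gate such as `if ( current_user_can( 'edit_users' ) ) {` would express the intent. The whitelist block (`global $wp_roles` through `roles_before_upgrade`) is now duplicated verbatim in both branches and would be safer as one private helper that each calls, so a future fix lands in both paths. A minor readability point on the third condition: the parenthesis closes right after `isset( $fields['role_radio'] )`, so its `&&` chain sits at the top level of the expression; precedence still gives the intended grouping, but aligning it with the two lines above avoids the double take.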
@@ -545,8 +568,9 @@ add_action( 'um_user_edit_profile', 'um_user_edit_profile', 10 );
 * @param array $post_form
 */
 function um_profile_validate_nonce( $post_form ) {
+$user_id = isset( $post_form['user_id'] ) ? $post_form['user_id'] : '';
 $nonce = isset( $post_form['profile_nonce'] ) ? $post_form['profile_nonce'] : '';
-if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'um-profile-nonce' ) ) {
+if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'um-profile-nonce' . $user_id ) ) {
 wp_die( __( 'This is not possible for security reasons.', 'ultimate-member' ) );
 }
 }
@@ -597,7 +621,7 @@ function um_editing_user_id_input( $args ) {
 if ( UM()->fields()->editing == 1 && UM()->fields()->set_mode == 'profile' && UM()->user()->target_id ) { ?>
-
+
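Review bot: Binding the action to `$post_form['user_id']` ties the token to the profile the form was rendered for, but the function still takes that id straight from the request and a passing nonce proves only that this session was served an edit form for that `user_id`; it is not an authorization check. Whether the current user may edit `user_id` must still be enforced where `$to_update` is written (that code lies outside this hunk), and a one-line comment here would keep the next maintainer from reading this as the access check, e.g. `// CSRF only: the nonce is bound to the target user_id; authorization is enforced in the edit handler.` The action string is built from the raw submitted value, so the generating side (`um_editing_user_id_input`, whose changed lines were stripped from this page) must use the identical, un-cast representation of the id or legitimate submissions will be rejected with the generic wp_die() message.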