- sanitizing variables in wp-admin classes;

This commit is contained in:
nikitasinelnikov
2020-02-28 15:51:45 +02:00
parent e0e6030b46
commit 0aab9853d9
14 changed files with 1045 additions and 992 deletions
+163 -161
View File
@@ -179,14 +179,12 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
/**
* @param $post_id
* @param $post
*
* @return mixed
*/
function save_metabox_custom( $post_id, $post ) {
// validate nonce
if ( ! isset( $_POST['um_admin_save_metabox_custom_nonce'] ) ||
! wp_verify_nonce( $_POST['um_admin_save_metabox_custom_nonce'], basename( __FILE__ ) ) ) {
return $post_id;
return;
}
/**
@@ -285,56 +283,52 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
/**
* @param $post_id
* @param $post
*
* @return mixed
*/
function save_metabox_restrict_content( $post_id, $post ) {
// validate nonce
if ( ! isset( $_POST['um_admin_save_metabox_restrict_content_nonce'] ) || !wp_verify_nonce( $_POST['um_admin_save_metabox_restrict_content_nonce'], basename( __FILE__ ) ) ) {
return $post_id;
if ( ! isset( $_POST['um_admin_save_metabox_restrict_content_nonce'] ) ||
! wp_verify_nonce( $_POST['um_admin_save_metabox_restrict_content_nonce'], basename( __FILE__ ) ) ) {
return;
}
// validate user
$post_type = get_post_type_object( $post->post_type );
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
return $post_id;
return;
}
if ( ! empty( $_POST['um_content_restriction'] ) ) {
if ( ! empty( $_POST['um_content_restriction'] ) && is_array( $_POST['um_content_restriction'] ) ) {
update_post_meta( $post_id, 'um_content_restriction', $_POST['um_content_restriction'] );
} else {
delete_post_meta( $post_id, 'um_content_restriction' );
}
return $post_id;
}
/**
* @param $post_id
*
* @return mixed
*/
function save_attachment_metabox_restrict_content( $post_id ) {
// validate nonce
if ( ! isset( $_POST['um_admin_save_metabox_restrict_content_nonce'] ) || !wp_verify_nonce( $_POST['um_admin_save_metabox_restrict_content_nonce'], basename( __FILE__ ) ) )
return $post_id;
if ( ! isset( $_POST['um_admin_save_metabox_restrict_content_nonce'] )
|| ! wp_verify_nonce( $_POST['um_admin_save_metabox_restrict_content_nonce'], basename( __FILE__ ) ) ) {
return;
}
$post = get_post( $post_id );
// validate user
$post_type = get_post_type_object( $post->post_type );
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
return $post_id;
return;
}
if ( ! empty( $_POST['um_content_restriction'] ) ) {
if ( ! empty( $_POST['um_content_restriction'] ) && is_array( $_POST['um_content_restriction'] ) ) {
update_post_meta( $post_id, 'um_content_restriction', $_POST['um_content_restriction'] );
} else {
delete_post_meta( $post_id, 'um_content_restriction' );
}
return $post_id;
}
@@ -375,102 +369,102 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
*/
$fields = apply_filters( 'um_admin_category_access_settings_fields', array(
array(
'id' => '_um_custom_access_settings',
'type' => 'checkbox',
'label' => __( 'Restrict access to this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_custom_access_settings'] ) ? $data['_um_custom_access_settings'] : 0,
'id' => '_um_custom_access_settings',
'type' => 'checkbox',
'label' => __( 'Restrict access to this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_custom_access_settings'] ) ? $data['_um_custom_access_settings'] : 0,
),
array(
'id' => '_um_accessible',
'type' => 'select',
'label' => __( 'Who can access this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_accessible'] ) ? $data['_um_accessible'] : 0,
'options' => array(
'id' => '_um_accessible',
'type' => 'select',
'label' => __( 'Who can access this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_accessible'] ) ? $data['_um_accessible'] : 0,
'options' => array(
'0' => __( 'Everyone', 'ultimate-member' ),
'1' => __( 'Logged out users', 'ultimate-member' ),
'2' => __( 'Logged in users', 'ultimate-member' ),
),
'conditional' => array( '_um_custom_access_settings', '=', '1' )
'conditional' => array( '_um_custom_access_settings', '=', '1' )
),
array(
'id' => '_um_access_roles',
'type' => 'multi_checkbox',
'label' => __( 'Select which roles can access this content', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'options' => UM()->roles()->get_roles( false, array( 'administrator' ) ),
'id' => '_um_access_roles',
'type' => 'multi_checkbox',
'label' => __( 'Select which roles can access this content', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'options' => UM()->roles()->get_roles( false, array( 'administrator' ) ),
'columns' => 3,
'conditional' => array( '_um_accessible', '=', '2' )
'conditional' => array( '_um_accessible', '=', '2' )
),
array(
'id' => '_um_noaccess_action',
'type' => 'select',
'label' => __( 'What happens when users without access tries to view the content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_noaccess_action'] ) ? $data['_um_noaccess_action'] : 0,
'options' => array(
'id' => '_um_noaccess_action',
'type' => 'select',
'label' => __( 'What happens when users without access tries to view the content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_noaccess_action'] ) ? $data['_um_noaccess_action'] : 0,
'options' => array(
'0' => __( 'Show access restricted message', 'ultimate-member' ),
'1' => __( 'Redirect user', 'ultimate-member' ),
),
'conditional' => array( '_um_accessible', '!=', '0' )
'conditional' => array( '_um_accessible', '!=', '0' )
),
array(
'id' => '_um_restrict_by_custom_message',
'type' => 'select',
'label' => __( 'Would you like to use the global default message or apply a custom message to this content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_by_custom_message'] ) ? $data['_um_restrict_by_custom_message'] : '0',
'options' => array(
'id' => '_um_restrict_by_custom_message',
'type' => 'select',
'label' => __( 'Would you like to use the global default message or apply a custom message to this content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_by_custom_message'] ) ? $data['_um_restrict_by_custom_message'] : '0',
'options' => array(
'0' => __( 'Global default message (default)', 'ultimate-member' ),
'1' => __( 'Custom message', 'ultimate-member' ),
),
'conditional' => array( '_um_noaccess_action', '=', '0' )
'conditional' => array( '_um_noaccess_action', '=', '0' )
),
array(
'id' => '_um_restrict_custom_message',
'type' => 'wp_editor',
'label' => __( 'Custom Restrict Content message', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_custom_message'] ) ? $data['_um_restrict_custom_message'] : '',
'conditional' => array( '_um_restrict_by_custom_message', '=', '1' )
'id' => '_um_restrict_custom_message',
'type' => 'wp_editor',
'label' => __( 'Custom Restrict Content message', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_custom_message'] ) ? $data['_um_restrict_custom_message'] : '',
'conditional' => array( '_um_restrict_by_custom_message', '=', '1' )
),
array(
'id' => '_um_access_redirect',
'type' => 'select',
'label' => __( 'Where should users be redirected to?', 'ultimate-member' ),
'description' => __( 'Select redirect to page when user hasn\'t access to content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect'] ) ? $data['_um_access_redirect'] : '0',
'conditional' => array( '_um_noaccess_action', '=', '1' ),
'options' => array(
'id' => '_um_access_redirect',
'type' => 'select',
'label' => __( 'Where should users be redirected to?', 'ultimate-member' ),
'description' => __( 'Select redirect to page when user hasn\'t access to content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect'] ) ? $data['_um_access_redirect'] : '0',
'conditional' => array( '_um_noaccess_action', '=', '1' ),
'options' => array(
'0' => __( 'Login page', 'ultimate-member' ),
'1' => __( 'Custom URL', 'ultimate-member' ),
),
),
array(
'id' => '_um_access_redirect_url',
'type' => 'text',
'label' => __( 'Redirect URL', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect_url'] ) ? $data['_um_access_redirect_url'] : '',
'conditional' => array( '_um_access_redirect', '=', '1' )
'id' => '_um_access_redirect_url',
'type' => 'text',
'label' => __( 'Redirect URL', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect_url'] ) ? $data['_um_access_redirect_url'] : '',
'conditional' => array( '_um_access_redirect', '=', '1' )
),
array(
'id' => '_um_access_hide_from_queries',
'type' => 'checkbox',
'label' => __( 'Hide from queries', 'ultimate-member' ),
'description' => __( 'Hide this content from archives, RSS feeds etc for users who do not have permission to view this content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_hide_from_queries'] ) ? $data['_um_access_hide_from_queries'] : '',
'conditional' => array( '_um_accessible', '!=', '0' )
'id' => '_um_access_hide_from_queries',
'type' => 'checkbox',
'label' => __( 'Hide from queries', 'ultimate-member' ),
'description' => __( 'Hide this content from archives, RSS feeds etc for users who do not have permission to view this content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_hide_from_queries'] ) ? $data['_um_access_hide_from_queries'] : '',
'conditional' => array( '_um_accessible', '!=', '0' )
)
), $data, 'create' );
UM()->admin_forms( array(
'class' => 'um-restrict-content um-third-column',
'prefix_id' => 'um_content_restriction',
'without_wrapper' => true,
'div_line' => true,
'fields' => $fields
'class' => 'um-restrict-content um-third-column',
'prefix_id' => 'um_content_restriction',
'without_wrapper' => true,
'div_line' => true,
'fields' => $fields
) )->render_form();
wp_nonce_field( basename( __FILE__ ), 'um_admin_save_taxonomy_restrict_content_nonce' );
@@ -525,110 +519,110 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
*/
$fields = apply_filters( 'um_admin_category_access_settings_fields', array(
array(
'id' => '_um_custom_access_settings',
'type' => 'checkbox',
'class' => 'form-field',
'label' => __( 'Restrict access to this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_custom_access_settings'] ) ? $data['_um_custom_access_settings'] : 0,
'id' => '_um_custom_access_settings',
'type' => 'checkbox',
'class' => 'form-field',
'label' => __( 'Restrict access to this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_custom_access_settings'] ) ? $data['_um_custom_access_settings'] : 0,
),
array(
'id' => '_um_accessible',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Who can access this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_accessible'] ) ? $data['_um_accessible'] : 0,
'options' => array(
'id' => '_um_accessible',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Who can access this content?', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => ! empty( $data['_um_accessible'] ) ? $data['_um_accessible'] : 0,
'options' => array(
'0' => __( 'Everyone', 'ultimate-member' ),
'1' => __( 'Logged out users', 'ultimate-member' ),
'2' => __( 'Logged in users', 'ultimate-member' ),
),
'conditional' => array( '_um_custom_access_settings', '=', '1' )
'conditional' => array( '_um_custom_access_settings', '=', '1' )
),
array(
'id' => '_um_access_roles',
'type' => 'multi_checkbox',
'class' => 'form-field',
'label' => __( 'Select which roles can access this content', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => $_um_access_roles_value,
'options' => UM()->roles()->get_roles( false, array( 'administrator' ) ),
'id' => '_um_access_roles',
'type' => 'multi_checkbox',
'class' => 'form-field',
'label' => __( 'Select which roles can access this content', 'ultimate-member' ),
'description' => __( 'Activate content restriction for this post', 'ultimate-member' ),
'value' => $_um_access_roles_value,
'options' => UM()->roles()->get_roles( false, array( 'administrator' ) ),
'columns' => 3,
'conditional' => array( '_um_accessible', '=', '2' )
'conditional' => array( '_um_accessible', '=', '2' )
),
array(
'id' => '_um_noaccess_action',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'What happens when users without access tries to view the content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_noaccess_action'] ) ? $data['_um_noaccess_action'] : 0,
'options' => array(
'id' => '_um_noaccess_action',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'What happens when users without access tries to view the content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_noaccess_action'] ) ? $data['_um_noaccess_action'] : 0,
'options' => array(
'0' => __( 'Show access restricted message', 'ultimate-member' ),
'1' => __( 'Redirect user', 'ultimate-member' ),
),
'conditional' => array( '_um_accessible', '!=', '0' )
'conditional' => array( '_um_accessible', '!=', '0' )
),
array(
'id' => '_um_restrict_by_custom_message',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Would you like to use the global default message or apply a custom message to this content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_by_custom_message'] ) ? $data['_um_restrict_by_custom_message'] : '0',
'options' => array(
'id' => '_um_restrict_by_custom_message',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Would you like to use the global default message or apply a custom message to this content?', 'ultimate-member' ),
'description' => __( 'Action when users without access tries to view the content', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_by_custom_message'] ) ? $data['_um_restrict_by_custom_message'] : '0',
'options' => array(
'0' => __( 'Global default message (default)', 'ultimate-member' ),
'1' => __( 'Custom message', 'ultimate-member' ),
),
'conditional' => array( '_um_noaccess_action', '=', '0' )
'conditional' => array( '_um_noaccess_action', '=', '0' )
),
array(
'id' => '_um_restrict_custom_message',
'type' => 'wp_editor',
'class' => 'form-field',
'label' => __( 'Custom Restrict Content message', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_custom_message'] ) ? $data['_um_restrict_custom_message'] : '',
'conditional' => array( '_um_restrict_by_custom_message', '=', '1' )
'id' => '_um_restrict_custom_message',
'type' => 'wp_editor',
'class' => 'form-field',
'label' => __( 'Custom Restrict Content message', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_restrict_custom_message'] ) ? $data['_um_restrict_custom_message'] : '',
'conditional' => array( '_um_restrict_by_custom_message', '=', '1' )
),
array(
'id' => '_um_access_redirect',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Where should users be redirected to?', 'ultimate-member' ),
'description' => __( 'Select redirect to page when user hasn\'t access to content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect'] ) ? $data['_um_access_redirect'] : '0',
'conditional' => array( '_um_noaccess_action', '=', '1' ),
'options' => array(
'id' => '_um_access_redirect',
'type' => 'select',
'class' => 'form-field',
'label' => __( 'Where should users be redirected to?', 'ultimate-member' ),
'description' => __( 'Select redirect to page when user hasn\'t access to content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect'] ) ? $data['_um_access_redirect'] : '0',
'conditional' => array( '_um_noaccess_action', '=', '1' ),
'options' => array(
'0' => __( 'Login page', 'ultimate-member' ),
'1' => __( 'Custom URL', 'ultimate-member' ),
),
),
array(
'id' => '_um_access_redirect_url',
'type' => 'text',
'class' => 'form-field',
'label' => __( 'Redirect URL', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect_url'] ) ? $data['_um_access_redirect_url'] : '',
'conditional' => array( '_um_access_redirect', '=', '1' )
'id' => '_um_access_redirect_url',
'type' => 'text',
'class' => 'form-field',
'label' => __( 'Redirect URL', 'ultimate-member' ),
'description' => __( 'Changed global restrict message', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_redirect_url'] ) ? $data['_um_access_redirect_url'] : '',
'conditional' => array( '_um_access_redirect', '=', '1' )
),
array(
'id' => '_um_access_hide_from_queries',
'type' => 'checkbox',
'class' => 'form-field',
'label' => __( 'Hide from queries', 'ultimate-member' ),
'description' => __( 'Hide this content from archives, RSS feeds etc for users who do not have permission to view this content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_hide_from_queries'] ) ? $data['_um_access_hide_from_queries'] : '',
'conditional' => array( '_um_accessible', '!=', '0' )
'id' => '_um_access_hide_from_queries',
'type' => 'checkbox',
'class' => 'form-field',
'label' => __( 'Hide from queries', 'ultimate-member' ),
'description' => __( 'Hide this content from archives, RSS feeds etc for users who do not have permission to view this content', 'ultimate-member' ),
'value' => ! empty( $data['_um_access_hide_from_queries'] ) ? $data['_um_access_hide_from_queries'] : '',
'conditional' => array( '_um_accessible', '!=', '0' )
)
), $data, 'edit' );
UM()->admin_forms( array(
'class' => 'um-restrict-content um-third-column',
'prefix_id' => 'um_content_restriction',
'without_wrapper' => true,
'class' => 'um-restrict-content um-third-column',
'prefix_id' => 'um_content_restriction',
'without_wrapper' => true,
'fields' => $fields
) )->render_form();
@@ -656,7 +650,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
return $termID;
}
if ( ! empty( $_REQUEST['um_content_restriction'] ) ) {
if ( ! empty( $_REQUEST['um_content_restriction'] ) && is_array( $_REQUEST['um_content_restriction'] ) ) {
update_term_meta( $termID, 'um_content_restriction', $_REQUEST['um_content_restriction'] );
} else {
delete_term_meta( $termID, 'um_content_restriction' );
@@ -1045,7 +1039,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
global $wpdb;
// validate nonce
if ( ! isset( $_POST['um_admin_save_metabox_directory_nonce'] ) || ! wp_verify_nonce( $_POST['um_admin_save_metabox_directory_nonce'], basename( __FILE__ ) ) ) {
if ( ! isset( $_POST['um_admin_save_metabox_directory_nonce'] ) ||
! wp_verify_nonce( $_POST['um_admin_save_metabox_directory_nonce'], basename( __FILE__ ) ) ) {
return;
}
@@ -1063,10 +1058,10 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
$where = array( 'ID' => $post_id );
if ( empty( $_POST['post_title'] ) ) {
$_POST['post_title'] = 'Directory #'.$post_id;
$_POST['post_title'] = sprintf( __( 'Directory #%s', 'ultimate-member' ), $post_id );
}
$wpdb->update( $wpdb->posts, array( 'post_title' => $_POST['post_title'] ), $where );
$wpdb->update( $wpdb->posts, array( 'post_title' => sanitize_text_field( $_POST['post_title'] ) ), $where );
// save
delete_post_meta( $post_id, '_um_roles' );
@@ -1126,25 +1121,32 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) {
*
* @param $post_id
* @param $post
*
* @return mixed
*/
function save_metabox_form( $post_id, $post ) {
global $wpdb;
// validate nonce
if ( !isset( $_POST['um_admin_save_metabox_form_nonce'] ) || !wp_verify_nonce( $_POST['um_admin_save_metabox_form_nonce'], basename( __FILE__ ) ) ) return $post_id;
if ( ! isset( $_POST['um_admin_save_metabox_form_nonce'] ) ||
! wp_verify_nonce( $_POST['um_admin_save_metabox_form_nonce'], basename( __FILE__ ) ) ) {
return;
}
// validate post type
if ( $post->post_type != 'um_form' ) return $post_id;
if ( $post->post_type != 'um_form' ) {
return;
}
// validate user
$post_type = get_post_type_object( $post->post_type );
if ( !current_user_can( $post_type->cap->edit_post, $post_id ) ) return $post_id;
if ( ! current_user_can( $post_type->cap->edit_post, $post_id ) ) {
return;
}
$where = array( 'ID' => $post_id );
if ( empty( $_POST['post_title'] ) ) $_POST['post_title'] = 'Form #' . $post_id;
$wpdb->update( $wpdb->posts, array( 'post_title' => $_POST['post_title'] ), $where );
if ( empty( $_POST['post_title'] ) ) {
$_POST['post_title'] = sprintf( __( 'Form #%s', 'ultimate-member' ), $post_id );
}
$wpdb->update( $wpdb->posts, array( 'post_title' => sanitize_text_field( $_POST['post_title'] ) ), $where );
// save
delete_post_meta( $post_id, '_um_profile_metafields' );