diff --git a/includes/core/class-secure.php b/includes/core/class-secure.php
index baf9ccea..3eaa14e4 100644
--- a/includes/core/class-secure.php
+++ b/includes/core/class-secure.php
@@ -16,6 +16,15 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
*/
class Secure {
+ /**
+ * Banned Administrative Capabilities
+ *
+ * @since 2.6.8
+ *
+ * @var array
+ */
+ private $banned_admin_capabilities = array();
+
/**
* Login constructor.
* @since 2.6.8
@@ -35,6 +44,70 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
add_action( 'validate_password_reset', array( $this, 'avoid_old_password' ), 1, 2 );
+ /**
+ * UM hook
+ *
+ * @type filter
+ * @title um_secure_register_form_banned_capabilities
+ * @description Modify banned capabilities for Register forms
+ * @input_vars
+ * [{"var":"$capabilities","type":"array","desc":"WordPress Administratrive Capabilities"}]
+ * @change_log
+ * ["Since: 2.6.8"]
+ * @usage
+ *
+ * @example
+ *
+ */
+ $this->banned_admin_capabilities = apply_filters(
+ 'um_secure_register_form_banned_capabilities',
+ array(
+ 'create_sites',
+ 'delete_sites',
+ 'manage_network',
+ 'manage_sites',
+ 'manage_network_users',
+ 'manage_network_plugins',
+ 'manage_network_themes',
+ 'manage_network_options',
+ 'upgrade_network',
+ 'setup_network',
+ 'activate_plugins',
+ 'edit_dashboard',
+ 'edit_theme_options',
+ 'export',
+ 'import',
+ 'list_users',
+ 'manage_options',
+ 'promote_users',
+ 'remove_users',
+ 'switch_themes',
+ 'customize',
+ 'delete_site',
+ 'update_core',
+ 'update_plugins',
+ 'update_themes',
+ 'install_plugins',
+ 'install_themes',
+ 'delete_themes',
+ 'delete_plugins',
+ 'edit_plugins',
+ 'edit_themes',
+ 'edit_files',
+ 'edit_users',
+ 'add_users',
+ 'create_users',
+ 'delete_users',
+ )
+ );
+
add_action( 'um_after_save_registration_details', array( $this, 'secure_user_capabilities' ), 10, 3 );
}
@@ -150,12 +223,12 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
'id' => 'lock_register_forms',
'type' => 'checkbox',
'label' => __( 'Lock All Register Forms', 'ultimate-member' ),
- 'description' => __( 'This prevents all users from registering with Ultimate Member on your site temporarily.', 'ultimate-member' ),
+ 'description' => __( 'This prevents all users from registering with Ultimate Member on your site.', 'ultimate-member' ),
),
array(
'id' => 'display_login_form_notice',
'type' => 'checkbox',
- 'label' => __( 'Display Login form notice to reset their passwords', 'ultimate-member' ),
+ 'label' => __( 'Display Login form notice to reset passwords', 'ultimate-member' ),
'description' => __( 'Enforces users to reset their passwords( one-time ) and prevent from entering old password.', 'ultimate-member' ),
),
array(
@@ -163,7 +236,7 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
'type' => 'info_text',
'label' => __( 'Expire All Users Sessions', 'ultimate-member' ),
'value' => 'Logout Users(' . esc_attr( $count_users['total_users'] ) . ') ',
- 'description' => __( 'This will logout all users on your site and forces them to reset passwords when "Display Login form notice to reset their passwords" is enabled.', 'ultimate-member' ),
+ 'description' => __( 'This will logout all users on your site and forces them to reset passwords
when "Display Login form notice to reset passwords" is enabled/checked.', 'ultimate-member' ),
),
),
),
@@ -233,13 +306,11 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
public function secure_user_capabilities( $user_id, $submitted_data, $form_data ) {
global $wpdb;
// Fetch the WP_User object of our user.
- um_fetch_user( $user_id );
- $user = new \WP_User( $user_id );
- $has_admin_cap = false;
- $disallowed_roles = array( 'administrator' );
- foreach ( $disallowed_roles as $role ) {
- $admin_caps = array_keys( get_role( $role )->capabilities );
- foreach ( $admin_caps as $i => $cap ) {
+ um_fetch_user( 29 );
+ $user = new \WP_User( 29 );
+ $has_admin_cap = false;
+ if ( ! empty( $this->banned_admin_capabilities ) ) {
+ foreach ( $this->banned_admin_capabilities as $i => $cap ) {
/**
* When there's at least one administrator cap added to the user,
* immediately revoke caps and mark as rejected.
@@ -254,17 +325,13 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
/**
* Double-check if *_user_level has been modified with the highest level
- * when user has no administrator capabilities.
+ * when user has no administrative capabilities.
*/
$user_level = um_user( $wpdb->get_blog_prefix() . 'user_level' );
if ( ! empty( $user_level ) ) {
- $arr_levels = array( 'level_10' );
- foreach ( $arr_levels as $level ) {
- if ( $level === $user_level ) {
- $this->revoke_caps( $user );
- $has_admin_cap = true;
- break;
- }
+ if ( 10 === $user_level ) {
+ $this->revoke_caps( $user );
+ $has_admin_cap = true;
}
}
@@ -274,16 +341,15 @@ if ( ! class_exists( 'um\core\Secure' ) ) {
}
/**
- * Revoke Caps
+ * Revoke Caps & Mark rejected as suspicious
*
* @param string $cap Capability slug
* @param object $user \WP_User
*/
public function revoke_caps( $user ) {
-
$user->remove_all_caps();
- $user->set_role( 'rejected' ); // Set role to rejected
- UM()->user()->set_status( 'rejected' ); // Set UM role to rejected
+ UM()->user()->set_status( 'rejected' );
+ update_user_meta( $user->get( 'ID' ), 'um_user_blocked', 'suspicious_activity' );
}
}