diff --git a/.wordpress-org/blueprints/blueprint.json b/.wordpress-org/blueprints/blueprint.json index af1def30..e3367203 100644 --- a/.wordpress-org/blueprints/blueprint.json +++ b/.wordpress-org/blueprints/blueprint.json @@ -15,7 +15,7 @@ "step": "installPlugin", "pluginZipFile": { "resource": "url", - "url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.9.2.zip" + "url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.10.0.zip" }, "options": { "activate": true diff --git a/README.md b/README.md index 50d0dc66..6a754132 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version ### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION -[Official Release Version: 2.9.2](https://github.com/ultimatemember/ultimatemember/releases/tag/2.9.2). +[Official Release Version: 2.10.0](https://github.com/ultimatemember/ultimatemember/releases/tag/2.10.0). ## Changelog diff --git a/assets/js/um-modal.js b/assets/js/um-modal.js index bbb06e4c..d7792beb 100644 --- a/assets/js/um-modal.js +++ b/assets/js/um-modal.js @@ -107,9 +107,12 @@ jQuery(document).ready(function() { var form_id = 0; var mode = ''; if ( jQuery('div.um-field-image[data-key="' + key + '"]').length === 1 ) { - var $formWrapper = jQuery('div.um-field-image[data-key="' + key + '"]').closest('.um-form'); - form_id = $formWrapper.find('input[name="form_id"]').val(); - mode = $formWrapper.attr('data-mode'); + let $formWrapper = jQuery('div.um-field-image[data-key="' + key + '"]').closest('.um-form'); + form_id = $formWrapper.data('form_id') || $formWrapper.find('input[name="form_id"]').val(); // 'input[name="form_id"]' is a backward compatibility. + mode = $formWrapper.data('mode'); + } else { + console.warn( wp.i18n.__( 'UM Warning: No field associated with image uploader.', 'ultimate-member' ) ); + return; } if ( jQuery('.cropper-hidden').length > 0 && UM.frontend.cropper.obj ) { @@ -140,11 +143,38 @@ jQuery(document).ready(function() { if ( key === 'profile_photo' ) { jQuery('.um-profile-photo-img img').attr('src', response.data.image.source_url + "?"+d.getTime()); + + let $dropdown = jQuery('.um-profile-photo .um-dropdown'); + if ( ! $dropdown.find('.um-reset-profile-photo').hasClass('um-is-visible') ) { + let $dropdownItem = $dropdown.find('.um-manual-trigger[data-parent=".um-profile-photo"]'); + let altText = $dropdownItem.data('alt_text'); + $dropdownItem.data( 'alt_text', $dropdownItem.text() ).text( altText ); + + $dropdown.find('.um-reset-profile-photo').addClass('um-is-visible').show(); + } + + if ( ! jQuery('.um').hasClass('um-editing') ) { + $dropdown.remove(); + } } else if ( key === 'cover_photo' ) { jQuery('.um-cover-e').empty().html(''); + + let $dropdown = jQuery('.um-cover .um-dropdown'); + if ( ! $dropdown.find('.um-reset-cover-photo').hasClass('um-is-visible') ) { + let $dropdownItem = $dropdown.find('.um-manual-trigger[data-parent=".um-cover"]'); + let altText = $dropdownItem.data('alt_text'); + $dropdownItem.data( 'alt_text', $dropdownItem.text() ).text( altText ); + + $dropdown.find('.um-reset-cover-photo').addClass('um-is-visible').show(); + } + if ( jQuery('.um').hasClass('um-editing') ) { jQuery('.um-cover-overlay').show(); + } else { + $dropdown.remove(); } + + um_responsive(); } jQuery('.um-single-image-preview[data-key='+key+']').fadeIn().find('img').attr('src', response.data.image.source_url + "?"+d.getTime()); diff --git a/assets/js/um-modal.min.js b/assets/js/um-modal.min.js index 7464fe88..14bc307d 100644 --- a/assets/js/um-modal.min.js +++ b/assets/js/um-modal.min.js @@ -1 +1 @@ -jQuery(document).ready(function(){jQuery(document).on("click",".um-popup-overlay",function(){remove_Modal()}),jQuery(document).on("click",'.um-modal-overlay, a[data-action="um_remove_modal"]',function(){um_remove_modal()}),jQuery(document).on("click",'a[data-modal^="um_"], span[data-modal^="um_"], .um-modal:not(:has(.um-form)) a',function(e){return e.preventDefault(),!1}),jQuery(document).on("click",".um-finish-upload.file:not(.disabled)",function(){var e=jQuery(this).attr("data-key"),a=jQuery(this).parents(".um-modal-body").find(".um-single-file-preview").html(),a=(um_remove_modal(),jQuery(".um-single-file-preview[data-key="+e+"]").fadeIn().html(a),jQuery(".um-field[data-key="+e+"]").find(".um-single-fileinfo a").data("file"));jQuery(".um-single-file-preview[data-key="+e+"]").parents(".um-field").find(".um-btn-auto-width").html(jQuery(this).attr("data-change")),jQuery(".um-single-file-preview[data-key="+e+"]").parents(".um-field").find('input[type="hidden"]').val(a)}),jQuery(document).on("click",".um-finish-upload.image:not(.disabled)",function(){var a,e,t=jQuery(this),i=jQuery(this).attr("data-key"),r=jQuery(this).parents(".um-modal-body").find(".um-single-image-preview"),u=r.find("img").attr("src"),r=r.find("img").data("file"),d=0,m=(jQuery(this).parents("#um_upload_single").data("user_id")&&(d=jQuery(this).parents("#um_upload_single").data("user_id")),0),n="";1===jQuery('div.um-field-image[data-key="'+i+'"]').length&&(m=(e=jQuery('div.um-field-image[data-key="'+i+'"]').closest(".um-form")).find('input[name="form_id"]').val(),n=e.attr("data-mode")),0'),jQuery(".um").hasClass("um-editing"))&&jQuery(".um-cover-overlay").show(),jQuery(".um-single-image-preview[data-key="+i+"]").fadeIn().find("img").attr("src",e.data.image.source_url+"?"+a.getTime()),um_remove_modal(),jQuery("img.cropper-invisible").remove(),jQuery(".um-single-image-preview[data-key="+i+"]").parents(".um-field").find(".um-btn-auto-width").html(t.attr("data-change")),jQuery(".um-single-image-preview[data-key="+i+"]").parents(".um-field").find('input[type="hidden"]').val(e.data.image.filename))}})):(a=new Date,jQuery(".um-single-image-preview[data-key="+i+"]").fadeIn().find("img").attr("src",u+"?"+a.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+i+"]").parents(".um-field").find(".um-btn-auto-width").html(t.attr("data-change")),jQuery(".um-single-image-preview[data-key="+i+"]").parents(".um-field").find("input[type=hidden]").val(r))}),jQuery(document.body).on("click",'a[data-modal^="um_"], span[data-modal^="um_"]',function(e){var a=jQuery(this).attr("data-modal"),t="normal";jQuery(this).data("modal-size")&&(t=jQuery(this).data("modal-size")),jQuery(this).data("modal-copy")&&(jQuery("#"+a).html(jQuery(this).parents(".um-field").find(".um-modal-hidden-content").html()),jQuery(this).parents(".um-profile-photo").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-profile-photo").attr("data-user_id")),jQuery(this).parents(".um-cover").attr("data-ratio")&&jQuery("#"+a).attr("data-ratio",jQuery(this).parents(".um-cover").attr("data-ratio")),jQuery(this).parents(".um-cover").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-cover").attr("data-user_id")),0'),(a=jQuery(".um-cover .um-dropdown")).find(".um-reset-cover-photo").hasClass("um-is-visible")||(i=(t=a.find('.um-manual-trigger[data-parent=".um-cover"]')).data("alt_text"),t.data("alt_text",t.text()).text(i),a.find(".um-reset-cover-photo").addClass("um-is-visible").show()),jQuery(".um").hasClass("um-editing")?jQuery(".um-cover-overlay").show():a.remove(),um_responsive()),jQuery(".um-single-image-preview[data-key="+d+"]").fadeIn().find("img").attr("src",e.data.image.source_url+"?"+r.getTime()),um_remove_modal(),jQuery("img.cropper-invisible").remove(),jQuery(".um-single-image-preview[data-key="+d+"]").parents(".um-field").find(".um-btn-auto-width").html(u.attr("data-change")),jQuery(".um-single-image-preview[data-key="+d+"]").parents(".um-field").find('input[type="hidden"]').val(e.data.image.filename))}})):(r=new Date,jQuery(".um-single-image-preview[data-key="+d+"]").fadeIn().find("img").attr("src",t+"?"+r.getTime()),um_remove_modal(),jQuery(".um-single-image-preview[data-key="+d+"]").parents(".um-field").find(".um-btn-auto-width").html(u.attr("data-change")),jQuery(".um-single-image-preview[data-key="+d+"]").parents(".um-field").find("input[type=hidden]").val(a)))}),jQuery(document.body).on("click",'a[data-modal^="um_"], span[data-modal^="um_"]',function(e){var a=jQuery(this).attr("data-modal"),t="normal";jQuery(this).data("modal-size")&&(t=jQuery(this).data("modal-size")),jQuery(this).data("modal-copy")&&(jQuery("#"+a).html(jQuery(this).parents(".um-field").find(".um-modal-hidden-content").html()),jQuery(this).parents(".um-profile-photo").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-profile-photo").attr("data-user_id")),jQuery(this).parents(".um-cover").attr("data-ratio")&&jQuery("#"+a).attr("data-ratio",jQuery(this).parents(".um-cover").attr("data-ratio")),jQuery(this).parents(".um-cover").attr("data-user_id")&&jQuery("#"+a).attr("data-user_id",jQuery(this).parents(".um-cover").attr("data-user_id")),0'); + jQuery('.um-cover-e').html(''); um_responsive(); - user_id = jQuery(this).attr('data-user_id'); - metakey = 'cover_photo'; - jQuery.ajax({ url: wp.ajax.settings.url, type: 'post', data: { action: 'um_delete_cover_photo', - metakey: metakey, user_id: user_id, nonce: um_scripts.nonce }, - success: function( response ) { - obj.hide(); + success: function() { + $obj.removeClass('um-is-visible').hide(); } }); diff --git a/assets/js/um-profile.min.js b/assets/js/um-profile.min.js index c2e401fc..8875a363 100644 --- a/assets/js/um-profile.min.js +++ b/assets/js/um-profile.min.js @@ -1 +1 @@ -jQuery(document).ready(function(){jQuery(".um-profile.um-viewing .um-profile-body .um-row").each(function(){var e=jQuery(this);0==e.find(".um-field").length&&(e.prev(".um-row-heading").remove(),e.remove())}),jQuery(".um-profile.um-viewing .um-profile-body").length&&0==jQuery(".um-profile.um-viewing .um-profile-body").find(".um-field").length&&(jQuery(".um-profile.um-viewing .um-profile-body").find(".um-row-heading,.um-row").remove(),jQuery(".um-profile-note").show()),jQuery(document.body).on("click",".um-profile-save",function(e){return e.preventDefault(),jQuery(this).parents(".um.um-profile.um-editing").find("form").trigger("submit"),!1}),jQuery(document.body).on("click",".um-profile-edit-a",function(e){jQuery(this).addClass("active")}),jQuery(document.body).on("click",".um-cover a.um-cover-add, .um-photo a",function(e){e.preventDefault()}),jQuery(document.body).on("click",".um-photo-modal",function(e){e.preventDefault();e=jQuery(this).attr("data-src");return um_new_modal("um_view_photo","fit",!0,e),!1}),jQuery(document.body).on("click",".um-reset-profile-photo",function(e){return jQuery(".um-profile-photo-img img").attr("src",jQuery(this).attr("data-default_src")),user_id=jQuery(this).attr("data-user_id"),metakey="profile_photo",UM.dropdown.hideAll(),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_profile_photo",metakey:metakey,user_id:user_id,nonce:um_scripts.nonce}}),jQuery(this).parents("li").hide(),!1}),jQuery(document.body).on("click",".um-reset-cover-photo",function(e){var t=jQuery(this);return jQuery(".um-cover-overlay").hide(),jQuery(".um-cover-e").html(''),um_responsive(),user_id=jQuery(this).attr("data-user_id"),metakey="cover_photo",jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_cover_photo",metakey:metakey,user_id:user_id,nonce:um_scripts.nonce},success:function(e){t.hide()}}),UM.dropdown.hideAll(),!1}),jQuery(document.body).on("change keyup","#um-meta-bio",function(){if(void 0!==jQuery(this).val()){var t=jQuery(this).data("character-limit"),r=jQuery(this).data("html");let e=t-jQuery(this).val().length;e=(e=1===parseInt(r)?t-jQuery(this).val().replace(/(<([^>]+)>)/gi,"").length:e)<0?0:e,jQuery("span.um-meta-bio-character span.um-bio-limit").text(e);r=e<5?"red":"";jQuery("span.um-meta-bio-character").css("color",r)}}),jQuery("#um-meta-bio").trigger("change"),jQuery(".um-profile form").each(function(){let t=jQuery(this).data("description_key");jQuery(this).find('textarea[name="'+t+'"]').length&&jQuery(document.body).on("change input",'textarea[name="'+t+'"]',function(e){jQuery(this).parents("form").find('textarea[name="'+t+'"]').each(function(){jQuery(this).val(e.currentTarget.value),jQuery("#um-meta-bio")[0]!==e.currentTarget&&jQuery("#um-meta-bio")[0]===jQuery(this)[0]&&jQuery(this).trigger("change")})})}),jQuery(".um-profile-edit a.um_delete-item").on("click",function(e){if(e.preventDefault(),!confirm(wp.i18n.__("Are you sure that you want to delete this user?","ultimate-member")))return!1}),jQuery(".um-profile-nav a").on("touchend",function(e){jQuery(e.currentTarget).trigger("click")})}); \ No newline at end of file +jQuery(document).ready(function(){jQuery(".um-profile.um-viewing .um-profile-body .um-row").each(function(){var e=jQuery(this);0==e.find(".um-field").length&&(e.prev(".um-row-heading").remove(),e.remove())}),jQuery(".um-profile.um-viewing .um-profile-body").length&&0==jQuery(".um-profile.um-viewing .um-profile-body").find(".um-field").length&&(jQuery(".um-profile.um-viewing .um-profile-body").find(".um-row-heading,.um-row").remove(),jQuery(".um-profile-note").show()),jQuery(document.body).on("click",".um-profile-save",function(e){return e.preventDefault(),jQuery(this).parents(".um.um-profile.um-editing").find("form").trigger("submit"),!1}),jQuery(document.body).on("click",".um-profile-edit-a",function(e){jQuery(this).addClass("active")}),jQuery(document.body).on("click",".um-cover a.um-cover-add, .um-photo a",function(e){e.preventDefault()}),jQuery(document.body).on("click",".um-photo-modal",function(e){e.preventDefault();e=jQuery(this).attr("data-src");return um_new_modal("um_view_photo","fit",!0,e),!1}),jQuery(document.body).on("click",".um-reset-profile-photo",function(e){let t=jQuery(this);var r=t.data("user_id"),u=t.parents("ul").find('.um-manual-trigger[data-parent=".um-profile-photo"]'),i=u.data("alt_text");return u.data("alt_text",u.text()).text(i),jQuery(".um-profile-photo-img img").attr("src",t.data("default_src")),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_profile_photo",user_id:r,nonce:um_scripts.nonce},success:function(){t.removeClass("um-is-visible").hide()}}),UM.dropdown.hideAll(),!1}),jQuery(document.body).on("click",".um-reset-cover-photo",function(e){let t=jQuery(this);var r=t.data("user_id"),u=t.parents("ul").find('.um-manual-trigger[data-parent=".um-cover"]'),i=u.data("alt_text");return u.data("alt_text",u.text()).text(i),jQuery(".um-cover-overlay").hide(),jQuery(".um-cover-e").html(''),um_responsive(),jQuery.ajax({url:wp.ajax.settings.url,type:"post",data:{action:"um_delete_cover_photo",user_id:r,nonce:um_scripts.nonce},success:function(){t.removeClass("um-is-visible").hide()}}),UM.dropdown.hideAll(),!1}),jQuery(document.body).on("change keyup","#um-meta-bio",function(){if(void 0!==jQuery(this).val()){var t=jQuery(this).data("character-limit"),r=jQuery(this).data("html");let e=t-jQuery(this).val().length;e=(e=1===parseInt(r)?t-jQuery(this).val().replace(/(<([^>]+)>)/gi,"").length:e)<0?0:e,jQuery("span.um-meta-bio-character span.um-bio-limit").text(e);r=e<5?"red":"";jQuery("span.um-meta-bio-character").css("color",r)}}),jQuery("#um-meta-bio").trigger("change"),jQuery(".um-profile form").each(function(){let t=jQuery(this).data("description_key");jQuery(this).find('textarea[name="'+t+'"]').length&&jQuery(document.body).on("change input",'textarea[name="'+t+'"]',function(e){jQuery(this).parents("form").find('textarea[name="'+t+'"]').each(function(){jQuery(this).val(e.currentTarget.value),jQuery("#um-meta-bio")[0]!==e.currentTarget&&jQuery("#um-meta-bio")[0]===jQuery(this)[0]&&jQuery(this).trigger("change")})})}),jQuery(".um-profile-edit a.um_delete-item").on("click",function(e){if(e.preventDefault(),!confirm(wp.i18n.__("Are you sure that you want to delete this user?","ultimate-member")))return!1}),jQuery(".um-profile-nav a").on("touchend",function(e){jQuery(e.currentTarget).trigger("click")})}); \ No newline at end of file diff --git a/changelog.txt b/changelog.txt index 08e449d3..443c517b 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,5 +1,35 @@ == Changelog == += 2.10.0 February 17, 2025 = + +* Enhancements: + + - Added: User Profile `form-id` attribute and updated code for Profile/Cover photos actions dropdowns. + - Added: Honeypot scripts/styles via `wp_add_inline_script()`, `wp_add_inline_style()` changed from direct adding in header and footer. + - Updated: We've made improvements to requests for extension updates to boost stability. + - Updated: PHP requirement - the minimum PHP version is now upgraded to 7.0. + - Updated: Using $wpdb and WPCS for queries. Set minimum required version to 6.2 due to using %i for `$wpdb->prepare()`. + - Updated: Revised wp-admin user actions handling. Now, the required capability is `edit_users` instead of `manage_options`. + - Removed: User Profile hidden inputs on view mode. + - Tweak: WPCS enhancements. + +* Bugfixes: + + - Fixed: Security issue CVE ID: CVE-2024-12276. + - Fixed: Custom usermeta table metakeys for filtering in member directory (from `_money_spent` to `wc_money_spent_` and added `wc_order_count_`). + - Fixed: Layout for "Download your data" and "Erase of your data" fields. + - Fixed: Image sizes used for Open Graph meta in User Profile headers are now corrected. + - Fixed: "Delete account text" settings visibility issue in wp-admin. + - Fixed: The "Privacy Policy" field in the registration form. Disallowed HTML from the "Privacy Policy" content (like `
`) is filtered out by the `wp_kses()` function. + - Fixed: Password fields are now sanitized the WordPress native way, with `wp_unslash()` omitted post-submission. + +* Templates required update: + + - gdpr-register.php + - profile.php + +* Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade * + = 2.9.2 January 14, 2025 = * Enhancements: diff --git a/includes/admin/class-actions-listener.php b/includes/admin/class-actions-listener.php index fa25877d..48c4396c 100644 --- a/includes/admin/class-actions-listener.php +++ b/includes/admin/class-actions-listener.php @@ -14,6 +14,24 @@ if ( ! class_exists( 'um\admin\Actions_Listener' ) ) { */ class Actions_Listener { + /** + * USER_ACTIONS array containing different actions for managing users: + * - approve_user: Approve a user + * - reactivate_user: Reactivate a user account + * - put_user_as_pending: Set a user as pending + * - resend_user_activation: Resend activation email to a user + * - reject_user: Reject a user + * - deactivate_user: Deactivate a user account + */ + const USER_ACTIONS = array( + 'approve_user', + 'reactivate_user', + 'put_user_as_pending', + 'resend_user_activation', + 'reject_user', + 'deactivate_user', + ); + /** * Actions_Listener constructor. */ @@ -26,171 +44,179 @@ if ( ! class_exists( 'um\admin\Actions_Listener' ) ) { * Handle wp-admin actions * * @since 2.8.7 + * @since 2.10.0 User should have 'edit_users' capability instead of 'manage_options'. */ public function actions_listener() { - if ( ! current_user_can( 'manage_options' ) ) { + // phpcs:disable WordPress.Security.NonceVerification -- there is nonce verification below for each case + if ( empty( $_REQUEST['um_adm_action'] ) ) { return; } - if ( ! empty( $_REQUEST['um_adm_action'] ) ) { - switch ( sanitize_key( $_REQUEST['um_adm_action'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification -- there is nonce verification below for each case - case 'approve_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + $action = sanitize_key( $_REQUEST['um_adm_action'] ); + // phpcs:enable WordPress.Security.NonceVerification -- there is nonce verification below for each case + + if ( in_array( $action, self::USER_ACTIONS, true ) && ! current_user_can( 'edit_users' ) ) { + return; + } + + switch ( $action ) { + case 'approve_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "approve_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->approve( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_approved', + 'approved_count' => 1, + ), + $redirect + ); } + } - $user_id = absint( $_REQUEST['uid'] ); + wp_safe_redirect( $redirect ); + exit; + case 'reactivate_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - check_admin_referer( "approve_user{$user_id}" ); + $user_id = absint( $_REQUEST['uid'] ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->approve( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_approved', - 'approved_count' => 1, - ), - $redirect - ); - } + check_admin_referer( "reactivate_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->reactivate( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_reactivated', + 'reactivated_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'put_user_as_pending': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - wp_safe_redirect( $redirect ); - exit; - case 'reactivate_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "put_user_as_pending{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->set_as_pending( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_pending', + 'pending_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'resend_user_activation': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - $user_id = absint( $_REQUEST['uid'] ); + $user_id = absint( $_REQUEST['uid'] ); - check_admin_referer( "reactivate_user{$user_id}" ); + check_admin_referer( "resend_user_activation{$user_id}" ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->reactivate( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_reactivated', - 'reactivated_count' => 1, - ), - $redirect - ); - } + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->send_activation( $user_id, true ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_resend_activation', + 'resend_activation_count' => 1, + ), + $redirect + ); } - wp_safe_redirect( $redirect ); - exit; - case 'put_user_as_pending': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + wp_safe_redirect( $redirect ); + exit; + case 'reject_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "reject_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->reject( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_rejected', + 'rejected_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'deactivate_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - $user_id = absint( $_REQUEST['uid'] ); + $user_id = absint( $_REQUEST['uid'] ); - check_admin_referer( "put_user_as_pending{$user_id}" ); + check_admin_referer( "deactivate_user{$user_id}" ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->set_as_pending( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_pending', - 'pending_count' => 1, - ), - $redirect - ); - } + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->deactivate( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_deactivate', + 'deactivated_count' => 1, + ), + $redirect + ); } - wp_safe_redirect( $redirect ); - exit; - case 'resend_user_activation': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "resend_user_activation{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->send_activation( $user_id, true ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_resend_activation', - 'resend_activation_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - case 'reject_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "reject_user{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->reject( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_rejected', - 'rejected_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - case 'deactivate_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "deactivate_user{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->deactivate( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_deactivate', - 'deactivated_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - } + } + wp_safe_redirect( $redirect ); + exit; } } + /** + * Extends an array of actions with the predefined user actions. + * + * @param array $actions The original array of actions to extend. + * + * @return array The extended array containing additional user actions. + */ public function extends_individual_nonce_actions( $actions ) { - $actions[] = 'approve_user'; - $actions[] = 'reactivate_user'; - $actions[] = 'put_user_as_pending'; - $actions[] = 'resend_user_activation'; - $actions[] = 'reject_user'; - $actions[] = 'deactivate_user'; - return $actions; + return array_merge( $actions, self::USER_ACTIONS ); } } } diff --git a/includes/admin/core/class-admin-gdpr.php b/includes/admin/core/class-admin-gdpr.php index 592e525e..724f1a98 100644 --- a/includes/admin/core/class-admin-gdpr.php +++ b/includes/admin/core/class-admin-gdpr.php @@ -170,12 +170,16 @@ if ( ! class_exists( 'um\admin\core\Admin_GDPR' ) ) { function get_metadata( $user_id ) { global $wpdb; - $metadata = $wpdb->get_results( $wpdb->prepare( - "SELECT meta_key, meta_value - FROM {$wpdb->usermeta} - WHERE user_id = %d", - $user_id - ), ARRAY_A ); + $metadata = $wpdb->get_results( + $wpdb->prepare( + "SELECT meta_key, + meta_value + FROM {$wpdb->usermeta} + WHERE user_id = %d", + $user_id + ), + ARRAY_A + ); $filtered = array(); foreach ( $metadata as $data ) { diff --git a/includes/admin/core/class-admin-metabox.php b/includes/admin/core/class-admin-metabox.php index 09cce4f7..9332880f 100644 --- a/includes/admin/core/class-admin-metabox.php +++ b/includes/admin/core/class-admin-metabox.php @@ -1177,7 +1177,19 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) { $where = array( 'ID' => $post_id ); // translators: %s: Directory id. $_POST['post_title'] = sprintf( __( 'Directory #%s', 'ultimate-member' ), $post_id ); - $wpdb->update( $wpdb->posts, array( 'post_title' => sanitize_text_field( wp_unslash( $_POST['post_title'] ) ) ), $where ); + $wpdb->update( + $wpdb->posts, + array( + 'post_title' => sanitize_text_field( wp_unslash( $_POST['post_title'] ) ), + ), + $where, + array( + '%s', + ), + array( + '%d', + ) + ); } do_action( 'um_before_member_directory_save', $post_id ); @@ -1275,7 +1287,19 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) { $where = array( 'ID' => $post_id ); // translators: %s: Form id. $_POST['post_title'] = sprintf( __( 'Form #%s', 'ultimate-member' ), $post_id ); - $wpdb->update( $wpdb->posts, array( 'post_title' => sanitize_text_field( wp_unslash( $_POST['post_title'] ) ) ), $where ); + $wpdb->update( + $wpdb->posts, + array( + 'post_title' => sanitize_text_field( wp_unslash( $_POST['post_title'] ) ), + ), + $where, + array( + '%s', + ), + array( + '%d', + ) + ); } // save diff --git a/includes/admin/core/class-admin-notices.php b/includes/admin/core/class-admin-notices.php index 94641895..0fbc12ab 100644 --- a/includes/admin/core/class-admin-notices.php +++ b/includes/admin/core/class-admin-notices.php @@ -630,8 +630,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Notices' ) ) { 'license_key', array( 'class' => 'error', - // translators: %1$s is an inactive license number; %2$s is a plugin name; %3$s is a store link. - 'message' => '

' . sprintf( __( 'There are %1$s inactive %2$s license keys for this site. This site is not authorized to get plugin updates. You can active this site on www.ultimatemember.com.', 'ultimate-member' ), count( $arr_inactive_license_keys ), UM_PLUGIN_NAME, UM()->store_url ) . '

', + // translators: %1$s is an inactive license number; %2$s is a plugin name. + 'message' => '

' . sprintf( __( 'There are %1$s inactive %2$s license keys for this site. This site is not authorized to get plugin updates. You can activate this site on www.ultimatemember.com.', 'ultimate-member' ), count( $arr_inactive_license_keys ), UM_PLUGIN_NAME ) . '

', ), 3 ); diff --git a/includes/admin/core/class-admin-settings.php b/includes/admin/core/class-admin-settings.php index 0325d07b..122310c7 100644 --- a/includes/admin/core/class-admin-settings.php +++ b/includes/admin/core/class-admin-settings.php @@ -97,20 +97,22 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) { $metakeys = apply_filters( 'um_metadata_same_page_update_ajax', $metakeys, UM()->builtin()->all_user_fields ); if ( is_multisite() ) { - $sites = get_sites( array( 'fields' => 'ids' ) ); foreach ( $sites as $blog_id ) { $metakeys[] = $wpdb->get_blog_prefix( $blog_id ) . 'capabilities'; + $metakeys[] = 'wc_money_spent_' . rtrim( $wpdb->get_blog_prefix( $blog_id ), '_' ); + $metakeys[] = 'wc_order_count_' . rtrim( $wpdb->get_blog_prefix( $blog_id ), '_' ); } } else { $blog_id = get_current_blog_id(); $metakeys[] = $wpdb->get_blog_prefix( $blog_id ) . 'capabilities'; + $metakeys[] = 'wc_money_spent_' . rtrim( $wpdb->get_blog_prefix( $blog_id ), '_' ); + $metakeys[] = 'wc_order_count_' . rtrim( $wpdb->get_blog_prefix( $blog_id ), '_' ); } //member directory data $metakeys[] = 'um_member_directory_data'; $metakeys[] = '_um_verified'; - $metakeys[] = '_money_spent'; $metakeys[] = '_completed'; $metakeys[] = '_reviews_avg'; @@ -2239,6 +2241,12 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) { } else { unset( $this->settings_structure['advanced']['sections']['features']['form_sections']['beta_features'] ); } + + if ( UM()->account()->current_password_is_required( 'delete' ) ) { + unset( $this->settings_structure['']['sections']['account']['form_sections']['delete_tab']['fields'][2] ); + } else { + unset( $this->settings_structure['']['sections']['account']['form_sections']['delete_tab']['fields'][1] ); + } } /** @@ -2927,9 +2935,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) { ); $request = wp_remote_post( - UM()->store_url, + UM()::$store_url, array( - 'timeout' => UM()->request_timeout, + 'timeout' => UM()::$request_timeout, 'sslverify' => false, 'body' => $api_params, ) @@ -2939,9 +2947,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) { $request = json_decode( wp_remote_retrieve_body( $request ) ); } else { $request = wp_remote_post( - UM()->store_url, + UM()::$store_url, array( - 'timeout' => UM()->request_timeout, + 'timeout' => UM()::$request_timeout, 'sslverify' => true, 'body' => $api_params, ) diff --git a/includes/admin/core/packages/2.0-beta1/user_roles.php b/includes/admin/core/packages/2.0-beta1/user_roles.php index 17fb8597..684d0365 100644 --- a/includes/admin/core/packages/2.0-beta1/user_roles.php +++ b/includes/admin/core/packages/2.0-beta1/user_roles.php @@ -55,15 +55,18 @@ if ( ! empty( $um_roles ) ) { $role_keys[] = $role_key; } - $all_role_metadata = $wpdb->get_results( $wpdb->prepare( - "SELECT pm.meta_key, - pm.meta_value - FROM {$wpdb->postmeta} pm - WHERE pm.post_id = %d AND - pm.meta_key LIKE %s", - $um_role->ID, - "_um_%" - ), ARRAY_A ); + $all_role_metadata = $wpdb->get_results( + $wpdb->prepare( + "SELECT pm.meta_key, + pm.meta_value + FROM {$wpdb->postmeta} pm + WHERE pm.post_id = %d AND + pm.meta_key LIKE %s", + $um_role->ID, + "_um_%" + ), + ARRAY_A + ); $role_metadata = array(); if ( ! empty( $all_role_metadata ) ) { @@ -160,4 +163,4 @@ if ( version_compare( $wp_version, '4.9', '<' ) ) { //temporary option -update_option( 'um_roles_associations', $roles_associations ); \ No newline at end of file +update_option( 'um_roles_associations', $roles_associations ); diff --git a/includes/admin/core/packages/2.1.0-beta1/member-directory.php b/includes/admin/core/packages/2.1.0-beta1/member-directory.php index fe71a0f7..8108d475 100644 --- a/includes/admin/core/packages/2.1.0-beta1/member-directory.php +++ b/includes/admin/core/packages/2.1.0-beta1/member-directory.php @@ -10,7 +10,8 @@ if ( ! empty( $postmeta ) ) { update_post_meta( $row['post_id'], '_um_hide_pm_button', $value ); } - $wpdb->delete( "{$wpdb->postmeta}", + $wpdb->delete( + $wpdb->postmeta, array( 'meta_value' => '_um_show_pm_button', ), @@ -185,4 +186,4 @@ if ( ! empty( $groups ) && ! is_wp_error( $groups ) ) { } } } -} \ No newline at end of file +} diff --git a/includes/admin/core/packages/2.1.0-beta1/metadata.php b/includes/admin/core/packages/2.1.0-beta1/metadata.php index c8eb8a5d..65fc3a8d 100644 --- a/includes/admin/core/packages/2.1.0-beta1/metadata.php +++ b/includes/admin/core/packages/2.1.0-beta1/metadata.php @@ -1,18 +1,22 @@ -update( "{$wpdb->usermeta}", +$wpdb->update( + $wpdb->usermeta, array( - 'meta_value' => serialize( array() ), + 'meta_value' => serialize( array() ), ), array( - 'meta_key' => 'um_account_secure_fields', + 'meta_key' => 'um_account_secure_fields', ), array( - '%s' + '%s', ), array( - '%s' + '%s', ) -); \ No newline at end of file +); diff --git a/includes/admin/core/packages/2.1.3-beta3/functions.php b/includes/admin/core/packages/2.1.3-beta3/functions.php index 7f5de7f1..cd87cab0 100644 --- a/includes/admin/core/packages/2.1.3-beta3/functions.php +++ b/includes/admin/core/packages/2.1.3-beta3/functions.php @@ -28,29 +28,35 @@ function um_upgrade_metadata_per_user213beta3() { global $wpdb; - $min_max = $wpdb->get_row( $wpdb->prepare( - "SELECT MIN(ID) AS MinID, MAX(ID) AS MaxID - FROM ( - SELECT u.ID - FROM {$wpdb->users} as u - ORDER BY u.ID - LIMIT %d, %d - ) as dt", - ( absint( $_POST['page'] ) - 1 ) * $per_page, - $per_page - ), ARRAY_A ); + $min_max = $wpdb->get_row( + $wpdb->prepare( + "SELECT MIN(ID) AS MinID, MAX(ID) AS MaxID + FROM ( + SELECT u.ID + FROM {$wpdb->users} as u + ORDER BY u.ID + LIMIT %d, %d + ) as dt", + ( absint( $_POST['page'] ) - 1 ) * $per_page, + $per_page + ), + ARRAY_A + ); - $metadata = $wpdb->get_results( $wpdb->prepare( - "SELECT u.ID as user_id, - um.meta_key as meta_key, - um.meta_value as meta_value - FROM {$wpdb->users} u - LEFT JOIN {$wpdb->usermeta} um ON ( um.user_id = u.ID AND um.meta_key IN( 'account_status','hide_in_members','synced_gravatar_hashed_id','synced_profile_photo','profile_photo','cover_photo','_um_verified' ) ) - WHERE u.ID >= %d AND - u.ID <= %d", - $min_max['MinID'], - $min_max['MaxID'] - ), ARRAY_A ); + $metadata = $wpdb->get_results( + $wpdb->prepare( + "SELECT u.ID as user_id, + um.meta_key as meta_key, + um.meta_value as meta_value + FROM {$wpdb->users} u + LEFT JOIN {$wpdb->usermeta} um ON ( um.user_id = u.ID AND um.meta_key IN( 'account_status','hide_in_members','synced_gravatar_hashed_id','synced_profile_photo','profile_photo','cover_photo','_um_verified' ) ) + WHERE u.ID >= %d AND + u.ID <= %d", + $min_max['MinID'], + $min_max['MaxID'] + ), + ARRAY_A + ); $users_map = array(); foreach ( $metadata as $metadatarow ) { diff --git a/includes/admin/core/packages/2.8.0/functions.php b/includes/admin/core/packages/2.8.0/functions.php index 57019b14..0f40ebf4 100644 --- a/includes/admin/core/packages/2.8.0/functions.php +++ b/includes/admin/core/packages/2.8.0/functions.php @@ -14,9 +14,9 @@ function um_upgrade_usermeta_count280() { "SELECT COUNT(*) FROM {$wpdb->usermeta} WHERE meta_key = 'use_gdpr_agreement' OR - meta_key = 'um_user_blocked__timestamp' OR - meta_key = '_um_last_login' OR - meta_key = 'submitted'" + meta_key = 'um_user_blocked__timestamp' OR + meta_key = '_um_last_login' OR + meta_key = 'submitted'" ); wp_send_json_success( array( 'count' => $count ) ); @@ -40,9 +40,9 @@ function um_upgrade_metadata_per_user280() { "SELECT * FROM {$wpdb->usermeta} WHERE meta_key = 'use_gdpr_agreement' OR - meta_key = 'um_user_blocked__timestamp' OR - meta_key = '_um_last_login' OR - meta_key = 'submitted' + meta_key = 'um_user_blocked__timestamp' OR + meta_key = '_um_last_login' OR + meta_key = 'submitted' LIMIT %d, %d", ( absint( $_POST['page'] ) - 1 ) * $per_page, $per_page diff --git a/includes/admin/templates/form/builder.php b/includes/admin/templates/form/builder.php index 06f18bc6..be7fe75f 100644 --- a/includes/admin/templates/form/builder.php +++ b/includes/admin/templates/form/builder.php @@ -1,20 +1,25 @@ -builder()->form_id ) ) { UM()->builder()->form_id = $this->form_id; -} ?> +} +?>
@@ -26,7 +31,7 @@ if ( empty( UM()->builder()->form_id ) ) {
+ data-row_action="add_row">
diff --git a/includes/admin/templates/modal/forms/dynamic_form_preview.php b/includes/admin/templates/modal/forms/dynamic_form_preview.php index 3eaee1a0..37045277 100644 --- a/includes/admin/templates/modal/forms/dynamic_form_preview.php +++ b/includes/admin/templates/modal/forms/dynamic_form_preview.php @@ -1,16 +1,16 @@ - - - + \ No newline at end of file + diff --git a/includes/class-functions.php b/includes/class-functions.php index c4811570..bf861f15 100644 --- a/includes/class-functions.php +++ b/includes/class-functions.php @@ -1,36 +1,27 @@ - $post_type ) { if ( 'closed' === get_default_comment_status( $post_type ) ) { - $open_comments = $wpdb->get_var( $wpdb->prepare( - "SELECT ID - FROM {$wpdb->posts} - WHERE post_type = %s AND - comment_status != 'closed'", - $post_type - ) ); + $open_comments = $wpdb->get_var( + $wpdb->prepare( + "SELECT ID + FROM {$wpdb->posts} + WHERE post_type = %s AND + comment_status != 'closed'", + $post_type + ) + ); if ( empty( $open_comments ) ) { unset( $restricted_posts[ $k ] ); @@ -1070,12 +1072,11 @@ if ( ! class_exists( 'um\core\Access' ) ) { } $totals = (array) $wpdb->get_results( - " - SELECT comment_approved, COUNT( * ) AS total - FROM {$wpdb->comments} - {$where} - GROUP BY comment_approved - ", + "SELECT comment_approved, + COUNT(*) AS total + FROM {$wpdb->comments} + {$where} + GROUP BY comment_approved", ARRAY_A ); diff --git a/includes/core/class-account.php b/includes/core/class-account.php index 65df44e9..be3891e0 100644 --- a/includes/core/class-account.php +++ b/includes/core/class-account.php @@ -340,93 +340,100 @@ if ( ! class_exists( 'um\core\Account' ) ) { } } - /** - * Submit Account handler + * Process the submission of account details */ - function account_submit() { + public function account_submit() { + if ( ! um_submitting_account_page() ) { + return; + } - if ( um_submitting_account_page() ) { + $formdata = wp_unslash( $_POST ); - UM()->form()->post_form = wp_unslash( $_POST ); + // Don't un-slash passwords in manner of WordPress native password field. + $fields_map = array( + 'user_password', + 'confirm_user_password', + 'current_user_password', + 'single_user_password', + ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $fields_map ); + UM()->form()->post_form = $formdata; + + /** + * UM hook + * + * @type action + * @title um_submit_account_errors_hook + * @description Validate process on account submit + * @input_vars + * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] + * @change_log + * ["Since: 2.0"] + * @usage add_action( 'um_submit_account_errors_hook', 'function_name', 10, 1 ); + * @example + * + */ + do_action( 'um_submit_account_errors_hook', UM()->form()->post_form ); + + if ( um_is_core_page( 'account' ) && get_query_var( 'um_tab' ) ) { + $this->current_tab = get_query_var( 'um_tab' ); + } else { + $this->current_tab = UM()->form()->post_form['_um_account_tab']; + } + + $this->current_tab = sanitize_key( $this->current_tab ); + + if ( ! isset( UM()->form()->errors ) ) { /** * UM hook * * @type action - * @title um_submit_account_errors_hook - * @description Validate process on account submit + * @title um_submit_account_details + * @description On success account submit * @input_vars * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] * @change_log * ["Since: 2.0"] - * @usage add_action( 'um_submit_account_errors_hook', 'function_name', 10, 1 ); + * @usage add_action( 'um_submit_account_details', 'function_name', 10, 1 ); * @example * */ - do_action( 'um_submit_account_errors_hook', UM()->form()->post_form ); + do_action( 'um_submit_account_details', UM()->form()->post_form ); - if ( um_is_core_page( 'account' ) && get_query_var( 'um_tab' ) ) { - $this->current_tab = get_query_var( 'um_tab' ); - } else { - $this->current_tab = UM()->form()->post_form['_um_account_tab']; - } + } elseif ( UM()->form()->has_error( 'um_account_security' ) ) { + $url = ''; + if ( um_is_core_page( 'account' ) ) { - $this->current_tab = sanitize_key( $this->current_tab ); + $url = UM()->account()->tab_link( $this->current_tab ); - if ( ! isset( UM()->form()->errors ) ) { - /** - * UM hook - * - * @type action - * @title um_submit_account_details - * @description On success account submit - * @input_vars - * [{"var":"$submitted","type":"array","desc":"Account Page Submitted data"}] - * @change_log - * ["Since: 2.0"] - * @usage add_action( 'um_submit_account_details', 'function_name', 10, 1 ); - * @example - * - */ - do_action( 'um_submit_account_details', UM()->form()->post_form ); + $url = add_query_arg( 'err', 'account', $url ); - } elseif ( UM()->form()->has_error( 'um_account_security' ) ) { - $url = ''; - if ( um_is_core_page( 'account' ) ) { + if ( function_exists( 'icl_get_current_language' ) ) { + if ( icl_get_current_language() != icl_get_default_language() ) { + $url = UM()->permalinks()->get_current_url( true ); + $url = add_query_arg( 'err', 'account', $url ); - $url = UM()->account()->tab_link( $this->current_tab ); - - $url = add_query_arg( 'err', 'account', $url ); - - if ( function_exists( 'icl_get_current_language' ) ) { - if ( icl_get_current_language() != icl_get_default_language() ) { - $url = UM()->permalinks()->get_current_url( true ); - $url = add_query_arg( 'err', 'account', $url ); - - exit( wp_redirect( $url ) ); - } + exit( wp_redirect( $url ) ); } } - - exit( wp_redirect( $url ) ); } + exit( wp_redirect( $url ) ); } - } - /** * Filter account fields * @param array $predefined_fields diff --git a/includes/core/class-form.php b/includes/core/class-form.php index 1cd407ed..e7a553db 100644 --- a/includes/core/class-form.php +++ b/includes/core/class-form.php @@ -453,6 +453,11 @@ if ( ! class_exists( 'um\core\Form' ) ) { $arr_restricted_fields = UM()->fields()->get_restricted_fields_for_edit(); } + $password_fields = array( + 'user_password', + 'confirm_user_password', + ); + $field_types_without_metakey = UM()->builtin()->get_fields_without_metakey(); foreach ( $custom_fields as $cf_k => $cf_data ) { if ( ! array_key_exists( 'type', $cf_data ) || in_array( $cf_data['type'], $field_types_without_metakey, true ) ) { @@ -462,6 +467,9 @@ if ( ! class_exists( 'um\core\Form' ) ) { if ( array_key_exists( 'type', $cf_data ) && 'password' === $cf_data['type'] ) { $ignore_keys[] = $cf_k; $ignore_keys[] = 'confirm_' . $cf_k; + + $password_fields[] = $cf_k; + $password_fields[] = 'confirm_' . $cf_k; } if ( 'profile' === $this->form_data['mode'] ) { @@ -556,6 +564,18 @@ if ( ! class_exists( 'um\core\Form' ) ) { */ do_action( 'um_before_submit_form_post', $this ); + $formdata = wp_unslash( $_POST ); + + if ( isset( $formdata['form_id'] ) ) { + // Don't un-slash passwords in manner of WordPress native password field. + $form_id = absint( $formdata['form_id'] ); + foreach ( $password_fields as &$password_field ) { + $password_field .= '-' . $form_id; + } + unset( $password_field ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $password_fields ); + } + /* save entire form as global */ /** * Filters $_POST submitted data by the UM login, registration or profile form. @@ -574,7 +594,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { * } * add_filter( 'um_submit_post_form', 'my_submit_post_form' ); */ - $this->post_form = apply_filters( 'um_submit_post_form', wp_unslash( $_POST ) ); + $this->post_form = apply_filters( 'um_submit_post_form', $formdata ); // Validate form submission by honeypot. if ( isset( $this->post_form[ UM()->honeypot ] ) && '' !== $this->post_form[ UM()->honeypot ] ) { @@ -1109,7 +1129,6 @@ if ( ! class_exists( 'um\core\Form' ) ) { return $mode; } - /** * Get custom field roles * @@ -1166,5 +1185,24 @@ if ( ! class_exists( 'um\core\Form' ) ) { return false; } + + /** + * Ignore of `wp_unslash()` for form data + * + * @param array $formdata The form data to process + * @param array $fields_map The fields map array + * + * @return array The updated form data + */ + public static function ignore_formdata_unslash( $formdata, $fields_map ) { + foreach ( $fields_map as $field ) { + if ( ! isset( $_POST[ $field ] ) ) { + continue; + } + $formdata[ $field ] = trim( $_POST[ $field ] ); + } + + return $formdata; + } } } diff --git a/includes/core/class-member-directory-meta.php b/includes/core/class-member-directory-meta.php index 1bd8aa1d..9ab8b16b 100644 --- a/includes/core/class-member-directory-meta.php +++ b/includes/core/class-member-directory-meta.php @@ -169,7 +169,7 @@ if ( ! class_exists( 'um\core\Member_Directory_Meta' ) ) { "SELECT umeta_id FROM {$wpdb->prefix}um_metadata WHERE user_id = %d AND - um_key = %s + um_key = %s LIMIT 1", $object_id, $meta_key diff --git a/includes/core/class-member-directory.php b/includes/core/class-member-directory.php index 00234ccf..70ae0c0d 100644 --- a/includes/core/class-member-directory.php +++ b/includes/core/class-member-directory.php @@ -969,14 +969,17 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { default: { - $meta = $wpdb->get_row( $wpdb->prepare( - "SELECT MIN( CONVERT( meta_value, DECIMAL ) ) as min_meta, - MAX( CONVERT( meta_value, DECIMAL ) ) as max_meta, - COUNT( DISTINCT meta_value ) as amount - FROM {$wpdb->usermeta} - WHERE meta_key = %s", - $filter - ), ARRAY_A ); + $meta = $wpdb->get_row( + $wpdb->prepare( + "SELECT MIN( CONVERT( meta_value, DECIMAL ) ) as min_meta, + MAX( CONVERT( meta_value, DECIMAL ) ) as max_meta, + COUNT( DISTINCT meta_value ) as amount + FROM {$wpdb->usermeta} + WHERE meta_key = %s", + $filter + ), + ARRAY_A + ); if ( isset( $meta['min_meta'] ) && isset( $meta['max_meta'] ) && isset( $meta['amount'] ) && $meta['amount'] > 1 ) { $range = array( (float) $meta['min_meta'], (float) $meta['max_meta'] ); @@ -988,24 +991,6 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { break; } case 'birth_date': { - -// $meta = $wpdb->get_col( -// "SELECT meta_value -// FROM {$wpdb->usermeta} -// WHERE meta_key = 'birth_date' AND -// meta_value != ''" -// ); -// -// if ( empty( $meta ) || count( $meta ) < 2 ) { -// $range = false; -// } elseif ( is_array( $meta ) ) { -// $birth_dates = array_filter( array_map( 'strtotime', $meta ), 'is_numeric' ); -// sort( $birth_dates ); -// $min_meta = array_shift( $birth_dates ); -// $max_meta = array_pop( $birth_dates ); -// $range = array( $this->borndate( $max_meta ), $this->borndate( $min_meta ) ); -// } - $meta = $wpdb->get_row( "SELECT MIN( meta_value ) as min_meta, MAX( meta_value ) as max_meta, @@ -1013,7 +998,8 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { FROM {$wpdb->usermeta} WHERE meta_key = 'birth_date' AND meta_value != ''", - ARRAY_A ); + ARRAY_A + ); if ( isset( $meta['min_meta'] ) && isset( $meta['max_meta'] ) && isset( $meta['amount'] ) && $meta['amount'] > 1 ) { $range = array( $this->borndate( strtotime( $meta['max_meta'] ) ), $this->borndate( strtotime( $meta['min_meta'] ) ) ); @@ -1082,10 +1068,15 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { switch ( $filter ) { default: global $wpdb; - $meta = $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT meta_value - FROM {$wpdb->usermeta} - WHERE meta_key = %s - ORDER BY meta_value DESC", $filter ) ); + $meta = $wpdb->get_col( + $wpdb->prepare( + "SELECT DISTINCT meta_value + FROM {$wpdb->usermeta} + WHERE meta_key = %s + ORDER BY meta_value DESC", + $filter + ) + ); if ( empty( $meta ) || count( $meta ) === 1 ) { $range = false; diff --git a/includes/core/class-password.php b/includes/core/class-password.php index 7a02d7fa..5690e046 100644 --- a/includes/core/class-password.php +++ b/includes/core/class-password.php @@ -337,7 +337,17 @@ if ( ! class_exists( 'um\core\Password' ) ) { } if ( $this->is_change_request() ) { - UM()->form()->post_form = wp_unslash( $_POST ); + + $formdata = wp_unslash( $_POST ); + + // Don't un-slash passwords in manner of WordPress native password field. + $fields_map = array( + 'user_password', + 'confirm_user_password', + ); + $formdata = UM()->form()::ignore_formdata_unslash( $formdata, $fields_map ); + + UM()->form()->post_form = $formdata; /** * UM hook diff --git a/includes/core/class-plugin-updater.php b/includes/core/class-plugin-updater.php index a4082b76..3c79b090 100644 --- a/includes/core/class-plugin-updater.php +++ b/includes/core/class-plugin-updater.php @@ -1,25 +1,24 @@ store_url; + public function __construct() { add_action( 'um_daily_scheduled_events', array( &$this, 'um_checklicenses' ) ); // clean update plugin cache @@ -35,16 +34,15 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { //add_filter( 'auto_update_plugin', array( &$this, 'prevent_dangerous_auto_updates' ), 99, 2 ); } - /** * Prevent auto-updating the WooCommerce plugin on major releases if there are untested extensions active. - * + * @todo maybe check untested extensions. * @since 3.2.0 * @param bool $should_update If should update. * @param object $plugin Plugin data. * @return bool */ - function prevent_dangerous_auto_updates( $should_update, $plugin ) { + public function prevent_dangerous_auto_updates( $should_update, $plugin ) { if ( ! isset( $plugin->plugin, $plugin->new_version ) ) { return $should_update; } @@ -56,7 +54,6 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { return $should_update; } - /** * This action is documented in wp-admin/includes/class-wp-upgrader.php * @@ -204,33 +201,32 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { foreach ( $the_plugs as $key => $value ) { - if ( in_array( $value, array_keys( $paid_extensions ) ) ) { + if ( array_key_exists( $value, $paid_extensions ) ) { $license = UM()->options()->get( "um_{$paid_extensions[ $value ]['key']}_license_key" ); if ( empty( $license ) ) { continue; } - $active_um_plugins[ $value ] = $paid_extensions[ $value ]; + $active_um_plugins[ $value ] = $paid_extensions[ $value ]; $active_um_plugins[ $value ]['license'] = $license; } } restore_current_blog(); } - } else { $the_plugs = get_option( 'active_plugins' ); foreach ( $the_plugs as $key => $value ) { - if ( in_array( $value, array_keys( $paid_extensions ) ) ) { + if ( array_key_exists( $value, $paid_extensions ) ) { $license = UM()->options()->get( "um_{$paid_extensions[ $value ]['key']}_license_key" ); if ( empty( $license ) ) { continue; } - $active_um_plugins[ $value ] = $paid_extensions[ $value ]; + $active_um_plugins[ $value ] = $paid_extensions[ $value ]; $active_um_plugins[ $value ]['license'] = $license; } } @@ -239,14 +235,13 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { return $active_um_plugins; } - /** * Check license function + * WP Cron request to UM()::$store_url */ - function um_checklicenses() { + public function um_checklicenses() { $exts = $this->get_active_plugins(); - - if ( 0 == count( $exts ) ) { + if ( empty( $exts ) ) { return; } @@ -267,16 +262,16 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { 'slug' => $slug, 'license' => $data['license'], 'item_name' => $data['title'], - 'version' => $plugin_data['Version'] + 'version' => $plugin_data['Version'], ); } $request = wp_remote_post( - UM()->store_url, + UM()::$store_url, array( - 'timeout' => UM()->request_timeout, + 'timeout' => UM()::$request_timeout, 'sslverify' => false, - 'body' => $api_params + 'body' => $api_params, ) ); @@ -284,11 +279,11 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $request = json_decode( wp_remote_retrieve_body( $request ) ); } else { $request = wp_remote_post( - UM()->store_url, + UM()::$store_url, array( - 'timeout' => UM()->request_timeout, + 'timeout' => UM()::$request_timeout, 'sslverify' => true, - 'body' => $api_params + 'body' => $api_params, ) ); @@ -321,11 +316,11 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $request->$slug->get_version_check->sections = maybe_unserialize( $request->$slug->get_version_check->sections ); $request->$slug->get_version_check->sections = (array) $request->$slug->get_version_check->sections; } else { - $request->$slug->get_version_check = new \WP_Error( 'plugins_api_failed', + $request->$slug->get_version_check = new WP_Error( + 'plugins_api_failed', sprintf( - /* translators: %s: support forums URL */ - __( 'An unexpected error occurred. Something may be wrong with %s or this server’s configuration. If you continue to have problems, please try the support forums.' ), - UM()->store_url, + /* translators: %s: support forums URL */ + __( 'An unexpected error occurred. Something may be wrong with installation or server’s configuration. If you continue to have problems, please try the support forums.' ), __( 'https://wordpress.org/support/' ) ), wp_remote_retrieve_body( $request->$slug->get_version_check ) @@ -341,7 +336,7 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { } if ( ! empty( $request->$slug->get_version_check->sections ) ) { - foreach( $request->$slug->get_version_check->sections as $key => $section ) { + foreach ( $request->$slug->get_version_check->sections as $key => $section ) { $request->$slug->get_version_check->$key = (array) $section; } } @@ -350,11 +345,8 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { } } } - - return; } - /** * Check for Updates by request to the marketplace * and modify the update array. @@ -362,15 +354,15 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { * @param array $_transient_data plugin update array build by WordPress. * @return \stdClass modified plugin update array. */ - function check_update( $_transient_data ) { + public function check_update( $_transient_data ) { if ( ! is_object( $_transient_data ) ) { - $_transient_data = new \stdClass; + $_transient_data = new \stdClass(); } $exts = $this->get_active_plugins(); foreach ( $exts as $slug => $data ) { - //if response for current product isn't empty check for override + // If response for current product isn't empty check for override. if ( ! empty( $_transient_data->response ) && ! empty( $_transient_data->response[ $slug ] ) && $_transient_data->last_checked > time() - DAY_IN_SECONDS ) { continue; } @@ -387,12 +379,14 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $version_info = $this->get_cached_version_info( $slug ); if ( false === $version_info ) { - $version_info = $this->single_request( 'plugin_latest_version', array( - 'slug' => $slug, - 'license' => $data['license'], - 'item_name' => $data['title'], - 'version' => $plugin_data['Version'] - ) ); + $version_info = $this->single_request( + array( + 'slug' => $slug, + 'license' => $data['license'], + 'item_name' => $data['title'], + 'version' => $plugin_data['Version'], + ) + ); $this->set_version_info_cache( $slug, $version_info ); } @@ -400,42 +394,39 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { if ( false !== $version_info && is_object( $version_info ) && isset( $version_info->new_version ) ) { //show update version block if new version > then current if ( version_compare( $plugin_data['Version'], $version_info->new_version, '<' ) ) { - $_transient_data->response[ $slug ] = $version_info; + $_transient_data->response[ $slug ] = $version_info; $_transient_data->response[ $slug ]->plugin = $slug; } else { - $_transient_data->no_update[ $slug ] = $version_info; + $_transient_data->no_update[ $slug ] = $version_info; $_transient_data->no_update[ $slug ]->plugin = $slug; } - $_transient_data->last_checked = time(); - $_transient_data->checked[ $slug ] = $plugin_data['Version']; + $_transient_data->last_checked = time(); + $_transient_data->checked[ $slug ] = $plugin_data['Version']; } elseif ( false !== $version_info && is_object( $version_info ) && ! isset( $version_info->new_version ) ) { - $_transient_data->no_update[ $slug ] = $version_info; + $_transient_data->no_update[ $slug ] = $version_info; $_transient_data->no_update[ $slug ]->plugin = $slug; - $_transient_data->last_checked = time(); - $_transient_data->checked[ $slug ] = $plugin_data['Version']; + $_transient_data->last_checked = time(); + $_transient_data->checked[ $slug ] = $plugin_data['Version']; } } return $_transient_data; } - - /** - * Calls the API and, if successfull, returns the object delivered by the API. + * Calls the API and, if successfully, returns the object delivered by the API. * * @uses get_bloginfo() * @uses wp_remote_post() * @uses is_wp_error() * - * @param string $_action The requested action. - * @param array $_data Parameters for the API action. + * @param array $_data Parameters for the API action. * @return false|object */ - private function single_request( $_action, $_data ) { + private function single_request( $_data ) { $api_params = array( 'edd_action' => 'get_version', 'author' => 'Ultimate Member', @@ -445,12 +436,12 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $api_params = array_merge( $api_params, $_data ); - $request = wp_remote_post( - UM()->store_url, + $request = wp_remote_post( + UM()::$store_url, array( - 'timeout' => UM()->request_timeout, + 'timeout' => UM()::$request_timeout, 'sslverify' => false, - 'body' => $api_params + 'body' => $api_params, ) ); @@ -473,7 +464,7 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $request->icons = maybe_unserialize( $request->icons ); } - if( ! empty( $request->sections ) ) { + if ( ! empty( $request->sections ) ) { foreach ( $request->sections as $key => $section ) { $request->$key = (array) $section; } @@ -490,7 +481,6 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { return $request; } - /** * Updates information on the "View version x.x details" popup with custom data. * @@ -499,9 +489,9 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { * @param object $_args * @return object $_data */ - function plugin_information( $_data, $_action = '', $_args = null ) { - //by default $data = false (from Wordpress) - if ( $_action != 'plugin_information' ) { + public function plugin_information( $_data, $_action = '', $_args = null ) { + //by default $data = false (from WordPress) + if ( 'plugin_information' !== $_action ) { return $_data; } @@ -513,19 +503,21 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { if ( false === $api_request_transient ) { $plugin_data = get_plugin_data( WP_PLUGIN_DIR . DIRECTORY_SEPARATOR . $slug ); - $api_request_transient = $this->single_request( 'plugin_latest_version', array( - 'slug' => $slug, - 'license' => $data['license'], - 'item_name' => $data['title'], - 'version' => $plugin_data['Version'] - ) ); + $api_request_transient = $this->single_request( + array( + 'slug' => $slug, + 'license' => $data['license'], + 'item_name' => $data['title'], + 'version' => $plugin_data['Version'], + ) + ); $this->set_version_info_cache( $slug, $api_request_transient ); } break; } } - //If we have no transient-saved value, run the API, set a fresh transient with the API value, and return that value too right now. + // If we have no transient-saved value, run the API, set a fresh transient with the API value, and return that value too right now. if ( isset( $api_request_transient ) ) { $_data = $api_request_transient; } @@ -533,23 +525,6 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { return $_data; } - - /** - * Disable SSL verification in order to prevent download update failures - * - * @param array $args - * @param string $url - * @return array $array - */ - function http_request_args( $args, $url ) { - // If it is an https request and we are performing a package download, disable ssl verification - if ( strpos( $url, 'https://' ) !== false && strpos( $url, 'action=package_download' ) ) { - $args['sslverify'] = false; - } - return $args; - } - - /** * Download extension URL * @@ -559,51 +534,46 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { * * @return string */ - function extend_download_url( $download_url, $slug, $data ) { - - $url = get_site_url( get_current_blog_id() ); - $domain = strtolower( urlencode( rtrim( $url, '/' ) ) ); + private function extend_download_url( $download_url, $slug, $data ) { + $url = get_site_url( get_current_blog_id() ); + $domain = strtolower( urlencode( rtrim( $url, '/' ) ) ); $plugin_data = get_plugin_data( WP_PLUGIN_DIR . DIRECTORY_SEPARATOR . $slug ); $api_params = array( - 'action' => 'get_last_version', - 'license' => ! empty( $data['license'] ) ? $data['license'] : '', - 'item_name' => str_replace( 'Ultimate Member - ', '', $plugin_data['Name'] ), - 'blog_id' => get_current_blog_id(), - 'site_url' => urlencode( $url ), - 'domain' => urlencode( $domain ), - 'slug' => urlencode( $slug ), + 'action' => 'get_last_version', + 'license' => ! empty( $data['license'] ) ? $data['license'] : '', + 'item_name' => str_replace( 'Ultimate Member - ', '', $plugin_data['Name'] ), + 'blog_id' => get_current_blog_id(), + 'site_url' => urlencode( $url ), + 'domain' => urlencode( $domain ), + 'slug' => urlencode( $slug ), ); - $download_url = add_query_arg( $api_params, $download_url ); - - return $download_url; + return add_query_arg( $api_params, $download_url ); } - /** * @param $slug * * @return bool|string */ - function get_cache_key( $slug ) { + private function get_cache_key( $slug ) { $exts = $this->get_active_plugins(); if ( empty( $exts[ $slug ] ) ) { return false; } - return 'edd_sl_' . md5( serialize( $slug . $exts[ $slug ]['license'] ) ); + return 'edd_sl_' . md5( maybe_serialize( $slug . $exts[ $slug ]['license'] ) ); } - /** * @param $slug * * @return array|bool|mixed|object */ - function get_cached_version_info( $slug ) { + private function get_cached_version_info( $slug ) { $cache_key = $this->get_cache_key( $slug ); if ( empty( $cache_key ) ) { return false; @@ -629,12 +599,11 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { return $cache['value']; } - /** - * @param $slug + * @param string $slug * @param string $value */ - function set_version_info_cache( $slug, $value = '' ) { + private function set_version_info_cache( $slug, $value = '' ) { $cache_key = $this->get_cache_key( $slug ); if ( empty( $cache_key ) ) { return; @@ -642,11 +611,10 @@ if ( ! class_exists( 'um\core\Plugin_Updater' ) ) { $data = array( 'timeout' => strtotime( '+6 hours', time() ), - 'value' => json_encode( $value ) + 'value' => wp_json_encode( $value ), ); update_option( $cache_key, $data, 'no' ); } } - } diff --git a/includes/core/class-query.php b/includes/core/class-query.php index ba8b7cc7..c3899be9 100644 --- a/includes/core/class-query.php +++ b/includes/core/class-query.php @@ -89,13 +89,12 @@ if ( ! class_exists( 'um\core\Query' ) ) { "SELECT * FROM {$wpdb->posts} WHERE post_type = 'page' AND - post_status = 'publish'", - OBJECT + post_status = 'publish'" ); $array = array(); - if( $wpdb->num_rows > 0 ){ - foreach ($pages as $page_data) { + if ( $wpdb->num_rows > 0 ) { + foreach ( $pages as $page_data ) { $array[ $page_data->ID ] = $page_data->post_title; } } diff --git a/includes/core/class-uploader.php b/includes/core/class-uploader.php index 01d695da..aa58a27f 100644 --- a/includes/core/class-uploader.php +++ b/includes/core/class-uploader.php @@ -1379,16 +1379,23 @@ if ( ! class_exists( 'um\core\Uploader' ) ) { foreach ( $files as $file ) { $str = basename( $file ); - if ( strstr( $str, 'profile_photo' ) || strstr( $str, 'cover_photo' ) || preg_grep( '/' . $str . '/', $_array ) ) { + if ( false !== strpos( $str, 'profile_photo' ) || false !== strpos( $str, 'cover_photo' ) || preg_grep( '/' . $str . '/', $_array ) ) { continue; } // Don't delete photo that belongs to the Social Activity post or Groups post - if ( strstr( $str, 'stream_photo' ) ) { + if ( false !== strpos( $str, 'stream_photo' ) ) { global $wpdb; - $is_post_image = $wpdb->get_var( " - SELECT COUNT(*) FROM {$wpdb->postmeta} - WHERE `meta_key`='_photo' AND `meta_value`='{$str}';" ); + $is_post_image = $wpdb->get_var( + $wpdb->prepare( + "SELECT COUNT(*) + FROM {$wpdb->postmeta} + WHERE meta_key = '_photo' AND + meta_value = %s", + $str + ) + ); + if ( $is_post_image ) { continue; } diff --git a/includes/core/class-user-posts.php b/includes/core/class-user-posts.php index 9a04a401..469717a4 100644 --- a/includes/core/class-user-posts.php +++ b/includes/core/class-user-posts.php @@ -211,7 +211,15 @@ if ( ! class_exists( 'um\core\User_posts' ) ) { return 0; } - $count = $wpdb->get_var("SELECT COUNT(comment_ID) FROM " . $wpdb->comments. " WHERE user_id = " . $user_id . " AND comment_approved = '1'"); + $count = $wpdb->get_var( + $wpdb->prepare( + "SELECT COUNT(comment_ID) + FROM {$wpdb->comments} + WHERE user_id = %d AND + comment_approved = '1'", + $user_id + ) + ); return $this->pretty_number_formatting( $count ); } diff --git a/includes/core/rest/class-api-v1.php b/includes/core/rest/class-api-v1.php index e80a59ea..6fed19ec 100644 --- a/includes/core/rest/class-api-v1.php +++ b/includes/core/rest/class-api-v1.php @@ -110,14 +110,16 @@ if ( ! class_exists( 'um\core\rest\API_v1' ) ) { $user = get_transient( md5( 'um_api_user_' . $key ) ); if ( false === $user ) { - $user = $wpdb->get_var( $wpdb->prepare( - "SELECT user_id - FROM $wpdb->usermeta - WHERE meta_key = 'um_user_public_key' AND - meta_value = %s - LIMIT 1", - $key - ) ); + $user = $wpdb->get_var( + $wpdb->prepare( + "SELECT user_id + FROM $wpdb->usermeta + WHERE meta_key = 'um_user_public_key' AND + meta_value = %s + LIMIT 1", + $key + ) + ); set_transient( md5( 'um_api_user_' . $key ) , $user, DAY_IN_SECONDS ); } diff --git a/includes/core/rest/class-api-v2.php b/includes/core/rest/class-api-v2.php index 8f72fd83..30d7defb 100644 --- a/includes/core/rest/class-api-v2.php +++ b/includes/core/rest/class-api-v2.php @@ -109,14 +109,16 @@ if ( ! class_exists( 'um\core\rest\API_v2' ) ) { $user = get_transient( md5( 'um_api_user_' . $key ) ); if ( false === $user ) { - $user = $wpdb->get_var( $wpdb->prepare( - "SELECT user_id - FROM $wpdb->usermeta - WHERE meta_key = 'um_user_public_key' AND - meta_value = %s - LIMIT 1", - $key - ) ); + $user = $wpdb->get_var( + $wpdb->prepare( + "SELECT user_id + FROM $wpdb->usermeta + WHERE meta_key = 'um_user_public_key' AND + meta_value = %s + LIMIT 1", + $key + ) + ); set_transient( md5( 'um_api_user_' . $key ) , $user, DAY_IN_SECONDS ); } diff --git a/includes/core/um-actions-account.php b/includes/core/um-actions-account.php index c2d0e94f..952ec739 100644 --- a/includes/core/um-actions-account.php +++ b/includes/core/um-actions-account.php @@ -681,7 +681,7 @@ function um_after_account_privacy( $args ) { } else { if ( UM()->account()->current_password_is_required( 'privacy_download_data' ) ) { ?> -