mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-18 14:13:46 +09:00
- fixed vulnerability with uploading cover/profile photo for other user ID;
- re-written member directory meta queries; - fixed search line additional slashes;
This commit is contained in:
@@ -287,6 +287,12 @@ if ( ! class_exists( 'um\core\Files' ) ) {
|
||||
}
|
||||
|
||||
$user_id = empty( $_REQUEST['user_id'] ) ? get_current_user_id() : $_REQUEST['user_id'];
|
||||
|
||||
if ( ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = esc_js( __( 'You haven\'t ability to edit this user', 'ultimate-member' ) );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
$image_path = um_is_file_owner( $src, $user_id, true );
|
||||
if ( ! $image_path ) {
|
||||
wp_send_json_error( esc_js( __( 'Invalid file ownership', 'ultimate-member' ) ) );
|
||||
@@ -319,6 +325,11 @@ if ( ! class_exists( 'um\core\Files' ) ) {
|
||||
UM()->fields()->set_id = $_POST['set_id'];
|
||||
UM()->fields()->set_mode = $_POST['set_mode'];
|
||||
|
||||
if ( ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
|
||||
$ret['error'] = __( 'You haven\'t ability to edit this user', 'ultimate-member' );
|
||||
wp_send_json_error( $ret );
|
||||
}
|
||||
|
||||
/**
|
||||
* UM hook
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user