From 3ada6c71d9c12755ae839d0490052f78a5134762 Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Wed, 12 Feb 2025 18:25:26 +0200 Subject: [PATCH] Update PHP requirement and improve user action handling Raised minimum PHP version to 7.0 and finalized the plugin version to 2.9.3. Introduced a centralized user actions array and replaced 'manage_options' capability with 'edit_users' for better permission handling. Optimized the nonce actions extension method for cleaner code. * reviewed #1619 --- includes/admin/class-actions-listener.php | 306 ++++++++++++---------- readme.txt | 4 +- ultimate-member.php | 4 +- 3 files changed, 170 insertions(+), 144 deletions(-) diff --git a/includes/admin/class-actions-listener.php b/includes/admin/class-actions-listener.php index fa25877d..71df1080 100644 --- a/includes/admin/class-actions-listener.php +++ b/includes/admin/class-actions-listener.php @@ -14,6 +14,24 @@ if ( ! class_exists( 'um\admin\Actions_Listener' ) ) { */ class Actions_Listener { + /** + * USER_ACTIONS array containing different actions for managing users: + * - approve_user: Approve a user + * - reactivate_user: Reactivate a user account + * - put_user_as_pending: Set a user as pending + * - resend_user_activation: Resend activation email to a user + * - reject_user: Reject a user + * - deactivate_user: Deactivate a user account + */ + const USER_ACTIONS = array( + 'approve_user', + 'reactivate_user', + 'put_user_as_pending', + 'resend_user_activation', + 'reject_user', + 'deactivate_user', + ); + /** * Actions_Listener constructor. */ @@ -26,171 +44,179 @@ if ( ! class_exists( 'um\admin\Actions_Listener' ) ) { * Handle wp-admin actions * * @since 2.8.7 + * @since 2.9.3 User should have 'edit_users' capability instead of 'manage_options'. */ public function actions_listener() { - if ( ! current_user_can( 'manage_options' ) ) { + // phpcs:disable WordPress.Security.NonceVerification -- there is nonce verification below for each case + if ( empty( $_REQUEST['um_adm_action'] ) ) { return; } - if ( ! empty( $_REQUEST['um_adm_action'] ) ) { - switch ( sanitize_key( $_REQUEST['um_adm_action'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification -- there is nonce verification below for each case - case 'approve_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + $action = sanitize_key( $_REQUEST['um_adm_action'] ); + // phpcs:enable WordPress.Security.NonceVerification -- there is nonce verification below for each case + + if ( in_array( $action, self::USER_ACTIONS, true ) && ! current_user_can( 'edit_users' ) ) { + return; + } + + switch ( $action ) { + case 'approve_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "approve_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->approve( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_approved', + 'approved_count' => 1, + ), + $redirect + ); } + } - $user_id = absint( $_REQUEST['uid'] ); + wp_safe_redirect( $redirect ); + exit; + case 'reactivate_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - check_admin_referer( "approve_user{$user_id}" ); + $user_id = absint( $_REQUEST['uid'] ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->approve( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_approved', - 'approved_count' => 1, - ), - $redirect - ); - } + check_admin_referer( "reactivate_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->reactivate( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_reactivated', + 'reactivated_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'put_user_as_pending': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - wp_safe_redirect( $redirect ); - exit; - case 'reactivate_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "put_user_as_pending{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->set_as_pending( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_pending', + 'pending_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'resend_user_activation': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - $user_id = absint( $_REQUEST['uid'] ); + $user_id = absint( $_REQUEST['uid'] ); - check_admin_referer( "reactivate_user{$user_id}" ); + check_admin_referer( "resend_user_activation{$user_id}" ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->reactivate( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_reactivated', - 'reactivated_count' => 1, - ), - $redirect - ); - } + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->send_activation( $user_id, true ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_resend_activation', + 'resend_activation_count' => 1, + ), + $redirect + ); } - wp_safe_redirect( $redirect ); - exit; - case 'put_user_as_pending': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + wp_safe_redirect( $redirect ); + exit; + case 'reject_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } + + $user_id = absint( $_REQUEST['uid'] ); + + check_admin_referer( "reject_user{$user_id}" ); + + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->reject( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_rejected', + 'rejected_count' => 1, + ), + $redirect + ); } + } + wp_safe_redirect( $redirect ); + exit; + case 'deactivate_user': + if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { + die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); + } - $user_id = absint( $_REQUEST['uid'] ); + $user_id = absint( $_REQUEST['uid'] ); - check_admin_referer( "put_user_as_pending{$user_id}" ); + check_admin_referer( "deactivate_user{$user_id}" ); - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->set_as_pending( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_pending', - 'pending_count' => 1, - ), - $redirect - ); - } + $redirect = wp_get_referer(); + if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { + $result = UM()->common()->users()->deactivate( $user_id ); + if ( $result ) { + $redirect = add_query_arg( + array( + 'update' => 'um_deactivate', + 'deactivated_count' => 1, + ), + $redirect + ); } - wp_safe_redirect( $redirect ); - exit; - case 'resend_user_activation': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "resend_user_activation{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->send_activation( $user_id, true ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_resend_activation', - 'resend_activation_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - case 'reject_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "reject_user{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->reject( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_rejected', - 'rejected_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - case 'deactivate_user': - if ( empty( $_REQUEST['uid'] ) || ! is_numeric( $_REQUEST['uid'] ) ) { - die( esc_html__( 'Invalid user ID', 'ultimate-member' ) ); - } - - $user_id = absint( $_REQUEST['uid'] ); - - check_admin_referer( "deactivate_user{$user_id}" ); - - $redirect = wp_get_referer(); - if ( UM()->common()->users()->can_current_user_edit_user( $user_id ) ) { - $result = UM()->common()->users()->deactivate( $user_id ); - if ( $result ) { - $redirect = add_query_arg( - array( - 'update' => 'um_deactivate', - 'deactivated_count' => 1, - ), - $redirect - ); - } - } - wp_safe_redirect( $redirect ); - exit; - } + } + wp_safe_redirect( $redirect ); + exit; } } + /** + * Extends an array of actions with the predefined user actions. + * + * @param array $actions The original array of actions to extend. + * + * @return array The extended array containing additional user actions. + */ public function extends_individual_nonce_actions( $actions ) { - $actions[] = 'approve_user'; - $actions[] = 'reactivate_user'; - $actions[] = 'put_user_as_pending'; - $actions[] = 'resend_user_activation'; - $actions[] = 'reject_user'; - $actions[] = 'deactivate_user'; - return $actions; + return array_merge( $actions, self::USER_ACTIONS ); } } } diff --git a/readme.txt b/readme.txt index f7c18b43..b33311c5 100644 --- a/readme.txt +++ b/readme.txt @@ -3,10 +3,10 @@ Author URI: https://ultimatemember.com/ Plugin URI: https://ultimatemember.com/ Contributors: ultimatemember, champsupertramp, nsinelnikov Tags: community, member, membership, user-profile, user-registration -Requires PHP: 5.6 +Requires PHP: 7.0 Requires at least: 6.2 Tested up to: 6.7 -Stable tag: 2.9.2 +Stable tag: 2.9.3 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.txt diff --git a/ultimate-member.php b/ultimate-member.php index 5b6c4ae9..7d897dad 100644 --- a/ultimate-member.php +++ b/ultimate-member.php @@ -3,13 +3,13 @@ * Plugin Name: Ultimate Member * Plugin URI: http://ultimatemember.com/ * Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress - * Version: 2.9.3-alpha + * Version: 2.9.3 * Author: Ultimate Member * Author URI: http://ultimatemember.com/ * Text Domain: ultimate-member * Domain Path: /languages * Requires at least: 6.2 - * Requires PHP: 5.6 + * Requires PHP: 7.0 * * @package UM */