diff --git a/includes/core/class-roles-capabilities.php b/includes/core/class-roles-capabilities.php index 3f2a1489..a16be27e 100644 --- a/includes/core/class-roles-capabilities.php +++ b/includes/core/class-roles-capabilities.php @@ -571,21 +571,25 @@ if ( ! class_exists( 'um\core\Roles_Capabilities' ) ) { * @return bool|int */ function um_current_user_can( $cap, $user_id ) { - if ( ! is_user_logged_in() ) + if ( ! is_user_logged_in() ) { return false; + } $return = 1; um_fetch_user( get_current_user_id() ); $current_user_roles = UM()->roles()->get_all_user_roles( $user_id ); + switch( $cap ) { case 'edit': if ( get_current_user_id() == $user_id && um_user( 'can_edit_profile' ) ) $return = 1; - elseif ( ! um_user( 'can_edit_everyone' ) ) + elseif ( get_current_user_id() == $user_id && ! um_user( 'can_edit_profile' ) ) $return = 0; - elseif ( get_current_user_id() == $user_id && ! um_user( 'can_edit_profile') ) + elseif ( um_user( 'can_edit_everyone' ) ) + $return = 1; + elseif ( ! um_user( 'can_edit_everyone' ) ) $return = 0; elseif ( um_user( 'can_edit_roles' ) && ( empty( $current_user_roles ) || count( array_intersect( $current_user_roles, um_user( 'can_edit_roles' ) ) ) <= 0 ) ) $return = 0; diff --git a/includes/core/class-user.php b/includes/core/class-user.php index e52f459b..ca527b46 100644 --- a/includes/core/class-user.php +++ b/includes/core/class-user.php @@ -1467,6 +1467,7 @@ if ( ! class_exists( 'um\core\User' ) ) { function get_admin_actions() { $items = array(); $actions = array(); + /** * UM hook * @@ -1488,12 +1489,16 @@ if ( ! class_exists( 'um\core\User' ) ) { * } * ?> */ - $actions = apply_filters('um_admin_user_actions_hook', $actions ); - if ( !isset( $actions ) || empty( $actions ) ) return false; - foreach($actions as $id => $arr ) { - $url = add_query_arg('um_action', $id ); - $url = add_query_arg('uid', um_profile_id(), $url ); - $items[] = '' . $arr['label'] . ''; + $actions = apply_filters( 'um_admin_user_actions_hook', $actions ); + if ( ! isset( $actions ) || empty( $actions ) ) { + return false; + } + + foreach ( $actions as $id => $arr ) { + $url = add_query_arg( array( 'um_action' => $id, 'uid' => um_profile_id() ) ); + /*$url = add_query_arg( 'um_action', $id ); + $url = add_query_arg( 'uid', um_profile_id(), $url );*/ + $items[] = '' . $arr['label'] . ''; } return $items; } diff --git a/includes/core/um-actions-core.php b/includes/core/um-actions-core.php index d5e8921d..ba9ea420 100644 --- a/includes/core/um-actions-core.php +++ b/includes/core/um-actions-core.php @@ -9,19 +9,22 @@ function um_action_request_process() { if ( is_admin() ) { return; } + if ( ! is_user_logged_in() ) { return; } + if ( ! isset( $_REQUEST['um_action'] ) ) { return; } + if ( isset( $_REQUEST['uid'] ) && ! UM()->user()->user_exists_by_id( $_REQUEST['uid'] ) ) { return; } - + if ( isset( $_REQUEST['uid'] ) ) { if ( is_super_admin( $_REQUEST['uid'] ) ) { - wp_die( __( 'Super administrators can not be modified.','ultimate-member' ) ); + wp_die( __( 'Super administrators can not be modified.', 'ultimate-member' ) ); } } @@ -32,9 +35,8 @@ function um_action_request_process() { if ( isset( $_REQUEST['uid'] ) ) { $uid = $_REQUEST['uid']; } - + switch ( $_REQUEST['um_action'] ) { - default: $uid = isset( $_REQUEST['uid'] ) ? $_REQUEST['uid'] : 0; /** @@ -59,63 +61,90 @@ function um_action_request_process() { */ do_action( 'um_action_user_request_hook', $_REQUEST['um_action'], $uid ); break; - + case 'edit': UM()->fields()->editing = true; - if ( !um_can_edit_my_profile() ) { - $url = um_edit_my_profile_cancel_uri(); - exit( wp_redirect( $url ) ); + if ( ! um_is_myprofile() ) { + if ( ! UM()->roles()->um_current_user_can( 'edit', um_profile_id() ) ) { + exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); + } + } else { + if ( ! um_can_edit_my_profile() ) { + $url = um_edit_my_profile_cancel_uri(); + exit( wp_redirect( $url ) ); + } } break; - + case 'um_switch_user': - if ( !current_user_can('delete_users') ) { + if ( ! current_user_can( 'delete_users' ) ) { return; } UM()->user()->auto_login( $_REQUEST['uid'] ); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + case 'um_reject_membership': + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to make this action.', 'ultimate-member' ) ); + } + um_fetch_user( $uid ); UM()->user()->reject(); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + case 'um_approve_membership': case 'um_reenable': - um_fetch_user( $uid ); - UM()->user()->approve(); - exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); - break; - + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to make this action.', 'ultimate-member' ) ); + } + + um_fetch_user( $uid ); + UM()->user()->approve(); + exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); + break; + case 'um_put_as_pending': + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to make this action.', 'ultimate-member' ) ); + } + um_fetch_user( $uid ); UM()->user()->pending(); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + case 'um_resend_activation': + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to make this action.', 'ultimate-member' ) ); + } + um_fetch_user( $uid ); UM()->user()->email_pending(); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + case 'um_deactivate': + if ( ! current_user_can( 'manage_options' ) ) { + wp_die( __( 'You do not have permission to make this action.', 'ultimate-member' ) ); + } + um_fetch_user( $uid ); UM()->user()->deactivate(); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + case 'um_delete': if ( ! UM()->roles()->um_current_user_can( 'delete', $uid ) ) { - wp_die( __('You do not have permission to delete this user.','ultimate-member') ); + wp_die( __( 'You do not have permission to delete this user.', 'ultimate-member' ) ); } + um_fetch_user( $uid ); UM()->user()->delete(); exit( wp_redirect( UM()->permalinks()->get_current_url( true ) ) ); break; - + } } -add_action( 'init', 'um_action_request_process', 10 ); \ No newline at end of file +add_action( 'template_redirect', 'um_action_request_process', 10000 ); \ No newline at end of file diff --git a/includes/core/um-actions-profile.php b/includes/core/um-actions-profile.php index 494b6415..4aab36c5 100644 --- a/includes/core/um-actions-profile.php +++ b/includes/core/um-actions-profile.php @@ -1064,113 +1064,104 @@ add_action( 'um_pre_profile_shortcode', 'um_pre_profile_shortcode' ); * @param $args */ function um_add_edit_icon( $args ) { - $output = ''; - - if (!is_user_logged_in()) return; // not allowed for guests - - // do not proceed if user cannot edit - - if (UM()->fields()->editing == true) { - - ?> - -
- - roles()->um_current_user_can( 'edit', um_profile_id() ) || UM()->roles()->um_current_user_can( 'delete', um_profile_id() ) ) ) { - - ?> - -