mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-14 12:16:39 +09:00
- bugfix for roles secutiry;
This commit is contained in:
@@ -59,64 +59,77 @@ if ( ! empty( $_GET['id'] ) ) {
|
||||
|
||||
if ( ! empty( $_POST['role'] ) ) {
|
||||
|
||||
$data = $_POST['role'];
|
||||
|
||||
$id = '';
|
||||
$redirect = '';
|
||||
$error = '';
|
||||
|
||||
if ( empty( $data['name'] ) ) {
|
||||
|
||||
$error .= __( 'Title is empty!', 'ultimate-member' ) . '<br />';
|
||||
|
||||
} else {
|
||||
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
|
||||
if ( preg_match( "/[a-z0-9]+$/i", $data['name'] ) ) {
|
||||
$id = sanitize_title( $data['name'] );
|
||||
} else {
|
||||
$auto_increment = UM()->options()->get( 'custom_roles_increment' );
|
||||
$auto_increment = ! empty( $auto_increment ) ? $auto_increment : 1;
|
||||
$id = 'custom_role_' . $auto_increment;
|
||||
}
|
||||
|
||||
$redirect = add_query_arg( array( 'page'=>'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'a' ), admin_url( 'admin.php' ) );
|
||||
} elseif ( 'edit' == $_GET['tab'] && ! empty( $_GET['id'] ) ) {
|
||||
$id = $_GET['id'];
|
||||
$redirect = add_query_arg( array( 'page' => 'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'u' ), admin_url( 'admin.php' ) );
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$all_roles = array_keys( get_editable_roles() );
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
if ( in_array( 'um_' . $id, $all_roles ) || in_array( $id, $all_roles ) )
|
||||
$error .= __( 'Role already exists!', 'ultimate-member' ) . '<br />';
|
||||
if ( ! wp_verify_nonce( $_POST['um_nonce'], 'um-add-role' ) ) {
|
||||
$error = __( 'Security Issue', 'ultimate-member' ) . '<br />';
|
||||
}
|
||||
} else {
|
||||
if ( ! wp_verify_nonce( $_POST['um_nonce'], 'um-edit-role' ) ) {
|
||||
$error = __( 'Security Issue', 'ultimate-member' ) . '<br />';
|
||||
}
|
||||
}
|
||||
|
||||
if ( '' == $error ) {
|
||||
if ( empty( $error ) ) {
|
||||
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
$roles = get_option( 'um_roles' );
|
||||
$roles[] = $id;
|
||||
$data = $_POST['role'];
|
||||
|
||||
update_option( 'um_roles', $roles );
|
||||
if ( empty( $data['name'] ) ) {
|
||||
|
||||
if ( isset( $auto_increment ) ) {
|
||||
$auto_increment++;
|
||||
UM()->options()->update( 'custom_roles_increment', $auto_increment );
|
||||
$error .= __( 'Title is empty!', 'ultimate-member' ) . '<br />';
|
||||
|
||||
} else {
|
||||
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
|
||||
if ( preg_match( "/[a-z0-9]+$/i", $data['name'] ) ) {
|
||||
$id = sanitize_title( $data['name'] );
|
||||
} else {
|
||||
$auto_increment = UM()->options()->get( 'custom_roles_increment' );
|
||||
$auto_increment = ! empty( $auto_increment ) ? $auto_increment : 1;
|
||||
$id = 'custom_role_' . $auto_increment;
|
||||
}
|
||||
|
||||
$redirect = add_query_arg( array( 'page'=>'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'a' ), admin_url( 'admin.php' ) );
|
||||
} elseif ( 'edit' == $_GET['tab'] && ! empty( $_GET['id'] ) ) {
|
||||
$id = $_GET['id'];
|
||||
$redirect = add_query_arg( array( 'page' => 'um_roles', 'tab'=>'edit', 'id'=>$id, 'msg'=>'u' ), admin_url( 'admin.php' ) );
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$role_meta = $data;
|
||||
unset( $role_meta['id'] );
|
||||
$all_roles = array_keys( get_editable_roles() );
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
if ( in_array( 'um_' . $id, $all_roles ) || in_array( $id, $all_roles ) )
|
||||
$error .= __( 'Role already exists!', 'ultimate-member' ) . '<br />';
|
||||
}
|
||||
|
||||
update_option( "um_role_{$id}_meta", $role_meta );
|
||||
if ( '' == $error ) {
|
||||
|
||||
UM()->user()->remove_cache_all_users();
|
||||
if ( 'add' == $_GET['tab'] ) {
|
||||
$roles = get_option( 'um_roles' );
|
||||
$roles[] = $id;
|
||||
|
||||
um_js_redirect( $redirect );
|
||||
update_option( 'um_roles', $roles );
|
||||
|
||||
if ( isset( $auto_increment ) ) {
|
||||
$auto_increment++;
|
||||
UM()->options()->update( 'custom_roles_increment', $auto_increment );
|
||||
}
|
||||
}
|
||||
|
||||
$role_meta = $data;
|
||||
unset( $role_meta['id'] );
|
||||
|
||||
update_option( "um_role_{$id}_meta", $role_meta );
|
||||
|
||||
UM()->user()->remove_cache_all_users();
|
||||
|
||||
um_js_redirect( $redirect );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -158,8 +171,10 @@ $screen_id = $current_screen->id; ?>
|
||||
<input type="hidden" name="role[id]" value="<?php echo isset( $_GET['id'] ) ? esc_attr( $_GET['id'] ) : '' ?>" />
|
||||
<?php if ( 'add' == $_GET['tab'] ) { ?>
|
||||
<input type="hidden" name="role[_um_is_custom]" value="1" />
|
||||
<input type="hidden" name="um_nonce" value="<?php echo wp_create_nonce( 'um-add-role' ) ?>" />
|
||||
<?php } else { ?>
|
||||
<input type="hidden" name="role[_um_is_custom]" value="<?php echo ! empty( $data['_um_is_custom'] ) ? 1 : 0 ?>" />
|
||||
<input type="hidden" name="um_nonce" value="<?php echo wp_create_nonce( 'um-edit-role' ) ?>" />
|
||||
<?php } ?>
|
||||
<?php wp_nonce_field( 'closedpostboxes', 'closedpostboxesnonce', false ); ?>
|
||||
<div id="poststuff">
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: Ultimate Member\n"
|
||||
"POT-Creation-Date: 2019-07-01 14:36+0300\n"
|
||||
"PO-Revision-Date: 2019-07-01 14:36+0300\n"
|
||||
"POT-Creation-Date: 2019-07-09 18:37+0300\n"
|
||||
"PO-Revision-Date: 2019-07-09 18:37+0300\n"
|
||||
"Last-Translator: \n"
|
||||
"Language-Team: \n"
|
||||
"Language: en_US\n"
|
||||
@@ -172,7 +172,7 @@ msgstr ""
|
||||
|
||||
#: includes/admin/core/class-admin-columns.php:130
|
||||
#: includes/admin/core/class-admin-columns.php:150
|
||||
#: includes/admin/templates/role/role-edit.php:171
|
||||
#: includes/admin/templates/role/role-edit.php:186
|
||||
msgid "Title"
|
||||
msgstr ""
|
||||
|
||||
@@ -2789,7 +2789,7 @@ msgstr ""
|
||||
|
||||
#: includes/admin/core/list-tables/roles-list-table.php:479
|
||||
#: includes/admin/core/packages/2.0-beta1/user_roles.php:14
|
||||
#: includes/admin/templates/role/role-edit.php:136
|
||||
#: includes/admin/templates/role/role-edit.php:149
|
||||
#: includes/core/class-common.php:56 includes/core/class-common.php:86
|
||||
msgid "Add New"
|
||||
msgstr ""
|
||||
@@ -3927,31 +3927,36 @@ msgid ""
|
||||
"been successful or not."
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:70
|
||||
#: includes/admin/templates/role/role-edit.php:68
|
||||
#: includes/admin/templates/role/role-edit.php:72
|
||||
msgid "Security Issue"
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:82
|
||||
msgid "Title is empty!"
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:95
|
||||
#: includes/admin/templates/role/role-edit.php:107
|
||||
msgid "Role already exists!"
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:134
|
||||
#: includes/admin/templates/role/role-edit.php:147
|
||||
msgid "Add New Role"
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:134
|
||||
#: includes/admin/templates/role/role-edit.php:147
|
||||
msgid "Edit Role"
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:143
|
||||
#: includes/admin/templates/role/role-edit.php:156
|
||||
msgid "User Role <strong>Added</strong> Successfully."
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:146
|
||||
#: includes/admin/templates/role/role-edit.php:159
|
||||
msgid "User Role <strong>Updated</strong> Successfully."
|
||||
msgstr ""
|
||||
|
||||
#: includes/admin/templates/role/role-edit.php:172
|
||||
#: includes/admin/templates/role/role-edit.php:187
|
||||
msgid "Enter Title Here"
|
||||
msgstr ""
|
||||
|
||||
|
||||
+6
-1
@@ -6,7 +6,7 @@ Donate link:
|
||||
Tags: community, member, membership, user-profile, user-registration
|
||||
Requires at least: 4.9
|
||||
Tested up to: 5.2
|
||||
Stable tag: 2.0.50
|
||||
Stable tag: 2.0.51
|
||||
License: GNU Version 2 or Any Later Version
|
||||
License URI: http://www.gnu.org/licenses/gpl-3.0.txt
|
||||
|
||||
@@ -137,6 +137,11 @@ The plugin works with popular caching plugins by automatically excluding Ultimat
|
||||
|
||||
= Important: UM2.0+ is a significant update to the code base from 1.3.88. Please make sure you take a full-site backup with restore point before updating the plugin =
|
||||
|
||||
= 2.0.51: July 09, 2019 =
|
||||
|
||||
* Bugfixes:
|
||||
- Fixed UM Roles create/edit security issue
|
||||
|
||||
= 2.0.50: July 02, 2019 =
|
||||
|
||||
* Enhancements:
|
||||
|
||||
+1
-1
@@ -3,7 +3,7 @@
|
||||
Plugin Name: Ultimate Member
|
||||
Plugin URI: http://ultimatemember.com/
|
||||
Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress
|
||||
Version: 2.0.50
|
||||
Version: 2.0.51
|
||||
Author: Ultimate Member
|
||||
Author URI: http://ultimatemember.com/
|
||||
Text Domain: ultimate-member
|
||||
|
||||
Reference in New Issue
Block a user