From b509018276a4983c5603ff0b6b1361dd952e8cb3 Mon Sep 17 00:00:00 2001 From: yuriinalivaiko Date: Wed, 18 Sep 2024 23:16:11 +0300 Subject: [PATCH 01/15] - make it impossible to create a user without a role even with incorrect "Registration Default Role" setting. --- includes/core/class-form.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/includes/core/class-form.php b/includes/core/class-form.php index 0593c112..5b7e0475 100644 --- a/includes/core/class-form.php +++ b/includes/core/class-form.php @@ -1009,7 +1009,9 @@ if ( ! class_exists( 'um\core\Form' ) ) { $global_role = get_option( 'default_role' ); // WP Global settings $um_global_role = UM()->options()->get( 'register_role' ); // UM Settings Global settings - if ( ! empty( $um_global_role ) ) { + + $existing_roles = array_keys( wp_roles()->roles ); + if ( ! empty( $um_global_role ) && in_array( $um_global_role, $existing_roles, true ) ) { $global_role = $um_global_role; // Form Global settings } @@ -1023,7 +1025,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { $role = get_post_meta( $post_id, "_um_{$mode}_role", true ); } - if ( empty( $role ) ) { // custom role is default, return default role's slug + if ( empty( $role ) || ! in_array( $role, $existing_roles, true ) ) { // custom role is default, return default role's slug $role = $global_role; } From 920fb168dc03f8c9a55f97efd4353c4164a69d7d Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Mon, 11 Nov 2024 18:53:17 +0200 Subject: [PATCH 02/15] * fix related to commit 945b79a97940406b40a5996f9aa2159bd11e29ab --- includes/admin/core/class-admin-builder.php | 6 ++-- includes/core/class-fields.php | 34 +++++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/includes/admin/core/class-admin-builder.php b/includes/admin/core/class-admin-builder.php index 243b4c33..e0b49050 100644 --- a/includes/admin/core/class-admin-builder.php +++ b/includes/admin/core/class-admin-builder.php @@ -366,8 +366,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { * * @return string */ - function get_fields_by_row( $row_id ) { - + public function get_fields_by_row( $row_id ) { if ( empty( $this->global_fields ) || ! is_array( $this->global_fields ) ) { $this->global_fields = array(); } @@ -379,10 +378,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Builder' ) ) { } } - return ( isset ( $results ) ) ? $results : ''; + return isset( $results ) ? $results : ''; } - /** * Get fields by sub row * diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php index b781b30d..2aa7a3b3 100644 --- a/includes/core/class-fields.php +++ b/includes/core/class-fields.php @@ -1,6 +1,8 @@ query()->get_attr( 'custom_fields', $form_id ); - $field_scope = UM()->builtin()->predefined_fields; + $fields = UM()->query()->get_attr( 'custom_fields', $form_id ); + if ( empty( $fields ) || ! is_array( $fields ) ) { + $fields = array(); + } if ( ! isset( $fields[ $global_id ] ) ) { + $field_scope = UM()->builtin()->predefined_fields; + $count = 1; if ( ! empty( $fields ) ) { $count = count( $fields ) + 1; @@ -1624,7 +1630,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * @param $key * * @return mixed - * @throws \Exception + * @throws Exception */ public function get_field( $key ) { $fields = $this->get_fields(); @@ -2161,7 +2167,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * @param array $args * * @return string|null - * @throws \Exception + * @throws Exception */ public function edit_field( $key, $data, $rule = false, $args = array() ) { global $_um_profile_id; @@ -4030,7 +4036,6 @@ if ( ! class_exists( 'um\core\Fields' ) ) { return $arr; } - /** * Get fields in row * @@ -4038,8 +4043,8 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * * @return string */ - function get_fields_by_row( $row_id ) { - if ( ! isset( $this->get_fields ) ) { + public function get_fields_by_row( $row_id ) { + if ( ! isset( $this->get_fields ) || ! is_array( $this->get_fields ) ) { return ''; } @@ -4049,10 +4054,9 @@ if ( ! class_exists( 'um\core\Fields' ) ) { } } - return ( isset ( $results ) ) ? $results : ''; + return isset( $results ) ? $results : ''; } - /** * Get fields by sub row * @@ -4119,7 +4123,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * @param array $args * * @return string|null - * @throws \Exception + * @throws Exception */ public function display( $mode, $args ) { $output = null; @@ -4289,7 +4293,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * @param bool $rule * * @return string|null - * @throws \Exception + * @throws Exception */ public function view_field( $key, $data, $rule = false ) { if ( '_um_last_login' === $key ) { @@ -4644,7 +4648,6 @@ if ( ! class_exists( 'um\core\Fields' ) ) { return apply_filters( "um_view_field_output_" . $data['type'], $data ); } - /** * Display fields ( view mode ) * @@ -4652,7 +4655,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { * @param array $args * * @return string|null - * @throws \Exception + * @throws Exception */ public function display_view( $mode, $args ) { $output = null; @@ -4664,7 +4667,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { $this->set_mode = $mode; $this->set_id = absint( $this->global_args['form_id'] ); - $this->field_icons = ( isset( $this->global_args['icons'] ) ) ? $this->global_args['icons'] : 'label'; + $this->field_icons = isset( $this->global_args['icons'] ) ? $this->global_args['icons'] : 'label'; // start output here $this->get_fields = $this->get_fields(); @@ -4694,8 +4697,7 @@ if ( ! class_exists( 'um\core\Fields' ) ) { } } - if ( ! empty( $this->get_fields ) ) { - + if ( ! empty( $this->get_fields ) && is_array( $this->get_fields ) ) { // find rows foreach ( $this->get_fields as $key => $array ) { if ( isset( $array['type'] ) && 'row' === $array['type'] ) { From 4bf14b736f84429ad8867bada32d2bd00f7cd5cb Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Mon, 11 Nov 2024 19:18:42 +0200 Subject: [PATCH 03/15] * fix based on commit 7b44add0d7b183fd8f0ddf314e023e1cc035afa2 * fixed allowed query variables --- includes/class-init.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/includes/class-init.php b/includes/class-init.php index b498a084..1cd27dfa 100644 --- a/includes/class-init.php +++ b/includes/class-init.php @@ -548,7 +548,6 @@ if ( ! class_exists( 'UM' ) ) { $this->password(); $this->rewrite(); $this->mail(); - $this->rest_api(); $this->shortcodes(); $this->roles(); $this->user(); @@ -565,11 +564,15 @@ if ( ! class_exists( 'UM' ) ) { $this->blocks(); $this->secure(); - //if multisite networks active + // If multisite networks active if ( is_multisite() ) { $this->multisite(); } + // Call only when REST_API request + if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) { + $this->rest_api(); + } } @@ -1001,14 +1004,12 @@ if ( ! class_exists( 'UM' ) ) { return $this->classes['config']; } - /** * @since 2.0 * * @return um\core\rest\API_v1|um\core\rest\API_v2 */ - function rest_api() { - + public function rest_api() { $api_version = $this->options()->get( 'rest_api_version' ); if ( empty( $this->classes['rest_api'] ) ) { @@ -1024,7 +1025,6 @@ if ( ! class_exists( 'UM' ) ) { return $this->classes['rest_api']; } - /** * @since 2.0 * From 9c0dd00d3406eb0d97a3ac3b739cd6c24e320e06 Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Mon, 11 Nov 2024 19:29:01 +0200 Subject: [PATCH 04/15] * updated version --- .wordpress-org/blueprints/blueprint.json | 2 +- README.md | 2 +- readme.txt | 290 +---------------------- ultimate-member.php | 2 +- 4 files changed, 7 insertions(+), 289 deletions(-) diff --git a/.wordpress-org/blueprints/blueprint.json b/.wordpress-org/blueprints/blueprint.json index 0860d56d..d4f5cf9f 100644 --- a/.wordpress-org/blueprints/blueprint.json +++ b/.wordpress-org/blueprints/blueprint.json @@ -15,7 +15,7 @@ "step": "installPlugin", "pluginZipFile": { "resource": "url", - "url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.9.0.zip" + "url": "https:\/\/downloads.wordpress.org\/plugin\/ultimate-member.2.9.1.zip" }, "options": { "activate": true diff --git a/README.md b/README.md index 11318199..f7e6d75e 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ GNU Version 2 or Any Later Version ### IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION -[Official Release Version: 2.9.0](https://github.com/ultimatemember/ultimatemember/releases/tag/2.9.0). +[Official Release Version: 2.9.1](https://github.com/ultimatemember/ultimatemember/releases/tag/2.9.1). ## Changelog diff --git a/readme.txt b/readme.txt index 0e3811d0..fe1f3e24 100644 --- a/readme.txt +++ b/readme.txt @@ -166,6 +166,10 @@ No specific extensions are needed. But we highly recommended keep active these P IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSION 2.6.7 PATCHES SECURITY PRIVILEGE ESCALATION VULNERABILITY. PLEASE SEE [THIS ARTICLE](https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions) FOR MORE INFORMATION += 2.9.1 xx-xx-xx = + + + = 2.9.0 2024-11-12 = **Enhancements** @@ -182,292 +186,6 @@ IMPORTANT: PLEASE UPDATE THE PLUGIN TO AT LEAST VERSION 2.6.7 IMMEDIATELY. VERSI **Cached and optimized/minified assets(JS/CSS) must be flushed/re-generated after upgrade** -= 2.8.9 2024-10-14 = - -**Enhancements** - -* Added: Using PHP tidy extension (if it's active) to make HTML textarea value clear -* Added: `um_tidy_config` filter hook for setting PHP tidy config -* Tweak: Avoid using force `set_status()` function. -* Tweak: Properly using `UM()->common()->users()->get_status( $user_id )` instead of `um_user( 'account_status' )` -* Tweak: Properly using `UM()->common()->users()->get_status( $user_id, 'formatted' )` instead of `um_user( 'account_status_name' )` -* Tweak: Properly using `um_user( 'status' )` for getting user role setting while registration - -**Bugfixes** - -* Fixed: UM tipsy removing inside .um-page selector (e.g. tipsy init from um-modal) -* Fixed: Rollback using `