From dbf754376198f1d658b1ac9cbf2d35be36ee4240 Mon Sep 17 00:00:00 2001 From: champsupertramp Date: Wed, 9 Dec 2015 10:15:56 +0800 Subject: [PATCH 1/4] Sanitize referers and printing notices in admin screens --- admin/core/um-admin-actions.php | 4 ++-- admin/core/um-admin-notices.php | 12 +++++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/admin/core/um-admin-actions.php b/admin/core/um-admin-actions.php index c2b3a378..b2815ba0 100644 --- a/admin/core/um-admin-actions.php +++ b/admin/core/um-admin-actions.php @@ -240,8 +240,8 @@ $uri = add_query_arg('user[]', $user_id, $uri); $redirect = add_query_arg('user[]', $user_id, $redirect); } - $uri = add_query_arg('confirm', 1, $uri); - $redirect = add_query_arg('_refer', urlencode($uri), $redirect); + $uri = add_query_arg('_refer', $_POST['_wp_http_referer'], $redirect); + $redirect = add_query_arg('confirm', 1, $uri); exit( wp_redirect($redirect) ); diff --git a/admin/core/um-admin-notices.php b/admin/core/um-admin-notices.php index 9586ed72..fd2b3ebd 100644 --- a/admin/core/um-admin-notices.php +++ b/admin/core/um-admin-notices.php @@ -161,18 +161,20 @@ class UM_Admin_Notices { case 'confirm_delete': - $confirm_uri = urldecode($_REQUEST['_refer']); + $confirm_uri = sanitize_text_field( urldecode($_REQUEST['_wp_http_referer']) ); $users = ''; - foreach( $_REQUEST['user'] as $user_id ) { - $user = get_userdata( $user_id ); - $users .= '#' . $user_id . ': ' . $user->user_login . '
'; + if( isset( $_REQUEST['user'] ) ){ + foreach( $_REQUEST['user'] as $user_id ) { + $user = get_userdata( $user_id ); + $users .= '#' . $user_id . ': ' . $user->user_login . '
'; + } } $ignore = admin_url('users.php'); $messages[0]['err_content'] = sprintf(__('Are you sure you want to delete the selected user(s)? The following users will be deleted:

%s

This cannot be undone!','ultimatemember'), $users); - $messages[0]['err_content'] .= '

' . __('Remove','ultimatemember') . '  ' . __('Undo','ultimatemember') . '

'; + $messages[0]['err_content'] .= '

' . __('Remove','ultimatemember') . '  ' . __('Undo','ultimatemember') . '

'; break; From 2874e9227029bb720c99b770f36684e338c4304a Mon Sep 17 00:00:00 2001 From: champsupertramp Date: Wed, 9 Dec 2015 10:53:13 +0800 Subject: [PATCH 2/4] Enable WPML support to all UM url/links --- core/um-short-functions.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/um-short-functions.php b/core/um-short-functions.php index 662496d3..4716ffa1 100644 --- a/core/um-short-functions.php +++ b/core/um-short-functions.php @@ -424,7 +424,10 @@ function um_profile_id() { $url = add_query_arg( 'updated', esc_attr( $updated ), $url ); } - if ( function_exists('icl_get_current_language') && icl_get_current_language() != icl_get_default_language() && $slug == 'account' ) { + if ( function_exists('icl_get_current_language') && icl_get_current_language() != icl_get_default_language() ) { + + $url = um_get_url_for_language( $ultimatemember->permalinks->core[ $slug ], icl_get_current_language() ); + if ( get_post_meta( get_the_ID() , '_um_wpml_account', true ) == 1 ) { $url = get_permalink( get_the_ID() ); } From 1151000c1136228d2ef0cf05f9502d0bbbb821c5 Mon Sep 17 00:00:00 2001 From: champsupertramp Date: Wed, 9 Dec 2015 15:51:19 +0800 Subject: [PATCH 3/4] Fixed manage user roles, status and filters --- admin/core/um-admin-users.php | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/admin/core/um-admin-users.php b/admin/core/um-admin-users.php index 47535993..229aa8cf 100644 --- a/admin/core/um-admin-users.php +++ b/admin/core/um-admin-users.php @@ -159,9 +159,9 @@ class UM_Admin_Users { global $ultimatemember; $admin_err = 0; - + if (isset($_REQUEST) && !empty ($_REQUEST) ){ - + // bulk change role if (isset($_REQUEST['users']) && is_array($_REQUEST['users']) && isset($_REQUEST['um_changeit']) && $_REQUEST['um_changeit'] != '' && isset($_REQUEST['um_change_role']) && !empty($_REQUEST['um_change_role']) ){ @@ -171,7 +171,7 @@ class UM_Admin_Users { check_admin_referer('bulk-users'); $users = $_REQUEST['users']; - $new_role = $_REQUEST['um_change_role']; + $new_role = current( array_filter( $_REQUEST['um_change_role'] ) ); foreach($users as $user_id){ $ultimatemember->user->set( $user_id ); @@ -207,9 +207,9 @@ class UM_Admin_Users { check_admin_referer('bulk-users'); $users = $_REQUEST['users']; - $bulk_action = $_REQUEST['um_bulk_action']; - - if ( $bulk_action == 'um_delete' ) { // this needs confirmation + $bulk_action = current( array_filter( $_REQUEST['um_bulk_action']) ); + + if ( in_array('um_delete', $bulk_action ) > -1 ) { // this needs confirmation $uri = admin_url('users.php'); $userids = array_map( 'intval', (array) $_REQUEST['users'] ); @@ -254,8 +254,9 @@ class UM_Admin_Users { } // filter by user role - if ( isset($_REQUEST['um_filter_role']) && ! isset( $_REQUEST['new_role'] ) && $_REQUEST['um_filter_role'] ) { - exit( wp_redirect( admin_url('users.php?um_role=' . $_REQUEST['um_filter_role'] ) ) ); + if ( isset($_REQUEST['um_filter_role']) && ( ! isset( $_REQUEST['new_role'] ) || empty( $_REQUEST['new_role'] ) ) && $_REQUEST['um_filter_role'] ) { + $filter_role = current( array_filter( $_REQUEST['um_filter_role'] ) ); + exit( wp_redirect( admin_url('users.php?um_role=' .$filter_role ) ) ); } } @@ -271,7 +272,7 @@ class UM_Admin_Users {
- query->get_roles(); @@ -287,7 +288,7 @@ class UM_Admin_Users {
- user->get_bulk_admin_actions(); ?> @@ -299,7 +300,7 @@ class UM_Admin_Users {
- query->get_roles( $add_default = 'Community role…' ) as $key => $value) { ?> From 3b2f95b538adc50e3bf63a2aca5e48836ac097f8 Mon Sep 17 00:00:00 2001 From: champsupertramp Date: Wed, 9 Dec 2015 16:00:56 +0800 Subject: [PATCH 4/4] Add slash in base url filter for multisite --- core/um-filters-files.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/um-filters-files.php b/core/um-filters-files.php index e74f1bcc..93e7d855 100644 --- a/core/um-filters-files.php +++ b/core/um-filters-files.php @@ -11,7 +11,7 @@ if ( get_current_blog_id() == '1' ) return $dir; - $split = explode('sites',$dir); + $split = explode('sites/',$dir); $um_dir = 'ultimatemember/'; $dir = $split[0] . $um_dir;