My Private Site - Version 3.0.10

Version Description

  • Fixed a bunch of over-eager security checks

Release Info

Developer dgewirtz
Version 3.0.10

Code changes from version 3.0.9 to 3.0.10

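--- a/admin/advanced.php
+++ b/admin/advanced.php
@@ -73,7 +73,7 @@ function my_private_site_admin_advanced_section_data( $section_options ) {
   'id' => 'jr_ps_admin_advanced_enable_custom_login',
   'type' => 'checkbox',
   'after' => 'Enable custom login page',
- // 'desc' => 'This is the same advanced option displayed on the General Settings admin panel' ),
+ // 'desc' => 'This is the same advanced option displayed on the General Settings admin panel' ),
   )
   );
   my_private_site_preload_cmb2_field_filter( 'jr_ps_admin_advanced_enable_custom_login', $handler_function );
@@ -135,9 +135,9 @@ function my_private_site_admin_advanced_section_data( $section_options ) {
   'id' => 'jr_ps_admin_advanced_custom_landing',
   'type' => 'checkbox',
   'after' => 'Allow landing location for custom login pages. ' .
- '<br><span style="color:red">This is dangerous. It could permanently lock you out of your site.<br>' .
- '<h1 style="color:red">If you lock yourself out, I will not be able to help you get back in!</h1>',
- // 'desc' => 'This is the same advanced option displayed on the General Settings admin panel' ),
+ '<br><span style="color:red">This is dangerous. It could permanently lock you out of your site.<br>' .
+ '<h1 style="color:red">If you lock yourself out, I will not be able to help you get back in!</h1>',
+ // 'desc' => 'This is the same advanced option displayed on the General Settings admin panel' ),
   )
   );
   my_private_site_preload_cmb2_field_filter( 'jr_ps_admin_advanced_custom_landing', $handler_function );
@@ -258,110 +258,106 @@ function my_private_site_admin_logs_section_data( $section_options ) {
   // advanced - PROCESS FORM SUBMISSIONS
   function my_private_site_tab_advanced_process_buttons() {
   // Process Save changes button
+ // This is a callback that has to be passed the full array for consideration
+ // phpcs:ignore WordPress.Security.NonceVerification
+ $_POST = apply_filters( 'validate_page_slug_my_private_site_tab_advanced', $_POST );
 
- $_POST = apply_filters( 'validate_page_slug_my_private_site_tab_advanced', $_POST );
- $settings = get_option( 'jr_ps_settings' );
-
- if ( isset( $_POST['jr_ps_admin_advanced_url'], $_POST['jr_ps_admin_advanced_url_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_url_nonce'], 'jr_ps_admin_advanced_url' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ if ( isset( $_POST['jr_ps_button_advanced_save'], $_POST['jr_ps_button_advanced_save_nonce'] ) ) {
+ if ( ! wp_verify_nonce( $_POST['jr_ps_button_advanced_save_nonce'], 'jr_ps_button_advanced_save' ) ) {
+ wp_die( 'Security violation detected [A007]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
- $url = my_private_site_validate_url( esc_url_raw( $_POST['jr_ps_admin_advanced_url'] ) );
- if ( $url != false ) {
- $url = jr_v1_sanitize_url( $url );
+
+ $settings = get_option( 'jr_ps_settings' );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_advanced_url'] ) ) {
+ $url = my_private_site_validate_url( esc_url_raw( $_POST['jr_ps_admin_advanced_url'] ) );
+ if ( $url != false ) {
+ $url = jr_v1_sanitize_url( $url );
+ } else {
+ $url = '';
+ }
   } else {
   $url = '';
   }
- } else {
- $url = '';
- }
 
- if ( ! function_exists( 'my_private_site_pp_plugin_updater' ) ) {
- if ( isset( $_POST['jr_ps_admin_advanced_password_reset_url'], $_POST['jr_ps_admin_advanced_password_reset_url_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_password_reset_url_nonce'], 'jr_ps_admin_advanced_password_reset_url' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ if ( ! function_exists( 'my_private_site_pp_plugin_updater' ) ) {
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_advanced_password_reset_url'] ) ) {
+ $reset_url = my_private_site_validate_url( esc_url_raw( $_POST['jr_ps_admin_advanced_password_reset_url'] ) );
+ if ( $reset_url != '' && $reset_url == false ) {
+ my_private_site_flag_cmb2_submit_button_error(
+ 'jr_ps_button_advanced_save',
+ 'Valid password reset URL must be provided.'
+ );
+
+ return;
+ }
+ if ( $reset_url == false ) {
+ $settings['excl_url'] = array();
+ } else {
+ $settings['excl_url'] = array(); // clear it just to be sure
+ $url_array = jr_v1_prep_url( $reset_url );
+ $add_array = array(
+ $reset_url,
+ $url_array,
+ );
+ $settings['excl_url'] = array( $add_array );
+ }
   }
- $reset_url = my_private_site_validate_url( esc_url_raw( $_POST['jr_ps_admin_advanced_password_reset_url'] ) );
- if ( $reset_url != '' && $reset_url == false ) {
+ }
+
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_advanced_enable_custom_login'] ) ) {
+ // make sure a valid URL has been provided or set to empty
+ if ( $url == '' ) {
   my_private_site_flag_cmb2_submit_button_error(
   'jr_ps_button_advanced_save',
- 'Valid password reset URL must be provided.'
+ 'URL must be provided if "Enable custom login page" is checked.'
   );
+
   return;
   }
- if ( $reset_url == false ) {
- $settings['excl_url'] = array();
- } else {
- $settings['excl_url'] = array(); // clear it just to be sure
- $url_array = jr_v1_prep_url( $reset_url );
- $add_array = array(
- $reset_url,
- $url_array,
+ $settings['custom_login'] = true;
+ $settings['login_url'] = $url;
+ } else {
+ if ( $url != '' ) {
+ my_private_site_flag_cmb2_submit_button_error(
+ 'jr_ps_button_advanced_save',
+ 'Please check "Enable custom login page" to save custom login URL.'
   );
- $settings['excl_url'] = array( $add_array );
- }
- }
- }
 
- if ( isset( $_POST['jr_ps_admin_advanced_enable_custom_login'], $_POST['jr_ps_admin_advanced_enable_custom_login_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_enable_custom_login_nonce'], 'jr_ps_admin_advanced_enable_custom_login' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- // make sure a valid URL has been provided or set to empty
-
- if ( $url == '' ) {
- my_private_site_flag_cmb2_submit_button_error(
- 'jr_ps_button_advanced_save',
- 'URL must be provided if "Enable custom login page" is checked.'
- );
- return;
+ return;
+ }
+ $settings['custom_login'] = false;
+ $settings['login_url'] = '';
   }
 
- $settings['custom_login'] = true;
- $settings['login_url'] = $url;
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_enable_custom_login_nonce'], 'jr_ps_admin_advanced_enable_custom_login' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- if ( $url != '' ) {
- my_private_site_flag_cmb2_submit_button_error(
- 'jr_ps_button_advanced_save',
- 'Please check "Enable custom login page" to save custom login URL.'
- );
- return;
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_advanced_custom_landing'] ) ) {
+ $settings['override_omit'] = true;
+ } else {
+ $settings['override_omit'] = false;
   }
- $settings['custom_login'] = false;
- $settings['login_url'] = '';
- }
 
- // if (isset($_POST["jr_ps_admin_advanced_compatibility_mode"])) {
- // $compatibility_mode = trim($_POST['jr_ps_admin_advanced_compatibility_mode']);
- // $settings['compatibility_mode'] = $compatibility_mode;
- // }
+ update_option( 'jr_ps_settings', $settings );
+ my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_advanced_save' );
 
- if ( isset( $_POST['jr_ps_admin_advanced_custom_landing'], $_POST['jr_ps_admin_advanced_custom_landing_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_custom_landing_nonce'], 'jr_ps_admin_advanced_custom_landing' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- $settings['override_omit'] = true;
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_advanced_custom_landing_nonce'], 'jr_ps_admin_advanced_custom_landing' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- $settings['override_omit'] = false;
+ return;
   }
 
   if ( isset( $_POST['jr_ps_button_settings_logs_delete'], $_POST['jr_ps_button_settings_logs_delete_nonce'] ) ) {
   if ( ! wp_verify_nonce( $_POST['jr_ps_button_settings_logs_delete_nonce'], 'jr_ps_button_settings_logs_delete' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ wp_die( 'Security violation detected [A015]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
   delete_option( 'jr_ps_log' );
   my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_settings_logs_delete' );
+
   return;
   }
-
- $result = update_option( 'jr_ps_settings', $settings );
- my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_advanced_save' );
   }
 
   function my_private_site_admin_advanced_preload( $data, $object_id, $args, $field ) {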
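Review bot: `my_private_site_tab_advanced_process_buttons()` now gates every settings write on the single `jr_ps_button_advanced_save_nonce`, but nothing in the function as shown checks the caller's capability, and a nonce confirms request intent rather than authorization. Unless the caller already enforces it (not visible here), add a guard such as `if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Access denied.', 'Security violation', array( 'response' => 403 ) ); }` before the `get_option( 'jr_ps_settings' )` read, using whatever capability the settings page is registered with. The same applies to the landing-page and membership handlers changed in this commit; the membership one writes the core `users_can_register` option. Note also that `$_POST` is still replaced by the result of `apply_filters( 'validate_page_slug_my_private_site_tab_advanced', $_POST )` before the nonce is verified, so callbacks on that filter see the request before any check has passed.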
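--- a/admin/landing-page.php
+++ b/admin/landing-page.php
@@ -9,7 +9,6 @@
   * Copyright (c) 2015-2020 by David Gewirtz
   */
 
-
   // landing_page - MENU ////
   function my_private_site_admin_landing_page_menu() {
   $args = array(
@@ -131,40 +130,37 @@ function my_private_site_tab_landing_page_process_buttons() {
   // Process Save changes button
   // This is a callback that has to be passed the full array for consideration
   // phpcs:ignore WordPress.Security.NonceVerification
- $_POST = apply_filters( 'validate_page_slug_my_private_site_tab_landing_page', $_POST );
- $settings = get_option( 'jr_ps_settings' );
+ $_POST = apply_filters( 'validate_page_slug_my_private_site_tab_landing_page', $_POST );
 
- if ( isset( $_POST['jr_ps_admin_landing_page_url'], $_POST['jr_ps_admin_landing_page_url_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_landing_page_url_nonce'], 'jr_ps_admin_landing_page_url' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ if ( isset( $_POST['jr_ps_button_landing_page_save'], $_POST['jr_ps_button_landing_page_save_nonce'] ) ) {
+ if ( ! wp_verify_nonce( $_POST['jr_ps_button_landing_page_save_nonce'], 'jr_ps_button_landing_page_save' ) ) {
+ wp_die( 'Security violation detected [A001]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
- $settings['specific_url'] = $_POST['jr_ps_admin_landing_page_url'];
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_landing_page_url_nonce'], 'jr_ps_admin_landing_page_url' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+
+ $settings = get_option( 'jr_ps_settings' );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_landing_page_url'] ) ) {
+ $settings['specific_url'] = $_POST['jr_ps_admin_landing_page_url'];
+ } else {
+ $settings['specific_url'] = '';
   }
- $settings['specific_url'] = '';
- }
- if ( isset( $_POST['jr_ps_admin_landing_page_option'], $_POST['jr_ps_admin_landing_page_option_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_landing_page_option_nonce'], 'jr_ps_admin_landing_page_option' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_landing_page_option'] ) ) {
+ $settings['landing'] = $_POST['jr_ps_admin_landing_page_option'];
   }
- $settings['landing'] = $_POST['jr_ps_admin_landing_page_option'];
- }
- if ( isset( $_POST['jr_ps_admin_landing_page_wplogin'], $_POST['jr_ps_admin_landing_page_wplogin_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_landing_page_wplogin_nonce'], 'jr_ps_admin_landing_page_wplogin' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_landing_page_wplogin'] ) ) {
+ $settings['wplogin_php'] = true;
+ } else {
+ $settings['wplogin_php'] = false;
   }
- $settings['wplogin_php'] = true;
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_landing_page_wplogin_nonce'], 'jr_ps_admin_landing_page_wplogin' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- $settings['wplogin_php'] = false;
- }
 
- $result = update_option( 'jr_ps_settings', $settings );
- my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_landing_page_save' );
+ $result = update_option( 'jr_ps_settings', $settings );
+ my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_landing_page_save' );
+ }
   }
 
   function my_private_site_admin_landing_page_preload( $data, $object_id, $args, $field ) {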
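Review bot: `$settings['specific_url'] = $_POST['jr_ps_admin_landing_page_url'];` and `$settings['landing'] = $_POST['jr_ps_admin_landing_page_option'];` persist request values with no validation in the lines shown, and the `// these just check for value existence` comments above them understate that the values are read and stored. The advanced tab in this same commit passes its URL through `my_private_site_validate_url( esc_url_raw( ... ) )`; the landing URL, which appears to be a post-login redirect target, should get equivalent handling, e.g. `$settings['specific_url'] = esc_url_raw( wp_unslash( $_POST['jr_ps_admin_landing_page_url'] ) );`, and `landing` should be checked against the set of allowed option values before saving. The `validate_page_slug_my_private_site_tab_landing_page` filter may already cover this, but that is not visible here. The enclosing function starts outside the hunk.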
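--- a/admin/membership.php
+++ b/admin/membership.php
@@ -55,7 +55,7 @@ function my_private_site_admin_membership_section_data( $section_options ) {
 
   $section_options = apply_filters( 'my_private_site_tab_membership_section_data', $section_options );
 
- $section_desc = '<i>Choose whether users are allowed to self-register on this private site.</i>';
+ $section_desc = '<i>Choose whether users are allowed to self-register on this private site.</i>';
   $section_desc .= '<i> Both checkboxes must be checked for users to be able to self-register.</i>';
 
   $section_options->add_field(
@@ -73,7 +73,7 @@ function my_private_site_admin_membership_section_data( $section_options ) {
   'id' => 'jr_ps_admin_membership_register',
   'type' => 'checkbox',
   'after' => 'Anyone can register',
- // 'desc' => 'This is the same Membership option displayed on the General Settings admin panel' ),
+ // 'desc' => 'This is the same Membership option displayed on the General Settings admin panel' ),
   )
   );
   my_private_site_preload_cmb2_field_filter( 'jr_ps_admin_membership_register', $handler_function );
@@ -84,7 +84,7 @@ function my_private_site_admin_membership_section_data( $section_options ) {
   'id' => 'jr_ps_admin_membership_reveal',
   'type' => 'checkbox',
   'after' => 'Do not block standard User Registration page (required to self-register)',
- // 'desc' => 'This is the same Membership option displayed on the General Settings admin panel' ),
+ // 'desc' => 'This is the same Membership option displayed on the General Settings admin panel' ),
   )
   );
   my_private_site_preload_cmb2_field_filter( 'jr_ps_admin_membership_reveal', $handler_function );
@@ -108,31 +108,29 @@ function my_private_site_tab_membership_process_buttons() {
   // phpcs:ignore WordPress.Security.NonceVerification
   $_POST = apply_filters( 'validate_page_slug_my_private_site_tab_membership', $_POST );
 
- $settings = get_option( 'jr_ps_settings' );
- if ( isset( $_POST['jr_ps_admin_membership_register'], $_POST['jr_ps_admin_membership_register_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_membership_register_nonce'], 'jr_ps_admin_membership_register' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ if ( isset( $_POST['jr_ps_button_membership_save'], $_POST['jr_ps_button_membership_save_nonce'] ) ) {
+ if ( ! wp_verify_nonce( $_POST['jr_ps_button_membership_save_nonce'], 'jr_ps_button_membership_save' ) ) {
+ wp_die( 'Security violation detected [A016]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
- update_option( 'users_can_register', true );
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_membership_register_nonce'], 'jr_ps_admin_membership_register' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
- }
- update_option( 'users_can_register', false );
- }
- if ( isset( $_POST['jr_ps_admin_membership_reveal'], $_POST['jr_ps_admin_membership_reveal_nonce'] ) ) {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_membership_reveal_nonce'], 'jr_ps_admin_membership_reveal' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+
+ $settings = get_option( 'jr_ps_settings' );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_membership_register'] ) ) {
+ update_option( 'users_can_register', true );
+ } else {
+ update_option( 'users_can_register', false );
   }
- $settings['reveal_registration'] = true;
- } else {
- if ( ! wp_verify_nonce( $_POST['jr_ps_admin_membership_reveal_nonce'], 'jr_ps_admin_membership_reveal' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ // these just check for value existence
+ // phpcs:ignore WordPress.Security.NonceVerification
+ if ( isset( $_POST['jr_ps_admin_membership_reveal'] ) ) {
+ $settings['reveal_registration'] = true;
+ } else {
+ $settings['reveal_registration'] = false;
   }
- $settings['reveal_registration'] = false;
+ $result = update_option( 'jr_ps_settings', $settings );
+ my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_membership_save' );
   }
- $result = update_option( 'jr_ps_settings', $settings );
- my_private_site_flag_cmb2_submit_button_success( 'jr_ps_button_membership_save' );
   }
 
   function my_private_site_admin_membership_preload( $data, $object_id, $args, $field ) {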
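Review bot: `$result = update_option( 'jr_ps_settings', $settings );` assigns a value that is never read in the lines shown, while admin/advanced.php drops the same assignment in this commit and admin/landing-page.php keeps it. For consistency write `update_option( 'jr_ps_settings', $settings );` in both files. The enclosing function starts outside the hunk.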
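--- a/admin/public-pages.php
+++ b/admin/public-pages.php
@@ -142,13 +142,13 @@ function my_private_site_tab_public_pages_process_buttons() {
 
   if ( isset( $_POST['jr_ps_button_public_pages_public_home'], $_POST['jr_ps_button_public_pages_public_home_nonce'] ) ) {
   if ( ! wp_verify_nonce( $_POST['jr_ps_button_public_pages_public_home_nonce'], 'jr_ps_button_public_pages_public_home' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ wp_die( 'Security violation detected [A009]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
   if ( isset( $_POST['my_private_site_admin_public_pages_site_home'] ) ) {
   $settings['excl_home'] = true;
   } else {
   if ( ! wp_verify_nonce( $_POST['jr_ps_button_public_pages_public_home_nonce'], 'jr_ps_button_public_pages_public_home' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ wp_die( 'Security violation detected [A010]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
   $settings['excl_home'] = false;
   }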
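Review bot: The inner `wp_verify_nonce()` call that now reports `[A010]` is redundant, because it checks the same `jr_ps_button_public_pages_public_home_nonce` against the same action as the `[A009]` check a few lines above, which has already passed by the time the `else` branch runs. Removing the inner `if ( ! wp_verify_nonce( ... ) ) { wp_die( ... ); }` would leave one check per button, as in the other handlers reworked in this commit, and would keep the list of error codes limited to ones that can occur. The enclosing function starts and ends outside the hunk.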
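--- a/admin/site-privacy.php
+++ b/admin/site-privacy.php
@@ -147,7 +147,7 @@ function my_private_site_tab_site_privacy_process_buttons() {
 
   if ( isset( $_POST['jr_ps_button_site_privacy_save'], $_POST['jr_ps_button_site_privacy_save_nonce'] ) ) {
   if ( ! wp_verify_nonce( $_POST['jr_ps_button_site_privacy_save_nonce'], 'jr_ps_button_site_privacy_save' ) ) {
- wp_die( 'Security violation detected. Access denied.', 'Security violation', array( 'response' => 403 ) );
+ wp_die( 'Security violation detected [A006]. Access denied.', 'Security violation', array( 'response' => 403 ) );
   }
   // these just check for value existence
   // phpcs:ignore WordPress.Security.NonceVerification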
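--- a/jonradio-private-site.php
+++ b/jonradio-private-site.php
@@ -3,7 +3,7 @@
   Plugin Name: My Private Site
   Plugin URI: http://zatzlabs.com/plugins/
   Description: Easily secure posts, pages, or your entire WordPress site by requiring visitors to login.
- Version: 3.0.9
+ Version: 3.0.10
   Author: David Gewirtz
   Author URI: http://zatzlabs.com/plugins/
   License: GPLv2
@@ -27,7 +27,7 @@ License: GPLv2
   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
   */
 
- // Signal that parent SDK was initiated.
+ // Security violation detected. Access denied. Codes up to [A016].
 
   /*
   Exit if .php file accessed directly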
readme.txt CHANGED
@@ -2,9 +2,9 @@
2
  Contributors: dgewirtz
3
  Donate link: http://zatzlabs.com/lab-notes/
4
  Tags: login, visibility, private, security, plugin, pages, page, posts, post
5
- Requires at least: 3.8
6
  Tested up to: 6.0
7
- Stable tag: 3.0.9
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -92,6 +92,9 @@ Whenever you change your WordPress Permalinks (Settings-Permalinks in Admin pane
92
 
93
  == Changelog ==
94
 
 
 
 
95
  = 3.0.9 =
96
  * Fixed compatibility switch bug
97
 
2
  Contributors: dgewirtz
3
  Donate link: http://zatzlabs.com/lab-notes/
4
  Tags: login, visibility, private, security, plugin, pages, page, posts, post
5
+ Requires at least: 4.0
6
  Tested up to: 6.0
7
+ Stable tag: 3.0.10
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
92
 
93
  == Changelog ==
94
 
95
+ = 3.0.10 =
96
+ * Fixed a bunch of over-eager security checks
97
+
98
  = 3.0.9 =
99
  * Fixed compatibility switch bug
100