Version Description
Security update for ajax calls
Release Info
| Developer | adispiac |
| Version | 2.4.1 |
Code changes from version 2.4.0 to 2.4.1
- assets/lib/wck-api/wordpress-creation-kit.php +60 -0
- front-end/class-formbuilder.php +1 -1
- index.php +2 -2
- readme.txt +4 -1
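--- a/assets/lib/wck-api/wordpress-creation-kit.php
+++ b/assets/lib/wck-api/wordpress-creation-kit.php
@@ -712,6 +712,43 @@ class Wordpress_Creation_Kit_PB{
 
 return $errors;
 }
+
+/* Checks to see wether the current user can modify data */
+function wck_verify_user_capabilities( $context, $meta = '', $id = 0 ) {
+
+$return = true;
+
+// Meta is an option
+if( $context == 'option' && !current_user_can( 'manage_options' ) )
+$return = false;
+
+// Meta is post related
+if( $context == 'post_meta' && is_user_logged_in() ) {
+
+// Current user must be able to edit posts
+if( !current_user_can( 'edit_posts' ) )
+$return = false;
+
+// If the user can't edit others posts the current post must be his/hers
+elseif( !current_user_can( 'edit_others_posts' ) ) {
+
+$current_post = get_post( $id );
+$current_user = wp_get_current_user();
+
+if( $current_user->ID != $current_post->post_author )
+$return = false;
+
+}
+
+}
+
+// Return
+if( $return )
+return $return;
+else
+return array( 'error' => __( 'You are not allowed to do this.', 'wck' ), 'errorfields' => '' );
+
+}
 
 
 /* ajax add a reccord to the meta */
@@ -730,6 +767,12 @@ class Wordpress_Creation_Kit_PB{
 else
 $values = array();
 
+// Security checks
+if( true !== ( $error = self::wck_verify_user_capabilities( $this->args['context'], $meta, $id ) ) ) {
+header( 'Content-type: application/json' );
+die( json_encode( $error ) );
+}
+
 $values = apply_filters( "wck_add_meta_filter_values_{$meta}", $values );
 
 /* check required fields */
@@ -790,6 +833,11 @@ class Wordpress_Creation_Kit_PB{
 if( !empty( $_POST['values'] ) )
 $values = $_POST['values'];
 
+// Security checks
+if( true !== ( $error = self::wck_verify_user_capabilities( $this->args['context'], $meta, $id ) ) ) {
+header( 'Content-type: application/json' );
+die( json_encode( $error ) );
+}
 
 $values = apply_filters( "wck_update_meta_filter_values_{$meta}", $values, $element_id );
 
@@ -922,6 +970,12 @@ class Wordpress_Creation_Kit_PB{
 $element_id = absint( $_POST['element_id'] );
 else
 $element_id = '';
+
+// Security checks
+if( true !== ( $error = self::wck_verify_user_capabilities( $this->args['context'], $meta, $id ) ) ) {
+header( 'Content-type: application/json' );
+die( json_encode( $error ) );
+}
 
 if( $this->args['context'] == 'post_meta' )
 $results = get_post_meta($id, $meta, true);
@@ -988,6 +1042,12 @@ class Wordpress_Creation_Kit_PB{
 $elements_id = $_POST['values'];
 else
 $elements_id = array();
+
+// Security checks
+if( true !== ( $error = self::wck_verify_user_capabilities( $this->args['context'], $meta, $id ) ) ) {
+header( 'Content-type: application/json' );
+die( json_encode( $error ) );
+}
 
 do_action( 'wck_before_reorder_meta', $meta, $id, $elements_id );
 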
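Review bot: In wck_verify_user_capabilities (new lines 726–743) the post_meta branch only runs when `is_user_logged_in()` is true, so an anonymous caller with context 'post_meta' never reaches a `$return = false` and the check passes; unless the ajax actions are registered only for logged-in users (not visible here), the new guard does not protect the add/update/reorder handlers from unauthenticated requests. `get_post( $id )` can also return null, in which case `$current_post->post_author` is read on a null object. I would require login inside that branch and treat a missing post as not owned by the caller, as below. The handlers that call the check in the later hunks begin outside the hunks, so I cannot see whether they also verify a nonce (`check_ajax_referer`) — a capability check alone does not stop CSRF — and any context other than 'option' or 'post_meta' is let through as well, so a fail-closed default (`$return = false` unless a branch explicitly grants) is worth considering.
```php
// Meta is post related
if( $context == 'post_meta' ) {

    // Anonymous callers and users who can't edit posts are rejected
    if( !is_user_logged_in() || !current_user_can( 'edit_posts' ) )
        $return = false;

    // If the user can't edit others posts the current post must be his/hers
    elseif( !current_user_can( 'edit_others_posts' ) ) {

        $current_post = get_post( $id );
        $current_user = wp_get_current_user();

        // A post that can't be loaded is never the caller's own
        if( !$current_post || $current_user->ID != $current_post->post_author )
            $return = false;

    }

}
// … unchanged: return …
```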
front-end/class-formbuilder.php
CHANGED
|
@@ -81,7 +81,7 @@ class Profile_Builder_Form_Creator{
|
|
| 81 |
function wppb_retrieve_custom_settings(){
|
| 82 |
$this->args['login_after_register'] = apply_filters( 'wppb_automatically_login_after_register', 'No' ); //used only for the register-form settings
|
| 83 |
$this->args['redirect_activated'] = apply_filters( 'wppb_redirect_default_setting', '' );
|
| 84 |
-
$this->args['redirect_url'] = apply_filters( 'wppb_redirect_default_location', ($this->args['redirect_url'] != '') ? $this->args['redirect_url'] :
|
| 85 |
/* for register forms check to see if we have a custom redirect "Redirect After Register" */
|
| 86 |
if( PROFILE_BUILDER == 'Profile Builder Pro' ) {
|
| 87 |
if( ( $this->args['form_type'] == 'register' || $this->args['form_type'] == 'edit_profile' ) && ( ! current_user_can( 'manage_options' ) ) ) {
|
| 81 |
function wppb_retrieve_custom_settings(){
|
| 82 |
$this->args['login_after_register'] = apply_filters( 'wppb_automatically_login_after_register', 'No' ); //used only for the register-form settings
|
| 83 |
$this->args['redirect_activated'] = apply_filters( 'wppb_redirect_default_setting', '' );
|
| 84 |
+
$this->args['redirect_url'] = apply_filters( 'wppb_redirect_default_location', ($this->args['redirect_url'] != '') ? $this->args['redirect_url'] : '' );
|
| 85 |
/* for register forms check to see if we have a custom redirect "Redirect After Register" */
|
| 86 |
if( PROFILE_BUILDER == 'Profile Builder Pro' ) {
|
| 87 |
if( ( $this->args['form_type'] == 'register' || $this->args['form_type'] == 'edit_profile' ) && ( ! current_user_can( 'manage_options' ) ) ) {
|
index.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
Plugin Name: Profile Builder
|
| 4 |
Plugin URI: https://www.cozmoslabs.com/wordpress-profile-builder/
|
| 5 |
Description: Login, registration and edit profile shortcodes for the front-end. Also you can chose what fields should be displayed or add new (custom) ones both in the front-end and in the dashboard.
|
| 6 |
-
Version: 2.4.
|
| 7 |
Author: Cozmoslabs, Madalin Ungureanu, Antohe Cristian, Barina Gabriel, Mihai Iova
|
| 8 |
Author URI: https://www.cozmoslabs.com/
|
| 9 |
License: GPL2
|
|
@@ -73,7 +73,7 @@ function wppb_free_plugin_init() {
|
|
| 73 |
*
|
| 74 |
*
|
| 75 |
*/
|
| 76 |
-
define('PROFILE_BUILDER_VERSION', '2.4.
|
| 77 |
define('WPPB_PLUGIN_DIR', plugin_dir_path(__FILE__));
|
| 78 |
define('WPPB_PLUGIN_URL', plugin_dir_url(__FILE__));
|
| 79 |
define('WPPB_SERVER_MAX_UPLOAD_SIZE_BYTE', apply_filters('wppb_server_max_upload_size_byte_constant', wppb_return_bytes(ini_get('upload_max_filesize'))));
|
| 3 |
Plugin Name: Profile Builder
|
| 4 |
Plugin URI: https://www.cozmoslabs.com/wordpress-profile-builder/
|
| 5 |
Description: Login, registration and edit profile shortcodes for the front-end. Also you can chose what fields should be displayed or add new (custom) ones both in the front-end and in the dashboard.
|
| 6 |
+
Version: 2.4.1
|
| 7 |
Author: Cozmoslabs, Madalin Ungureanu, Antohe Cristian, Barina Gabriel, Mihai Iova
|
| 8 |
Author URI: https://www.cozmoslabs.com/
|
| 9 |
License: GPL2
|
| 73 |
*
|
| 74 |
*
|
| 75 |
*/
|
| 76 |
+
define('PROFILE_BUILDER_VERSION', '2.4.1' );
|
| 77 |
define('WPPB_PLUGIN_DIR', plugin_dir_path(__FILE__));
|
| 78 |
define('WPPB_PLUGIN_URL', plugin_dir_url(__FILE__));
|
| 79 |
define('WPPB_SERVER_MAX_UPLOAD_SIZE_BYTE', apply_filters('wppb_server_max_upload_size_byte_constant', wppb_return_bytes(ini_get('upload_max_filesize'))));
|
readme.txt
CHANGED
|
@@ -5,7 +5,7 @@ Tags: user registration, user registration form, user fields, extra user fields,
|
|
| 5 |
|
| 6 |
Requires at least: 3.1
|
| 7 |
Tested up to: 4.5.3
|
| 8 |
-
Stable tag: 2.4.
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
|
@@ -147,6 +147,9 @@ This plugin adds/removes user fields in the front-end. Both default and extra pr
|
|
| 147 |
10. Profile Builder Login Widget
|
| 148 |
|
| 149 |
== Changelog ==
|
|
|
|
|
|
|
|
|
|
| 150 |
= 2.4.0 =
|
| 151 |
* Now we check checkboxes default value to not be empty in the front end forms
|
| 152 |
* Display name with email confirmation now is set to First name Last name or Nickname if they exist
|
| 5 |
|
| 6 |
Requires at least: 3.1
|
| 7 |
Tested up to: 4.5.3
|
| 8 |
+
Stable tag: 2.4.1
|
| 9 |
License: GPLv2 or later
|
| 10 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 11 |
|
| 147 |
10. Profile Builder Login Widget
|
| 148 |
|
| 149 |
== Changelog ==
|
| 150 |
+
= 2.4.1 =
|
| 151 |
+
Security update for ajax calls
|
| 152 |
+
|
| 153 |
= 2.4.0 =
|
| 154 |
* Now we check checkboxes default value to not be empty in the front end forms
|
| 155 |
* Display name with email confirmation now is set to First name Last name or Nickname if they exist
|
