Restaurant Reservations - Version 1.5.1

Version Description

This update increases security for the quick link feature to confirm/reject bookings from the admin notification email.


Release Info

Developer NateWr
Version 1.5.1

Code changes from version 1.5 to 1.5.1

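--- a/includes/CustomPostTypes.class.php
+++ b/includes/CustomPostTypes.class.php
@@ -162,8 +162,15 @@ class rtbCustomPostTypes {
  */
  public function delete_booking( $id ) {
 
- if ( !current_user_can( 'manage_bookings' ) ) {
- return;
+ $id = absint( $id );
+ if ( !current_user_can( 'manage_bookings' ) || !current_user_can( 'edit_posts', $id ) ) {
+ return false;
+ }
+
+ $booking = get_post( $id );
+
+ if ( !$this->is_valid_booking_post_object( $booking ) ) {
+ return false;
  }
 
  // If we're already looking at trashed posts, delete it for good.
@@ -190,17 +197,18 @@ class rtbCustomPostTypes {
  */
  function update_booking_status( $id, $status ) {
 
- if ( !current_user_can( 'manage_bookings' ) ) {
- return;
+ $id = absint( $id );
+ if ( !current_user_can( 'manage_bookings' ) || !current_user_can( 'edit_posts', $id ) ) {
+ return false;
  }
-
+
  if ( !$this->is_valid_booking_status( $status ) ) {
  return false;
  }
 
  $booking = get_post( $id );
 
- if ( is_wp_error( $booking ) || !is_object( $booking ) ) {
+ if ( !$this->is_valid_booking_post_object( $booking ) ) {
  return false;
  }
 
@@ -227,5 +235,13 @@ class rtbCustomPostTypes {
  return isset( $this->booking_statuses[$status] ) ? true : false;
  }
 
+ /**
+ * Check if booking is a valid Post object with the correct post type
+ * @since 0.0.1
+ */
+ public function is_valid_booking_post_object( $booking ) {
+ return !is_wp_error( $booking ) && is_object( $booking ) && $booking->post_type == RTB_BOOKING_POST_TYPE;
+ }
+
  }
  } // endif;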
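Review bot: The second clause of the new guard in both `delete_booking()` and `update_booking_status()`, `!current_user_can( 'edit_posts', $id )`, does not tie the check to the booking at all: `edit_posts` is a primitive capability and the extra `$id` argument is only honoured for the singular meta capability `edit_post`, which map_meta_cap resolves against the post's owner and status, so if a per-booking authorization was intended the clause should read `!current_user_can( 'edit_post', $id )`. Separately, a non-numeric or missing id becomes `0` after `absint()`, and `get_post( 0 )` falls back to the global `$post` when one is set, so adding `if ( ! $id ) { return false; }` directly after the `absint()` call would stop either method from acting on whatever post happens to be current rather than the one requested. In the new `is_valid_booking_post_object()` helper the `@since 0.0.1` tag should be `@since 1.5.1` since the method is introduced in this release, and the post-type comparison would be safer as `===`. Both methods continue past the end of their hunks.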
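--- a/readme.txt
+++ b/readme.txt
@@ -3,9 +3,9 @@ Contributors: NateWr
  Author URI: https://github.com/NateWr
  Plugin URL: http://themeofthecrop.com
  Requires at Least: 3.8
- Tested Up To: 4.4
+ Tested Up To: 4.4.2
  Tags: restaurant, reservations, bookings, table bookings, restaurant reservation, table reservation
- Stable tag: 1.5
+ Stable tag: 1.5.1
  License: GPLv2 or later
  Donate link: http://themeofthecrop.com
 
@@ -106,6 +106,10 @@ The addon, [Custom Fields for Restaurant Reservations](http://themeofthecrop.com
 
  == Changelog ==
 
+ = 1.5.1 (2016-02-19) =
+ * Fix: increase security of the quicklink feature for confirming/rejecting bookings
+ * Fix: Improve wp-cli compatibility
+
  = 1.5 (2015-12-17) =
  * Fix: pickadate iOS bug
  * Fix: Bookings table's Today view didn't respect WordPress timezone setting
@@ -256,6 +260,9 @@ The addon, [Custom Fields for Restaurant Reservations](http://themeofthecrop.com
 
  == Upgrade Notice ==
 
+ = 1.5.1 =
+ This update increases security for the quick link feature to confirm/reject bookings from the admin notification email.
+
  = 1.5 =
  This update adds the ability to configure which columns are visible in the bookings table. It works with the Custom Fields addon. If you have added fields using custom code, please read the release notification at themeofthecrop.com before updating.
 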
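--- a/restaurant-reservations.php
+++ b/restaurant-reservations.php
@@ -3,7 +3,7 @@
  * Plugin Name: Restaurant Reservations
  * Plugin URI: http://themeofthecrop.com
  * Description: Accept restaurant reservations and bookings online.
- * Version: 1.5
+ * Version: 1.5.1
  * Author: Theme of the Crop
  * Author URI: http://themeofthecrop.com
  * License: GNU General Public License v2.0 or later
@@ -297,4 +297,5 @@ class rtbInit {
  }
  } // endif;
 
+ global $rtb_controller;
  $rtb_controller = new rtbInit();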
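Review bot: The new `global $rtb_controller;` at file scope reads as a no-op and carries no comment explaining why it is there; the changelog entry in this release attributes it to WP-CLI compatibility, which suggests the file is sometimes included from inside a function, where the assignment on the next line would otherwise be function-local and the controller invisible to the rest of the plugin. A comment such as `// Declare the global explicitly: this file may be included from within a function (e.g. by WP-CLI), where the assignment would otherwise be local.` would preserve that intent for the next maintainer. The `rtbInit` class definition closes before the hunk begins.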