User Role Editor - Version 4.40

Version Description


Release Info

Developer shinephp
Version 4.40

Code changes from version 4.39 to 4.40

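--- a/changelog.txt
+++ b/changelog.txt
@@ -1,6 +1,16 @@
  CHANGES LOG (full version).
  ===========================
 
+ = [4.40] 31.01.2018 =
+ * Update: use wp_roles() function from WordPress API instead of initializing $wp_roles global variable directly.
+ * Fix: Bug was introduced by version 4.37 with users recalculation for "All" tab after excluding users with "administrator" role. Code worked incorrectly for Japanese locale.
+
+ = [4.39] 19.12.2017 =
+ * Update: Plugin settings management code moved to the separate URE_Settings class.
+ * Update: 'create_posts', 'create_pages' user capabilities are not added by default to WordPress built-in capabilities groups as they are supported by the Pro version only.
+ * Update: Type checking enhanced for values received from a user input and for variable arguments inside database queries.
+ * Update: Own code to build usermeta db table name was excluded. A value from $wpdb->usermeta is used instead.
+
  = [4.38] 27.11.2017 =
  * Security: XSS vulnerability was fixed at URE's options page. Bug was discovered and fixed at tab index value numeric type checking. Tab index value is additionally escaped before output also.
  * Security: Deprecated code for debug output to the .log file in case of database query error was removed.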
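--- a/includes/classes/ajax-processor.php
+++ b/includes/classes/ajax-processor.php
@@ -9,7 +9,7 @@
 
 
  /**
- * Process AJAX requrest from User Role Editor
+ * Process AJAX request from User Role Editor
  *
  * @author vladimir
  */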
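--- a/includes/classes/protect-admin.php
+++ b/includes/classes/protect-admin.php
@@ -181,8 +181,7 @@ class URE_Protect_Admin {
  }
  // end of exclude_administrators()
 
-
-
+
  private function extract_view_quantity($text) {
  $match = array();
  $result = preg_match('#\((.*?)\)#', $text, $match);
@@ -197,6 +196,15 @@ class URE_Protect_Admin {
  // end of extract_view_quantity()
 
 
+ private function extract_int($str_val) {
+ $str_val1 = str_replace(',', '', $str_val); // remove ',' from numbers like '2,015'
+ $int_val = (int) preg_replace('/[^\-\d]*(\-?\d*).*/','$1', $str_val1); // extract numeric value strings like from '2015 bla-bla'
+
+ return $int_val;
+ }
+ // end of extract_int()
+
+
  /*
  * Exclude view of users with Administrator role
  *
@@ -208,13 +216,14 @@ class URE_Protect_Admin {
  }
 
  if (isset($views['all'])) {
- // Decrease quant of all users to the quant of hidden admins
- $admins_orig = $this->extract_view_quantity($views['administrator']);
- $admins_int = str_replace(',', '', $admins_orig);
- $all_orig = $this->extract_view_quantity($views['all']);
- $all_orig_int = str_replace(',', '', $all_orig);
- $all_new = $all_orig_int - $admins_int;
- $views['all'] = str_replace($all_orig, $all_new, $views['all']);
+ // Decrease quant of all users for a quant of hidden admins
+ $admins_orig_s = $this->extract_view_quantity($views['administrator']);
+ $admins_int = $this->extract_int($admins_orig_s);
+ $all_orig_s = $this->extract_view_quantity($views['all']);
+ $all_orig_int = $this->extract_int($all_orig_s);
+ $all_new_int = $all_orig_int - $admins_int;
+ $all_new_s = number_format_i18n($all_new_int);
+ $views['all'] = str_replace($all_orig_s, $all_new_s, $views['all']);
  }
 
  unset($views['administrator']);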
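Review bot: extract_int() removes only ',' before parsing, so a count rendered with any other thousands separator is cut off at that separator: '2.015' or '2 015' parses as 2, and the "All" total written back through `number_format_i18n()` is then wrong on those locales. Since the counts come from WordPress's own localized output, strip the active locale's separator instead, e.g. `global $wp_locale;` followed by `$str_val1 = str_replace($wp_locale->number_format['thousands_sep'], '', $str_val);`. This total is what keeps hidden administrator accounts out of the figure shown to other users, so a parsing miss here leaves a visibly inconsistent count. The final `str_replace($all_orig_s, $all_new_s, $views['all'])` also rewrites every occurrence of the digit string in the link markup, not only the one inside the parentheses. The method containing the third hunk starts and ends outside the visible lines, so whether `$views['administrator']` is always set at that point cannot be confirmed from here.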
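--- a/includes/classes/ure-lib.php
+++ b/includes/classes/ure-lib.php
@@ -112,7 +112,7 @@ class URE_Lib extends URE_Base_Lib {
  $this->notification = $value;
 
  }
- // end of esc_html()
+ // end of set_notification()
 
 
  public function set_apply_to_all($value) {
@@ -560,15 +560,11 @@ class URE_Lib extends URE_Base_Lib {
  * @return array
  */
  public function get_user_roles() {
- global $wp_roles;
-
- if (!isset($wp_roles)) {
- $wp_roles = new WP_Roles();
- }
 
  if (!empty($this->bbpress)) { // bbPress plugin is active
  $this->roles = $this->bbpress->get_roles();
  } else {
+ $wp_roles = wp_roles();
  $this->roles = $wp_roles->roles;
  }
 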
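--- a/readme.txt
+++ b/readme.txt
@@ -2,9 +2,9 @@
  Contributors: shinephp
  Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=vladimir%40shinephp%2ecom&lc=RU&item_name=ShinePHP%2ecom&item_number=User%20Role%20Editor%20WordPress%20plugin&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
  Tags: user, role, editor, security, access, permission, capability
- Requires at least: 4.0
- Tested up to: 4.9.1
- Stable tag: 4.39
+ Requires at least: 4.3
+ Tested up to: 4.9.2
+ Stable tag: 4.40
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -80,6 +80,10 @@ https://translate.wordpress.org/projects/wp-plugins/user-role-editor/
 
  == Changelog =
 
+ = [4.40] 31.01.2018 =
+ * Update: use wp_roles() function from WordPress API instead of initializing $wp_roles global variable directly.
+ * Fix: Bug was introduced by version 4.37 with users recalculation for "All" tab after excluding users with "administrator" role. Code worked incorrectly for Japanese locale.
+
  = [4.39] 19.12.2017 =
  * Update: Plugin settings management code moved to the separate URE_Settings class.
  * Update: 'create_posts', 'create_pages' user capabilities are not added by default to WordPress built-in capabilities groups as they are supported by the Pro version only.
@@ -91,78 +95,6 @@ https://translate.wordpress.org/projects/wp-plugins/user-role-editor/
  * Security: Deprecated code for debug output to the .log file in case of database query error was removed.
  * Security: Multiple select jQuery plugin (https://github.com/wenzhixin/multiple-select/) was updated to the latest available version 1.2.1, which fixed XSS vulnerability, existed in earlier versions.
 
- = [4.37] 01.11.2017 =
- * New: New option was added to the "Settings->User Role Editor->General" tab. It's possible to set a default value for a quant of columns at capabilities section of the main User Role Editor page.
- * Update: User capabilities are shown for custom post types which use the WordPress built-in 'post' or 'page' capability type. (0/0) was shown earlier instead of the quantity of user capabilities really used.
- * Update: Restriction was added for 'do_not_allow' user capability (used internally by WordPress). You can not add it manually.
- * Fix: URE hides users with 'administrator' role by default from any other user. Quantity of users of 'All' view (tab) at 'Users' page is decreased now for the quantity of hidden administrators.
-
- = [4.36.1] 02.10.2017 =
- * Update: Direct access to the global $current_user variable was excluded. Current user data is initialized via WordPress core functions wp_get_current_user() or get_current_user_id().
-
- = [4.36] 19.09.2017 =
- * New: It's possible to set any URE's option value programmatically: use custom filter 'ure_get_option_<option_name>'. It takes a single parameter with current/default value for required options.
- Full list of User Role Editor options is available here: https://www.role-editor.com/documentation/options-list
- * Update: Users page - Grant Roles. It's possible to change just "Other roles" for multiple users and leave their primary roles untouched. Just leave a "Primary role" field empty. If you select the "- No role for this site -" option from a "Primary role" drop-down list, plugin will revoke all roles from the selected users.
- * Update: Options page screen help text was updated.
- * Fix: Additional (other) default roles set at URE's settings page are not granted to a new user now, if they were deselected at a 'Add New User' page.
-
- = [4.35.3] 20.07.2017 =
- * Fix: Multiple roles assignment (including default roles) did not work at "Users->Add New" new-user.php (contexts: add-existing-user, add-new-user) page for WordPress multisite.
-
- = [4.35.2] 18.07.2017 =
- * Fix: Multiple default roles (if defined at URE's settings) are selected automatically at new-user.php (context: add-new-user) page.
- * Update: Code enhancement for protection of users with 'administrator' role from each other. Current user can see his own record and edit own profile.
-
- = [4.35.1] 10.07.2017 =
- * Fix: "Grant Roles" button at the bottom of "Users" page did not work as had the same ID as a similar button at the top of this page.
- * Update: when bbPress plugin is active, "Grant Roles" does not revoke bbPress role granted to user anymore.
- * Fix: The same ID "move_from_no_role" and "move_from_no_role_dialog" were included twice to the "Users" page.
-
- = [4.35] 11.06.2017 =
- * Update: Bulk capabilities selection checkbox is not shown for 'administrator' role for single site WP, and is shown if current user is superadmin for multisite WP. It was done to exclude sudden revoke of all capabilities from the 'administrator' role.
- * Update: Full copy of JQuery UI 1.11.4 custom theme CSS file (jquery-ui.css) was included.
- * Fix: User->User Role Editor page apparently loads own jQuery UI CSS (instead of use of WordPress default one) in order to exclude the conflicts with themes and plugins which can load own jQuery UI CSS globally not for own pages only.
- * Fix: "Change Log" link was replaced with secure https://www.role-editor.com/changelog
-
- = [4.34] 02.06.2017 =
- * New: Multisite 'upgrade_network' capability support was added for compatibility with WordPress 4.8.
- * New: Multisite 'delete_sites' capability support was added.
- * Update: Users->Grant Roles: if a single user was selected for "Grant Roles" bulk action, dialog will show the current roles of selected user with checkboxes turned ON (pre-selected).
- * Fix: Transients caching was removed from URE_Lib::_get_post_types() function. It cached post types list too early in some cases.
- * Fix: jQuery UI CSS was updated to fix minor view inconsistency at the URE's Settings page.
- * Fix: "Reset" presentation code remainders were removed from the main User Role Editor page.
- * Fix: 'manage_links' capability was included into a wrong subgroup instead of "Core->General". It was a mistake in the capabilities group counters for that reason.
-
- = [4.33] 19.05.2017 =
- * Fix: "Users->Without Roles", "Users->Grant Roles" are shown only to the users with 'edit_users' capability.
- * Fix: Roles were updated for all sites of all networks for WordPress multisite. "Apply to All Sites" option updates roles inside a current network only.
- * Update: "Reset" button moved from the "Users->User Role Editor" main page to the "Settings->User Role Editor->Tools" tab.
- * Update: "Users->Grant Roles" button worked only for superadmin or user with 'ure_manage_options' capability. User with 'edit_users' can use this feature now.
- * New: boolean filter 'ure_bulk_grant_roles' allows to not show "Users->Grant Roles" button if you don't need it.
- * New: boolean filter 'ure_users_select_primary_role' can hide 'Primary role' selection controls from the user profile edit page.
- * New: boolean filter 'ure_users_show_wp_change_role' can hide "Change Role" bulk action selection control from the Users page. So it's possible to configure permissions for user who can change just other roles of a user without changing his primary role.
- * Update: Settings tabs and dialog stylesheets was updated to jQuery UI 1.11.4 default theme.
-
- = [4.32.3] 03.04.2017 =
- * Fix: Boolean false was sent to WordPress core wp_enqueue_script() function as the 2nd parameter instead of an empty string. We should respect the type of parameter which code author supposed to use initially.
- * Fix: Bulk grant to users multiple roles JavaScript code is loaded now for users.php page only, not globally.
-
- = [4.32.2] 17.03.2017 =
- * Fix: "Users->Grant Roles" button did not work with switched off option "Count Users without role" at "Settings->User Role Editor->Additional Modules" tab. "JQuery UI" library was not loaded.
- * Update: minimal PHP version was raised to 5.3.
-
- = [4.32.1] 09.03.2017 =
- * Fix: URL to users.php page was built incorrectly after bulk roles assignment to the users selected at the 1st page of a users list.
-
- = [4.32] 09.03.2017 =
- * New: Button "Grant Roles" allows to "Assign multiple roles to the selected users" directly from the "Users" page.
- * Update: singleton template was applied to the main User_Role_Editor class. While GLOBALS['user-role-editor'] reference to the instance of User_Role_Editor class is still available for the compatibility purpose, call to User_Role_Editor::get_instance() is the best way now to get a reference to the instance of User_Role_Editor class.
- * Fix: Missed 'unfiltered_html' capability is shown now at the 'General' capabilities group too.
-
- = [4.31.1] 06.01.2017 =
- * Fix: WP transients get/set were removed from URE_Own_Capabilities class. It leaded to the MySQL deadlock in some cases.
- * Update: Base_Lib::get_request_var() sanitizes user input by PHP's filter_var() in addition to WordPress core's esc_attr().
 
  For full list of changes applied to User Role Editor plugin look changelog.txt file.
 
@@ -174,7 +106,6 @@ You can find more information about "User Role Editor" plugin at [this page](htt
  I am ready to answer on your questions about plugin usage. Use [plugin page comments](http://www.shinephp.com/user-role-editor-wordpress-plugin/) for that.
 
  == Upgrade Notice ==
- = [4.38] 27.11.2017 =
- * Security: XSS vulnerability was fixed at URE's options page. Bug was discovered and fixed at tab index value numeric type checking. Tab index value is additionally escaped before output also.
- * Security: Deprecated code for debug output to the .log file in case of database query error was removed.
- * Security: Multiple select jQuery plugin (https://github.com/wenzhixin/multiple-select/) was updated to the latest available version 1.2.1, which fixed XSS vulnerability, existed in earlier versions.
+ = [4.40] 31.01.2018 =
+ * Update: use wp_roles() function from WordPress API instead of initializing $wp_roles global variable directly.
+ * Fix: Bug was introduced by version 4.37 with users recalculation for "All" tab after excluding users with "administrator" role. Code worked incorrectly for Japanese locale.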
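--- a/user-role-editor.php
+++ b/user-role-editor.php
@@ -3,7 +3,7 @@
  Plugin Name: User Role Editor
  Plugin URI: https://www.role-editor.com
  Description: Change/add/delete WordPress user roles and capabilities.
- Version: 4.39
+ Version: 4.40
  Author: Vladimir Garagulya
  Author URI: https://www.role-editor.com
  Text Domain: user-role-editor
@@ -23,7 +23,7 @@ if (defined('URE_PLUGIN_URL')) {
  wp_die('It seems that other version of User Role Editor is active. Please deactivate it before use this version');
  }
 
- define('URE_VERSION', '4.39');
+ define('URE_VERSION', '4.40');
  define('URE_PLUGIN_URL', plugin_dir_url(__FILE__));
  define('URE_PLUGIN_DIR', plugin_dir_path(__FILE__));
  define('URE_PLUGIN_BASE_NAME', plugin_basename(__FILE__));
@@ -40,7 +40,7 @@ $exit_msg = sprintf( 'User Role Editor requires PHP %s or newer.', $ure_required
  URE_Lib::check_version( PHP_VERSION, $ure_required_php_version, $exit_msg, __FILE__ );
 
  // check WP version
- $ure_required_wp_version = '4.0';
+ $ure_required_wp_version = '4.3';
  $exit_msg = sprintf( 'User Role Editor requires WordPress %s or newer.', $ure_required_wp_version ) .
  '<a href="http://codex.wordpress.org/Upgrading_WordPress"> ' . 'Please update!' . '</a>';
  URE_Lib::check_version(get_bloginfo('version'), $ure_required_wp_version, $exit_msg, __FILE__ );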