
Changeset 2959610


Timestamp:
08/28/2023 10:44:51 PM (3 years ago)
Author:
babatechs
Message:

added security patch

Location:
lock-user-account
Files:
16 added
3 edited

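--- a/lock-user-account/trunk/includes/class-user-meta.php
+++ b/lock-user-account/trunk/includes/class-user-meta.php
@@ -25,6 +25,6 @@
         add_filter( 'manage_users_custom_column', array( $this, 'output_column' ), 10, 3 );
        
-        //  Add filter to process bulk action request
-        add_filter( 'handle_bulk_actions-users', array( $this, 'process_lock_action' ), 10, 3 );
+        //  Add action to process bulk action request
+        add_action( 'admin_init', array( $this, 'process_lock_action' ) );
     }
    
@@ -33,5 +33,5 @@
      *
      * @param array $actions    Array of users bulk actions
-     * @return array            Array with adition of Lock action
+     * @return array            Array with addition of Lock action
      */
     public function register_bulk_action( $actions ){
@@ -68,26 +68,52 @@
     /**
      * Processing Lock and Unlock users on request of bulk action
-     *
-     * @param string $sendback          Redirect back URL
-     * @param string $current_action    Current screen id
-     * @param array $userids            Array of users IDs
-     * @return string                   Redirect back URL
      */
-    public function process_lock_action( $sendback, $current_action, $userids ){
-        //  Process lock request
-        if( 'lock' === $current_action ){
-            $current_user_id = get_current_user_id();
-            foreach( $userids as $userid ){
-                if( $userid == $current_user_id ) continue;
-                update_user_meta( (int)$userid, sanitize_key( 'baba_user_locked' ), 'yes' );
+    public function process_lock_action(){
+       
+        if ( isset( $_GET['_wpnonce'] ) && ! empty( $_GET['_wpnonce'] ) && wp_get_referer() == '/wp-admin/users.php' ){
+            $action  = filter_input( INPUT_GET, 'action', FILTER_SANITIZE_STRING );
+           
+            //  check the action is not supposed to catch
+            if( 'lock' !== $action && 'unlock' !== $action ){
+                return;
+            }
+           
+            //  security check one
+            if ( ! check_admin_referer( 'bulk-users' ) ) {
+                return;
+            }
+           
+            //  security check two
+            if( ! current_user_can( 'create_users' ) ){
+                return;
+            }
+           
+            //  secure input for user ids
+            $userids = [];
+            if( isset( $_GET['users'] ) && is_array( $_GET['users'] ) && !empty( $_GET['users'] ) ){
+                foreach( $_GET['users'] as $user_id ){
+                    $userids[] = (int)$user_id;
+                }
+            }
+            else{
+                return;
+            }
+           
+            //  Process lock request
+            if( 'lock' === $action ){
+                $current_user_id = get_current_user_id();
+                foreach( $userids as $userid ){
+                    if( $userid == $current_user_id ) continue;
+                    update_user_meta( (int)$userid, sanitize_key( 'baba_user_locked' ), 'yes' );
+                }
+            }
+           
+            //  Process unlock request
+            elseif( 'unlock' === $action ){
+                foreach( $userids as $userid ){
+                    update_user_meta( (int)$userid, sanitize_key( 'baba_user_locked' ), '' );
+                }
             }
         }
-        //  Process unlock request
-        elseif( 'unlock' === $current_action ){
-            foreach( $userids as $userid ){
-                update_user_meta( (int)$userid, sanitize_key( 'baba_user_locked' ), '' );
-            }
-        }
-        return $sendback;
     }
 }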
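Review bot: The referer gate on the first `if` of the new `process_lock_action()` loosely compares `wp_get_referer()` with the bare path `/wp-admin/users.php`, which will not match on a subdirectory install or whenever the users list carries a query string (search, role filter, pagination), so the bulk action then silently does nothing; since `check_admin_referer( 'bulk-users' )` and `current_user_can( 'create_users' )` further down are what actually authorize the request, the referer comparison can be dropped, or at most reduced to a path check such as `'users.php' === basename( (string) parse_url( (string) wp_get_referer(), PHP_URL_PATH ) )`. `FILTER_SANITIZE_STRING` on the `$action` read is deprecated as of PHP 8.1; because only the two literals `lock`/`unlock` are accepted afterwards, `$action = sanitize_key( wp_unslash( $_GET['action'] ?? '' ) );` is an equivalent, non-deprecated replacement. The capability check is site-wide, so nothing confirms that the acting user may modify each target id or that the id exists; a guard at the top of both loops like `if ( ! get_userdata( $userid ) || ! current_user_can( 'edit_user', $userid ) ) continue;` would stop arbitrary ids from creating stray usermeta rows and line up with core's per-user checks, though whether the plugin intends lower roles to use this action is not visible here. Hooking `admin_init` also means the handler now runs on every admin request instead of only inside the users screen's bulk handler, and as far as I can tell the removed `handle_bulk_actions-users` filter also took care of the redirect afterwards; that is worth a line above the hook such as `// Runs on every admin_init; the 'bulk-users' nonce and capability check below restrict it to the users-list bulk form.`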
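--- a/lock-user-account/trunk/lock-user-account.php
+++ b/lock-user-account/trunk/lock-user-account.php
@@ -4,5 +4,5 @@
  * Plugin URI: http://teknigar.com
  * Description: Lock user accounts with custom message
- * Version: 1.0.3
+ * Version: 1.0.4
  * Author: teknigar
  * Author URI: http://teknigar.com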
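--- a/lock-user-account/trunk/readme.txt
+++ b/lock-user-account/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.3
 Tested up to: 6.0.2
-Stable tag: 1.0.3
+Stable tag: 1.0.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -56,6 +56,10 @@
 Prevented current user from being locked
 
+= 1.0.4 =
+Updated for WP 5.8
+Added security patch
+
 == Upgrade Notice ==
 
-= 1.0.3 =
+= 1.0.4 =
 Updated version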