
Changeset 3280795


Timestamp:
04/24/2025 10:18:19 AM (12 months ago)
Author:
werbeagenturcommotion
Message:

6.1.1

  • Vulnerability fix.
  • Compatibility for latest WooCommerce version.
Location:
course-booking-system
Files:
75 added
9 edited

  • course-booking-system/trunk/assets/js/admin.js

    r3208605 r3280795  
    5454});
    5555
    56 // Single: Add Timeslot
     56// Single: Edit Timeslots
    5757jQuery( document ).ready( function() {
    5858
     
    7474            data: {
    7575                action: 'cbs_add_timetable',
     76                nonce: course_booking_system_ajax.nonce,
     77
    7678                post_id: post_id,
    7779                id: id,
     
    109111            data: {
    110112                action: 'cbs_delete_timetable',
     113                nonce: course_booking_system_ajax.nonce,
     114
    111115                delete_id: delete_id,
    112116                post_id: post_id,
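Review bot: Both payloads now send `nonce: course_booking_system_ajax.nonce` (new lines 76 and 113), which only works if the script that runs admin.js has the `course_booking_system_ajax` object localized onto it; the assets.php hunk in this changeset attaches that object to the `course-booking-system-ajax` handle, so confirm admin.js shares that handle or is localized separately, otherwise the property is undefined and every request fails the new server-side check. The same applies to the twelve data blocks changed in ajax.js. The nonce is minted at page render and WordPress nonces expire after roughly a day, so an admin screen left open will start getting "AJAX nonce is not valid." responses with no hint why. A comment on the first payload such as `// nonce is created at render time; a stale page must be reloaded before retrying` would spare the next maintainer that debugging session. The enclosing ready() handlers start outside the hunks.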
  • course-booking-system/trunk/assets/js/ajax.js

    r3278753 r3280795  
    117117        data: {
    118118            action: 'cbs_action_substitute',
     119            nonce: course_booking_system_ajax.nonce,
    119120
    120121            course_id: course_id,
     
    148149        data: {
    149150            action: 'cbs_note',
     151            nonce: course_booking_system_ajax.nonce,
    150152
    151153            course_id: course_id,
     
    221223                data: {
    222224                    action: 'cbs_action_booking',
     225                    nonce: course_booking_system_ajax.nonce,
    223226
    224227                    course_id: course_id,
     
    261264                data: {
    262265                    action: 'cbs_action_booking_delete',
     266                    nonce: course_booking_system_ajax.nonce,
    263267
    264268                    course_id: course_id,
     
    304308                data: {
    305309                    action: 'cbs_action_abo_delete',
     310                    nonce: course_booking_system_ajax.nonce,
    306311
    307312                    course_id: course_id,
     
    338343            data: {
    339344                action: 'cbs_action_waitlist',
     345                nonce: course_booking_system_ajax.nonce,
    340346
    341347                course_id: course_id,
     
    369375            data: {
    370376                action: 'cbs_action_waitlist_delete',
     377                nonce: course_booking_system_ajax.nonce,
    371378
    372379                course_id: course_id,
     
    401408            data: {
    402409                action: 'cbs_action_attendance',
     410                nonce: course_booking_system_ajax.nonce,
    403411
    404412                course_id: course_id,
     
    448456            data: {
    449457                action: 'cbs_action_week',
     458                nonce: course_booking_system_ajax.nonce,
    450459
    451460                category: category,
     
    476485            data: {
    477486                action: 'cbs_action_subscription',
     487                nonce: course_booking_system_ajax.nonce,
    478488
    479489                abo_course: abo_course
     
    504514            data: {
    505515                action: 'cbs_sms',
     516                nonce: course_booking_system_ajax.nonce,
    506517
    507518                to: to,
     
    536547            data: {
    537548                action: 'cbs_notifications',
     549                nonce: course_booking_system_ajax.nonce,
    538550
    539551                user_id: user_id,
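--- a/course-booking-system/trunk/course-booking-system.php
+++ b/course-booking-system/trunk/course-booking-system.php
@@ -13,10 +13,10 @@
  * Description: Individual course booking system for specific needs. Works perfectly with WooCommerce.
  * Network: true
- * Version: 6.1
+ * Version: 6.1.1
  * Requires Plugins: woocommerce
  * Requires at least: 5.5
  * Requires PHP: 7.0
  * WC requires at least: 5.7.0
- * WC tested up to: 9.8.1
+ * WC tested up to: 9.8.2
  * Author: ComMotion
  * Author URI: https://commotion.online/
@@ -202,9 +202,8 @@
             return;
 
-        $post__in = array();
-
         $day = isset( $_GET['weekday'] ) ? intval( $_GET['weekday'] ) : 0;
         $date = isset( $_GET['date'] ) ? htmlspecialchars( $_REQUEST['date'] ) : date( 'Y-m-d', strtotime( 'Sunday +'.$day.' days' ) );
 
+        $post__in = array();
         $courses = cbs_get_courses( array(
             'day' => $day,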
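Review bot: The relocated `$post__in = array();` (new line 207) is harmless, but the context line 205 right above it tests `isset( $_GET['date'] )` and then reads `$_REQUEST['date']`, so the value actually used may come from POST or cookie data rather than the query string that was checked, and `htmlspecialchars()` is an output escaper, not a validator, for a value that is passed on to `cbs_get_courses()`. Reading one superglobal in both places and validating the shape would make the intent explicit, e.g. `$date = isset( $_GET['date'] ) ? sanitize_text_field( wp_unslash( $_GET['date'] ) ) : date( 'Y-m-d', strtotime( 'Sunday +'.$day.' days' ) );` followed by a `DateTime::createFromFormat( 'Y-m-d', $date )` check that falls back to the computed default. The enclosing function starts outside the hunk.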
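--- a/course-booking-system/trunk/includes/admin/single.php
+++ b/course-booking-system/trunk/includes/admin/single.php
@@ -348,4 +348,7 @@
     $post_id = intval( $_REQUEST['post_id'] );
 
+    if ( empty( $post_id ) || !current_user_can( 'edit_course', $post_id ) || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
+        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
+
     $wpdb->insert(
         $wpdb->prefix.'cbs_data',
@@ -365,14 +368,15 @@
     cbs_save_timeslots();
 
+    $post_id = intval( $_REQUEST['post_id'] );
     $delete_id = intval( $_REQUEST['delete_id'] );
-    $post_id = intval( $_REQUEST['post_id'] );
-
-    if ( !empty( $delete_id ) && !empty( $post_id ) ) :
-        $wpdb->delete(
-            $wpdb->prefix.'cbs_data',
-            array( 'id' => $delete_id, 'post_id' => $post_id ),
-            array( '%d', '%d' )
-        );
-    endif;
+
+    if ( empty( $post_id ) || empty( $delete_id ) || !current_user_can( 'edit_course', $post_id ) || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
+        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
+
+    $wpdb->delete(
+        $wpdb->prefix.'cbs_data',
+        array( 'id' => $delete_id, 'post_id' => $post_id ),
+        array( '%d', '%d' )
+    );
 
     echo cbs_data_options_table( $post_id );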
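Review bot: In the delete handler, `cbs_save_timeslots();` (line 368) runs before the new nonce and capability guard at line 373, so that save path is reached on an unverified request unless `cbs_save_timeslots()` performs the same check itself; the first hunk at line 350 may well be that function, but its name is outside the hunk, so this needs confirming. Either move the guard (together with the two `intval()` reads it depends on) ahead of the call, or add `// cbs_save_timeslots() verifies nonce and edit_course itself` once that is verified. Both guards read `$_REQUEST['nonce']` directly, which raises an undefined-index notice when the key is missing; `wp_verify_nonce( $_REQUEST['nonce'] ?? '', 'ajax-nonce' )` avoids that. The `wp_die( __( 'AJAX nonce is not valid.', ... ) )` text is also what a user sees when only `current_user_can( 'edit_course', $post_id )` fails, which makes support reports harder to triage; a distinct message for the capability branch would help. The enclosing functions start outside the hunks.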
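--- a/course-booking-system/trunk/includes/admin/user.php
+++ b/course-booking-system/trunk/includes/admin/user.php
@@ -25,7 +25,6 @@
 
         if ( $role ) {
-            foreach ( $capabilities as $capability ) {
+            foreach ( $capabilities as $capability )
                 $role->add_cap( $capability );
-            }
         }
     }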
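Review bot: Dropping the braces around the single-statement `foreach` (new line 27) is a style regression: the WordPress coding standards that the surrounding `if ( $role ) {` block follows require braces on every control structure, and a brace-less loop is the classic setup for a second statement being added later outside the loop body. Keeping `foreach ( $capabilities as $capability ) {` and its closing `}` costs one line. The enclosing function starts outside the hunk.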
  • course-booking-system/trunk/includes/ajax.php

    r3278753 r3280795  
    99    $date      = sanitize_text_field( $_REQUEST['date'] );
    1010    $user_id   = empty( $custom_user_id ) ? sanitize_text_field( $_REQUEST['user_id'] ) : $custom_user_id;
     11
     12    // Activate for version 6.1.2
     13    /* if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     14        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
    1115
    1216    $courses = cbs_get_courses( array(
     
    258262    $date       = sanitize_text_field( $_REQUEST['date'] );
    259263    $user_id    = sanitize_text_field( $_REQUEST['user_id'] );
     264
     265    // Activate for version 6.1.2
     266    /* if ( empty( $booking_id ) || empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     267        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
    260268
    261269    $goodwill = ( !empty( $_REQUEST['goodwill'] ) ) ? sanitize_text_field( $_REQUEST['goodwill'] ) : false;
     
    504512    $user_id   = sanitize_text_field( $_REQUEST['user_id'] );
    505513
     514    // Activate for version 6.1.2
     515    /* if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     516        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
     517
    506518    $goodwill = ( !empty( $_REQUEST['goodwill'] ) ) ? sanitize_text_field( $_REQUEST['goodwill'] ) : false;
    507519
     
    646658    $user_id   = sanitize_text_field( $_REQUEST['user_id'] );
    647659
     660    // Activate for version 6.1.2
     661    /* if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     662        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
     663
    648664    if ( is_user_logged_in() && !empty( $user_id ) && ( get_current_user_id() == $user_id || in_array( reset( $current_user->roles ), $roles ) ) ) {
    649665        $wpdb->insert(
     
    672688    $user_id   = sanitize_text_field( $_REQUEST['user_id'] );
    673689
     690    // Activate for version 6.1.2
     691    /* if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     692        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
     693
    674694    if ( is_user_logged_in() && !empty( $user_id ) && ( get_current_user_id() == $user_id || in_array( reset( $current_user->roles ), $roles ) ) ) {
    675695        $waitlists = $wpdb->delete(
     
    731751    $user_id   = sanitize_text_field( $_REQUEST['user_id'] );
    732752
    733     if ( is_user_logged_in() && !empty( $user_id ) && in_array( reset( $current_user->roles ), $roles ) ) {
    734         $wpdb->delete(
    735             $wpdb->prefix.'cbs_substitutes',
    736             array( 'course_id' => $course_id, 'date' => $date ),
    737             array( '%d', '%s')
    738         );
    739 
    740         // Check if substitute is not actual user of course
    741         $courses = $wpdb->get_results( $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}cbs_data WHERE id = %d LIMIT 1", array( $course_id ) ) );
    742         foreach ( $courses as $course ) {
    743             if ( $course->user_id != $user_id ) {
    744                 $wpdb->insert(
    745                     $wpdb->prefix.'cbs_substitutes',
    746                     array( 'course_id' => $course_id, 'date' => $date, 'user_id' => $user_id ),
    747                     array( '%d', '%s', '%d' )
    748                 );
    749             }
     753    if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !in_array( reset( $current_user->roles ), $roles ) || !current_user_can( 'edit_courses' ) || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     754        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
     755
     756    $wpdb->delete(
     757        $wpdb->prefix.'cbs_substitutes',
     758        array( 'course_id' => $course_id, 'date' => $date ),
     759        array( '%d', '%s')
     760    );
     761
     762    // Check if substitute is not actual user of course
     763    $courses = $wpdb->get_results( $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}cbs_data WHERE id = %d LIMIT 1", array( $course_id ) ) );
     764    foreach ( $courses as $course ) {
     765        if ( $course->user_id != $user_id ) {
     766            $wpdb->insert(
     767                $wpdb->prefix.'cbs_substitutes',
     768                array( 'course_id' => $course_id, 'date' => $date, 'user_id' => $user_id ),
     769                array( '%d', '%s', '%d' )
     770            );
    750771        }
    751 
    752         wc_print_notice( __( 'Substitute saved successfully. Existing bookings remain unchanged. Participants will not be notified automatically.', 'course-booking-system' ), 'success' );
    753     }
     772    }
     773
     774    wc_print_notice( __( 'Substitute saved successfully. Existing bookings remain unchanged. Participants will not be notified automatically.', 'course-booking-system' ), 'success' );
    754775
    755776    wp_die();
     
    767788    $date       = sanitize_text_field( $_REQUEST['date'] );
    768789    $attendance = sanitize_text_field( $_REQUEST['attendance'] );
     790
     791    // Activate for version 6.1.2
     792    /* if ( empty( $course_id ) || empty( $date ) || empty( $user_id ) || !is_user_logged_in() || !current_user_can( 'edit_courses' ) || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     793        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) ); */
    769794
    770795    if ( $attendance == 0 )
     
    10771102    $note      = sanitize_text_field( $_REQUEST['note'] );
    10781103
    1079     if ( is_user_logged_in() && ( in_array( reset( $current_user->roles ), $roles ) ) ) {
    1080         $wpdb->delete(
     1104    if ( empty( $course_id ) || empty( $date ) || empty( $note ) || !is_user_logged_in() || !in_array( reset( $current_user->roles ), $roles ) || !current_user_can( 'edit_courses' ) || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     1105        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
     1106
     1107    $wpdb->delete(
     1108        $wpdb->prefix.'cbs_notes',
     1109        array( 'course_id' => $course_id, 'date' => $date ),
     1110        array( '%d', '%s')
     1111    );
     1112
     1113    if ( !empty( $note ) ) {
     1114        $wpdb->insert(
    10811115            $wpdb->prefix.'cbs_notes',
    1082             array( 'course_id' => $course_id, 'date' => $date ),
    1083             array( '%d', '%s')
     1116            array( 'course_id' => $course_id, 'date' => $date, 'note' => $note ),
     1117            array( '%d', '%s', '%s' )
    10841118        );
    1085 
    1086         if ( !empty( $note ) ) {
    1087             $wpdb->insert(
    1088                 $wpdb->prefix.'cbs_notes',
    1089                 array( 'course_id' => $course_id, 'date' => $date, 'note' => $note ),
    1090                 array( '%d', '%s', '%s' )
    1091             );
    1092         }
    1093 
    1094         wc_print_notice( __( 'Note saved successfully.', 'course-booking-system' ), 'success' );
    1095     }
     1119    }
     1120
     1121    wc_print_notice( __( 'Note saved successfully.', 'course-booking-system' ), 'success' );
    10961122
    10971123    wp_die();
     
    11271153    $abo_course = sanitize_text_field( $_REQUEST['abo_course'] );
    11281154
    1129     if ( is_user_logged_in() ) {
    1130         $user_id = get_current_user_id();
    1131         update_user_meta( $user_id, 'abo_course', sanitize_text_field( $_POST['abo_course'] ) );
    1132 
    1133         wc_print_notice( __( 'Subscription course saved successfully.', 'course-booking-system' ), 'success' );
    1134     }
     1155    if ( empty( $abo_course ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     1156        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
     1157
     1158    $user_id = get_current_user_id();
     1159    update_user_meta( $user_id, 'abo_course', sanitize_text_field( $_POST['abo_course'] ) );
     1160
     1161    wc_print_notice( __( 'Subscription course saved successfully.', 'course-booking-system' ), 'success' );
    11351162
    11361163    wp_die();
     
    11491176    $message = sanitize_text_field( $_REQUEST['message'] );
    11501177
    1151     if ( $sms && !empty( $to ) && !empty( $message ) )
    1152         wp_mail( 'email2sms@smspoint.de', $sms_token, 'from='.$sms_sender_name.'|to='.$to.'|message='.$message );
     1178    if ( !$sms || empty( $to ) || empty( $message ) || !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     1179        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
     1180
     1181    wp_mail( 'email2sms@smspoint.de', $sms_token, 'from='.$sms_sender_name.'|to='.$to.'|message='.$message );
    11531182
    11541183    wc_print_notice( __( 'The SMS was sent successfully.', 'course-booking-system' ), 'success' );
     
    11641193    $user_id = intval( $_REQUEST['user_id'] );
    11651194    $notifications = $_REQUEST['notifications'];
     1195
     1196    if ( !is_user_logged_in() || !wp_verify_nonce( $_REQUEST['nonce'], 'ajax-nonce' ) )
     1197        wp_die( __( 'AJAX nonce is not valid.', 'course-booking-system' ) );
    11661198
    11671199    if ( empty( $user_id ) || empty( $notifications ) ) :
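Review bot: Six handlers in this file still run with no request check in 6.1.1: the `is_user_logged_in()`/`wp_verify_nonce()` guards added at new lines 13, 265, 515, 661, 691 and 792 sit inside `/* ... */` with "Activate for version 6.1.2", so the booking, booking-delete, abo-delete, waitlist, waitlist-delete and attendance actions remain unguarded while the sibling handlers at 753, 1104, 1155, 1178 and 1196 are checked. The client already sends `nonce: course_booking_system_ajax.nonce` for each of these actions (ajax.js in this changeset), so at least the `wp_verify_nonce()` term of every commented guard can be enabled now; if guest booking is intentional, drop only the `is_user_logged_in()` term rather than the whole condition. In the subscription handler the guard tests `$abo_course`, read from `$_REQUEST`, but line 1159 stores `$_POST['abo_course']`, which can differ or be unset; `update_user_meta( $user_id, 'abo_course', $abo_course );` keeps the checked and stored values the same. The notifications handler (line 1196) verifies login and nonce but `$user_id` comes from the request, so unless the code below the hunk compares it with `get_current_user_id()` as line 664 does, or checks a capability, one account can change another's settings; the SMS handler at 1178 similarly lets any logged-in user send through the site's SMS account and should require something like `current_user_can( 'edit_courses' )`. Every new guard also reads `$_REQUEST['nonce']` directly, which emits an undefined-index notice when absent (`$_REQUEST['nonce'] ?? ''`), and reports "AJAX nonce is not valid." for role and capability failures too.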
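--- a/course-booking-system/trunk/includes/assets.php
+++ b/course-booking-system/trunk/includes/assets.php
@@ -27,4 +27,5 @@
     wp_localize_script( 'course-booking-system-ajax', 'course_booking_system_ajax', array(
         'ajaxurl' => admin_url( 'admin-ajax.php' ),
+        'nonce'   => wp_create_nonce( 'ajax-nonce' ),
         'offset'  => get_option( 'course_booking_system_message_offset' )
         )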
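Review bot: The nonce is now embedded in the localized script object (new line 29), so it is minted once per page render and bound to the session of the user who rendered the page; if the front end is served from a full-page cache, every visitor receives the same, eventually expired, nonce and the new `wp_verify_nonce()` guards in includes/ajax.php will reject their requests. Excluding the booking pages from caching, or fetching the nonce per request, avoids that. A comment such as `// checked by wp_verify_nonce( ..., 'ajax-nonce' ) in includes/ajax.php and includes/admin/single.php` would document the coupling between this handle and the server-side checks. The enclosing function starts outside the hunk.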
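--- a/course-booking-system/trunk/includes/woocommerce/woocommerce.php
+++ b/course-booking-system/trunk/includes/woocommerce/woocommerce.php
@@ -450,6 +450,6 @@
     // Check if supported download method is used
     $woocommerce_file_download_method = get_option( 'woocommerce_file_download_method' );
-    $woocommerce_downloads_require_login = get_option( 'woocommerce_downloads_require_login' );
-    // if ( ( $woocommerce_file_download_method != 'xsendfile' && $woocommerce_file_download_method != 'redirect' ) || $woocommerce_downloads_require_login != 'yes' ) {
+    /* $woocommerce_downloads_require_login = get_option( 'woocommerce_downloads_require_login' );
+    if ( ( $woocommerce_file_download_method != 'xsendfile' && $woocommerce_file_download_method != 'redirect' ) || $woocommerce_downloads_require_login != 'yes' ) { */
     if ( ( $woocommerce_file_download_method != 'xsendfile' && $woocommerce_file_download_method != 'redirect' ) ) {
         ?>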
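Review bot: The `woocommerce_downloads_require_login` variant of the condition was already disabled with `//` on the old side and is now kept as a `/* */` block (new lines 452–453) instead of being removed; if the require-login check is not coming back, delete the dead code, since it no longer matches the active `if` on line 454 and will only drift further. If it is meant to return, a `// TODO: re-enable the downloads_require_login check once <reason it was disabled> is resolved` is more useful to the next reader than the bare commented statements. The enclosing function starts outside the hunk.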
  • course-booking-system/trunk/readme.txt

    r3278753 r3280795  
    55Tested up to: 6.8.1
    66Requires PHP: 7.0
    7 Stable tag: 6.1
     7Stable tag: 6.1.1
    88License: GPLv3
    99License URI: https://www.gnu.org/licenses/gpl-3.0.html
     
    106106== Changelog ==
    107107
     108= 6.1.1 =
     109* Vulnerability fix.
     110* Compatibility for latest WooCommerce version.
     111
    108112= 6.1 =
    109113* SMS sending service.