Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3285238

Timestamp:

04/30/2025 09:06:29 PM (11 months ago)

Author:

mediaticus

Message:

Deploy version 1.6.7

Location:

subaccounts-for-woocommerce/trunk

Files:

: 3 edited

public/my-account.php (modified) (1 diff)
readme.txt (modified) (3 diffs)
subaccounts-for-woocommerce.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

subaccounts-for-woocommerce/trunk/public/my-account.php

-                      r3272812
+                      r3285238
     // Make sure we don't interfere My Account -> Addresses forms.
+    if ( is_wc_endpoint_url( 'subaccounts' ) ) {
+    if ( ! is_wc_endpoint_url( 'subaccounts' ) )
+        return;
+    // Retrieve (Ajax) user_id of customer which is currently being edited My Account -> Subaccounts -> Manage Subaccounts.
+    if ( isset( $_POST['sfwc_frontend_edit_subaccount_user_id'] ) ) {
+        $user_id = absint( sanitize_text_field( $_POST['sfwc_frontend_edit_subaccount_user_id'] ) );
+    } else {
+        return;
+    }
+    // Before proceeding check if nonce is in place and verfy it. Leave this after checking: isset( $_POST['sfwc_frontend_edit_subaccount_user_id'] )
+    if ( ! isset( $_POST['sfwc_nonce_frontend_edit_subaccount_form'] ) || isset( $_POST['sfwc_nonce_frontend_edit_subaccount_form'] ) && ! wp_verify_nonce( $_POST['sfwc_nonce_frontend_edit_subaccount_form'], 'sfwc_nonce_frontend_edit_subaccount_action' ) ) {
+        wc_add_notice( esc_html__( 'Nonce could not be verified.', 'subaccounts-for-woocommerce' ), 'error');
+        return;
+    }
+    $parent_id = get_current_user_id();
+    $sfwc_options = (array) get_option('sfwc_options');
+    $sfwc_option_selected_roles = ( isset( $sfwc_options['sfwc_option_selected_roles'] ) ) ? $sfwc_options['sfwc_option_selected_roles'] : array('customer', 'subscriber');
+    $parent_account_level_type = get_user_meta( $parent_id, 'sfwc_account_level_type', true );
+    $subaccount_account_level_type = get_user_meta( $user_id, 'sfwc_account_level_type', true );
+    if ( is_user_logged_in() && sfwc_is_current_user_role_valid() && sfwc_is_current_user_role_enabled() && ( $parent_account_level_type == 'supervisor' || $parent_account_level_type == 'manager' ) ) {
         /**
+         *
+         * Validation.
+         *
          */
+        // Retrieve (Ajax) user_id of customer which is currently being edited My Account -> Subaccounts -> Manage Subaccounts.
+        if ( isset( $_POST['sfwc_frontend_edit_subaccount_user_id'] ) ) {
+            $user_id = absint( sanitize_text_field( $_POST['sfwc_frontend_edit_subaccount_user_id'] ) );
+        } else {
+        // Get children (array) of currently logged in user.
+        $children_ids = get_user_meta( $parent_id, 'sfwc_children', true );
+        /**
+         * Remove no longer existing users from the $children_ids array
+         * in case a user has been deleted (but still present within 'sfwc_children' meta of an ex parent account).
+         */
+        $existing_children_ids = array();
+        if ( ! empty ( $children_ids ) ) {
+            if ( $parent_account_level_type == 'supervisor' ) {
+                foreach ( $children_ids as $single_id ) {
+                    // Check if user still exists.
+                    $user_exists = get_userdata( $single_id );
+                    if ( $user_exists !== false ) {
+                        // Check if user role is valid and enabled from plugin settings.
+                        if ( sfwc_is_user_role_valid( $single_id ) && sfwc_is_user_role_enabled( $single_id ) && get_user_meta( $single_id, 'sfwc_account_level_type', true ) == 'manager' ) {
+                            $existing_children_ids[] = $single_id;
+                            // In case currently logged in user is a Supervisor we get also subaccounts of the Manager.
+                            $children_ids_deep = get_user_meta( $single_id, 'sfwc_children', true );
+                            if ( ! empty ( $children_ids_deep ) ) {
+                                foreach ( $children_ids_deep as $single_id_deep ) {
+                                    // Check if user still exists.
+                                    $user_exists = get_userdata( $single_id_deep );
+                                    if ( $user_exists !== false ) {
+                                        // Check if user role is valid and enabled from plugin settings.
+                                        if ( sfwc_is_user_role_valid( $single_id_deep ) && sfwc_is_user_role_enabled( $single_id_deep ) &&
+                                             get_user_meta( $single_id_deep, 'sfwc_account_level_type', true ) !== 'supervisor' &&
+                                             get_user_meta( $single_id_deep, 'sfwc_account_level_type', true ) !== 'manager' )
+                                        {
+                                            $existing_children_ids[] = $single_id_deep;
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            } elseif ( $parent_account_level_type == 'manager' ) {
+                foreach ( $children_ids as $single_id ) {
+                    // Check if user still exists.
+                    $user_exists = get_userdata( $single_id );
+                    if ( $user_exists !== false ) {
+                        // Check if user role is valid and enabled from plugin settings.
+                        if ( sfwc_is_user_role_valid( $single_id ) && sfwc_is_user_role_enabled( $single_id ) &&
+                             get_user_meta( $single_id, 'sfwc_account_level_type', true ) !== 'supervisor' &&
+                             get_user_meta( $single_id, 'sfwc_account_level_type', true ) !== 'manager' )
+                        {
+                            $existing_children_ids[] = $single_id;
+                        }
+                    }
+                }
+            }
+        }
+        /**
+         * Validation
+         *
+         * - Verify that the ID of the user being edited belongs to a subaccount of the currently logged-in parent account;
+         * - Verify the account level type of the subaccount.
+         */
+        if (
+            ! in_array( $user_id, $existing_children_ids ) ||
+            ( $parent_account_level_type == 'supervisor' && $subaccount_account_level_type == 'supervisor' ) ||
+            ( $parent_account_level_type == 'manager' && ( $subaccount_account_level_type == 'supervisor' || $subaccount_account_level_type == 'manager' ) )
+        ) {
+            wc_add_notice( esc_html__( 'You are not allowed to edit this user.', 'subaccounts-for-woocommerce' ), 'error');
             return;
+        }
+        // Before proceeding check if nonce is in place and verfy it.
+        // Leave this after checking: isset( $_POST['sfwc_frontend_edit_subaccount_user_id'] )
+        if ( ! isset( $_POST['sfwc_nonce_frontend_edit_subaccount_form'] ) || isset( $_POST['sfwc_nonce_frontend_edit_subaccount_form'] ) && ! wp_verify_nonce( $_POST['sfwc_nonce_frontend_edit_subaccount_form'], 'sfwc_nonce_frontend_edit_subaccount_action' ) ) {
+            wc_add_notice( esc_html__( 'Nonce could not be verified.', 'subaccounts-for-woocommerce' ), 'error');
+            return;
+        }

subaccounts-for-woocommerce/trunk/readme.txt

-                      r3273751
+                      r3285238
 Tested up to: 6.8
 Requires PHP: 5.7
 Stable tag: 1.6.6
+Stable tag: 1.6.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 1.6.7 =
+*Release Date April 30, 2025*
+* **Improvement** – Fix Broken Authentication vulnerability.
 = 1.6.6 =
 *Release Date April 15, 2025*
 …
 * **Fix** – Fix undefined `filter_account_type` on Edit Subaccount page in frontend.
 * **Tweak** – Display `Account`, `Contact Us` and `Add-ons` submenu items as plugin tabs in the backend.
 * **Tweak** – Provide both an HTML `class` and a unique HTML `id` for each navigation tab present in the `Subaccount` page on frontend.
+* **Tweak** – Provide both a HTML `class` and a unique HTML `id` for each navigation tab present in the `Subaccount` page on frontend.
 * **Tweak** – Provide HTML classes for each table column on the frontend `Manage Subaccounts` table.
 * **Tweak** – Changed the HTML markup of the fields in the "Account Details" section of the `Edit Subaccount` frontend form.

subaccounts-for-woocommerce/trunk/subaccounts-for-woocommerce.php

-                      r3273751
+                      r3285238
  * Plugin URI: https://subaccounts.pro/
  * Description: Subaccounts for WooCommerce allows the creation of subaccounts for your WooCommerce customers and subscribers.
  * Version: 1.6.6
+ * Version: 1.6.7
  * Requires Plugins: woocommerce
  * Author: Mediaticus
 …
  * Tested up to: 6.8
+ *
  * WC tested up to: 9.8.1
+ * WC tested up to: 9.8.3
  * Requires PHP: 5.7
+ *
 …
 if ( ! defined( 'SFWC_CURRENT_VERSION' ) ) {
     define( 'SFWC_CURRENT_VERSION', '1.6.6' ); // MAJOR.MINOR.PATCH
+    define( 'SFWC_CURRENT_VERSION', '1.6.7' ); // MAJOR.MINOR.PATCH
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3285238

Legend:

subaccounts-for-woocommerce/trunk/public/my-account.php

subaccounts-for-woocommerce/trunk/readme.txt

subaccounts-for-woocommerce/trunk/subaccounts-for-woocommerce.php

Download in other formats: