Changeset 3442404
- Timestamp:
- 01/19/2026 10:16:28 AM (7 weeks ago)
- Location:
- wemail
- Files:
-
- 16 edited
- 1 copied
-
tags/2.0.8 (copied) (copied from wemail/trunk)
-
tags/2.0.8/includes/Rest/Csv.php (modified) (4 diffs)
-
tags/2.0.8/includes/Rest/Forms.php (modified) (1 diff)
-
tags/2.0.8/includes/WeMail.php (modified) (1 diff)
-
tags/2.0.8/readme.txt (modified) (2 diffs)
-
tags/2.0.8/vendor/autoload.php (modified) (1 diff)
-
tags/2.0.8/vendor/composer/autoload_real.php (modified) (5 diffs)
-
tags/2.0.8/vendor/composer/autoload_static.php (modified) (2 diffs)
-
tags/2.0.8/wemail.php (modified) (1 diff)
-
trunk/includes/Rest/Csv.php (modified) (4 diffs)
-
trunk/includes/Rest/Forms.php (modified) (1 diff)
-
trunk/includes/WeMail.php (modified) (1 diff)
-
trunk/readme.txt (modified) (2 diffs)
-
trunk/vendor/autoload.php (modified) (1 diff)
-
trunk/vendor/composer/autoload_real.php (modified) (5 diffs)
-
trunk/vendor/composer/autoload_static.php (modified) (2 diffs)
-
trunk/wemail.php (modified) (1 diff)
wemail/tags/2.0.8/includes/Rest/Csv.php
r3359591 r3442404 6 6 use WP_REST_Response; 7 7 use WP_REST_Server; 8 use WP_User_Query;9 8 10 9 class Csv { … … 31 30 array( 32 31 'methods' => WP_REST_Server::READABLE, 33 'permission_callback' => array( $this, ' permission' ),32 'permission_callback' => array( $this, 'can_csv_upload' ), 34 33 'callback' => array( $this, 'csv_file_info' ), 35 34 ), … … 49 48 array( 50 49 'methods' => WP_REST_Server::READABLE, 51 'permission_callback' => array( $this, ' permission' ),50 'permission_callback' => array( $this, 'can_meta_fields' ), 52 51 'callback' => array( $this, 'meta_fields' ), 53 52 ), … … 67 66 array( 68 67 'methods' => WP_REST_Server::READABLE, 69 'permission_callback' => array( $this, ' permission' ),68 'permission_callback' => array( $this, 'can_get_subscribers' ), 70 69 'callback' => array( $this, 'subscribers' ), 71 70 ), 72 71 ) 73 72 ); 74 }75 76 public function permission( $request ) {77 $api_key = $request->get_header( 'X-WeMail-Key' );78 79 $user_email = $request->get_header( 'x-wemail-user' );80 81 if ( ! empty( $user_email ) ) {82 $user = get_user_by( 'email', $user_email );83 84 if ( $user ) {85 wp_set_current_user( $user->ID );86 return wemail()->user->can( 'create_subscriber' );87 }88 }89 90 if ( ! empty( $api_key ) ) {91 $query = new WP_User_Query(92 array(93 'fields' => 'ID',94 'meta_key' => 'wemail_api_key',95 'meta_value' => $api_key,96 )97 );98 99 if ( $query->get_total() ) {100 $results = $query->get_results();101 $user_id = array_pop( $results );102 103 wp_set_current_user( $user_id );104 105 return wemail()->user->can( 'create_subscriber' );106 }107 }108 109 return false;110 73 } 111 74 -
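Review bot: The three permission callbacks now referenced in register_routes — `can_csv_upload`, `can_meta_fields` and `can_get_subscribers` — are not defined anywhere in this changeset, while the only permission method the Csv class had is deleted; unless they come from a parent class or trait outside the hunk, the routes point at non-callable handlers and every request to them fails at dispatch instead of being authorised. Because the removed method chose the current user from request headers, each replacement should state which credential it validates, e.g. a docblock on `can_csv_upload` reading `Permission callback: requires an authenticated WordPress user holding the weMail 'create_subscriber' capability.` The dropped `use WP_User_Query;` suggests the API-key lookup moved elsewhere; worth confirming the new callbacks still cover the key-based client path the old code served, or that it was deliberately retired. The same hunk is repeated in trunk/includes/Rest/Csv.php.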
wemail/tags/2.0.8/includes/Rest/Forms.php
r3164699 r3442404 122 122 } 123 123 124 /** 125 * Permission callback for form endpoints 126 * Requires WordPress authentication, weMail role-based capability checks, and nonce verification 127 * 128 * @param \WP_REST_Request $request 129 * 130 * @return bool 131 */ 124 132 public function permission( $request ) { 133 // 1. Require WordPress authentication (user must be logged in) 134 if ( ! is_user_logged_in() ) { 135 return false; 136 } 137 138 // 2. Check user has appropriate weMail role-based capabilities 139 if ( ! function_exists( 'wemail' ) || ! method_exists( wemail(), 'user' ) ) { 140 return false; 141 } 142 143 if ( ! wemail()->user->can( 'manage_form' ) ) { 144 return false; 145 } 146 147 // 3. Require nonce verification for CSRF protection 125 148 $nonce = $request->get_header( 'X-WP-Nonce' ); 126 127 if ( $nonce && wp_verify_nonce( $nonce, 'wp_rest' ) ) { 128 return true; 129 } 130 131 return false; 149 if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) { 150 return false; 151 } 152 153 return true; 132 154 } 133 155 -
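Review bot: The guard `! method_exists( wemail(), 'user' )` on new line 139 tests for a method named `user`, but new line 143 reads `wemail()->user` as a property; if `user` is a property or served by `__get` (as the `wemail()->user->can()` usage elsewhere in the plugin suggests) rather than a method, this callback denies every request and the form endpoints become unusable, which looks like an ordinary permission failure in testing. Match the check to the access form, e.g. `if ( ! function_exists( 'wemail' ) || ! is_object( wemail()->user ) ) {`, or if `user` really is a method, call it consistently as `wemail()->user()->can( 'manage_form' )`. Requiring a valid `X-WP-Nonce` after `is_user_logged_in()` also rejects non-cookie authenticated clients such as application passwords; if that is intended, record it in the docblock, e.g. `Only cookie-authenticated requests carrying a valid 'wp_rest' nonce are accepted.` The same hunk is repeated in trunk/includes/Rest/Forms.php.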
wemail/tags/2.0.8/includes/WeMail.php
r3423372 r3442404 24 24 * @var string 25 25 */ 26 public $version = '2.0. 7';26 public $version = '2.0.8'; 27 27 28 28 /** -
wemail/tags/2.0.8/readme.txt
r3423372 r3442404 5 5 Requires at least: 5.6 6 6 Tested up to: 6.8.3 7 Stable tag: 2.0. 77 Stable tag: 2.0.8 8 8 Requires PHP: 7.4 9 9 License: GPLv2 or later … … 278 278 279 279 == Changelog == 280 v2.0.8 - (19th Jan, 2026) = 281 * Refactor permission callbacks for form and CSV handling 282 * Fix Wordfence security scan issues 283 280 284 v2.0.7 - (19th Dec, 2025) = 281 285 * Handle API calls when the API key is missing -
wemail/tags/2.0.8/vendor/autoload.php
r3423372 r3442404 5 5 require_once __DIR__ . '/composer/autoload_real.php'; 6 6 7 return ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125::getLoader();7 return ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7::getLoader(); -
wemail/tags/2.0.8/vendor/composer/autoload_real.php
r3423372 r3442404 3 3 // autoload_real.php @generated by Composer 4 4 5 class ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc1255 class ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7 6 6 { 7 7 private static $loader; … … 25 25 require __DIR__ . '/platform_check.php'; 26 26 27 spl_autoload_register(array('ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'), true, true);27 spl_autoload_register(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader'), true, true); 28 28 self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(\dirname(__FILE__))); 29 spl_autoload_unregister(array('ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'));29 spl_autoload_unregister(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader')); 30 30 31 31 $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded()); … … 33 33 require __DIR__ . '/autoload_static.php'; 34 34 35 call_user_func(\Composer\Autoload\ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::getInitializer($loader));35 call_user_func(\Composer\Autoload\ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::getInitializer($loader)); 36 36 } else { 37 37 $map = require __DIR__ . '/autoload_namespaces.php'; … … 54 54 55 55 if ($useStaticLoader) { 56 $includeFiles = Composer\Autoload\ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$files;56 $includeFiles = Composer\Autoload\ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$files; 57 57 } else { 58 58 $includeFiles = require __DIR__ . 
'/autoload_files.php'; 59 59 } 60 60 foreach ($includeFiles as $fileIdentifier => $file) { 61 composerRequire 18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file);61 composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file); 62 62 } 63 63 … … 71 71 * @return void 72 72 */ 73 function composerRequire 18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file)73 function composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file) 74 74 { 75 75 if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) { -
wemail/tags/2.0.8/vendor/composer/autoload_static.php
r3423372 r3442404 5 5 namespace Composer\Autoload; 6 6 7 class ComposerStaticInit 18fef7787195e2a0a9a89e28738fc1257 class ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7 8 8 { 9 9 public static $files = array ( … … 206 206 { 207 207 return \Closure::bind(function () use ($loader) { 208 $loader->prefixLengthsPsr4 = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$prefixLengthsPsr4;209 $loader->prefixDirsPsr4 = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$prefixDirsPsr4;210 $loader->classMap = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$classMap;208 $loader->prefixLengthsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixLengthsPsr4; 209 $loader->prefixDirsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixDirsPsr4; 210 $loader->classMap = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$classMap; 211 211 212 212 }, null, ClassLoader::class); -
wemail/tags/2.0.8/wemail.php
r3423372 r3442404 7 7 * Author: weDevs 8 8 * Author URI: https://getwemail.io/?utm_source=wp-org&utm_medium=author-uri 9 * Version: 2.0. 79 * Version: 2.0.8 10 10 * License: GPL-3.0 11 11 * License URI: https://www.gnu.org/licenses/gpl-2.0.html -
wemail/trunk/includes/Rest/Csv.php
r3359591 r3442404 6 6 use WP_REST_Response; 7 7 use WP_REST_Server; 8 use WP_User_Query;9 8 10 9 class Csv { … … 31 30 array( 32 31 'methods' => WP_REST_Server::READABLE, 33 'permission_callback' => array( $this, ' permission' ),32 'permission_callback' => array( $this, 'can_csv_upload' ), 34 33 'callback' => array( $this, 'csv_file_info' ), 35 34 ), … … 49 48 array( 50 49 'methods' => WP_REST_Server::READABLE, 51 'permission_callback' => array( $this, ' permission' ),50 'permission_callback' => array( $this, 'can_meta_fields' ), 52 51 'callback' => array( $this, 'meta_fields' ), 53 52 ), … … 67 66 array( 68 67 'methods' => WP_REST_Server::READABLE, 69 'permission_callback' => array( $this, ' permission' ),68 'permission_callback' => array( $this, 'can_get_subscribers' ), 70 69 'callback' => array( $this, 'subscribers' ), 71 70 ), 72 71 ) 73 72 ); 74 }75 76 public function permission( $request ) {77 $api_key = $request->get_header( 'X-WeMail-Key' );78 79 $user_email = $request->get_header( 'x-wemail-user' );80 81 if ( ! empty( $user_email ) ) {82 $user = get_user_by( 'email', $user_email );83 84 if ( $user ) {85 wp_set_current_user( $user->ID );86 return wemail()->user->can( 'create_subscriber' );87 }88 }89 90 if ( ! empty( $api_key ) ) {91 $query = new WP_User_Query(92 array(93 'fields' => 'ID',94 'meta_key' => 'wemail_api_key',95 'meta_value' => $api_key,96 )97 );98 99 if ( $query->get_total() ) {100 $results = $query->get_results();101 $user_id = array_pop( $results );102 103 wp_set_current_user( $user_id );104 105 return wemail()->user->can( 'create_subscriber' );106 }107 }108 109 return false;110 73 } 111 74 -
wemail/trunk/includes/Rest/Forms.php
r3164699 r3442404 122 122 } 123 123 124 /** 125 * Permission callback for form endpoints 126 * Requires WordPress authentication, weMail role-based capability checks, and nonce verification 127 * 128 * @param \WP_REST_Request $request 129 * 130 * @return bool 131 */ 124 132 public function permission( $request ) { 133 // 1. Require WordPress authentication (user must be logged in) 134 if ( ! is_user_logged_in() ) { 135 return false; 136 } 137 138 // 2. Check user has appropriate weMail role-based capabilities 139 if ( ! function_exists( 'wemail' ) || ! method_exists( wemail(), 'user' ) ) { 140 return false; 141 } 142 143 if ( ! wemail()->user->can( 'manage_form' ) ) { 144 return false; 145 } 146 147 // 3. Require nonce verification for CSRF protection 125 148 $nonce = $request->get_header( 'X-WP-Nonce' ); 126 127 if ( $nonce && wp_verify_nonce( $nonce, 'wp_rest' ) ) { 128 return true; 129 } 130 131 return false; 149 if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) { 150 return false; 151 } 152 153 return true; 132 154 } 133 155 -
wemail/trunk/includes/WeMail.php
r3423372 r3442404 24 24 * @var string 25 25 */ 26 public $version = '2.0. 7';26 public $version = '2.0.8'; 27 27 28 28 /** -
wemail/trunk/readme.txt
r3423372 r3442404 5 5 Requires at least: 5.6 6 6 Tested up to: 6.8.3 7 Stable tag: 2.0. 77 Stable tag: 2.0.8 8 8 Requires PHP: 7.4 9 9 License: GPLv2 or later … … 278 278 279 279 == Changelog == 280 v2.0.8 - (19th Jan, 2026) = 281 * Refactor permission callbacks for form and CSV handling 282 * Fix Wordfence security scan issues 283 280 284 v2.0.7 - (19th Dec, 2025) = 281 285 * Handle API calls when the API key is missing -
wemail/trunk/vendor/autoload.php
r3423372 r3442404 5 5 require_once __DIR__ . '/composer/autoload_real.php'; 6 6 7 return ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125::getLoader();7 return ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7::getLoader(); -
wemail/trunk/vendor/composer/autoload_real.php
r3423372 r3442404 3 3 // autoload_real.php @generated by Composer 4 4 5 class ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc1255 class ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7 6 6 { 7 7 private static $loader; … … 25 25 require __DIR__ . '/platform_check.php'; 26 26 27 spl_autoload_register(array('ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'), true, true);27 spl_autoload_register(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader'), true, true); 28 28 self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(\dirname(__FILE__))); 29 spl_autoload_unregister(array('ComposerAutoloaderInit 18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'));29 spl_autoload_unregister(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader')); 30 30 31 31 $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded()); … … 33 33 require __DIR__ . '/autoload_static.php'; 34 34 35 call_user_func(\Composer\Autoload\ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::getInitializer($loader));35 call_user_func(\Composer\Autoload\ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::getInitializer($loader)); 36 36 } else { 37 37 $map = require __DIR__ . '/autoload_namespaces.php'; … … 54 54 55 55 if ($useStaticLoader) { 56 $includeFiles = Composer\Autoload\ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$files;56 $includeFiles = Composer\Autoload\ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$files; 57 57 } else { 58 58 $includeFiles = require __DIR__ . 
'/autoload_files.php'; 59 59 } 60 60 foreach ($includeFiles as $fileIdentifier => $file) { 61 composerRequire 18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file);61 composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file); 62 62 } 63 63 … … 71 71 * @return void 72 72 */ 73 function composerRequire 18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file)73 function composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file) 74 74 { 75 75 if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) { -
wemail/trunk/vendor/composer/autoload_static.php
r3423372 r3442404 5 5 namespace Composer\Autoload; 6 6 7 class ComposerStaticInit 18fef7787195e2a0a9a89e28738fc1257 class ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7 8 8 { 9 9 public static $files = array ( … … 206 206 { 207 207 return \Closure::bind(function () use ($loader) { 208 $loader->prefixLengthsPsr4 = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$prefixLengthsPsr4;209 $loader->prefixDirsPsr4 = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$prefixDirsPsr4;210 $loader->classMap = ComposerStaticInit 18fef7787195e2a0a9a89e28738fc125::$classMap;208 $loader->prefixLengthsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixLengthsPsr4; 209 $loader->prefixDirsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixDirsPsr4; 210 $loader->classMap = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$classMap; 211 211 212 212 }, null, ClassLoader::class); -
wemail/trunk/wemail.php
r3423372 r3442404 7 7 * Author: weDevs 8 8 * Author URI: https://getwemail.io/?utm_source=wp-org&utm_medium=author-uri 9 * Version: 2.0. 79 * Version: 2.0.8 10 10 * License: GPL-3.0 11 11 * License URI: https://www.gnu.org/licenses/gpl-2.0.html