Changeset 4024 for branches/plugin/bbp-includes/bbp-forum-functions.php

Timestamp:

06/28/2012 05:24:22 PM (14 years ago)

Author:

johnjamesjacoby

Message:

Nonces:

• Use bbp_verify_nonce_request() to prevent the awkward wp_die() experience in forums.
• Add nonce checks to subscriptions and favorites.
• More aggressive returns on edit/new forum/topic/reply nonce and capability checks. Prevents surplus processing when we already know nothing more should happen.
• Bail early if bbp_has_errors() rather than wrapping around it.
• Fixes #1863.

File:

• branches/plugin/bbp-includes/bbp-forum-functions.php (modified) (8 diffs)

branches/plugin/bbp-includes/bbp-forum-functions.php

@@ -79 +79 @@
  *
  * @uses bbPress:errors::add() To log various error messages
- * @uses check_admin_referer() To verify the nonce and check the referer
+ * @uses bbp_verify_nonce_request() To verify the nonce and check the request
  * @uses bbp_is_anonymous() To check if an anonymous post is being made
  * @uses current_user_can() To check if the current user can publish forum
@@ -118 +118 @@
 
     // Nonce check
-    check_admin_referer( 'bbp-new-forum' );
+    if ( ! bbp_verify_nonce_request( 'bbp-new-forum' ) ) {
+        bbp_add_error( 'bbp_rew_forum_nonce', __( '<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress' ) );
+        return;
+    }
 
     // Define local variable(s)
@@ -130 +133 @@
     if ( !current_user_can( 'publish_forums' ) ) {
         bbp_add_error( 'bbp_forum_permissions', __( '<strong>ERROR</strong>: You do not have permission to create new forums.', 'bbpress' ) );
+        return;
     }
 
@@ -227 +231 @@
     do_action( 'bbp_new_forum_pre_extras' );
 
+    // Bail if errors
+    if ( bbp_has_errors() )
+        return;
+
     /** No Errors *************************************************************/
 
-    if ( !bbp_has_errors() ) {
-
-        /** Create new forum **************************************************/
-
-        // Add the content of the form to $forum_data as an array
-        $forum_data = array(
-            'post_author'    => $forum_author,
-            'post_title'     => $forum_title,
-            'post_content'   => $forum_content,
-            'post_parent'    => $forum_parent_id,
-            'post_status'    => $post_status,
-            'post_type'      => bbp_get_forum_post_type(),
-            'comment_status' => 'closed'
+    // Add the content of the form to $forum_data as an array
+    // Just in time manipulation of forum data before being created
+    $forum_data = apply_filters( 'bbp_new_forum_pre_insert', array(
+        'post_author'    => $forum_author,
+        'post_title'     => $forum_title,
+        'post_content'   => $forum_content,
+        'post_parent'    => $forum_parent_id,
+        'post_status'    => $post_status,
+        'post_type'      => bbp_get_forum_post_type(),
+        'comment_status' => 'closed'
+    ) );
+
+    // Insert forum
+    $forum_id = wp_insert_post( $forum_data );
+
+    /** No Errors *************************************************************/
+
+    if ( !empty( $forum_id ) && !is_wp_error( $forum_id ) ) {
+
+        /** Trash Check *******************************************************/
+
+        // If the forum is trash, or the forum_status is switched to
+        // trash, trash it properly
+        if ( ( get_post_field( 'post_status', $forum_id ) == bbp_get_trash_status_id() ) || ( $forum_data['post_status'] == bbp_get_trash_status_id() ) ) {
+
+            // Trash the reply
+            wp_trash_post( $forum_id );
+
+            // Force view=all
+            $view_all = true;
+        }
+
+        /** Spam Check ********************************************************/
+
+        // If reply or forum are spam, officially spam this reply
+        if ( $forum_data['post_status'] == bbp_get_spam_status_id() ) {
+            add_post_meta( $forum_id, '_bbp_spam_meta_status', bbp_get_public_status_id() );
+
+            // Force view=all
+            $view_all = true;
+        }
+
+        /** Update counts, etc... *********************************************/
+
+        $forum_args = array(
+            'forum_id'           => $forum_id,
+            'post_parent'        => $forum_parent_id,
+            'forum_author'       => $forum_author,
+            'last_topic_id'      => 0,
+            'last_reply_id'      => 0,
+            'last_active_id'     => 0,
+            'last_active_time'   => 0,
+            'last_active_status' => bbp_get_public_status_id()
         );
-
-        // Just in time manipulation of forum data before being created
-        $forum_data = apply_filters( 'bbp_new_forum_pre_insert', $forum_data );
-
-        // Insert forum
-        $forum_id = wp_insert_post( $forum_data );
-
-        /** No Errors *********************************************************/
-
-        if ( !empty( $forum_id ) && !is_wp_error( $forum_id ) ) {
-
-            /** Trash Check ***************************************************/
-
-            // If the forum is trash, or the forum_status is switched to
-            // trash, trash it properly
-            if ( ( get_post_field( 'post_status', $forum_id ) == bbp_get_trash_status_id() ) || ( $forum_data['post_status'] == bbp_get_trash_status_id() ) ) {
-
-                // Trash the reply
-                wp_trash_post( $forum_id );
-
-                // Force view=all
-                $view_all = true;
+        do_action( 'bbp_new_forum', $forum_args );
+
+        /** Additional Actions (After Save) ***********************************/
+
+        do_action( 'bbp_new_forum_post_extras', $forum_id );
+
+        /** Redirect **********************************************************/
+
+        // Redirect to
+        $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
+
+        // Get the forum URL
+        $redirect_url = bbp_get_forum_permalink( $forum_id, $redirect_to );
+
+        // Add view all?
+        if ( bbp_get_view_all() || !empty( $view_all ) ) {
+
+            // User can moderate, so redirect to forum with view all set
+            if ( current_user_can( 'moderate' ) ) {
+                $redirect_url = bbp_add_view_all( $redirect_url );
+
+            // User cannot moderate, so redirect to forum
+            } else {
+                $redirect_url = bbp_get_forum_permalink( $forum_id );
             }
-
-            /** Spam Check ****************************************************/
-
-            // If reply or forum are spam, officially spam this reply
-            if ( $forum_data['post_status'] == bbp_get_spam_status_id() ) {
-                add_post_meta( $forum_id, '_bbp_spam_meta_status', bbp_get_public_status_id() );
-
-                // Force view=all
-                $view_all = true;
-            }
-
-            /** Update counts, etc... *****************************************/
-
-            $forum_args = array(
-                'forum_id'           => $forum_id,
-                'post_parent'        => $forum_parent_id,
-                'forum_author'       => $forum_author,
-                'last_topic_id'      => 0,
-                'last_reply_id'      => 0,
-                'last_active_id'     => 0,
-                'last_active_time'   => 0,
-                'last_active_status' => bbp_get_public_status_id()
-            );
-            do_action( 'bbp_new_forum', $forum_args );
-
-            /** Additional Actions (After Save) *******************************/
-
-            do_action( 'bbp_new_forum_post_extras', $forum_id );
-
-            /** Redirect ******************************************************/
-
-            // Redirect to
-            $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
-
-            // Get the forum URL
-            $redirect_url = bbp_get_forum_permalink( $forum_id, $redirect_to );
-
-            // Add view all?
-            if ( bbp_get_view_all() || !empty( $view_all ) ) {
-
-                // User can moderate, so redirect to forum with view all set
-                if ( current_user_can( 'moderate' ) ) {
-                    $redirect_url = bbp_add_view_all( $redirect_url );
-
-                // User cannot moderate, so redirect to forum
-                } else {
-                    $redirect_url = bbp_get_forum_permalink( $forum_id );
-                }
-            }
-
-            // Allow to be filtered
-            $redirect_url = apply_filters( 'bbp_new_forum_redirect_to', $redirect_url, $redirect_to );
-
-            /** Successful Save ***********************************************/
-
-            // Redirect back to new forum
-            wp_safe_redirect( $redirect_url );
-
-            // For good measure
-            exit();
-
-        // Errors
-        } else {
-            $append_error = ( is_wp_error( $forum_id ) && $forum_id->get_error_message() ) ? $forum_id->get_error_message() . ' ' : '';
-            bbp_add_error( 'bbp_forum_error', __( '<strong>ERROR</strong>: The following problem(s) have been found with your forum:' . $append_error, 'bbpress' ) );
-        }
+        }
+
+        // Allow to be filtered
+        $redirect_url = apply_filters( 'bbp_new_forum_redirect_to', $redirect_url, $redirect_to );
+
+        /** Successful Save ***************************************************/
+
+        // Redirect back to new forum
+        wp_safe_redirect( $redirect_url );
+
+        // For good measure
+        exit();
+
+    // Errors
+    } else {
+        $append_error = ( is_wp_error( $forum_id ) && $forum_id->get_error_message() ) ? $forum_id->get_error_message() . ' ' : '';
+        bbp_add_error( 'bbp_forum_error', __( '<strong>ERROR</strong>: The following problem(s) have been found with your forum:' . $append_error, 'bbpress' ) );
     }
 }
@@ -340 +341 @@
  * @uses bbPress:errors::add() To log various error messages
  * @uses bbp_get_forum() To get the forum
- * @uses check_admin_referer() To verify the nonce and check the referer
+ * @uses bbp_verify_nonce_request() To verify the nonce and check the request
  * @uses bbp_is_forum_anonymous() To check if forum is by an anonymous user
  * @uses current_user_can() To check if the current user can edit the forum
@@ -386 +387 @@
     // Forum id was not passed
     if ( empty( $_POST['bbp_forum_id'] ) ) {
-        bbp_add_error( 'bbp_edit_forum_id', __( '<strong>ERROR</strong>: Forum ID not found.', 'bbpress' ) );
+        $forum_id = 0;
 
     // Forum id was passed
@@ -394 +395 @@
     }
 
+    // Nonce check
+    if ( ! bbp_verify_nonce_request( 'bbp-edit-forum_' . $forum_id ) ) {
+        bbp_add_error( 'bbp_edit_forum_nonce', __( '<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress' ) );
+        return;
+
     // Forum does not exist
-    if ( empty( $forum ) ) {
+    } elseif ( empty( $forum ) ) {
         bbp_add_error( 'bbp_edit_forum_not_found', __( '<strong>ERROR</strong>: The forum you want to edit was not found.', 'bbpress' ) );
-
-    // Forum exists
-    } else {
-
-        // Nonce check
-        check_admin_referer( 'bbp-edit-forum_' . $forum_id );
-
-        // User cannot edit this forum
-        if ( !current_user_can( 'edit_forum', $forum_id ) ) {
-            bbp_add_error( 'bbp_edit_forum_permissions', __( '<strong>ERROR</strong>: You do not have permission to edit that forum.', 'bbpress' ) );
-        }
+        return;
+
+    // User cannot edit this forum
+    } elseif ( !current_user_can( 'edit_forum', $forum_id ) ) {
+        bbp_add_error( 'bbp_edit_forum_permissions', __( '<strong>ERROR</strong>: You do not have permission to edit that forum.', 'bbpress' ) );
+        return;
     }
 
@@ -484 +485 @@
     do_action( 'bbp_edit_forum_pre_extras', $forum_id );
 
+    // Bail if errors
+    if ( bbp_has_errors() )
+        return;
+
     /** No Errors *************************************************************/
 
-    if ( !bbp_has_errors() ) {
-
-        /** Update the forum **************************************************/
-
-        // Add the content of the form to $forum_data as an array
-        $forum_data = array(
-            'ID'           => $forum_id,
-            'post_title'   => $forum_title,
-            'post_content' => $forum_content,
-            'post_status'  => $post_status,
-            'post_parent'  => $forum_parent_id
+    // Add the content of the form to $forum_data as an array
+    // Just in time manipulation of forum data before being edited
+    $forum_data = apply_filters( 'bbp_edit_forum_pre_insert', array(
+        'ID'           => $forum_id,
+        'post_title'   => $forum_title,
+        'post_content' => $forum_content,
+        'post_status'  => $post_status,
+        'post_parent'  => $forum_parent_id
+    ) );
+
+    // Insert forum
+    $forum_id = wp_update_post( $forum_data );
+
+    /** Revisions *************************************************************/
+
+    /**
+     * @todo omitted for 2.1
+    // Revision Reason
+    if ( !empty( $_POST['bbp_forum_edit_reason'] ) )
+        $forum_edit_reason = esc_attr( strip_tags( $_POST['bbp_forum_edit_reason'] ) );
+
+    // Update revision log
+    if ( !empty( $_POST['bbp_log_forum_edit'] ) && ( 1 == $_POST['bbp_log_forum_edit'] ) && ( $revision_id = wp_save_post_revision( $forum_id ) ) ) {
+        bbp_update_forum_revision_log( array(
+            'forum_id'    => $forum_id,
+            'revision_id' => $revision_id,
+            'author_id'   => bbp_get_current_user_id(),
+            'reason'      => $forum_edit_reason
+        ) );
+    }
+     */
+
+    /** No Errors *************************************************************/
+
+    if ( !empty( $forum_id ) && !is_wp_error( $forum_id ) ) {
+
+        // Update counts, etc...
+        $forum_args = array(
+            'forum_id'           => $forum_id,
+            'post_parent'        => $forum_parent_id,
+            'forum_author'       => $forum->post_author,
+            'last_topic_id'      => 0,
+            'last_reply_id'      => 0,
+            'last_active_id'     => 0,
+            'last_active_time'   => 0,
+            'last_active_status' => bbp_get_public_status_id()
         );
-
-        // Just in time manipulation of forum data before being edited
-        $forum_data = apply_filters( 'bbp_edit_forum_pre_insert', $forum_data );
-
-        // Insert forum
-        $forum_id = wp_update_post( $forum_data );
-
-        /** Revisions *********************************************************/
-
-        /**
-         * @todo omitted for 2.1
-        // Revision Reason
-        if ( !empty( $_POST['bbp_forum_edit_reason'] ) )
-            $forum_edit_reason = esc_attr( strip_tags( $_POST['bbp_forum_edit_reason'] ) );
-
-        // Update revision log
-        if ( !empty( $_POST['bbp_log_forum_edit'] ) && ( 1 == $_POST['bbp_log_forum_edit'] ) && ( $revision_id = wp_save_post_revision( $forum_id ) ) ) {
-            bbp_update_forum_revision_log( array(
-                'forum_id'    => $forum_id,
-                'revision_id' => $revision_id,
-                'author_id'   => bbp_get_current_user_id(),
-                'reason'      => $forum_edit_reason
-            ) );
-        }
-         *
-         */
-
-        /** No Errors *********************************************************/
-
-        if ( !empty( $forum_id ) && !is_wp_error( $forum_id ) ) {
-
-            // Update counts, etc...
-            $forum_args = array(
-                'forum_id'           => $forum_id,
-                'post_parent'        => $forum_parent_id,
-                'forum_author'       => $forum->post_author,
-                'last_topic_id'      => 0,
-                'last_reply_id'      => 0,
-                'last_active_id'     => 0,
-                'last_active_time'   => 0,
-                'last_active_status' => bbp_get_public_status_id()
-            );
-            do_action( 'bbp_edit_forum', $forum_args );
-
-            // If the new forum parent id is not equal to the old forum parent
-            // id, run the bbp_move_forum action and pass the forum's parent id
-            // as the first arg and new forum parent id as the second.
-            // @todo implement
-            //if ( $forum_id != $forum->post_parent )
-            //  bbp_move_forum_handler( $forum_parent_id, $forum->post_parent, $forum_id );
-
-            /** Additional Actions (After Save) *******************************/
-
-            do_action( 'bbp_edit_forum_post_extras', $forum_id );
-
-            /** Redirect ******************************************************/
-
-            // Redirect to
-            $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
-
-            // View all?
-            $view_all = bbp_get_view_all();
-
-            // Get the forum URL
-            $forum_url = bbp_get_forum_permalink( $forum_id, $redirect_to );
-
-            // Add view all?
-            if ( !empty( $view_all ) )
-                $forum_url = bbp_add_view_all( $forum_url );
-
-            // Allow to be filtered
-            $forum_url = apply_filters( 'bbp_edit_forum_redirect_to', $forum_url, $view_all, $redirect_to );
-
-            /** Successful Edit ***********************************************/
-
-            // Redirect back to new forum
-            wp_safe_redirect( $forum_url );
-
-            // For good measure
-            exit();
-
-        /** Errors ************************************************************/
-
-        } else {
-            $append_error = ( is_wp_error( $forum_id ) && $forum_id->get_error_message() ) ? $forum_id->get_error_message() . ' ' : '';
-            bbp_add_error( 'bbp_forum_error', __( '<strong>ERROR</strong>: The following problem(s) have been found with your forum:' . $append_error . 'Please try again.', 'bbpress' ) );
-        }
+        do_action( 'bbp_edit_forum', $forum_args );
+
+        // If the new forum parent id is not equal to the old forum parent
+        // id, run the bbp_move_forum action and pass the forum's parent id
+        // as the first arg and new forum parent id as the second.
+        // @todo implement
+        //if ( $forum_id != $forum->post_parent )
+        //  bbp_move_forum_handler( $forum_parent_id, $forum->post_parent, $forum_id );
+
+        /** Additional Actions (After Save) ***********************************/
+
+        do_action( 'bbp_edit_forum_post_extras', $forum_id );
+
+        /** Redirect **********************************************************/
+
+        // Redirect to
+        $redirect_to = !empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
+
+        // View all?
+        $view_all = bbp_get_view_all();
+
+        // Get the forum URL
+        $forum_url = bbp_get_forum_permalink( $forum_id, $redirect_to );
+
+        // Add view all?
+        if ( !empty( $view_all ) )
+            $forum_url = bbp_add_view_all( $forum_url );
+
+        // Allow to be filtered
+        $forum_url = apply_filters( 'bbp_edit_forum_redirect_to', $forum_url, $view_all, $redirect_to );
+
+        /** Successful Edit ***************************************************/
+
+        // Redirect back to new forum
+        wp_safe_redirect( $forum_url );
+
+        // For good measure
+        exit();
+
+    /** Errors ****************************************************************/
+
+    } else {
+        $append_error = ( is_wp_error( $forum_id ) && $forum_id->get_error_message() ) ? $forum_id->get_error_message() . ' ' : '';
+        bbp_add_error( 'bbp_forum_error', __( '<strong>ERROR</strong>: The following problem(s) have been found with your forum:' . $append_error . 'Please try again.', 'bbpress' ) );
     }
 }