Changeset 5133

Timestamp:

10/21/2013 08:19:16 PM (12 years ago)

Author:

johnjamesjacoby

Message:

About Page:

• On activation, check that current user can access About page before redirecting to it.
• Once activated, only add About & Settings links if current user can access those pages.
• Before making the current user a Keymaster, make sure they do not have a previous forum role, preventing role escalation if the current user was previously demoted.
• Fixes #2443.

Location:

trunk/includes

Files:

• admin/admin.php (modified) (3 diffs)
• admin/functions.php (modified) (2 diffs)
• admin/tools.php (modified) (1 diff)
• core/update.php (modified) (2 diffs)

trunk/includes/admin/admin.php

@@ -488 +488 @@
 
         // Return normal links if not bbPress
-        if ( plugin_basename( bbpress()->file ) !== $file )
+        if ( plugin_basename( bbpress()->file ) !== $file ) {
             return $links;
+        }
+
+        // New links to merge into existing links
+        $new_links = array();
+
+        // Settings page link
+        if ( current_user_can( 'bbp_settings_page' ) ) {
+            $new_links['settings'] = '<a href="' . add_query_arg( array( 'page' => 'bbpress'   ), admin_url( 'options-general.php' ) ) . '">' . esc_html__( 'Settings', 'bbpress' ) . '</a>';
+        }
+
+        // About page link
+        if ( current_user_can( 'bbp_about_page' ) ) {
+            $new_links['about']    = '<a href="' . add_query_arg( array( 'page' => 'bbp-about' ), admin_url( 'index.php'           ) ) . '">' . esc_html__( 'About',    'bbpress' ) . '</a>';
+        }
 
         // Add a few links to the existing links array
-        return array_merge( $links, array(
-            'settings' => '<a href="' . add_query_arg( array( 'page' => 'bbpress'   ), admin_url( 'options-general.php' ) ) . '">' . esc_html__( 'Settings', 'bbpress' ) . '</a>',
-            'about'    => '<a href="' . add_query_arg( array( 'page' => 'bbp-about' ), admin_url( 'index.php'           ) ) . '">' . esc_html__( 'About',    'bbpress' ) . '</a>'
-        ) );
+        return array_merge( $links, $new_links );
     }
 
@@ -1331 +1342 @@
     public function suggest_topic() {
 
-        // TRy to get some topics
+        // Try to get some topics
         $topics = get_posts( array(
             's'         => like_escape( $_REQUEST['q'] ),
@@ -1647 +1658 @@
                     <a class="button" href="update-core.php?page=bbpress-update"><?php esc_html_e( 'Go Back', 'bbpress' ); ?></a>
 
-                    <?php break; ?>
-
                 <?php
 

trunk/includes/admin/functions.php

@@ -174 +174 @@
 
     // Bail if no activation redirect
-    if ( ! get_transient( '_bbp_activation_redirect' ) )
-        return;
+    if ( ! get_transient( '_bbp_activation_redirect' ) ) {
+        return;
+    }
 
     // Delete the redirect transient
@@ -181 +182 @@
 
     // Bail if activating from network, or bulk
-    if ( is_network_admin() || isset( $_GET['activate-multi'] ) )
-        return;
+    if ( is_network_admin() || isset( $_GET['activate-multi'] ) ) {
+        return;
+    }
+
+    // Bail if the current user cannot see the about page
+    if ( ! current_user_can( 'bbp_about_page' ) ) {
+        return;
+    }
 
     // Redirect to bbPress about page

trunk/includes/admin/tools.php

@@ -1069 +1069 @@
 
         <h2 class="nav-tab-wrapper"><?php bbp_tools_admin_tabs( __( 'Reset Forums', 'bbpress' ) ); ?></h2>
-        <p><?php esc_html_e( 'This will revert your forums back to a brand new installation. This process cannot be undone. <strong>Backup your database before proceeding</strong>.', 'bbpress' ); ?></p>
+        <p><?php esc_html_e( 'Revert your forums back to a brand new installation. This process cannot be undone.', 'bbpress' ); ?></p>
+        <p><strong><?php esc_html_e( 'Backup your database before proceeding.', 'bbpress' ); ?></strong></p>
 
         <form class="settings" method="post" action="">

trunk/includes/core/update.php

@@ -338 +338 @@
 
     // Bail if the current user can't activate plugins since previous pageload
-    if ( ! current_user_can( 'activate_plugins' ) )
-        return;
+    if ( ! current_user_can( 'activate_plugins' ) ) {
+        return;
+    }
 
     // Get the current user ID
@@ -346 +347 @@
 
     // Bail if user is not actually a member of this site
-    if ( ! is_user_member_of_blog( $user_id, $blog_id ) )
-        return;
-
-    // Bail if the current user is already a keymaster
-    if ( bbp_is_user_keymaster( $user_id ) )
-        return;
+    if ( ! is_user_member_of_blog( $user_id, $blog_id ) ) {
+        return;
+    }
+
+    // Bail if the current user already has a forum role to prevent
+    // unexpected role and capability escalation.
+    if ( bbp_get_user_role( $user_id ) ) {
+        return;
+    }
 
     // Make the current user a keymaster
     bbp_set_user_role( $user_id, bbp_get_keymaster_role() );
-}
+
+    // Reload the current user so caps apply immediately
+    wp_get_current_user();
+}