Changeset 5629 for branches/2.5/includes/admin/users.php

Timestamp:

03/06/2015 04:27:09 PM (11 years ago)

Author:

johnjamesjacoby

Message:

Add nonce to bulk-user dropdown. Props jdgrimes. (2.5 branch)

File:

• branches/2.5/includes/admin/users.php (modified) (3 diffs)

branches/2.5/includes/admin/users.php

@@ -143 +143 @@
             <?php endforeach; ?>
         </select><?php submit_button( __( 'Change', 'bbpress' ), 'secondary', 'bbp-change-role', false );
+
+        wp_nonce_field( 'bbp-bulk-users', 'bbp-bulk-users-nonce' );
     }
 
@@ -157 +159 @@
     public function user_role_bulk_change() {
 
-        // Bail if current user cannot promote users 
-        if ( !current_user_can( 'promote_users' ) )
-            return;
-
         // Bail if no users specified
         if ( empty( $_REQUEST['users'] ) )
@@ -172 +170 @@
         $dynamic_roles = bbp_get_dynamic_roles();
         if ( empty( $dynamic_roles[ $_REQUEST['bbp-new-role'] ] ) )
+            return;
+
+        // Bail if nonce check fails
+        check_admin_referer( 'bbp-bulk-users', 'bbp-bulk-users-nonce' );
+
+        // Bail if current user cannot promote users 
+        if ( !current_user_can( 'promote_users' ) )
             return;