Skip to:
Content

bbPress.org

Changeset 7086


Ignore:
Timestamp:
05/28/2020 03:38:54 PM (6 weeks ago)
Author:
johnjamesjacoby
Message:

Signups: Ensure that the dynamic role exists before setting it.

This commit introduces several new helper functions for validating Forum roles before saving & assigning them to new user accounts.

It also adds relevant capability checks to prevent unauthorized users from performing role assignments.

In trunk, for 2.7.0.

See #3157.

Location:
trunk/src/includes
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/includes/core/actions.php

    r7072 r7086  
    408408add_action( 'clean_post_cache', 'bbp_clean_post_cache', 10, 2 );
    409409
    410 // User Creation
     410// User Registration
     411add_action( 'added_existing_user', 'bbp_user_add_role_on_register', 10, 1 );
     412add_action( 'bbp_user_register',   'bbp_user_add_role_on_register', 10, 1 );
     413
     414// Invite a New User
    411415add_action( 'invite_user',         'bbp_user_add_role_on_invite',   10, 3 );
     416
     417// Multisite Activation (does not work in wp-activate.php)
    412418add_action( 'wpmu_activate_user',  'bbp_user_add_role_on_activate', 10, 3 );
    413 add_action( 'bbp_user_register',   'bbp_user_add_role_on_register', 10, 1 );
    414 add_action( 'added_existing_user', 'bbp_user_add_role_on_register', 10, 1 );
    415 add_action( 'register_new_user',   'bbp_user_add_role_on_register', 10, 1 );
    416419
    417420/**
  • trunk/src/includes/users/capabilities.php

    r7060 r7086  
    149149 * @param int $user_id
    150150 *
    151  * @return string
     151 * @return mixed False if no change. String of new role if changed.
    152152 */
    153153function bbp_set_user_role( $user_id = 0, $new_role = '' ) {
     
    160160    if ( ! empty( $user ) ) {
    161161
    162         // Get users forum role
     162        // Get user forum role
    163163        $role = bbp_get_user_role( $user_id );
    164164
     
    167167            $new_role = false;
    168168
    169         // Users role is different than the new role
    170         } else {
     169        // User role is different than the new (valid) role
     170        } elseif ( bbp_is_valid_role( $new_role ) ) {
    171171
    172172            // Remove the old role
     
    305305    // Set the new forums role
    306306    bbp_set_user_role( $user_id, $new_role );
     307}
     308
     309/**
     310 * Check if a role ID is valid
     311 *
     312 * This helper function accepts a role ID as a string, and compares it against
     313 * the array of registered dynamic roles.
     314 *
     315 * Use this function anytime you are manually attempting to set a user role
     316 * without using the bbp_set_user_role() function, or if you need to halt
     317 * additional processing during role validation.
     318 *
     319 * @since 2.6.5
     320 *
     321 * @param string $role A well-formed (string) role ID to validate
     322 *
     323 * @return bool True if role is valid. False if role is not valid.
     324 */
     325function bbp_is_valid_role( $role = '' ) {
     326
     327    // Default return value
     328    $retval = false;
     329
     330    // Skip if no role to check
     331    if ( ! empty( $role ) && is_string( $role ) ) {
     332
     333        // Get the dynamic role IDs
     334        $roles = array_keys( bbp_get_dynamic_roles() );
     335
     336        // Skip if no known role IDs
     337        if ( ! empty( $roles ) ) {
     338
     339            // Is role in dynamic roles array?
     340            $retval = in_array( $role, $roles, true );
     341        }
     342    }
     343
     344    // Filter & return
     345    return (bool) apply_filters( 'bbp_is_valid_role', $retval, $role );
    307346}
    308347
  • trunk/src/includes/users/signups.php

    r6675 r7086  
    2020 */
    2121function bbp_add_user_form_role_field() {
    22 ?>
     22
     23    // Bail if current user cannot promote users
     24    if ( ! current_user_can( 'promote_users' ) ) {
     25        return;
     26    } ?>
    2327
    2428    <table class="form-table">
     
    6771function bbp_user_add_role_to_signup_meta( $meta = array() ) {
    6872
    69     // Posted role
    70     $forum_role = isset( $_POST['bbp-forums-role'] )
     73    // Bail if already added
     74    if ( ! empty( $meta['bbp_new_role'] ) ) {
     75        return $meta;
     76    }
     77
     78    // Role to validate
     79    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
    7180        ? sanitize_key( $_POST['bbp-forums-role'] )
    72         : bbp_get_default_role();
    73 
    74     // Role keys
    75     $roles = array_keys( bbp_get_dynamic_roles() );
    76 
    77     // Bail if posted role is not in dynamic roles
    78     if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
     81        : '';
     82
     83    // Validate the signup role
     84    $valid_role = bbp_validate_registration_role( $to_validate );
     85
     86    // Bail if errors
     87    if ( bbp_has_errors() ) {
    7988        return $meta;
    8089    }
    8190
    8291    // Add role to meta
    83     $meta['bbp_new_role'] = $forum_role;
     92    $meta['bbp_new_role'] = $valid_role;
    8493
    8594    // Return meta
     
    95104 * @param array  $role        The role of invited user.
    96105 * @param string $newuser_key The key of the invitation.
     106 *
     107 * @return void
    97108 */
    98109function bbp_user_add_role_on_invite( $user_id = '', $role = '', $newuser_key = '' ) {
    99110
    100     // Posted role
    101     $forum_role = isset( $_POST['bbp-forums-role'] )
     111    // Role to validate
     112    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
    102113        ? sanitize_key( $_POST['bbp-forums-role'] )
    103         : bbp_get_default_role();
    104 
    105     // Role keys
    106     $roles = array_keys( bbp_get_dynamic_roles() );
    107 
    108     // Bail if posted role is not in dynamic roles
    109     if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
     114        : '';
     115
     116    // Validate the signup role
     117    $valid_role = bbp_validate_registration_role( $to_validate );
     118
     119    // Bail if errors
     120    if ( bbp_has_errors() ) {
     121        return;
     122    }
     123
     124    // Bail if malformed user key
     125    if ( empty( $newuser_key ) || ! is_string( $newuser_key ) ) {
    110126        return;
    111127    }
     
    118134
    119135    // Add the new role
    120     $user_option['bbp_new_role'] = $forum_role;
     136    $user_option['bbp_new_role'] = $valid_role;
    121137
    122138    // Update the invitation
     
    130146 *
    131147 * @param int $user_id
     148 *
     149 * @return void
    132150 */
    133151function bbp_user_add_role_on_register( $user_id = '' ) {
    134152
    135     // Posted role
    136     $forum_role = isset( $_POST['bbp-forums-role'] )
     153    // Role to validate
     154    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
    137155        ? sanitize_key( $_POST['bbp-forums-role'] )
    138         : bbp_get_default_role();
    139 
    140     // Role keys
    141     $roles = array_keys( bbp_get_dynamic_roles() );
    142 
    143     // Bail if posted role is not in dynamic roles
    144     if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
     156        : '';
     157
     158    // Validate the signup role
     159    $valid_role = bbp_validate_registration_role( $to_validate );
     160
     161    // Bail if errors
     162    if ( bbp_has_errors() ) {
    145163        return;
    146164    }
    147165
    148166    // Set the user role
    149     bbp_set_user_role( $user_id, $forum_role );
     167    bbp_set_user_role( $user_id, $valid_role );
    150168}
    151169
     
    155173 * @since 2.6.0 bbPress (r6674)
    156174 *
    157  * @param int $user_id User ID.
     175 * @param int    $user_id  User ID
     176 * @param string $password User password
     177 * @param array  $meta     Array of metadata
     178 *
     179 * @return void
    158180 */
    159181function bbp_user_add_role_on_activate( $user_id = 0, $password = '', $meta = array() ) {
    160182
    161     // Posted role
    162     $forum_role = isset( $meta['bbp_new_role'] )
     183    // Role to validate
     184    $to_validate = ! empty( $meta['bbp_new_role'] ) && is_string( $meta['bbp_new_role'] )
    163185        ? sanitize_key( $meta['bbp_new_role'] )
    164         : bbp_get_default_role();
    165 
    166     // Sanitize role
    167     $roles = array_keys( bbp_get_dynamic_roles() );
    168 
    169     // Bail if posted role is not in dynamic roles
    170     if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
     186        : '';
     187
     188    // Validate the signup role
     189    $valid_role = bbp_validate_activation_role( $to_validate );
     190
     191    // Bail if errors
     192    if ( bbp_has_errors() ) {
    171193        return;
    172194    }
    173195
    174196    // Set the user role
    175     bbp_set_user_role( $user_id, $forum_role );
    176 }
     197    bbp_set_user_role( $user_id, $valid_role );
     198}
     199
     200/** Validators ****************************************************************/
     201
     202/**
     203 * Validate the Forum role during signup
     204 *
     205 * This helper function performs a number of generic checks, and encapsulates
     206 * the logic used to validate if a Forum Role is valid, typically during new
     207 * user registration, but also when adding an existing user to a site in
     208 * Multisite installations.
     209 *
     210 * @since 2.6.5
     211 *
     212 * @param string $to_validate A role ID to validate
     213 *
     214 * @return string A valid role ID, or empty string on error
     215 */
     216function bbp_validate_signup_role( $to_validate = '' ) {
     217
     218    // Default return value
     219    $retval = '';
     220
     221    // Add error if role is empty
     222    if ( empty( $to_validate ) ) {
     223        bbp_add_error( 'bbp_signup_role_empty', __( '<strong>ERROR</strong>: Empty role.', 'bbpress' ) );
     224    }
     225
     226    // Add error if posted role is not a valid role
     227    if ( ! bbp_is_valid_role( $to_validate ) ) {
     228        bbp_add_error( 'bbp_signup_role_invalid', __( '<strong>ERROR</strong>: Invalid role.', 'bbpress' ) );
     229    }
     230
     231    // If no errors, set return value to the role to validate
     232    if ( ! bbp_has_errors() ) {
     233        $retval = $to_validate;
     234    }
     235
     236    // Filter & return
     237    return (string) apply_filters( 'bbp_validate_signup_role', $retval, $to_validate );
     238}
     239
     240/**
     241 * Validate the Forum role during the registration process
     242 *
     243 * @since 2.6.5
     244 *
     245 * @param string $to_validate A role ID to validate
     246 *
     247 * @return string A valid role ID, or empty string on error
     248 */
     249function bbp_validate_registration_role( $to_validate = '' ) {
     250
     251    // Default return value
     252    $retval = bbp_get_default_role();
     253
     254    /**
     255     * Conditionally accept admin-area posted values for capable users. This is
     256     * to allow for Site/Network Admins to assign a default role when inviting
     257     * or creating a new User account.
     258     */
     259    if ( is_admin() && current_user_can( 'create_users' ) ) {
     260        $retval = $to_validate;
     261    }
     262
     263    // Validate & return
     264    return bbp_validate_signup_role( $retval );
     265}
     266
     267/**
     268 * Validate the Forum role during multisite activation
     269 *
     270 * This function exists simply for parity with registrations, and to maintain an
     271 * intentional layer of abstraction from the more generic function it uses.
     272 *
     273 * Note: this will not fire inside of wp-activate.php unless it is hooked in
     274 * during sunrise.php, and is considered an advanced use-case.
     275 *
     276 * @since 2.6.5
     277 *
     278 * @param string $to_validate A role ID to validate
     279 *
     280 * @return string A valid role ID, or empty string on error
     281 */
     282function bbp_validate_activation_role( $to_validate = '' ) {
     283
     284    // Validate & return
     285    return bbp_validate_signup_role( $to_validate );
     286}
Note: See TracChangeset for help on using the changeset viewer.