


Timestamp:
05/28/2020 03:38:54 PM (6 years ago)
Author:
johnjamesjacoby
Message:

Signups: Ensure that the dynamic role exists before setting it.

This commit introduces several new helper functions for validating Forum roles before saving & assigning them to new user accounts.

It also adds relevant capability checks to prevent unauthorized users from performing role assignments.

In trunk, for 2.7.0.

See #3157.

File:
1 edited

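--- a/trunk/src/includes/users/capabilities.php
+++ b/trunk/src/includes/users/capabilities.php
@@ -149,5 +149,5 @@
  * @param int $user_id
  *
- * @return string
+ * @return mixed False if no change. String of new role if changed.
  */
 function bbp_set_user_role( $user_id = 0, $new_role = '' ) {
@@ -160,5 +160,5 @@
     if ( ! empty( $user ) ) {
 
-        // Get users forum role
+        // Get user forum role
         $role = bbp_get_user_role( $user_id );
 
@@ -167,6 +167,6 @@
             $new_role = false;
 
-        // Users role is different than the new role
-        } else {
+        // User role is different than the new (valid) role
+        } elseif ( bbp_is_valid_role( $new_role ) ) {
 
             // Remove the old role
@@ -305,4 +305,43 @@
     // Set the new forums role
     bbp_set_user_role( $user_id, $new_role );
+}
+
+/**
+ * Check if a role ID is valid
+ *
+ * This helper function accepts a role ID as a string, and compares it against
+ * the array of registered dynamic roles.
+ *
+ * Use this function anytime you are manually attempting to set a user role
+ * without using the bbp_set_user_role() function, or if you need to halt
+ * additional processing during role validation.
+ *
+ * @since 2.6.5
+ *
+ * @param string $role A well-formed (string) role ID to validate
+ *
+ * @return bool True if role is valid. False if role is not valid.
+ */
+function bbp_is_valid_role( $role = '' ) {
+
+    // Default return value
+    $retval = false;
+
+    // Skip if no role to check
+    if ( ! empty( $role ) && is_string( $role ) ) {
+
+        // Get the dynamic role IDs
+        $roles = array_keys( bbp_get_dynamic_roles() );
+
+        // Skip if no known role IDs
+        if ( ! empty( $roles ) ) {
+
+            // Is role in dynamic roles array?
+            $retval = in_array( $role, $roles, true );
+        }
+    }
+
+    // Filter & return
+    return (bool) apply_filters( 'bbp_is_valid_role', $retval, $role );
 }
 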
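Review bot: When bbp_is_valid_role( $new_role ) returns false in the new `elseif` at line 170 of bbp_set_user_role(), neither branch runs, so $new_role keeps the unvalidated string the caller passed in; if the function then returns $new_role as the updated `@return mixed False if no change` tag suggests, callers receive a truthy role name that was never assigned and may act as though the assignment succeeded. Add a fallback after the elseif block, `} else { $new_role = false; }`, so the "False if no change" contract also holds for rejected input. The body of bbp_set_user_role() continues outside the hunk, so the return statement itself is not visible here. Separately, the new bbp_is_valid_role() docblock is tagged `@since 2.6.5` while the commit message files the change for 2.7.0; one of the two should be corrected so the tag matches the release it ships in.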