
Changeset 7087


Timestamp:
05/28/2020 03:43:58 PM (6 weeks ago)
Author:
johnjamesjacoby
Message:

Signups: Ensure that the dynamic role exists before setting it.

This commit introduces several new helper functions for validating Forum roles before saving & assigning them to new user accounts.

It also adds relevant capability checks to prevent unauthorized users from performing role assignments.

In branches/2.6, for 2.6.5.

See #3157.

Location:
branches/2.6/src/includes
Files:
3 edited

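--- a/branches/2.6/src/includes/core/actions.php
+++ b/branches/2.6/src/includes/core/actions.php
@@ -408,10 +408,13 @@
 add_action( 'clean_post_cache', 'bbp_clean_post_cache', 10, 2 );
 
-// User Creation
+// User Registration
+add_action( 'added_existing_user', 'bbp_user_add_role_on_register', 10, 1 );
+add_action( 'bbp_user_register',   'bbp_user_add_role_on_register', 10, 1 );
+
+// Invite a New User
 add_action( 'invite_user',         'bbp_user_add_role_on_invite',   10, 3 );
+
+// Multisite Activation (does not work in wp-activate.php)
 add_action( 'wpmu_activate_user',  'bbp_user_add_role_on_activate', 10, 3 );
-add_action( 'bbp_user_register',   'bbp_user_add_role_on_register', 10, 1 );
-add_action( 'added_existing_user', 'bbp_user_add_role_on_register', 10, 1 );
-add_action( 'register_new_user',   'bbp_user_add_role_on_register', 10, 1 );
 
 /**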
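--- a/branches/2.6/src/includes/users/capabilities.php
+++ b/branches/2.6/src/includes/users/capabilities.php
@@ -149,5 +149,5 @@
  * @param int $user_id
  *
- * @return string
+ * @return mixed False if no change. String of new role if changed.
  */
 function bbp_set_user_role( $user_id = 0, $new_role = '' ) {
@@ -160,5 +160,5 @@
     if ( ! empty( $user ) ) {
 
-        // Get users forum role
+        // Get user forum role
         $role = bbp_get_user_role( $user_id );
 
@@ -167,6 +167,6 @@
             $new_role = false;
 
-        // Users role is different than the new role
-        } else {
+        // User role is different than the new (valid) role
+        } elseif ( bbp_is_valid_role( $new_role ) ) {
 
             // Remove the old role
@@ -305,4 +305,36 @@
     // Set the new forums role
     bbp_set_user_role( $user_id, $new_role );
+}
+
+/**
+ * Check if a role string is valid
+ *
+ * @since 2.6.5
+ *
+ * @param string $role
+ *
+ * @return bool True if role is valid. False if role is not valid.
+ */
+function bbp_is_valid_role( $role = '' ) {
+
+    // Default return value
+    $retval = false;
+
+    // Skip if no role to check
+    if ( ! empty( $role ) && is_string( $role ) ) {
+
+        // Get the dynamic role IDs
+        $roles = array_keys( bbp_get_dynamic_roles() );
+
+        // Skip if no known role IDs
+        if ( ! empty( $roles ) ) {
+
+            // Is role in dynamic roles array?
+            $retval = in_array( $role, $roles, true );
+        }
+    }
+
+    // Filter & return
+    return (bool) apply_filters( 'bbp_is_valid_role', $retval, $role );
 }
 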
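Review bot: The new `} elseif ( bbp_is_valid_role( $new_role ) ) {` at new line 170 has no `else`, so when the requested role is not valid `$new_role` keeps the rejected string instead of being reset to `false` the way the no-change branch at line 167 does. The function's return statement lies outside the hunk; if it still returns `$new_role`, a caller receives the invalid role string as if it had been applied, an outcome the updated `@return` docblock ("False if no change. String of new role if changed.") does not describe. Adding `} else { $new_role = false; }` after the elseif branch, or documenting the third outcome in the docblock, would keep the contract honest. bbp_set_user_role's body continues beyond both hunks, so the actual return expression should be checked there.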
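--- a/branches/2.6/src/includes/users/signups.php
+++ b/branches/2.6/src/includes/users/signups.php
@@ -20,5 +20,9 @@
  */
 function bbp_add_user_form_role_field() {
-?>
+
+    // Bail if current user cannot promote users
+    if ( ! current_user_can( 'promote_users' ) ) {
+        return;
+    } ?>
 
     <table class="form-table">
@@ -67,19 +71,24 @@
 function bbp_user_add_role_to_signup_meta( $meta = array() ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Bail if already added
+    if ( ! empty( $meta['bbp_new_role'] ) ) {
+        return $meta;
+    }
+
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return $meta;
     }
 
     // Add role to meta
-    $meta['bbp_new_role'] = $forum_role;
+    $meta['bbp_new_role'] = $valid_role;
 
     // Return meta
@@ -98,14 +107,14 @@
 function bbp_user_add_role_on_invite( $user_id = '', $role = '', $newuser_key = '' ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
@@ -118,5 +127,5 @@
 
     // Add the new role
-    $user_option['bbp_new_role'] = $forum_role;
+    $user_option['bbp_new_role'] = $valid_role;
 
     // Update the invitation
@@ -133,19 +142,19 @@
 function bbp_user_add_role_on_register( $user_id = '' ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
 
     // Set the user role
-    bbp_set_user_role( $user_id, $forum_role );
+    bbp_set_user_role( $user_id, $valid_role );
 }
 
@@ -159,18 +168,96 @@
 function bbp_user_add_role_on_activate( $user_id = 0, $password = '', $meta = array() ) {
 
-    // Posted role
-    $forum_role = isset( $meta['bbp_new_role'] )
+    // Role to validate
+    $to_validate = ! empty( $meta['bbp_new_role'] ) && is_string( $meta['bbp_new_role'] )
         ? sanitize_key( $meta['bbp_new_role'] )
-        : bbp_get_default_role();
-
-    // Sanitize role
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_activation_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
 
     // Set the user role
-    bbp_set_user_role( $user_id, $forum_role );
-}
+    bbp_set_user_role( $user_id, $valid_role );
+}
+
+/** Validators ****************************************************************/
+
+/**
+ * Validate the Forum role during signup
+ *
+ * This helper function performs a number of generic checks, and encapsulates
+ * the logic used to validate if a Forum Role is valid, typically during new
+ * user registration, but also when adding an existing user to a site in
+ * Multisite installations.
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_signup_role( $to_validate = '' ) {
+
+    // Default return value
+    $retval = '';
+
+    // Add error if role is empty
+    if ( empty( $to_validate ) ) {
+        bbp_add_error( 'bbp_signup_role_empty', __( '<strong>ERROR</strong>: Empty role.', 'bbpress' ) );
+    }
+
+    // Add error if posted role is not a valid role
+    if ( ! bbp_is_valid_role( $to_validate ) ) {
+        bbp_add_error( 'bbp_signup_role_invalid', __( '<strong>ERROR</strong>: Invalid role.', 'bbpress' ) );
+    }
+
+    // If no errors, set return value to the role to validate
+    if ( ! bbp_has_errors() ) {
+        $retval = $to_validate;
+    }
+
+    // Filter & return
+    return (string) apply_filters( 'bbp_validate_signup_role', $retval, $to_validate );
+}
+
+/**
+ * Validate the Forum role during the registration process
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A well-formed (string) role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_registration_role( $to_validate = '' ) {
+
+    // Default return value
+    $retval = bbp_get_default_role();
+
+    // Conditionally handle posted values for capable users
+    if ( is_admin() && current_user_can( 'create_users' ) ) {
+        $retval = $to_validate;
+    }
+
+    // Validate & return
+    return bbp_validate_signup_role( $retval );
+}
+
+/**
+ * Validate the Forum role during activation
+ *
+ * This function exists simply for parity with registrations, and to maintain an
+ * intentional layer of abstraction from the more generic function it uses.
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A well-formed (string) role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_activation_role( $to_validate = '' ) {
+
+    // Validate & return
+    return bbp_validate_signup_role( $to_validate );
+}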
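Review bot: The role selector is gated on `promote_users` in `bbp_add_user_form_role_field` (new line 24), but `bbp_validate_registration_role` (new line 240) only honours the posted value behind `current_user_can( 'create_users' )`, so a user who holds the first capability but not the second is shown the field and then has the choice silently replaced by `bbp_get_default_role()` with no error added. On Multisite those two capabilities are, to my recollection, mapped differently for site administrators, which would make this gap reachable there; worth confirming against map_meta_cap. Using the same capability in both places, e.g. `if ( is_admin() && current_user_can( 'promote_users' ) ) {`, or calling `bbp_add_error()` when a posted role is discarded, would make the outcome consistent with what the form offers. Separately, the value returned through `apply_filters( 'bbp_validate_signup_role', ... )` at new line 223 is cast to string but not re-checked with `bbp_is_valid_role()`, so a filter callback can hand an unknown role to `bbp_set_user_role`, where the new `elseif` in capabilities.php will quietly decline to apply it.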