Timestamp:
05/28/2020 03:43:58 PM (6 years ago)
Author:
johnjamesjacoby
Message:

Signups: Ensure that the dynamic role exists before setting it.

This commit introduces several new helper functions for validating Forum roles before saving & assigning them to new user accounts.

It also adds relevant capability checks to prevent unauthorized users from performing role assignments.

In branches/2.6, for 2.6.5.

See #3157.

File:
1 edited

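--- a/branches/2.6/src/includes/users/capabilities.php
+++ b/branches/2.6/src/includes/users/capabilities.php
@@ -149,5 +149,5 @@
  * @param int $user_id
  *
- * @return string
+ * @return mixed False if no change. String of new role if changed.
  */
 function bbp_set_user_role( $user_id = 0, $new_role = '' ) {
@@ -160,5 +160,5 @@
     if ( ! empty( $user ) ) {
 
-        // Get users forum role
+        // Get user forum role
         $role = bbp_get_user_role( $user_id );
 
@@ -167,6 +167,6 @@
             $new_role = false;
 
-        // Users role is different than the new role
-        } else {
+        // User role is different than the new (valid) role
+        } elseif ( bbp_is_valid_role( $new_role ) ) {
 
             // Remove the old role
@@ -305,4 +305,36 @@
     // Set the new forums role
     bbp_set_user_role( $user_id, $new_role );
+}
+
+/**
+ * Check if a role string is valid
+ *
+ * @since 2.6.5
+ *
+ * @param string $role
+ *
+ * @return bool True if role is valid. False if role is not valid.
+ */
+function bbp_is_valid_role( $role = '' ) {
+
+    // Default return value
+    $retval = false;
+
+    // Skip if no role to check
+    if ( ! empty( $role ) && is_string( $role ) ) {
+
+        // Get the dynamic role IDs
+        $roles = array_keys( bbp_get_dynamic_roles() );
+
+        // Skip if no known role IDs
+        if ( ! empty( $roles ) ) {
+
+            // Is role in dynamic roles array?
+            $retval = in_array( $role, $roles, true );
+        }
+    }
+
+    // Filter & return
+    return (bool) apply_filters( 'bbp_is_valid_role', $retval, $role );
 }
 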
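Review bot: The new `} elseif ( bbp_is_valid_role( $new_role ) ) {` in bbp_set_user_role has no else branch, so when the role is rejected `$new_role` keeps the caller's unvalidated string; if the function's tail, which lies outside this hunk, returns `$new_role` as the updated docblock ("False if no change. String of new role if changed.") implies, an invalid role would be reported to callers as a successful change. Adding `} else { $new_role = false; }` after the elseif block keeps the return value honest for any caller that branches on it. Separately, bbp_is_valid_role ends with `return (bool) apply_filters( 'bbp_is_valid_role', $retval, $role );`, so any filter callback can declare an arbitrary string valid; a comment such as `// A filter returning true here lets an otherwise unknown role through to bbp_set_user_role` would make that trust boundary visible to maintainers. The body of bbp_set_user_role starts and ends outside this hunk.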