Changeset 7087 for branches/2.6/src/includes/users/signups.php

Timestamp:

05/28/2020 03:43:58 PM (6 years ago)

Author:

johnjamesjacoby

Message:

Signups: Ensure that the dynamic role exists before setting it.

This commit introduces several new helper functions for validating Forum roles before saving & assigning them to new user accounts.

It also adds relevant capability checks to prevent unauthorized users from performing role assignments.

In branches/2.6, for 2.6.5.

See #3157.

File:

• branches/2.6/src/includes/users/signups.php (modified) (6 diffs)

branches/2.6/src/includes/users/signups.php

@@ -20 +20 @@
  */
 function bbp_add_user_form_role_field() {
-?>
+
+    // Bail if current user cannot promote users
+    if ( ! current_user_can( 'promote_users' ) ) {
+        return;
+    } ?>
 
     <table class="form-table">
@@ -67 +71 @@
 function bbp_user_add_role_to_signup_meta( $meta = array() ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Bail if already added
+    if ( ! empty( $meta['bbp_new_role'] ) ) {
+        return $meta;
+    }
+
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return $meta;
     }
 
     // Add role to meta
-    $meta['bbp_new_role'] = $forum_role;
+    $meta['bbp_new_role'] = $valid_role;
 
     // Return meta
@@ -98 +107 @@
 function bbp_user_add_role_on_invite( $user_id = '', $role = '', $newuser_key = '' ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
@@ -118 +127 @@
 
     // Add the new role
-    $user_option['bbp_new_role'] = $forum_role;
+    $user_option['bbp_new_role'] = $valid_role;
 
     // Update the invitation
@@ -133 +142 @@
 function bbp_user_add_role_on_register( $user_id = '' ) {
 
-    // Posted role
-    $forum_role = isset( $_POST['bbp-forums-role'] )
+    // Role to validate
+    $to_validate = ! empty( $_POST['bbp-forums-role'] ) && is_string( $_POST['bbp-forums-role'] )
         ? sanitize_key( $_POST['bbp-forums-role'] )
-        : bbp_get_default_role();
-
-    // Role keys
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_registration_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
 
     // Set the user role
-    bbp_set_user_role( $user_id, $forum_role );
+    bbp_set_user_role( $user_id, $valid_role );
 }
 
@@ -159 +168 @@
 function bbp_user_add_role_on_activate( $user_id = 0, $password = '', $meta = array() ) {
 
-    // Posted role
-    $forum_role = isset( $meta['bbp_new_role'] )
+    // Role to validate
+    $to_validate = ! empty( $meta['bbp_new_role'] ) && is_string( $meta['bbp_new_role'] )
         ? sanitize_key( $meta['bbp_new_role'] )
-        : bbp_get_default_role();
-
-    // Sanitize role
-    $roles = array_keys( bbp_get_dynamic_roles() );
-
-    // Bail if posted role is not in dynamic roles
-    if ( empty( $forum_role ) || ! in_array( $forum_role, $roles, true ) ) {
+        : '';
+
+    // Validate the signup role
+    $valid_role = bbp_validate_activation_role( $to_validate );
+
+    // Bail if errors
+    if ( bbp_has_errors() ) {
         return;
     }
 
     // Set the user role
-    bbp_set_user_role( $user_id, $forum_role );
-}
+    bbp_set_user_role( $user_id, $valid_role );
+}
+
+/** Validators ****************************************************************/
+
+/**
+ * Validate the Forum role during signup
+ *
+ * This helper function performs a number of generic checks, and encapsulates
+ * the logic used to validate if a Forum Role is valid, typically during new
+ * user registration, but also when adding an existing user to a site in
+ * Multisite installations.
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_signup_role( $to_validate = '' ) {
+
+    // Default return value
+    $retval = '';
+
+    // Add error if role is empty
+    if ( empty( $to_validate ) ) {
+        bbp_add_error( 'bbp_signup_role_empty', __( '<strong>ERROR</strong>: Empty role.', 'bbpress' ) );
+    }
+
+    // Add error if posted role is not a valid role
+    if ( ! bbp_is_valid_role( $to_validate ) ) {
+        bbp_add_error( 'bbp_signup_role_invalid', __( '<strong>ERROR</strong>: Invalid role.', 'bbpress' ) );
+    }
+
+    // If no errors, set return value to the role to validate
+    if ( ! bbp_has_errors() ) {
+        $retval = $to_validate;
+    }
+
+    // Filter & return
+    return (string) apply_filters( 'bbp_validate_signup_role', $retval, $to_validate );
+}
+
+/**
+ * Validate the Forum role during the registration process
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A well-formed (string) role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_registration_role( $to_validate = '' ) {
+
+    // Default return value
+    $retval = bbp_get_default_role();
+
+    // Conditionally handle posted values for capable users
+    if ( is_admin() && current_user_can( 'create_users' ) ) {
+        $retval = $to_validate;
+    }
+
+    // Validate & return
+    return bbp_validate_signup_role( $retval );
+}
+
+/**
+ * Validate the Forum role during activation
+ *
+ * This function exists simply for parity with registrations, and to maintain an
+ * intentional layer of abstraction from the more generic function it uses.
+ *
+ * @since 2.6.5
+ *
+ * @param string $to_validate A well-formed (string) role ID to validate
+ * @return string A valid role ID, or empty string on error
+ */
+function bbp_validate_activation_role( $to_validate = '' ) {
+
+    // Validate & return
+    return bbp_validate_signup_role( $to_validate );
+}