Changeset 7089

Timestamp:

05/28/2020 04:31:32 PM (4 years ago)

Author:

johnjamesjacoby

Message:

Settings: Only allow users with the edit_users capability to toggle the Super Moderators option.

This commit also rearranges some settings for improved UX, and adds descriptive text to the "Super Moderators" and "Forum Moderators" settings for improved clarity.

This commit addresses a responsibly disclosed security concern, and does not have a public issue in Trac.

In branches/2.6, for 2.6.5.

Location:

branches/2.6/src/includes/admin

Files:

• classes/class-bbp-admin.php (modified) (1 diff)
• settings.php (modified) (11 diffs)

branches/2.6/src/includes/admin/classes/class-bbp-admin.php

@@ -586 +586 @@
             // Loop through fields for this section
             foreach ( (array) $fields as $field_id => $field ) {
+
+                // Skip field if user is not capable
+                if ( ! empty( $field['capability'] ) && ! current_user_can( $field['capability'] ) ) {
+                    continue;
+                }
 
                 // Add the field

branches/2.6/src/includes/admin/settings.php

@@ -164 +164 @@
         'bbp_settings_features' => array(
 
+            // Allow auto embedding setting
+            '_bbp_use_autoembed' => array(
+                'title'             => esc_html__( 'Auto-embed links', 'bbpress' ),
+                'callback'          => 'bbp_admin_setting_callback_use_autoembed',
+                'sanitize_callback' => 'intval',
+                'args'              => array()
+            ),
+
+            // Set reply threading level
+            '_bbp_thread_replies_depth' => array(
+                'title'             => esc_html__( 'Reply Threading', 'bbpress' ),
+                'callback'          => 'bbp_admin_setting_callback_thread_replies_depth',
+                'sanitize_callback' => 'intval',
+                'args'              => array()
+            ),
+
+            // Allow threaded replies
+            '_bbp_allow_threaded_replies' => array(
+                'sanitize_callback' => 'intval',
+                'args'              => array()
+            ),
+
             // Allow topic and reply revisions
             '_bbp_allow_revisions' => array(
@@ -200 +222 @@
                 'title'             => esc_html__( 'Topic tags', 'bbpress' ),
                 'callback'          => 'bbp_admin_setting_callback_topic_tags',
-                'sanitize_callback' => 'intval',
-                'args'              => array()
-            ),
-
-            // Allow per-forum moderators
-            '_bbp_allow_forum_mods' => array(
-                'title'             => esc_html__( 'Forum Moderators', 'bbpress' ),
-                'callback'          => 'bbp_admin_setting_callback_forum_mods',
-                'sanitize_callback' => 'intval',
-                'args'              => array()
-            ),
-
-            // Allow moderators to edit users
-            '_bbp_allow_super_mods' => array(
-                'title'             => esc_html__( 'Super Moderators', 'bbpress' ),
-                'callback'          => 'bbp_admin_setting_callback_super_mods',
                 'sanitize_callback' => 'intval',
                 'args'              => array()
@@ -236 +242 @@
             ),
 
-            // Allow auto embedding setting
-            '_bbp_use_autoembed' => array(
-                'title'             => esc_html__( 'Auto-embed links', 'bbpress' ),
-                'callback'          => 'bbp_admin_setting_callback_use_autoembed',
+            // Allow per-forum moderators
+            '_bbp_allow_forum_mods' => array(
+                'title'             => esc_html__( 'Forum Moderators', 'bbpress' ),
+                'callback'          => 'bbp_admin_setting_callback_forum_mods',
                 'sanitize_callback' => 'intval',
                 'args'              => array()
             ),
 
-            // Set reply threading level
-            '_bbp_thread_replies_depth' => array(
-                'title'             => esc_html__( 'Reply Threading', 'bbpress' ),
-                'callback'          => 'bbp_admin_setting_callback_thread_replies_depth',
-                'sanitize_callback' => 'intval',
-                'args'              => array()
-            ),
-
-            // Allow threaded replies
-            '_bbp_allow_threaded_replies' => array(
-                'sanitize_callback' => 'intval',
+            // Allow moderators to edit users
+            '_bbp_allow_super_mods' => array(
+                'title'             => esc_html__( 'Super Moderators', 'bbpress' ),
+                'callback'          => 'bbp_admin_setting_callback_super_mods',
+                'sanitize_callback' => 'intval',
+                'capability'        => 'edit_users',
                 'args'              => array()
             )
@@ -838 +839 @@
     <input name="_bbp_allow_forum_mods" id="_bbp_allow_forum_mods" type="checkbox" value="1" <?php checked( bbp_allow_forum_mods( true ) ); bbp_maybe_admin_setting_disabled( '_bbp_allow_forum_mods' ); ?> />
     <label for="_bbp_allow_forum_mods"><?php esc_html_e( 'Allow forums to have dedicated moderators', 'bbpress' ); ?></label>
+    <p class="description"><?php esc_html_e( 'This does not include the ability to edit users.', 'bbpress' ); ?></p>
 
 <?php
@@ -851 +853 @@
 
     <input name="_bbp_allow_super_mods" id="_bbp_allow_super_mods" type="checkbox" value="1" <?php checked( bbp_allow_super_mods( false ) ); bbp_maybe_admin_setting_disabled( '_bbp_allow_super_mods' ); ?> />
-    <label for="_bbp_allow_super_mods"><?php esc_html_e( 'Allow moderators to edit other users', 'bbpress' ); ?></label>
+    <label for="_bbp_allow_super_mods"><?php esc_html_e( 'Allow Moderators and Keymasters to edit users', 'bbpress' ); ?></label>
+    <p class="description"><?php esc_html_e( 'This includes roles, passwords, and email addresses.', 'bbpress' ); ?></p>
 
 <?php
@@ -969 +972 @@
     if ( ! empty( $theme_options ) ) : ?>
 
-        <select name="_bbp_theme_package_id" id="_bbp_theme_package_id" <?php bbp_maybe_admin_setting_disabled( '_bbp_theme_package_id' ); ?>><?php echo $theme_options ?></select>
+        <select name="_bbp_theme_package_id" id="_bbp_theme_package_id" <?php bbp_maybe_admin_setting_disabled( '_bbp_theme_package_id' ); ?>><?php echo $theme_options; ?></select>
         <label for="_bbp_theme_package_id"><?php esc_html_e( 'will serve all bbPress templates', 'bbpress' ); ?></label>
 
@@ -1465 +1468 @@
         // Button & text
         $button = '<a href="' . esc_url( $new_url ) . '">' . esc_html__( 'create a new one', 'bbpress' ) . '</a>';
-        $text   = esc_html__( 'Use %s to contain your group forums, or %s', 'bbpress' );
+        $text   = esc_html__( 'Use %s to contain your group forums, or %s', 'bbpress' ); //phpcs:ignore
     } else {
         $text = esc_html__( 'Use %s to contain your group forums', 'bbpress' );
@@ -1518 +1521 @@
 
     <div class="wrap">
-        <h1 class="wp-heading-inline"><?php esc_html_e( 'Forums Settings', 'bbpress' ) ?></h1>
+        <h1 class="wp-heading-inline"><?php esc_html_e( 'Forums Settings', 'bbpress' ); ?></h1>
         <hr class="wp-header-end">
 
@@ -1568 +1571 @@
     } ?>
 
-    <select name="_bbp_converter_platform" id="_bbp_converter_platform"><?php echo $options ?></select>
+    <select name="_bbp_converter_platform" id="_bbp_converter_platform"><?php echo $options; ?></select>
     <p class="description"><?php esc_html_e( 'The previous forum software', 'bbpress' ); ?></p>
 
@@ -1793 +1796 @@
     // Starting or continuing?
     $progress_text = ! empty( $step )
-        ? sprintf( esc_html__( 'Previously stopped at step %d of %d', 'bbpress' ), $step, $max )
+        ? sprintf( esc_html__( 'Previously stopped at step %1$d of %2$d', 'bbpress' ), $step, $max )
         : esc_html__( 'Ready to go.', 'bbpress' ); ?>
 
@@ -1958 +1961 @@
  * @param bool $slug
  */
-function bbp_form_option( $option, $default = '' , $slug = false ) {
+function bbp_form_option( $option, $default = '', $slug = false ) {
     echo bbp_get_form_option( $option, $default, $slug );
 }