add check_ajax_referer in upload image alternative
hunk committed Aug 3, 2016
1 parent 691ca60 commit ec1dec8
Showing 3 changed files with 87 additions and 69 deletions.
57 changes: 36 additions & 21 deletions admin/mf_ajax_call.php
Expand Up @@ -22,7 +22,7 @@ public function mf_sort_field($data){
$order = $data['order'];
$order = split(',',$order);
array_walk( $order, create_function( '&$v,$k', '$v = str_replace("order_","",$v);' ));

if( $thing = mf_custom_fields::save_order_field( $data['group_id'], $order ) ) {
print "1";
die;
Expand All @@ -33,7 +33,7 @@ public function mf_sort_field($data){

public function check_name_post_type($data){
global $mf_domain;

$type = $data['post_type'];
$id = $data['post_type_id'];
$check = mf_posttype::check_post_type($type,$id);
Expand All @@ -48,28 +48,28 @@ public function check_name_post_type($data){

public function check_name_custom_group($data){
global $mf_domain;

$name = $data['group_name'];
$post_type = $data['post_type'];
$id = $data['group_id'];
$resp = array('success' => 1);

$check = mf_custom_group::check_group($name,$post_type,$id);
if($check){
$resp = array('success' => 0, 'msg' => __('The name of Group exist in this post type, Please choose a different name.',$mf_domain) );
}

echo json_encode($resp);
}

public function check_name_custom_field($data){
global $mf_domain;

$name = $data['field_name'];
$post_type = $data['post_type'];
$id = $data['field_id'];
$resp = array('success' => 1);

$check = mf_custom_fields::check_group($name,$post_type,$id);
if($check){
$resp = array('success' => 0, 'msg' => __('The name of Field exist in this post type, Please choose a different name.',$mf_domain) );
Expand All @@ -79,7 +79,7 @@ public function check_name_custom_field($data){

public function check_type_custom_taxonomy($data){
global $mf_domain;

$type = $data['taxonomy_type'];
$id = $data['taxonomy_id'];
$check = mf_custom_taxonomy::check_custom_taxonomy($type,$id);
Expand Down Expand Up @@ -118,13 +118,13 @@ public function change_custom_field($data){

public function set_default_categories($data){
global $wpdb;

$post_type_key = sprintf('_cat_%s',$data['post_type']);
$cats = preg_split('/\|\|\|/', $data['cats']);
$cats = maybe_serialize($cats);

$table = $wpdb->postmeta;

$check_parent = $wpdb->prepare(
"SELECT meta_id FROM $wpdb->postmeta ".
" WHERE meta_key='%s'",
Expand Down Expand Up @@ -152,20 +152,35 @@ public function set_default_categories($data){
}
$wpdb->query($sql);
$resp = array('success' => 1);

//update_post_meta(-2, $post_type, $cats);

echo json_encode($resp);
}

public static function remove_upload_file() {

if (isset($_FILES['file']) && (!empty($_FILES['file']['tmp_name']))){
if ($_FILES['file']['error'] == UPLOAD_ERR_OK){
$file_path = $_FILES['file']['tmp_name'];
@unlink($file_path);
}
}

}

public function upload_ajax($data){
global $mf_domain;
// pr($data);
// pr($_FILES);
// $resp = array('ok' => true,$_FILES,$data);
// echo json_encode($resp);

if( !check_ajax_referer( 'mf_nonce_ajax', 'security', false ) ) {
mf_ajax_call::remove_upload_file();
$resp = array('success' => false, 'msg' => __('Sorry, your nonce did not verify..',$mf_domain) );
echo json_encode($resp);
die;
}

if ( !current_user_can('upload_files') ){
mf_ajax_call::remove_upload_file();
$resp = array('success' => false, 'msg' => __('You do not have sufficient permissions to upload images.',$mf_domain) );
echo json_encode($resp);
die;
Expand All @@ -184,13 +199,13 @@ public function upload_ajax($data){
$special_chars = array(' ','`','"','\'','\\','/'," ","#","$","%","^","&","*","!","~","","\"","","'","=","?","/","[","]","(",")","|","<",">",";","\\",",","+","-");
$filename = str_replace($special_chars,'',$_FILES['file']['name']);
$filename = time() . $filename;

@move_uploaded_file( $_FILES['file']['tmp_name'], MF_FILES_DIR . $filename );
@chmod(MF_FILES_DIR . $filename, 0644);
$info = pathinfo(MF_FILES_DIR . $filename);

$thumb = aux_image($filename,"w=150&h=120&zc=1",'image_alt');

$resp = array(
'success' => true,
'name' => $filename,
Expand Down Expand Up @@ -229,7 +244,7 @@ public function valid_mime($mime,$file_type){
'audio/x-wav',
'audio/mp3'
);

if($file_type == "image"){
if(in_array($mime,$imagesExts)){
return true;
Expand All @@ -243,7 +258,7 @@ public function valid_mime($mime,$file_type){
//are safety for the "files" type of field
return true;
}
return false;
return false;
}

public function get_thumb($data){
Expand Down Expand Up @@ -273,4 +288,4 @@ public function get_thumb($data){

}

}
}
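Review bot: The nonce and capability guards added at the top of upload_ajax stop at the entry point; further down in the same function the upload still discards the result of `@move_uploaded_file(...)` and answers `'success' => true` whether or not the file was stored, so a failed move is reported to the client as success. Check the return value and bail the same way the new guards do, e.g. `if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], MF_FILES_DIR . $filename ) ) { echo json_encode( array( 'success' => false, 'msg' => __( 'Upload failed.', $mf_domain ) ) ); die; }`, and consider `sanitize_file_name()` in place of the hand-maintained `$special_chars` blacklist, which strips path separators but does not validate the stored file's extension (valid_mime is defined below, but its call site is not visible here). The other handlers in this file (mf_sort_field, check_name_custom_group, check_name_custom_field, set_default_categories) receive only whitespace changes and carry no check_ajax_referer of their own; if the dispatcher outside this view does not verify the nonce before calling them, they remain unguarded. upload_ajax continues past the end of its hunk.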
87 changes: 44 additions & 43 deletions admin/mf_post.php
Expand Up @@ -31,13 +31,13 @@ function mf_check_wp_gallery_version() {
*/
function mf_post_add_metaboxes() {
global $post,$mf_post_values;
//if the user are going to add a new link

//if the user are going to add a new link
//the var $post is not defined and we do nothing
if(!isset($post)) {
return false;
}

$mf_post_values = $this->mf_get_post_values($post->ID);

//Getting the post types
Expand Down Expand Up @@ -168,7 +168,7 @@ public function mf_draw_field($field,$group_id,$group_index =1,$field_index =1 ,
$id = sprintf('mf_field_%d_%d_%d_%d_ui',$group_id,$group_index,$field['id'],$field_index);
$delete_id = sprintf('delete_field_repeat-%d_%d_%d_%d',$group_id,$group_index,$field['id'],$field_index);
$add_id = sprintf('mf_field_repeat-%d_%d_%d_%d',$group_id,$group_index,$field['id'],$field_index);
$field_style = ($field_index == 1)? 'style="display: none; "' : '';
$field_style = ($field_index == 1)? 'style="display: none; "' : '';

$name = sprintf('field-%s',$field['name']);
$tool = sprintf('<small class="mf_tip"><em>%s</em><span class="mf_helptext">%s</span></small>',__( 'What\'s this?', $mf_domain ),'%s');
Expand Down Expand Up @@ -406,8 +406,8 @@ public function load_js_css_base(){
global $mf_domain;

wp_enqueue_style( 'mf_field_base', MF_BASENAME.'css/mf_field_base.css' );
wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
wp_enqueue_script( 'tmpl', MF_BASENAME.'js/third_party/jquery.tmpl.js');
wp_enqueue_script( 'mf_field_base', MF_BASENAME.'js/mf_field_base.js');
wp_enqueue_script( 'mf_sortable_groups', MF_BASENAME.'js/mf_sortable_groups.js', array( 'jquery-ui-sortable' ) );

$mceAddString = "mceAddControl";
Expand All @@ -424,18 +424,19 @@ public function load_js_css_base(){
'mf_validation_error_msg' => __('Sorry, some required fields are missing. Please provide values for any highlighted fields and try again.',$mf_domain),
'mf_image_media_set' => __('Insert into field',$mf_domain),
'mf_mceAddString' => $mceAddString,
'mf_mceRemoveString' => $mceRemoveString
'mf_mceRemoveString' => $mceRemoveString,
'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" )
);
wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );
wp_localize_script( 'mf_field_base', 'mf_js', $js_vars );

}

/* enqueue css and js of fields */
public function load_js_css_fields(){
//Loading any custom field if is required

//Loading any custom field if is required
if( !empty( $_GET['post']) && is_numeric( $_GET['post'] ) ) {//when the post already exists
$post_type = get_post_type($_GET['post']);
$post_type = get_post_type($_GET['post']);
}else{ //Creating a new post
$post_type = (!empty($_GET['post_type'])) ? $_GET['post_type'] : 'post';
}
Expand All @@ -458,7 +459,7 @@ public function load_js_css_fields(){
$type = $field."_field";
$type = new $type();
$properties = $type->get_properties();

if ( $properties['js'] ) {
wp_enqueue_script(
'mf_field_'.$field,
Expand All @@ -467,7 +468,7 @@ public function load_js_css_fields(){
null,
true
);

/* idear forma por si se necesita mas de dos js*/
if( isset($properties['js_internal']) ){
wp_enqueue_script(
Expand All @@ -481,21 +482,21 @@ public function load_js_css_fields(){
}

if ( $properties['css'] ) {
wp_enqueue_style(
wp_enqueue_style(
'mf_field_'.$field,
MF_BASENAME.'field_types/'.$field.'_field/'.$field.'_field.css'
);
}

if ( !empty($properties['css_dependencies'] )) {
foreach($properties['css_dependencies'] as $css_script) {
wp_enqueue_style($css_script);
}
}

/* load css internal */
if(isset($properties['css_internal'])){
wp_enqueue_style(
wp_enqueue_style(
'mf_field_'.preg_replace('/\./','_',$properties['css_internal']),
MF_BASENAME.'field_types/'.$field.'_field/'.$properties['css_internal']
);
Expand All @@ -509,41 +510,41 @@ public function check_exist_visual_editor(){

if( isset($_GET['action']) && $_GET['action'] == 'trash' ) {//when the post already exists
return;
}
}

if( !empty( $_GET['post']) && is_numeric( $_GET['post'] ) ) {//when the post already exists
$post_type = get_post_type($_GET['post']);
$post_type = get_post_type($_GET['post']);
}else{ //Creating a new post
$post_type = (!empty($_GET['post_type'])) ? $_GET['post_type'] : 'post';
}

$mf_posttype = new mf_posttype();
$pt = $mf_posttype->get_post_type($post_type);

if ($pt && !isset($pt['support']['editor'])) {
echo "<style>#postdivrich {display:none; }</style>";
}

}

}

public function media_buttons_add_mf(){

print '<div style="display:none;">';
do_action( 'media_buttons' );
print '</div>';
print '</div>';
}

public function register_media_button($buttons) {
array_push($buttons, "separator","add_image","add_video","add_audio","add_media");
return $buttons;
}

public function tmce_not_remove_p_and_br(){
?>
<script type="text/javascript">
//<![CDATA[
//<![CDATA[
jQuery('body').bind('afterPreWpautop', function(e, o){
o.data = o.unfiltered
.replace(/caption\]\[caption/g, 'caption] [caption')
Expand All @@ -557,40 +558,40 @@ public function tmce_not_remove_p_and_br(){
</script>
<?php
}

public function general_option_multiline(){

/* load aditional options for multiline */
add_filter('mce_buttons', array($this,'register_media_button'));

if( mf_settings::get('dont_remove_tags') == '1'){
add_action( 'admin_print_footer_scripts', array($this,'tmce_not_remove_p_and_br'), 50 );
}

}

public function categories_of_post_type(){

global $wpdb;
$assignedCategoryIds = array();

if( count($_GET) == 0){ $_GET['post_type'] = 'post'; }

if (isset($_GET['post_type'])) {
$post_type_key = sprintf('_cat_%s',$_GET['post_type']);

$sql ="SELECT meta_value FROM ".$wpdb->postmeta." WHERE meta_key='".$post_type_key."' ";
$check = $wpdb->get_row($sql);
if ($check) {
$cata = $check->meta_value;
$assignedCategoryIds = maybe_unserialize($cata);
}
}


?>
<script type="text/javascript">
var mf_categories = new Array(<?php echo '"'.implode('","',$assignedCategoryIds).'"' ?>);
var mf_categories = new Array(<?php echo '"'.implode('","',$assignedCategoryIds).'"' ?>);
jQuery(document).ready(function($) {

if(mf_categories.length == 1 && mf_categories[0] == "" ){
Expand All @@ -606,15 +607,15 @@ public function categories_of_post_type(){
<?php
}
public function set_categories(){

add_action( 'admin_print_footer_scripts', array($this,'categories_of_post_type'), 50 );
}


//MF Meta box for select template
function mf_metabox_template () {
global $post;

if ( 0 != count( get_page_templates() ) ) {

$template = get_post_meta($post->ID, '_wp_mf_page_template', TRUE);
Expand All @@ -624,7 +625,7 @@ function mf_metabox_template () {
<option value='default'><?php _e('Default Template'); ?></option>
<?php page_template_dropdown($template); ?>
</select>
<?php
<?php
}
}
}
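Review bot: In categories_of_post_type the `$sql =` line still builds the query by concatenating `$post_type_key`, which is formatted directly from `$_GET['post_type']` a few lines above, so the meta_key filter passed to `$wpdb->get_row()` is request-controlled and unescaped; since this commit re-indents the function anyway, it is the natural place to parameterise it: `$sql = $wpdb->prepare( "SELECT meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s", $post_type_key );`. Most of this section is whitespace-only re-indentation printed as paired identical lines, which buries the single functional change — the `'mf_nonce_ajax' => wp_create_nonce( "mf_nonce_ajax" )` entry in load_js_css_base — and would be easier to review as a separate formatting commit. categories_of_post_type continues into inline JavaScript past the end of its hunk.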
