- fixed vulnerability with uploading cover/profile photo for other user ID;

- re-written member directory meta queries;
- fixed search line additional slashes;
nikitasinelnikov committed Jan 8, 2020
1 parent f0e3bc9 commit 2496825
Showing 5 changed files with 309 additions and 489 deletions.
1 change: 1 addition & 0 deletions includes/admin/core/class-admin-settings.php
Expand Up @@ -120,6 +120,7 @@ function same_page_update_ajax() {

//member directory data
$metakeys[] = 'um_member_directory_data';
$metakeys[] = '_um_verified';

$skip_fields = UM()->builtin()->get_fields_without_metakey();
$skip_fields = array_merge( $skip_fields, UM()->member_directory()->core_search_fields );
11 changes: 11 additions & 0 deletions includes/core/class-files.php
Expand Up @@ -287,6 +287,12 @@ function ajax_resize_image() {
}

$user_id = empty( $_REQUEST['user_id'] ) ? get_current_user_id() : $_REQUEST['user_id'];

if ( ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
$ret['error'] = esc_js( __( 'You haven\'t ability to edit this user', 'ultimate-member' ) );
wp_send_json_error( $ret );
}

$image_path = um_is_file_owner( $src, $user_id, true );
if ( ! $image_path ) {
wp_send_json_error( esc_js( __( 'Invalid file ownership', 'ultimate-member' ) ) );
Expand Down Expand Up @@ -319,6 +325,11 @@ function ajax_image_upload() {
UM()->fields()->set_id = $_POST['set_id'];
UM()->fields()->set_mode = $_POST['set_mode'];

if ( ! UM()->roles()->um_current_user_can( 'edit', $user_id ) ) {
$ret['error'] = __( 'You haven\'t ability to edit this user', 'ultimate-member' );
wp_send_json_error( $ret );
}

/**
* UM hook
*
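Review bot: The `$user_id` on the first line of the ajax_resize_image hunk is taken from `$_REQUEST['user_id']` without any normalisation, so a non-numeric or negative value reaches `um_current_user_can()` and `um_is_file_owner()` unchanged; since this capability check is the whole fix, cast it at the source: `$user_id = empty( $_REQUEST['user_id'] ) ? get_current_user_id() : absint( $_REQUEST['user_id'] );`. The identical guard in the ajax_image_upload hunk tests a `$user_id` assigned outside the hunk, so whether it receives the same raw request value cannot be seen here and should be checked at that assignment. The two guards also differ in style: the first wraps the message in `esc_js()` while the second passes the plain `__()` string; since both go through `wp_send_json_error`, which JSON-encodes the payload, the plain form is the simpler one to keep in both places. Both enclosing functions start and end outside their hunks.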
