Changeset 1527897

Timestamp:

11/04/2016 07:27:48 AM (9 years ago)

Author:

froman118

Message:

Permission and security fixes

Location:

my-link-order/trunk

Files:

• mylinkorder.php (modified) (12 diffs)
• readme.txt (modified) (2 diffs)

my-link-order/trunk/mylinkorder.php

@@ -4 +4 @@
 Plugin URI: http://www.geekyweekly.com/mylinkorder
 Description: My Link Order allows you to set the order in which links and link categories will appear in the sidebar. Uses a drag and drop interface for ordering. Adds a widget with additional options for easy installation on widgetized themes.
-Version: 4.3
+Version: 4.4.2
 Author: Andrew Charlton
 Author URI: http://www.geekyweekly.com
 Author Email: [email protected]
 */
+
+function mylinkorder_init() {
 
 function mylinkorder_menu()
@@ -50 +52 @@
     $catID = 0;
     
+    current_user_can('manage_links'); 
+    
     if (isset($_POST['btnCats']))
         $catID = $_POST['cats'];
     elseif (isset($_POST['hdnCatID'])) 
         $catID = $_POST['hdnCatID'];
+        
+    if(!is_numeric($catID))
+        return '<div id="message" class="error fade"><p>'. __('An error occured.', 'mylinkorder').'</p></div>';
 
     if (isset($_POST['btnReturnParent']))
@@ -71 +78 @@
     
     if (isset($_POST['btnOrderCats'])) { 
+        check_admin_referer('update_cats_mylinkorder');
         $idString = $_POST['hdnMyLinkOrder'];
         $catIDs = explode(",", $idString);
         $result = count($catIDs);
-        for($i = 0; $i <= $result; $i++)
+        for($i = 0; $i < $result; $i++)
         {
             $str = str_replace("id_", "", $catIDs[$i]);
+            
+            if(!is_numeric($str))
+                return '<div id="message" class="error fade"><p>'. __('An error occured, order has not been saved.', 'mylinkorder').'</p></div>';
+            
             $wpdb->query( $wpdb->prepare("UPDATE $wpdb->terms SET term_order = %d WHERE term_id = %d", $i, $str) );
         }
@@ -84 +96 @@
     
     if (isset($_POST['btnOrderLinks'])) { 
+        check_admin_referer('update_mylinkorder_'.$catID);
         $idString = $_POST['hdnMyLinkOrder'];
         $linkIDs = explode(",", $idString);
         $result = count($linkIDs);
-        for($i = 0; $i <= $result; $i++)
+        for($i = 0; $i < $result; $i++)
         {
             $str = str_replace("id_", "", $linkIDs[$i]);
+            
+            if(!is_numeric($str))
+                return '<div id="message" class="error fade"><p>'. __('An error occured, order has not been saved.', 'mylinkorder').'</p></div>';
+                
             $wpdb->query($wpdb->prepare("UPDATE $wpdb->links SET link_order = %d WHERE link_id =%d ", $i, $str));
         }
@@ -108 +125 @@
         $cat_name = $wpdb->get_var($wpdb->prepare("SELECT name FROM $wpdb->terms WHERE term_id= %d", $catID));
     ?>
+        <?php wp_nonce_field('update_mylinkorder_'.$catID); ?>
         <h3><?php _e('Order Links for', 'mylinkorder') ?> <?php _e($cat_name) ?></h3>
 
@@ -128 +146 @@
         
         <p><?php _e('Choose a category from the drop down to order the links in that category or order the categories by dragging and dropping them.', 'mylinkorder') ?></p>
-    
+        <?php wp_nonce_field('update_cats_mylinkorder'); ?>
         <h3><?php _e('Order Links', 'mylinkorder') ?></h3>
     
@@ -225 +243 @@
     <?php
 }
+}
 
 function mylinkorder_applyorderfilter($orderby, $args)
@@ -235 +254 @@
 
 add_filter('get_terms_orderby', 'mylinkorder_applyorderfilter', 10, 2);
+add_action('plugins_loaded', 'mylinkorder_init');
 add_action('init', 'mylinkorder_loadtranslation');
 
@@ -244 +264 @@
 
     function __construct() {
-        $widget_ops = array('classname' => 'widget_mylinkorder', 'description' => __( 'Enhanced Link widget provided by My Link Order') );
+        $widget_ops = array('classname' => 'widget_mylinkorder widget_links', 'description' => __( 'Enhanced Link widget provided by My Link Order') );
         parent::__construct('mylinkorder', __('My Link Order'), $widget_ops);   }
 
@@ -273 +293 @@
 
         $before_widget = preg_replace('/id="[^"]*"/','id="%id"', $before_widget);
-        mylinkorder_list_bookmarks(apply_filters('widget_links_args', array('title_before' => $before_title, 'title_after' => $after_title, 'class' => 'linkcat widget',
+        mylinkorder_list_bookmarks(apply_filters('widget_links_args', array('title_before' => $before_title, 'title_after' => $after_title, 'class' => 'linkcat widget ',
             'category_before' => $before_widget, 'category_after' => $after_widget, 'exclude' => $exclude, 'include' => $include,
             'title_li' => $title_li, 'category_orderby' => $category_orderby, 'category_order' => $category_order, 'orderby' => $orderby, 'order' => $order,
@@ -480 +500 @@
         'title_before' => '<h2>', 'title_after' => '</h2>',
         'category_orderby' => 'name', 'category_order' => 'ASC',
-        'class' => 'linkcat', 'category_before' => '<li id="%id" class="%class">',
+        'class' => 'linkcat', 'category_before' => '<li id="%id" class="%class widget_links">',
         'category_after' => '</li>'
     );
@@ -668 +688 @@
 
     $results = $wpdb->get_results($query);
-
+    
     $cache[ $key ] = $results;
     wp_cache_set( 'get_bookmarks', $cache, 'bookmark' );

my-link-order/trunk/readme.txt

@@ -4 +4 @@
 Tags: link, category, categories, order, sidebar, widget
 Requires at least: 2.8
-Tested up to: 4.3
-Stable tag: 4.3
+Tested up to: 4.4.2
+Stable tag: 4.4.2
 
 My Link Order allows you to set the order in which links and link categories will appear in the sidebar.
@@ -25 +25 @@
 
 == Changelog ==
+= 4.4.2 =
+* Permission check and security improvement.
 = 4.3 =
 * PHP7 constructor update