Changeset 1917088

Timestamp:

07/30/2018 09:17:23 PM (7 years ago)

Author:

mindnl

Message:

added nonces and current_user_can() for security purpose

Location:

ad-buttons/tags/3.0

Files:

• adbuttons.php (modified) (2 diffs)
• adbuttonsact.php (modified) (1 diff)
• adbuttonsadmin.php (modified) (1 diff)
• adbuttonsstats.php (modified) (2 diffs)

ad-buttons/tags/3.0/adbuttons.php

@@ -360 +360 @@
         echo $after_widget;
     }
-    
+        
     function ad_buttons_widget_control() {
         $options = $newoptions = get_option('widget_adbuttons_cfg');
-        if($_SERVER['REQUEST_METHOD'] == 'POST'){
-            if ( !empty($_POST['ad_buttons_widget_submit']) ) {
+        if($_SERVER['REQUEST_METHOD'] == 'POST' && current_user_can( 'manage_options' )) {
+            // add a nonce check here
+            //adbuttonsupdtitle
+            
+            if ( !empty($_POST['ad_buttons_widget_submit']) && wp_verify_nonce( $_POST['adbuttonsupdtitle'], 'adbuttons_updatewidgettitle' )) {
                 $newoptions['ab_title'] = sanitize_text_field( $_POST['ad_buttons_widget_title'] );
             }
@@ -373 +376 @@
         }
         $title = esc_attr($options['ab_title']);
+        // add a nonce creation here
         ?>
             <p><label for="ad_buttons_widget_title"><?php _e('Title:'); ?> <input class="widefat" id="ad_buttons_widget_title" 
             name="ad_buttons_widget_title" type="text" value="<?php echo esc_html( $title ); ?>" /></label></p>
+            <?php wp_nonce_field( 'adbuttons_updatewidgettitle', 'adbuttonsupdtitle' ); ?>
             <input type="hidden" id="ad_buttons_widget_submit" name="ad_buttons_widget_submit" value="1" /><br/>
             That's all you can set here. All other options and ad controls can be found in the <strong>Ad Buttons</strong> 

ad-buttons/tags/3.0/adbuttonsact.php

@@ -68 +68 @@
 
 // check if the form has been submitted and validate input
-if( $_SERVER['REQUEST_METHOD'] == 'POST' ){
+if( $_SERVER['REQUEST_METHOD'] == 'POST' && current_user_can( 'manage_options' )){
     if ( ! isset( $_POST['_abupd'] ) || ! wp_verify_nonce( $_POST['_abupd'], 'update-ad' )) {
         print 'Sorry, your nonce did not verify.';

ad-buttons/tags/3.0/adbuttonsadmin.php

@@ -36 +36 @@
 
 // check if the form has been submitted and validate input
-if( $_SERVER['REQUEST_METHOD'] == 'POST' ){
+if( $_SERVER['REQUEST_METHOD'] == 'POST' && current_user_can( 'manage_options' )){
     if ( ! isset( $_POST['_abupd'] ) || ! wp_verify_nonce( $_POST['_abupd'], 'update-settings' )) {
         print 'Sorry, your nonce did not verify.';

ad-buttons/tags/3.0/adbuttonsstats.php

@@ -55 +55 @@
 <p>
 <?php
-if ($cleanup === 1) {
-    
+if ($cleanup === 1 && wp_verify_nonce( $_REQUEST['adbuttonscleanup'], 'cleanupstats' ) && current_user_can( 'manage_options' )) {
+
     echo "cleaning up stats database...</br>";
     // CLEANUP PROCEDURE
@@ -84 +84 @@
 
 if ($old_records > 0) { 
-    echo "Total old records: <b>";
-    echo $old_records;  
-    echo "</b> cleaning up old records will free up space in the database. The daily totals will still be available for viewing here.</br>";
-    echo "<a class=\"button button-primary \" href=\"$nplink&cln=1\">clean up now</a>";
+    echo 'Total old records: <b>'.$old_records.'</b> cleaning up old records will free up space in the database. The daily totals will still be available for viewing here.</br>';
+    echo '<a class="button button-primary" href="'.esc_url( add_query_arg( array( 'cln' => '1', 'adbuttonscleanup' => wp_create_nonce('cleanupstats') ) ) ).'">clean up now</a>';
 }   
+
 
 ?>