Changeset 2584039
- Timestamp:
- 08/17/2021 08:52:20 AM (5 years ago)
- Location:
- wp-upload-restriction/trunk
- Files:
-
- 5 edited
-
content.php (modified) (2 diffs)
-
js/wp-upload-restriction.js (modified) (3 diffs)
-
readme.txt (modified) (2 diffs)
-
settings.php (modified) (1 diff)
-
wp-upload-restriction.php (modified) (12 diffs)
wp-upload-restriction/trunk/content.php
r2533439 r2584039 11 11 <div> 12 12 <label for="ext_<?php echo $i; ?>"> 13 <input id="ext_<?php echo $i; ?>" type="checkbox" name="types[]" class="chk-mime-types" <?php echo $checked; ?> value="<?php echo $ext; ?>::<?php echo $type; ?>"> <?php echo $this->processExtention($ext); ?>13 <input id="ext_<?php echo $i; ?>" type="checkbox" name="types[]" class="chk-mime-types" <?php echo $checked; ?> value="<?php echo esc_attr($ext); ?>::<?php echo esc_attr($type); ?>"> <?php echo $this->processExtention($ext); ?> 14 14 </label> 15 15 </div> … … 26 26 <input type="checkbox" name="restrict_upload_size" value="1" <?php echo $restrict_upload_size ? 'checked="checked"' : ''; ?>> <lable for="restrict_upload_size"><?php _e('Restrict upload size to', 'wp_upload_restriction'); ?></lable> 27 27 <label> 28 <input type="text" maxlength="5" size="6" name="upload_size" value="<?php echo $upload_size; ?>">28 <input type="text" maxlength="5" size="6" name="upload_size" value="<?php echo esc_attr($upload_size); ?>"> 29 29 <select name="upload_size_unit"> 30 30 <option value="KB" <?php echo $upload_size_unit == 'KB' ? 'selected="selected"' : ''; ?>>KB</option> -
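Review bot: The label text `<?php echo $this->processExtention($ext); ?>` on line 13 is still emitted unescaped in HTML text context, while the same `$ext` is now wrapped in esc_attr() for the value attribute a few characters earlier. From the processExtention hunk in wp-upload-restriction.php, that helper appears to escape only when the key contains `|`, so a single-extension custom key would presumably reach the page raw. Escaping at the output site, `<?php echo esc_html($this->processExtention($ext)); ?>`, and letting processExtention return the joined text unescaped, covers both shapes without double-encoding. The surrounding loop starts and ends outside the lines shown.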
wp-upload-restriction/trunk/js/wp-upload-restriction.js
r2533439 r2584039 13 13 var d = new Date(); 14 14 var data = { 15 'action': 'get_selected_mimes_by_role', 16 'role': $('#current-role').val() 15 action : 'get_selected_mimes_by_role', 16 role : $('#current-role').val(), 17 wpur_nonce : wpur_ajax_nonce 17 18 }; 18 19 … … 54 55 action : 'save_custom_type', 55 56 ext : $('#extensions').val(), 56 mime : $('#mime_type').val() 57 mime : $('#mime_type').val(), 58 wpur_nonce : wpur_ajax_nonce 57 59 }; 58 60 … … 85 87 var data = { 86 88 action : 'delete_custom_type', 87 ext : ext 89 ext : ext, 90 wpur_nonce : wpur_ajax_nonce 88 91 }; 89 92 -
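Review bot: `wpur_ajax_nonce` is read as a bare global in all three payloads (new lines 17, 58 and 90), and the only place that defines it is the inline `<script>` added to settings.php, so if that block is ever missing or reordered the click handlers fail with a ReferenceError before any request is sent. Attaching the value to the script that consumes it is the usual pattern: in enqueueJS, `wp_localize_script('wp-upload-restriction-js', 'wpur', array('nonce' => wp_create_nonce('wpur-ajax-req')));` and here `wpur_nonce : wpur.nonce`. That also removes the hand-built JavaScript string literal from settings.php. The enclosing handlers start and end outside the hunks shown.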
wp-upload-restriction/trunk/readme.txt
r2552518 r2584039 2 2 Contributors: msh134 3 3 Tags: upload, media, developer tool 4 Tested up to: 5. 7.25 Stable tag: 2.2. 34 Tested up to: 5.8 5 Stable tag: 2.2.5 6 6 License: GPLv2 or later 7 7 … … 33 33 34 34 == Changelog == 35 = 2.2.5 = 36 * Fixed security issues. 37 35 38 = 2.2.3 = 36 39 * Minor fixes. -
wp-upload-restriction/trunk/settings.php
r1904410 r2584039 5 5 $roles = $wpUploadRestriction->getAllRoles(); 6 6 $custom_types_html = $wpUploadRestriction->prepareCustomTypeHTML(); 7 $ajax_nonce = wp_create_nonce('wpur-ajax-req'); 7 8 ?> 9 <script type="text/javascript">var wpur_ajax_nonce = "<?php echo $ajax_nonce; ?>";</script> 8 10 <div id="message" class="updated fade"><p><?php _e('Settings saved.', 'wp_upload_restriction') ?></p></div> 9 11 <div id="error_message" class="error fade"><p><?php _e('Settings could not be saved.', 'wp_upload_restriction') ?></p></div> -
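Review bot: The new inline script on line 9 interpolates `$ajax_nonce` into a JavaScript string literal with a plain echo. As far as I know wp_create_nonce() returns a short alphanumeric token, so this is not exploitable as written, but output into a script context should still be escaped for that context — `var wpur_ajax_nonce = "<?php echo esc_js($ajax_nonce); ?>";` — so the page does not depend on the nonce format staying benign. The block is also emitted on every render of this template, whereas `wp_add_inline_script('wp-upload-restriction-js', ...)` called from enqueueJS would print it only alongside the script that reads it.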
wp-upload-restriction/trunk/wp-upload-restriction.php
r2552518 r2584039 4 4 Plugin URI: https://wordpress.org/plugins/wp-upload-restriction/ 5 5 Description: This plugin allows you to control upload of files based on file types and sizes. 6 Version: 2.2. 36 Version: 2.2.5 7 7 Author: Sajjad Hossain 8 8 Author URI: http://www.sajjadhossain.com … … 55 55 public function adminInit() { 56 56 load_plugin_textdomain('wp_upload_restriction', false, $this->plugin_path . '/languages'); 57 wp_register_style('wp-upload-restrictions-styles', plugins_url('css/wp-upload-restrictions-styles.css', __FILE__), [], '2.2. 2');57 wp_register_style('wp-upload-restrictions-styles', plugins_url('css/wp-upload-restrictions-styles.css', __FILE__), [], '2.2.5'); 58 58 } 59 59 … … 65 65 public function enqueueJS($hook){ 66 66 if( 'wp-upload-restriction/settings.php' == $hook ) { 67 wp_enqueue_script( 'wp-upload-restriction-js', plugins_url('js/wp-upload-restriction.js', __FILE__), array('jquery'), '2.2. 2' );67 wp_enqueue_script( 'wp-upload-restriction-js', plugins_url('js/wp-upload-restriction.js', __FILE__), array('jquery'), '2.2.5' ); 68 68 } 69 } 70 71 /** 72 * Add a submenu for settings page under Settings menu 73 */ 74 public function addAdminMenu() { 75 add_submenu_page('options-general.php', 'WP Upload Restriction', 'WP Upload Restriction', 'manage_options', 'wp-upload-restriction/settings.php'); 76 } 77 78 /** 79 * Add settings link in Plugins page. 80 * 81 * @param array $links 82 * @param string $file 83 * @return array 84 */ 85 public function addSettingsLink($links, $file) { 86 87 if (is_null($this->plugin_name)) { 88 $this->plugin_name = plugin_basename(__FILE__); 89 } 90 91 if ($file == $this->plugin_name) { 92 $settings_link = '<a href="options-general.php?page=wp-upload-restriction/settings.php">' . __('Settings', 'wp_upload_restriction') . 
'</a>'; 93 array_unshift($links, $settings_link); 94 } 95 96 return $links; 97 } 98 99 /** 100 * Deletes selected MIMEs option 101 */ 102 public function uninstall() { 103 global $wp_roles; 104 105 delete_option('wpur_selected_mimes'); 106 delete_site_option('wpur_db_version'); 107 108 foreach($wp_roles->roles as $role => $details){ 109 delete_option('wpur_selected_mimes_' . $role); 110 } 69 111 } 70 112 … … 146 188 147 189 /** 148 * Add a submenu for settings page under Settings menu149 */150 public function addAdminMenu() {151 add_submenu_page('options-general.php', 'WP Upload Restriction', 'WP Upload Restriction', 'manage_options', 'wp-upload-restriction/settings.php');152 }153 154 /**155 * Add settings link in Plugins page.156 *157 * @param array $links158 * @param string $file159 * @return array160 */161 public function addSettingsLink($links, $file) {162 163 if (is_null($this->plugin_name)) {164 $this->plugin_name = plugin_basename(__FILE__);165 }166 167 if ($file == $this->plugin_name) {168 $settings_link = '<a href="options-general.php?page=wp-upload-restriction/settings.php">' . __('Settings', 'wp_upload_restriction') . '</a>';169 array_unshift($links, $settings_link);170 }171 172 return $links;173 }174 175 /**176 * Deletes selected MIMEs option177 */178 public function uninstall() {179 global $wp_roles;180 181 delete_option('wpur_selected_mimes');182 delete_site_option('wpur_db_version');183 184 foreach($wp_roles->roles as $role => $details){185 delete_option('wpur_selected_mimes_' . $role);186 }187 }188 189 /**190 190 * Process settings form post. 
191 191 * … … 193 193 */ 194 194 public function saveSelectedMimeTypesByRole() { 195 $request_method = filter_input(INPUT_SERVER, 'REQUEST_METHOD'); 196 $nonce = filter_input(INPUT_POST, 'wpur_nonce'); 197 $role = filter_input(INPUT_POST, 'role'); 198 $mime_types = filter_input(INPUT_POST, 'types', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY); 199 $restrict_upload_size = filter_input(INPUT_POST, 'restrict_upload_size', FILTER_SANITIZE_NUMBER_INT); 200 $upload_size = filter_input(INPUT_POST, 'upload_size', FILTER_SANITIZE_NUMBER_INT); 201 $upload_size_unit = filter_input(INPUT_POST, 'upload_size_unit'); 202 203 if ($request_method == 'POST' 204 && wp_verify_nonce($nonce, 'wp-upload-restrict') 205 && !empty($role) 206 && in_array($role, $this->getAllRolesArray())) { 207 208 $this->setRolesMaxUploadSize($role, $restrict_upload_size, $upload_size, $upload_size_unit); 209 210 if (!empty($mime_types)) { 211 $types = array(); 212 foreach ($mime_types as $type_str) { 213 list($ext, $mime) = explode('::', $type_str); 214 $types[$ext] = $mime; 195 if($this->canUserAccess()){ 196 $request_method = filter_input(INPUT_SERVER, 'REQUEST_METHOD'); 197 $nonce = filter_input(INPUT_POST, 'wpur_nonce'); 198 $role = sanitize_text_field(filter_input(INPUT_POST, 'role')); 199 200 if ($request_method == 'POST' 201 && wp_verify_nonce($nonce, 'wp-upload-restrict') 202 && !empty($role) 203 && in_array($role, $this->getAllRolesArray())) { 204 205 $mime_types = array_map(function($value){ 206 return sanitize_text_field($value); 207 }, filter_input(INPUT_POST, 'types', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY)); 208 $restrict_upload_size = sanitize_text_field(filter_input(INPUT_POST, 'restrict_upload_size', FILTER_SANITIZE_NUMBER_INT)); 209 $upload_size = sanitize_text_field(filter_input(INPUT_POST, 'upload_size', FILTER_SANITIZE_NUMBER_INT)); 210 $upload_size_unit = sanitize_text_field(filter_input(INPUT_POST, 'upload_size_unit')); 211 212 $this->setRolesMaxUploadSize($role, $restrict_upload_size, 
$upload_size, $upload_size_unit); 213 214 if (!empty($mime_types)) { 215 $types = array(); 216 foreach ($mime_types as $type_str) { 217 list($ext, $mime) = explode('::', $type_str); 218 $types[$ext] = $mime; 219 } 220 221 update_option('wpur_selected_mimes_' . $role, $types); 222 echo 'yes'; 215 223 } 216 217 update_option('wpur_selected_mimes_' . $role, $types);218 echo 'yes';219 }220 else {221 update_option('wpur_selected_mimes_' . $role, array());222 echo 'yes'; 223 }224 else { 225 update_option('wpur_selected_mimes_' . $role, array()); 226 echo 'yes'; 227 } 228 wp_die(); 229 } 230 231 echo 'no'; 224 232 wp_die(); 225 233 } 226 227 echo 'no';228 wp_die();229 234 } 230 235 … … 237 242 public function processExtention($ext) { 238 243 if (strpos($ext, '|')) { 239 $pieces = explode('|', $ext); 244 $pieces = array_map(function($value){ 245 return esc_attr($value); 246 }, explode('|', $ext)); 240 247 $ext = implode(', ', $pieces); 241 248 } … … 270 277 */ 271 278 public function getSelectedMimeTypesByRole(){ 272 $ role = filter_input(INPUT_POST, 'role');273 274 if(!empty($role) && in_array($role, $this->getAllRolesArray())){279 $nonce = filter_input(INPUT_POST, 'wpur_nonce'); 280 if($this->canUserAccess() && wp_verify_nonce($nonce, 'wpur-ajax-req')){ 281 $role = filter_input(INPUT_POST, 'role'); 275 282 276 $wp_mime_types = $this->getWPSupportedMimeTypes(); 277 $selected_mimes = $this->getSelectedMimeTypes($role); 278 $restrict_upload_size = $this->isUploadSizeRestricted($role); 279 $upload_size_unit = get_option('wpur_max_upload_unit_' . $role, 'MB'); 280 $upload_size = $this->getRoleMaxUploadSize($role, false, $upload_size_unit); 281 282 $check_all = $selected_mimes === false; 283 284 ob_start(); 285 require_once dirname(__FILE__) . 
'/content.php'; 286 $content = ob_get_contents(); 287 ob_end_clean(); 288 echo $content; 289 290 wp_die(); 283 if(!empty($role) && in_array($role, $this->getAllRolesArray())){ 284 285 $wp_mime_types = $this->getWPSupportedMimeTypes(); 286 $selected_mimes = $this->getSelectedMimeTypes($role); 287 $restrict_upload_size = $this->isUploadSizeRestricted($role); 288 $upload_size_unit = get_option('wpur_max_upload_unit_' . $role, 'MB'); 289 $upload_size = $this->getRoleMaxUploadSize($role, false, $upload_size_unit); 290 291 $check_all = $selected_mimes === false; 292 293 ob_start(); 294 require_once dirname(__FILE__) . '/content.php'; 295 $content = ob_get_contents(); 296 ob_end_clean(); 297 echo $content; 298 299 wp_die(); 300 } 291 301 } 292 302 } … … 322 332 * Returns an array of all roles machine names 323 333 * 324 * @global type$wp_roles325 * @return type334 * @global array $wp_roles 335 * @return array 326 336 */ 327 337 private function getAllRolesArray(){ … … 390 400 */ 391 401 public function saveCustomType(){ 392 $custom_types = $this->getCustomTypes(); 393 394 if(empty($custom_types)){ 395 $custom_types = array(); 396 } 397 398 $ext = filter_input(INPUT_POST, 'ext'); 399 $mime = filter_input(INPUT_POST, 'mime'); 400 401 if($ext && $mime){ 402 $custom_types[$ext] = $mime; 403 update_option('wpur_custom_types', $custom_types); 404 405 echo json_encode(array( 406 'success'=> 'yes', 407 'types' => $this->prepareCustomTypeHTML() 408 )); 409 } 410 else{ 411 echo json_encode(array( 412 'success' => 'no', 413 'error' => __('Required information is missing.', 'wp_upload_restriction') 414 )); 415 } 416 417 wp_die(); 402 $nonce = filter_input(INPUT_POST, 'wpur_nonce'); 403 if($this->canUserAccess() && wp_verify_nonce($nonce, 'wpur-ajax-req')){ 404 $custom_types = $this->getCustomTypes(); 405 406 if(empty($custom_types)){ 407 $custom_types = array(); 408 } 409 410 $ext = sanitize_text_field(filter_input(INPUT_POST, 'ext')); 411 $mime = 
sanitize_text_field(filter_input(INPUT_POST, 'mime')); 412 413 if($ext && $mime){ 414 $custom_types[$ext] = $mime; 415 update_option('wpur_custom_types', $custom_types); 416 417 echo json_encode(array( 418 'success'=> 'yes', 419 'types' => $this->prepareCustomTypeHTML() 420 )); 421 } 422 else{ 423 echo json_encode(array( 424 'success' => 'no', 425 'error' => __('Required information is missing.', 'wp_upload_restriction') 426 )); 427 } 428 429 wp_die(); 430 } 418 431 } 419 432 … … 422 435 */ 423 436 public function deleteCustomType(){ 424 $ext = filter_input(INPUT_POST, 'ext'); 425 426 if($ext) { 427 $custom_types = $this->getCustomTypes(); 428 if(!empty($custom_types) && !empty($custom_types[$ext])){ 429 unset($custom_types[$ext]); 430 update_option('wpur_custom_types', $custom_types); 431 $this->revokeGrantFromRoles($ext); 432 } 433 434 echo 'yes'; 435 } 436 else{ 437 echo 'no'; 438 } 439 440 wp_die(); 437 $nonce = filter_input(INPUT_POST, 'wpur_nonce'); 438 if($this->canUserAccess() && wp_verify_nonce($nonce, 'wpur-ajax-req')){ 439 $ext = sanitize_text_field(filter_input(INPUT_POST, 'ext')); 440 441 if($ext) { 442 $custom_types = $this->getCustomTypes(); 443 if(!empty($custom_types) && !empty($custom_types[$ext])){ 444 unset($custom_types[$ext]); 445 update_option('wpur_custom_types', $custom_types); 446 $this->revokeGrantFromRoles($ext); 447 } 448 449 echo 'yes'; 450 } 451 else{ 452 echo 'no'; 453 } 454 455 wp_die(); 456 } 441 457 } 442 458 … … 497 513 foreach ($custom_types as $ext => $mime) { 498 514 $html .= '<tr id="row-' . $i . '"> 499 <td>' . $ext. '</td>500 <td>' . $mime. '</td>501 <td><a href="#" data-row="row-' . $i . '" data="' . $ext. '" class="del-mime">Delete</a></td>515 <td>' . esc_attr($ext) . '</td> 516 <td>' . esc_attr($mime) . '</td> 517 <td><a href="#" data-row="row-' . $i . '" data="' . esc_attr($ext) . 
'" class="del-mime">Delete</a></td> 502 518 </tr>'; 503 519 $i++; … … 562 578 delete_option('wpur_selected_mimes'); 563 579 } 580 581 /** 582 * Check user's access 583 */ 584 private function canUserAccess(){ 585 return current_user_can('manage_options'); 586 } 564 587 } 565 588
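Review bot: In saveSelectedMimeTypesByRole, new line 205 passes the result of `filter_input(INPUT_POST, 'types', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY)` straight into array_map(); when no checkbox is checked that call returns null, and array_map() with a null array raises a TypeError on PHP 8 (a warning with a null result on PHP 7), so the "no types selected" path that the else-branch at new line 224 is written to handle no longer reaches it on PHP 8. Guard the input first: `$raw_types = filter_input(INPUT_POST, 'types', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY);` then `$mime_types = is_array($raw_types) ? array_map(function($value){ return sanitize_text_field($value); }, $raw_types) : array();`. sanitize_text_field() also does not enforce the `ext::mime` shape, so `list($ext, $mime) = explode('::', $type_str)` at new line 217 still leaves `$mime` undefined for a value without `::`; skipping such entries with `if (strpos($type_str, '::') === false) { continue; }` keeps the stored option well-formed. The other handlers read scalars, so they are not affected by this null-array case.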