Changeset 3221099

Timestamp:

01/12/2025 03:01:34 PM (13 months ago)

Author:

sourov

Message:

3.1.2dev

Location:

user-meta/trunk

Files:

• controllers/ShortcodesController.php (modified) (1 diff)
• models/MethodsModel.php (modified) (1 diff)
• models/SupportHtmlModel.php (modified) (1 diff)
• readme.txt (modified) (2 diffs)
• user-meta.php (modified) (1 diff)

user-meta/trunk/controllers/ShortcodesController.php

@@ -97 +97 @@
 
         $publicProfile = new PublicProfile($form, $call, $style);
-        return $publicProfile->generate();
+
+        if (!$userMeta->isPro()) {
+            // show public profile only to user with 'edit_user' capability
+            if (current_user_can('edit_users')) {
+                return $publicProfile->generate();
+            }
+            else {
+                return $userMeta->showError(esc_html__('You do not have permission to view this user profile!', $userMeta->name));
+            }
+        }
+        else {
+            return $publicProfile->generate();
+        }        
     }
  

user-meta/trunk/models/MethodsModel.php

@@ -81 +81 @@
             // elseif ( ! get_option( 'users_can_register' ) )
         } elseif ($actionType == 'public') {
+            if (!current_user_can('edit_users') && !$userMeta->isPro()) {
+                return $userMeta->showError(esc_html__('You do not have permission to view this user profile!', $userMeta->name));
+            }
             if (! empty($_REQUEST['user_id'])) {
                 $userID = esc_attr($_REQUEST['user_id']);

user-meta/trunk/models/SupportHtmlModel.php

@@ -62 +62 @@
         $html .= '<p><div><strong>' . __('Registration shortcode', $userMeta->name) . '</strong></div>[user-meta-registration form="Form_Name"]</p>';
         $html .= '<p><div><strong>' . __('Profile / Registration', $userMeta->name) . '</strong></div><div>[user-meta type=profile-registration form="Form_Name"]</div><div><em>(To show user profile if user logged in, or showing registration form, if user not logged in.)</em></div></p>';
-        $html .= '<p><div><strong>' . __('Public profile', $userMeta->name) . '</strong></div><div>[user-meta type=public form="Form_Name"] or [user-meta-public-profile form="Form_Name"]</div><div><em>(To show public profile if user_id parameter provided as GET request. For the later one, optional parameters: call="id/email/username", style="table/plain/line")</em></div></p>';
+        if ($userMeta->isPro()) {
+            $html .= '<p><div><strong>' . __('Public profile', $userMeta->name) . '</strong></div><div>[user-meta type=public form="Form_Name"] or [user-meta-public-profile form="Form_Name"]</div><div><em>(To show public profile if user_id parameter provided as GET request. For the later one, optional parameters: call="id/email/username", style="table/plain/line")</em></div></p>';
+        }
         $html .= '<p><div><strong>' . __('Login shortcode', $userMeta->name) . '</strong></div>[user-meta-login] OR [user-meta-login form="Form_Name"]</p>';
         if ($userMeta->isPro()) {

user-meta/trunk/readme.txt

@@ -5 +5 @@
 Requires PHP: 5.6.0
 Tested up to: 6.7.1
-Stable tag: 3.1
+Stable tag: 3.1.2
 Copyright: User Meta, https://user-meta.com
 License: GPLv2
@@ -163 +163 @@
 
 == Changelog ==
+
+= 3.1.2 =
+* Fix: Security fix
+* Public profile shortcode functionality reduced and output restricted 
 
 = 3.0 =

user-meta/trunk/user-meta.php

@@ -4 +4 @@
  * Plugin URI: https://user-meta.com
  * Description: A well-designed, feature-rich, and easy to use user management plugin.
- * Version: 3.1.1dev
+ * Version: 3.1.2dev
  * Requires at least: 4.7
  * Requires PHP: 5.6.0