Changeset 3235962

Timestamp:

02/06/2025 11:26:10 AM (13 months ago)

Author:

iteras

Message:

Added bulk actions and paywall column to pages overview + fixed CSRF vulnerability

Location:

iteras/trunk

Files:

• DEVELOPMENT.txt (modified) (1 diff)
• README.txt (modified) (2 diffs)
• admin/iteras-admin.php (modified) (10 diffs)
• admin/views/admin.php (modified) (1 diff)
• iteras.php (modified) (1 diff)
• public/iteras-public.php (modified) (1 diff)

iteras/trunk/DEVELOPMENT.txt

@@ -50 +50 @@
 
   cd ..
-  svn commit -m 'New release' trunk
+  svn commit -m '<some commit message>' trunk
   svn cp trunk tags/<version>
-  svn commit -m 'New release' tags
+  svn commit -m 'Release <version>' tags

iteras/trunk/README.txt

@@ -2 +2 @@
 Tags: paywall, subscribe, subscriptions, subscription, subscribers, access-control, paid content, premium, premium content, monetize, magazine, media pass, registration, billing, membership, member, earn money
 Requires at least: 3.5.1
-Tested up to: 6.4.2
-Stable tag: 1.7.0
+Tested up to: 6.7.1
+Stable tag: 1.8.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -115 +115 @@
 
 == Changelog ==
+= 1.8.0 =
+* Paywall bulk actions and paywall column available on pages overview
+* Fixed potential CSRF problem with plugin settings form in Wordpress administration
+
 = 1.7.0 =
 * Paywall signing key is now handled separately

iteras/trunk/admin/iteras-admin.php

@@ -45 +45 @@
     add_filter( 'plugin_action_links_' . $plugin_basename, array( $this, 'add_action_links' ) );
 
-    // Add column on post list
-    add_filter( 'manage_post_posts_columns', array( $this, 'add_paywall_post_columns' ) );
-    add_action( 'manage_post_posts_custom_column', array( $this, 'populate_paywall_post_columns' ), 10, 2 );
+    // Add column on lists
+    add_filter( 'manage_post_posts_columns', array( $this, 'add_paywall_columns' ) );
+    add_action( 'manage_post_posts_custom_column', array( $this, 'populate_paywall_columns' ), 10, 2 );
+    add_filter( 'manage_page_posts_columns', array( $this, 'add_paywall_columns' ) );
+    add_action( 'manage_page_posts_custom_column', array( $this, 'populate_paywall_columns' ), 10, 2 );
     
     add_action( 'load-post.php', array( $this, 'paywall_post_meta_boxes_setup' ) );
@@ -55 +57 @@
     add_filter( 'bulk_actions-edit-post', array( $this, 'add_bulk_actions' ) );
     add_filter( 'handle_bulk_actions-edit-post', array( $this, 'execute_bulk_actions' ), 10, 3 );
+    add_filter( 'bulk_actions-edit-page', array( $this, 'add_bulk_actions' ) );
+    add_filter( 'handle_bulk_actions-edit-page', array( $this, 'execute_bulk_actions' ), 10, 3 );
   }
 
@@ -92 +96 @@
 
 
-  function add_paywall_post_columns( $columns ) {
+  function add_paywall_columns( $columns ) {
     $columns["iteras-paywalled"] = __("Paywall");
     return $columns;
@@ -98 +102 @@
 
   
-  function populate_paywall_post_columns( $column, $post_id ) {
+  function populate_paywall_columns( $column, $post_id ) {
     if ($column == "iteras-paywalled") {
       $paywalled = !!get_post_meta($post_id, Iteras::POST_META_KEY, true);
@@ -180 +184 @@
 
   function add_bulk_actions( $bulk_actions ) {
+    if ( !in_array( current_filter(), array( 'bulk_actions-edit-post', 'bulk_actions-edit-page' ), true ) ) {
+      return $bulk_actions;
+    }
+
     $settings = $this->plugin->settings;
     foreach ( $settings['paywalls'] as $p ) {
@@ -266 +274 @@
     $messages = array();
 
-    if ($_SERVER['REQUEST_METHOD'] == "POST") {
+    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+      if ( !isset( $_POST['iteras_plugin_settings_nonce'] ) || 
+           !wp_verify_nonce( $_POST['iteras_plugin_settings_nonce'], 'iteras_plugin_settings' ) ) {
+        wp_die( __( "Security check failed", $this->plugin_slug ) );
+      }
+
       $this->save_settings_form();
     }
 
-    if (array_key_exists("sync", $_POST)) {
+    if (array_key_exists('sync', $_POST)) {
       $settings = $this->plugin->settings;
       $paywalls = $this->fetch_paywalls($settings['api_key']);
@@ -285 +298 @@
         array_push($messages, array(
           "text" => __( "Synchronization of paywalls from ITERAS complete", $this->plugin_slug ),
-          "type" => "success"
+          "type" => 'success'
         ));
       }
@@ -291 +304 @@
         array_push($messages, array(
           "text" => __( "Couldn't synchronize paywalls from ITERAS", $this->plugin_slug ),
-          "type" => "error"
+          "type" => 'error'
         ));
       }
@@ -298 +311 @@
     if (ITERAS_DEBUG && array_key_exists("reset", $_POST)) {
       $this->plugin->reset_plugin();
-      _log("RESET");
     }
 
@@ -331 +343 @@
   private function save_settings_form() {
     if (!current_user_can('manage_options')) {
-      wp_die('You do not have sufficient permissions to access this page.');
-    }
+      wp_die( __('You do not have sufficient permissions to access this page.', $this->plugin_slug ) );
+    }
+
     $prev_settings = $this->plugin->settings;
     $settings = array(

iteras/trunk/admin/views/admin.php

@@ -9 +9 @@
 
   <form method="post" action="">
+    <?php wp_nonce_field( 'iteras_plugin_settings', 'iteras_plugin_settings_nonce' ); ?>
     <input name="paywall" type="hidden" value="<?=$settings['paywall_id']; ?>">
     <table class="form-table">

iteras/trunk/iteras.php

@@ -13 +13 @@
  * Plugin URI:        https://app.iteras.dk
  * Description:       Integration with ITERAS, a cloud-based state-of-the-art system for managing subscriptions/memberships and payments.
- * Version:           1.7.0
+ * Version:           1.8.0
  * Author:            ITERAS
  * Author URI:        https://www.iteras.dk

iteras/trunk/public/iteras-public.php

@@ -16 +16 @@
 class Iteras {
 
-  const VERSION = '1.7.0';
+  const VERSION = '1.8.0';
 
   const SETTINGS_KEY = "iteras_settings";