Changeset 3356360

Timestamp:

09/04/2025 10:40:44 PM (4 months ago)

Author:

bbioon

Message:

Security update

Location:

wc-purchase-orders

Files:

• tags/1.0.3/includes/class-bbpo-purchase-orders-files.php (modified) (8 diffs)
• tags/1.0.3/public/js/wc-purchase-orders-public.js (modified) (3 diffs)
• trunk/includes/class-bbpo-purchase-orders-files.php (modified) (8 diffs)
• trunk/public/js/wc-purchase-orders-public.js (modified) (3 diffs)

wc-purchase-orders/tags/1.0.3/includes/class-bbpo-purchase-orders-files.php

@@ -1 +1 @@
 <?php
+/**
+ * The file that defines the purchase orders file handler.
+ *
+ * @package BBPO_Purchase_Orders
+ */
+
 if ( ! defined( 'ABSPATH' ) ) {
-    exit; // Exit if accessed directly
+    exit; // Exit if accessed directly.
 }
+
 /**
  * The purchase orders file handler.
  *
  * @since      1.0.0
- * @package    Woocommerce_Payment_Processor
- * @subpackage Woocommerce_Payment_Processor/includes
- * @author     AHMAD WAEL <[email protected]>
+ * @package    BBPO_Purchase_Orders
+ * @subpackage BBPO_Purchase_Orders/includes
+ * @author     Ahmad Wael <[email protected]>
  */
 class BBPO_Purchase_Orders_Files {
@@ -70 +77 @@
     public function file_upload() {
         if ( isset( $_POST['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wcpo-nonce' ) ) {
-            $current_year  = date( 'Y' );
-            $current_month = date( 'm' );
+            $current_year  = gmdate( 'Y' );
+            $current_month = gmdate( 'm' );
             $allowed       = array(
                 'application/msword' => 'doc',
@@ -78 +85 @@
             );
             if ( ! isset( $_FILES['wcpo-document-file'] ) ) {
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_not_provided',
@@ -85 +92 @@
                 );
             }
+            if ( ! isset( $_FILES['wcpo-document-file']['type'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_type_not_provided',
+                        'message' => esc_html__( 'This file you are trying to upload is missing!', 'wc-purchase-orders' ),
+                    )
+                );
+            }
+            if ( ! isset( $_FILES['wcpo-document-file']['size'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_size_not_provided',
+                        'message' => esc_html__( 'This file size you are trying to upload is missing!', 'wc-purchase-orders' ),
+                    )
+                );
+            }
             if ( ! in_array( $_FILES['wcpo-document-file']['type'], array_keys( $allowed ), true ) ) {
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_not_allowed',
@@ -94 +117 @@
             }
             if ( $_FILES['wcpo-document-file']['size'] > 2097152 ) { // 2 MB (size is also in bytes)
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_too_big',
@@ -121 +144 @@
                 $new_file_path = $path . $file_name;
                 rename( $file['file'], $new_file_path );
-                wp_send_json_success(
+                $this->send_success_signal(
                     array(
                         'file_url'  => $upload_dir['baseurl'] . $dir . $file_name,
                         'file_path' => $dir . $file_name,
                         'file_type' => sanitize_text_field( $allowed[ $_FILES['wcpo-document-file']['type'] ] ),
-                    )
-                );
-            }
-            wp_send_json_error(
+                        'file_name' => $file_name,
+                    )
+                );
+            }
+            $this->send_error_signal(
                 array(
                     'code'    => 'file_error',
@@ -136 +160 @@
             );
         }
-        wp_send_json_error(
+        $this->send_error_signal(
             array(
                 'code'    => 'nonce_failed',
@@ -151 +175 @@
     public function delete_file() {
         if ( isset( $_REQUEST['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'wcpo-nonce' ) ) {
-            if ( empty( $_POST['file_path'] ) ) {
-                wp_send_json_error(
-                    array(
-                        'code'    => 'file_path_required',
-                        'message' => esc_html__( 'File path is required', 'wc-purchase-orders' ),
-                    )
-                );
-            }
-
-            $file_path = wp_upload_dir()['basedir'] . sanitize_text_field( $_POST['file_path'] );
+            if ( empty( $_POST['file_name'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_name_required',
+                        'message' => esc_html__( 'File name is required', 'wc-purchase-orders' ),
+                    )
+                );
+            }
+
+            $upload_dir    = wp_upload_dir();
+            $current_year  = gmdate( 'Y' );
+            $current_month = gmdate( 'm' );
+            $dir           = DIRECTORY_SEPARATOR . 'wc-purchase-orders' . DIRECTORY_SEPARATOR . $current_year . DIRECTORY_SEPARATOR . $current_month . DIRECTORY_SEPARATOR;
+            $file_path     = $upload_dir['basedir'] . $dir . sanitize_file_name( wp_unslash( $_POST['file_name'] ) );
             if ( $this->validate_file_path( $file_path ) ) {
                 // delete file.

wc-purchase-orders/tags/1.0.3/public/js/wc-purchase-orders-public.js

@@ -1 +1 @@
 (function ($) {
     'use strict';
-
+    
+    let file_name = '';
+    
     // upload purchase order
     $(document).on('change', '#wcpo-document-file', function (e) {
@@ -25 +27 @@
                     if(response.success) {
                         previewArea.empty().show();
+                        file_name = response.data.file_name;
                         $('input[name="wcpo-document-file-path"]').val(response.data.file_path);
                         previewArea.append('<span class="wcpo-remove">x</span><span>' + file.name + '</span><img src="' + wcpo_object.icons_url + response.data.file_type + '.png">')
@@ -43 +46 @@
             $.ajax({
                 type: "post", dataType: "json", url: wcpo_object.ajax_url, data: {
-                    action: "wcpo_delete_purchase_order_file", file_path: file.val(), nonce: wcpo_object.nonce
+                    action: "wcpo_delete_purchase_order_file", 
+                    nonce: wcpo_object.nonce,
+                    file_name: file_name
                 }, success: function (response) {
                     file.val('')

wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders-files.php

@@ -1 +1 @@
 <?php
+/**
+ * The file that defines the purchase orders file handler.
+ *
+ * @package BBPO_Purchase_Orders
+ */
+
 if ( ! defined( 'ABSPATH' ) ) {
-    exit; // Exit if accessed directly
+    exit; // Exit if accessed directly.
 }
+
 /**
  * The purchase orders file handler.
  *
  * @since      1.0.0
- * @package    Woocommerce_Payment_Processor
- * @subpackage Woocommerce_Payment_Processor/includes
- * @author     AHMAD WAEL <[email protected]>
+ * @package    BBPO_Purchase_Orders
+ * @subpackage BBPO_Purchase_Orders/includes
+ * @author     Ahmad Wael <[email protected]>
  */
 class BBPO_Purchase_Orders_Files {
@@ -70 +77 @@
     public function file_upload() {
         if ( isset( $_POST['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wcpo-nonce' ) ) {
-            $current_year  = date( 'Y' );
-            $current_month = date( 'm' );
+            $current_year  = gmdate( 'Y' );
+            $current_month = gmdate( 'm' );
             $allowed       = array(
                 'application/msword' => 'doc',
@@ -78 +85 @@
             );
             if ( ! isset( $_FILES['wcpo-document-file'] ) ) {
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_not_provided',
@@ -85 +92 @@
                 );
             }
+            if ( ! isset( $_FILES['wcpo-document-file']['type'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_type_not_provided',
+                        'message' => esc_html__( 'This file you are trying to upload is missing!', 'wc-purchase-orders' ),
+                    )
+                );
+            }
+            if ( ! isset( $_FILES['wcpo-document-file']['size'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_size_not_provided',
+                        'message' => esc_html__( 'This file size you are trying to upload is missing!', 'wc-purchase-orders' ),
+                    )
+                );
+            }
             if ( ! in_array( $_FILES['wcpo-document-file']['type'], array_keys( $allowed ), true ) ) {
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_not_allowed',
@@ -94 +117 @@
             }
             if ( $_FILES['wcpo-document-file']['size'] > 2097152 ) { // 2 MB (size is also in bytes)
-                wp_send_json_error(
+                $this->send_error_signal(
                     array(
                         'code'    => 'file_too_big',
@@ -121 +144 @@
                 $new_file_path = $path . $file_name;
                 rename( $file['file'], $new_file_path );
-                wp_send_json_success(
+                $this->send_success_signal(
                     array(
                         'file_url'  => $upload_dir['baseurl'] . $dir . $file_name,
                         'file_path' => $dir . $file_name,
                         'file_type' => sanitize_text_field( $allowed[ $_FILES['wcpo-document-file']['type'] ] ),
-                    )
-                );
-            }
-            wp_send_json_error(
+                        'file_name' => $file_name,
+                    )
+                );
+            }
+            $this->send_error_signal(
                 array(
                     'code'    => 'file_error',
@@ -136 +160 @@
             );
         }
-        wp_send_json_error(
+        $this->send_error_signal(
             array(
                 'code'    => 'nonce_failed',
@@ -151 +175 @@
     public function delete_file() {
         if ( isset( $_REQUEST['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'wcpo-nonce' ) ) {
-            if ( empty( $_POST['file_path'] ) ) {
-                wp_send_json_error(
-                    array(
-                        'code'    => 'file_path_required',
-                        'message' => esc_html__( 'File path is required', 'wc-purchase-orders' ),
-                    )
-                );
-            }
-
-            $file_path = wp_upload_dir()['basedir'] . sanitize_text_field( $_POST['file_path'] );
+            if ( empty( $_POST['file_name'] ) ) {
+                $this->send_error_signal(
+                    array(
+                        'code'    => 'file_name_required',
+                        'message' => esc_html__( 'File name is required', 'wc-purchase-orders' ),
+                    )
+                );
+            }
+
+            $upload_dir    = wp_upload_dir();
+            $current_year  = gmdate( 'Y' );
+            $current_month = gmdate( 'm' );
+            $dir           = DIRECTORY_SEPARATOR . 'wc-purchase-orders' . DIRECTORY_SEPARATOR . $current_year . DIRECTORY_SEPARATOR . $current_month . DIRECTORY_SEPARATOR;
+            $file_path     = $upload_dir['basedir'] . $dir . sanitize_file_name( wp_unslash( $_POST['file_name'] ) );
             if ( $this->validate_file_path( $file_path ) ) {
                 // delete file.

wc-purchase-orders/trunk/public/js/wc-purchase-orders-public.js

@@ -1 +1 @@
 (function ($) {
     'use strict';
-
+    
+    let file_name = '';
+    
     // upload purchase order
     $(document).on('change', '#wcpo-document-file', function (e) {
@@ -25 +27 @@
                     if(response.success) {
                         previewArea.empty().show();
+                        file_name = response.data.file_name;
                         $('input[name="wcpo-document-file-path"]').val(response.data.file_path);
                         previewArea.append('<span class="wcpo-remove">x</span><span>' + file.name + '</span><img src="' + wcpo_object.icons_url + response.data.file_type + '.png">')
@@ -43 +46 @@
             $.ajax({
                 type: "post", dataType: "json", url: wcpo_object.ajax_url, data: {
-                    action: "wcpo_delete_purchase_order_file", file_path: file.val(), nonce: wcpo_object.nonce
+                    action: "wcpo_delete_purchase_order_file", 
+                    nonce: wcpo_object.nonce,
+                    file_name: file_name
                 }, success: function (response) {
                     file.val('')