Changeset 3385033

Timestamp:

10/27/2025 08:22:24 AM (3 months ago)

Author:

amirition

Message:

Update to version 1.1.7 from GitHub

Location:

document-library-lite

Files:

• tags/1.1.7 (copied) (copied from document-library-lite/trunk)
• tags/1.1.7/changelog.txt (modified) (1 diff)
• tags/1.1.7/document-library-lite.php (modified) (2 diffs)
• tags/1.1.7/readme.txt (modified) (2 diffs)
• tags/1.1.7/src/Document_Library_Shortcode.php (modified) (1 diff)
• tags/1.1.7/src/Frontend_Scripts.php (modified) (1 diff)
• tags/1.1.7/src/Simple_Document_Library.php (modified) (1 diff)
• tags/1.1.7/src/Table/Ajax_Handler.php (modified) (3 diffs)
• tags/1.1.7/vendor/composer/installed.php (modified) (2 diffs)
• trunk/changelog.txt (modified) (1 diff)
• trunk/document-library-lite.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)
• trunk/src/Document_Library_Shortcode.php (modified) (1 diff)
• trunk/src/Frontend_Scripts.php (modified) (1 diff)
• trunk/src/Simple_Document_Library.php (modified) (1 diff)
• trunk/src/Table/Ajax_Handler.php (modified) (3 diffs)
• trunk/vendor/composer/installed.php (modified) (2 diffs)

document-library-lite/tags/1.1.7/changelog.txt

@@ +1 @@
+= 1.1.7 = 
+Release date 27 October 2025
+
+* Dev: Updated internal libraries
+* Fix: Enhanced security for AJAX requests and adjusted post status handling
+
 = 1.1.6 = 
 Release date 08 October 2025

document-library-lite/tags/1.1.7/document-library-lite.php

@@ -12 +12 @@
  * Plugin URI:      https://barn2.com/kb-categories/document-library-free-kb/
  * Description:     Add documents and display them in a searchable document library.
- * Version:         1.1.6
+ * Version:         1.1.7
  * Author:          Barn2 Plugins
  * Author URI:      https://barn2.com
@@ -33 +33 @@
 }
 
-const PLUGIN_VERSION = '1.1.6';
+const PLUGIN_VERSION = '1.1.7';
 const PLUGIN_FILE    = __FILE__;
 

document-library-lite/tags/1.1.7/readme.txt

@@ -6 +6 @@
 Tested up to: 6.8
 Requires PHP: 7.4
-Stable tag: 1.1.6
+Stable tag: 1.1.7
 License: GPL-3.0
 License URI: https://www.gnu.org/licenses/gpl.html
@@ -206 +206 @@
 == Changelog ==
 
-= 1.1.6 = 
-Release date 08 October 2025
+= 1.1.7 = 
+Release date 27 October 2025
 
 * Dev: Updated internal libraries
-* Fix: Lazy loading did not working in block themes
+* Fix: Enhanced security for AJAX requests and adjusted post status handling
 
 See changelog.txt for more details.

document-library-lite/tags/1.1.7/src/Document_Library_Shortcode.php

@@ -62 +62 @@
             self::$script_params = [
                 'ajax_url'    => admin_url( 'admin-ajax.php' ),
-                'ajax_nonce'  => 'document-library',
+                'ajax_nonce'  => wp_create_nonce( 'dll_load_posts' ),
                 'ajax_action' => 'dll_load_posts',
                 'lazy_load'   => $table->args['lazy_load'],

document-library-lite/tags/1.1.7/src/Frontend_Scripts.php

@@ -75 +75 @@
 
         $script_params = [
+            'ajax_nonce' => wp_create_nonce( 'dll_load_posts' ),
             'language' => apply_filters(
                 'document_library_lite_language_defaults',

document-library-lite/tags/1.1.7/src/Simple_Document_Library.php

@@ -493 +493 @@
         $valid_post_statuses = [ 'publish', 'pending', 'draft', 'future', 'any' ];
         $args[ 'status' ] = in_array( $args['status'], $valid_post_statuses ) ? $args[ 'status' ] : 'publish';
-        
+            
         return $args;
     }

document-library-lite/tags/1.1.7/src/Table/Ajax_Handler.php

@@ -24 +24 @@
         add_action( 'wp_ajax_dll_load_posts', [ $this, 'load_posts' ] );
         add_action( 'wp_ajax_nopriv_dll_load_posts', [ $this, 'load_posts' ] );
-
     }
     
@@ -31 +30 @@
 
     public function load_posts() {
-        $args = Options::handle_shortcode_attribute_aliases( $_POST[ 'args' ] );
+        // Parse and sanitize incoming args
+        $args = isset( $_POST['args'] ) ? Options::handle_shortcode_attribute_aliases( wp_unslash( $_POST['args'] ) ) : [];
         $args = shortcode_atts( Options::get_defaults(), $args, self::SHORTCODE );
+
+        $requested_status = isset( $args['status'] ) ? $args['status'] : 'publish';
+        $is_logged_in = is_user_logged_in();
+
+        // Unauthenticated users can ONLY see published content
+        if ( ! $is_logged_in ) {
+            $args['status'] = 'publish';
+        }
+        // Authenticated users requesting non-published content must provide nonce and capability
+        elseif ( $requested_status !== 'publish' ) {
+            $nonce = '';
+            if ( isset( $_POST['_ajax_nonce'] ) ) {
+                $nonce = sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) );
+            } elseif ( isset( $_POST['ajax_nonce'] ) ) {
+                $nonce = sanitize_text_field( wp_unslash( $_POST['ajax_nonce'] ) );
+            }
+
+            if ( ! $nonce || ! wp_verify_nonce( $nonce, 'dll_load_posts' ) ) {
+                wp_send_json_error( [ 'message' => 'Security check failed' ], 403 );
+            }
+
+            if ( ! current_user_can( 'edit_posts' ) ) {
+                wp_send_json_error( [ 'message' => 'Insufficient permissions' ], 403 );
+            }
+        }
 
         $table = new simple_Document_Library( $args );
@@ -38 +63 @@
 
         // Return the response as JSON
-        wp_send_json($response);   
+        wp_send_json( $response );
     
     }

document-library-lite/tags/1.1.7/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => 'ff62aee7e34351f3d8a11bb4c94a40c6a0e8888c',
+        'reference' => 'cb7ae2775014c7bbcb88edc0e119b09b8afd891d',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => 'ff62aee7e34351f3d8a11bb4c94a40c6a0e8888c',
+            'reference' => 'cb7ae2775014c7bbcb88edc0e119b09b8afd891d',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',

document-library-lite/trunk/changelog.txt

@@ +1 @@
+= 1.1.7 = 
+Release date 27 October 2025
+
+* Dev: Updated internal libraries
+* Fix: Enhanced security for AJAX requests and adjusted post status handling
+
 = 1.1.6 = 
 Release date 08 October 2025

document-library-lite/trunk/document-library-lite.php

@@ -12 +12 @@
  * Plugin URI:      https://barn2.com/kb-categories/document-library-free-kb/
  * Description:     Add documents and display them in a searchable document library.
- * Version:         1.1.6
+ * Version:         1.1.7
  * Author:          Barn2 Plugins
  * Author URI:      https://barn2.com
@@ -33 +33 @@
 }
 
-const PLUGIN_VERSION = '1.1.6';
+const PLUGIN_VERSION = '1.1.7';
 const PLUGIN_FILE    = __FILE__;
 

document-library-lite/trunk/readme.txt

@@ -6 +6 @@
 Tested up to: 6.8
 Requires PHP: 7.4
-Stable tag: 1.1.6
+Stable tag: 1.1.7
 License: GPL-3.0
 License URI: https://www.gnu.org/licenses/gpl.html
@@ -206 +206 @@
 == Changelog ==
 
-= 1.1.6 = 
-Release date 08 October 2025
+= 1.1.7 = 
+Release date 27 October 2025
 
 * Dev: Updated internal libraries
-* Fix: Lazy loading did not working in block themes
+* Fix: Enhanced security for AJAX requests and adjusted post status handling
 
 See changelog.txt for more details.

document-library-lite/trunk/src/Document_Library_Shortcode.php

@@ -62 +62 @@
             self::$script_params = [
                 'ajax_url'    => admin_url( 'admin-ajax.php' ),
-                'ajax_nonce'  => 'document-library',
+                'ajax_nonce'  => wp_create_nonce( 'dll_load_posts' ),
                 'ajax_action' => 'dll_load_posts',
                 'lazy_load'   => $table->args['lazy_load'],

document-library-lite/trunk/src/Frontend_Scripts.php

@@ -75 +75 @@
 
         $script_params = [
+            'ajax_nonce' => wp_create_nonce( 'dll_load_posts' ),
             'language' => apply_filters(
                 'document_library_lite_language_defaults',

document-library-lite/trunk/src/Simple_Document_Library.php

@@ -493 +493 @@
         $valid_post_statuses = [ 'publish', 'pending', 'draft', 'future', 'any' ];
         $args[ 'status' ] = in_array( $args['status'], $valid_post_statuses ) ? $args[ 'status' ] : 'publish';
-        
+            
         return $args;
     }

document-library-lite/trunk/src/Table/Ajax_Handler.php

@@ -24 +24 @@
         add_action( 'wp_ajax_dll_load_posts', [ $this, 'load_posts' ] );
         add_action( 'wp_ajax_nopriv_dll_load_posts', [ $this, 'load_posts' ] );
-
     }
     
@@ -31 +30 @@
 
     public function load_posts() {
-        $args = Options::handle_shortcode_attribute_aliases( $_POST[ 'args' ] );
+        // Parse and sanitize incoming args
+        $args = isset( $_POST['args'] ) ? Options::handle_shortcode_attribute_aliases( wp_unslash( $_POST['args'] ) ) : [];
         $args = shortcode_atts( Options::get_defaults(), $args, self::SHORTCODE );
+
+        $requested_status = isset( $args['status'] ) ? $args['status'] : 'publish';
+        $is_logged_in = is_user_logged_in();
+
+        // Unauthenticated users can ONLY see published content
+        if ( ! $is_logged_in ) {
+            $args['status'] = 'publish';
+        }
+        // Authenticated users requesting non-published content must provide nonce and capability
+        elseif ( $requested_status !== 'publish' ) {
+            $nonce = '';
+            if ( isset( $_POST['_ajax_nonce'] ) ) {
+                $nonce = sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) );
+            } elseif ( isset( $_POST['ajax_nonce'] ) ) {
+                $nonce = sanitize_text_field( wp_unslash( $_POST['ajax_nonce'] ) );
+            }
+
+            if ( ! $nonce || ! wp_verify_nonce( $nonce, 'dll_load_posts' ) ) {
+                wp_send_json_error( [ 'message' => 'Security check failed' ], 403 );
+            }
+
+            if ( ! current_user_can( 'edit_posts' ) ) {
+                wp_send_json_error( [ 'message' => 'Insufficient permissions' ], 403 );
+            }
+        }
 
         $table = new simple_Document_Library( $args );
@@ -38 +63 @@
 
         // Return the response as JSON
-        wp_send_json($response);   
+        wp_send_json( $response );
     
     }

document-library-lite/trunk/vendor/composer/installed.php

@@ -4 +4 @@
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => 'ff62aee7e34351f3d8a11bb4c94a40c6a0e8888c',
+        'reference' => 'cb7ae2775014c7bbcb88edc0e119b09b8afd891d',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -14 +14 @@
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => 'ff62aee7e34351f3d8a11bb4c94a40c6a0e8888c',
+            'reference' => 'cb7ae2775014c7bbcb88edc0e119b09b8afd891d',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',