Changeset 3407477

Timestamp:

12/02/2025 03:08:23 AM (12 days ago)

Author:

shinephp

Message:

• Update: Marked as compatible with WordPress 6.9
• Update: Minor code enhancements according to the "Plugin Check" tool recommendations.
• Update: "Users->Grant Roles" HTML code download optimization to exclude cases when URE's "Grant Roles" data flickers or stays visible while Users page is opening.

Location:

user-role-editor/trunk

Files:

• includes/classes/ajax-processor.php (modified) (5 diffs)
• includes/classes/grant-roles.php (modified) (9 diffs)
• includes/classes/settings.php (modified) (2 diffs)
• includes/classes/tools.php (modified) (1 diff)
• includes/classes/user-view.php (modified) (2 diffs)
• includes/settings-template.php (modified) (7 diffs)
• js/users-grant-roles.js (modified) (2 diffs)
• readme.txt (modified) (3 diffs)
• user-role-editor.php (modified) (2 diffs)

user-role-editor/trunk/includes/classes/ajax-processor.php

@@ -44 +44 @@
         $promote_users_actions = array(
             'grant_roles',
-            'get_user_roles',
             'add_role_to_user',
             'revoke_role_from_user'
@@ -231 +230 @@
     // end of get_users_without_role()
     
+
+    protected function get_grant_roles() {
+        
+        $answer = URE_Grant_Roles::get_dialog_html();
+        
+        return $answer;
+        
+    }
+    // end of get_grant_roles_dialog_html()
+    
+
     
     protected function grant_roles() {
@@ -261 +271 @@
     // end of add_role_to_user()
     
-    protected function get_user_roles() {
-        
-        $answer = URE_Grant_Roles::get_user_roles();
-        
-        return $answer;
-        
-    }
-    // end of get_user_roles()
-    
-    
+        
     protected function get_role_caps() {
         
@@ -351 +352 @@
                 $answer = $this->get_users_without_role();
                 break;
+            case 'get_grant_roles':
+                $answer = $this->get_grant_roles();
+                break;
             case 'grant_roles':
                 $answer = $this->grant_roles();
@@ -359 +363 @@
             case 'revoke_role_from_user':
                 $answer = $this->revoke_role_from_user();
-                break;
-            case 'get_user_roles':
-                $answer = $this->get_user_roles();
                 break;
             case 'get_role_caps': 

user-role-editor/trunk/includes/classes/grant-roles.php

@@ -329 +329 @@
         }
                 
-        $users = $_POST['users'];        
+        $users =  isset( $_POST['users'] ) ? $_POST['users'] : false;
         if ( !self::validate_users( $users ) ) {
             $answer = array('result'=>'error', 'message'=>esc_html__('Can not edit user or invalid data at the users list', 'user-role-editor') );
@@ -368 +368 @@
     
     
-    public static function get_user_roles() {
-
-        if ( !current_user_can( 'promote_users' ) ) {
-            $answer = array('result'=>'error', 'message'=>esc_html__('Not enough permissions', 'user-role-editor'));
-            return $answer;
-        }
-        
-        $lib = URE_Lib::get_instance();
-        $user_id = (int) $lib->get_request_var('user_id', 'post', 'int');
-        if (empty($user_id)) {
-            $answer = array('result'=>'error', 'message'=>esc_html__('Wrong request, valid user ID was missed', 'user-role-editor'));
+    private static function get_user_roles( $user_id ) {
+        
+        $answer = array('primary_role'=>'', 'other_roles'=>array() );
+        if ( empty($user_id) ) {            
             return $answer;
         }
     
         $user = get_user_by('id', $user_id);
-        if (empty($user)) {
-            $answer = array('result'=>'error', 'message'=>esc_html__('Requested user does not exist', 'user-role-editor'));
+        if ( empty( $user ) ) {
             return $answer;
         }
@@ -391 +383 @@
         $primary_role = array_shift($other_roles);
         
-        $answer = array('result'=>'success', 'primary_role'=>$primary_role, 'other_roles'=>$other_roles, 'message'=>'User roles were sent');
+        $answer = array('primary_role'=>$primary_role, 'other_roles'=>$other_roles );
         
         return $answer;
     }
     // end of get_user_roles()
-    
-    
-    
-    private function select_primary_role_html() {
-        
+        
+    
+    private static function select_primary_role_html( $primary_role ) {
+        
+        $lib = URE_Lib::get_instance();
         $select_primary_role = apply_filters('ure_users_select_primary_role', true);
-        if (!$select_primary_role && !$this->lib->is_super_admin()) {
+        if (!$select_primary_role && !$lib->is_super_admin()) {
             return;
         }
@@ -412 +404 @@
 <?php            
         // print the full list of roles with the primary one selected.
-        wp_dropdown_roles('');
+        wp_dropdown_roles( $primary_role );
         echo '<option value="'. self::NO_ROLE_FOR_THIS_SITE .'">' . esc_html__('&mdash; No role for this site &mdash;', 'user-role-editor') . '</option>'. PHP_EOL;
 ?>        
@@ -422 +414 @@
             
     
-    private function select_other_roles_html() {
+    private static function select_other_roles_html( $other_roles ) {
+        $lib = URE_Lib::get_instance();
 ?>        
         <div id="other_roles_container">
@@ -434 +427 @@
         $use_pll = function_exists('pll__');    
         
-        $show_admin_role = $this->lib->show_admin_role_allowed();        
-        $roles = $this->lib->get_all_editable_roles(); 
+        $show_admin_role = $lib->show_admin_role_allowed();        
+        $roles = $lib->get_all_editable_roles(); 
         foreach ($roles as $role_id => $role) {
             if (!$show_admin_role && $role_id=='administrator') {
                 continue;
             }
+            $selected = ( in_array( $role_id, $other_roles ) ) ? 'checked="checked"': '';
             $role_name = $use_pll ? pll__( $role['name'] ) : $role['name'];
             echo '<label for="wp_role_' . $role_id . '"><input type="checkbox"  id="wp_role_' . $role_id .
-                 '" name="ure_roles[]" value="' . $role_id . '" />&nbsp;' .
+                 '" name="ure_roles[]" value="' . $role_id . '" '. $selected .'/>&nbsp;' .
             esc_html( $role_name ) .' ('. $role_id .')</label><br />'. PHP_EOL;
         }
@@ -451 +445 @@
     // end of select_other_roles_html()
     
+       
+    public static function get_dialog_html() {
+        
+        if ( !current_user_can('promote_users') ) {
+            $answer = array('result'=>'error', 'message'=>esc_html__('Not enough permissions', 'user-role-editor'));
+            return $answer;
+        }
+        
+        $lib = URE_Lib::get_instance();
+        $user_id = $lib->get_request_var('user_id', 'post', 'int');
+        $data = self::get_user_roles( $user_id );
+        ob_start();
+        self::select_primary_role_html( $data['primary_role'] );
+        self::select_other_roles_html( $data['other_roles'] );
+        $output = ob_get_clean();
+        $answer = array('result'=>'success', 'message'=>'Grant roles dialog HTML', 'html'=>$output );
+        
+        return $answer;
+    }
+    // end of get_dialog_html()
+
     
     private function get_roles_options_list() {
@@ -461 +476 @@
     }
     // end of get_roles_options_list()
-    
-    
-    public function show_roles_manage_html() {
+
+        
+    public function show_roles_manage_html( $which ) {
                       
         if ( !current_user_can( 'promote_users' ) ) {
             return;
         }
-        $button_number =  (self::$counter>0) ? '_2': '';
+        $button_number =  ( $which==='bottom') ? '_2': '';
+        // escaped for secure output already
         $roles_options_list = self::get_roles_options_list();
+        ob_start();
 ?>        
         &nbsp;&nbsp;
@@ -493 +510 @@
         
 <?php
-    if (self::$counter==0) {
+        if ( $which==='bottom' ) {
 ?>
             <div id="ure_grant_roles_dialog" class="ure-dialog">
-                <div id="ure_grant_roles_content">
-<?php                
-                $this->select_primary_role_html();
-                $this->select_other_roles_html();
-?>                
-                </div>
+                <div id="ure_grant_roles_container"></div>
             </div>
 <?php
-        URE_View::output_task_status_div();
-        self::$counter++;
-    }
-        
+         URE_View::output_task_status_div();
+        }
+        $output = ob_get_clean();
+        echo $output;
     }
     // end of show_grant_roles_html()

user-role-editor/trunk/includes/classes/settings.php

@@ -20 +20 @@
             'ure_default_roles_update',
             'ure_settings_tools_exec');
-        foreach($update_buttons as $update_button) {
-            if (!isset($_POST[$update_button])) {
+        foreach( $update_buttons as $update_button ) {
+            if ( !isset( $_POST[$update_button] ) ) {
                 continue;
             }
-            if (!wp_verify_nonce($_POST['_wpnonce'], 'user-role-editor')) {
+            if ( !wp_verify_nonce($_POST['_wpnonce'], 'user-role-editor') ) {
                 wp_die('Security check failed');
             }
@@ -203 +203 @@
             echo '<label for="wp_role_' . $role_id .'"><input type="checkbox"   id="wp_role_' . $role_id . 
                 '" name="wp_role_' . $role_id . '" value="' . $role_id . '"' . $checked .' />&nbsp;' . 
-                $role['name'] . '</label><br />';
+                esc_html( $role['name'] ) . '</label><br />';
           }     
            

user-role-editor/trunk/includes/classes/tools.php

@@ -42 +42 @@
             <input type="hidden" name="ure_settings_tools_exec" value="1" />
             <input type="hidden" name="ure_reset_roles_exec" value="1" />
-            <input type="hidden" name="ure_tab_idx" value="<?php echo $tab_idx; ?>" />
+            <input type="hidden" name="ure_tab_idx" value="<?php echo (int) $tab_idx; ?>" />
         </form>                
     </div>    

user-role-editor/trunk/includes/classes/user-view.php

@@ -63 +63 @@
             $anchor_end = '';
         }
-        $user_info = ' <span style="font-weight: bold;">' . $anchor_start . $this->user_to_edit->user_login;
+        $user_info = ' <span style="font-weight: bold;">' . $anchor_start . esc_html( $this->user_to_edit->user_login );
         if ($this->user_to_edit->display_name !== $this->user_to_edit->user_login) {
-            $user_info .= ' (' . $this->user_to_edit->display_name . ')';
+            $user_info .= ' ('. esc_html( $this->user_to_edit->display_name ) .')';
         }
         $user_info .= $anchor_end . '</span>';
@@ -189 +189 @@
         $bbp_user_role = bbp_get_user_role($this->user_to_edit->ID);
         if (!empty($bbp_user_role)) {
-            echo $dynamic_roles[$bbp_user_role]['name']; 
+            echo esc_html( $dynamic_roles[$bbp_user_role]['name'] );
         }
     }

user-role-editor/trunk/includes/settings-template.php

@@ -50 +50 @@
     <div id="ure_tabs-1">
     <div id="ure-settings-form">
-        <form method="post" action="<?php echo $link; ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >   
+        <form method="post" action="<?php echo esc_url( $link ); ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >   
             <table id="ure_settings">
 <?php
@@ -131 +131 @@
     
     <div id="ure_tabs-2">
-        <form name="ure_additional_modules" method="post" action="<?php echo $link; ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
+        <form name="ure_additional_modules" method="post" action="<?php echo esc_url( $link ); ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
             <table id="ure_addons">
 <?php
@@ -163 +163 @@
     
     <div id="ure_tabs-3">
-        <form name="ure_default_roles" method="post" action="<?php echo $link; ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
+        <form name="ure_default_roles" method="post" action="<?php echo esc_url( $link ); ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
 <?php 
     if ( ! $multisite ) {
         esc_html_e( 'Primary default role: ', 'user-role-editor' );
+        // User input is not used - ignore Plugin Check warning
         echo $view->role_default_html;
 ?>
@@ -184 +185 @@
         <hr>
         <?php wp_nonce_field( 'user-role-editor' ); ?>
-            <input type="hidden" name="ure_tab_idx" value="<?php echo $tabs_index[3]; ?>" />
+            <input type="hidden" name="ure_tab_idx" value="<?php echo (int) $tabs_index[3]; ?>" />
             <p class="submit">
                 <input type="submit" class="button-primary" name="ure_default_roles_update" value="<?php esc_html_e( 'Save', 'user-role-editor' ) ?>" />
@@ -196 +197 @@
     <div id="ure_tabs-4">
         <div id="ure-settings-form-ms">
-            <form name="ure_settings_ms" method="post" action="<?php echo $link; ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
+            <form name="ure_settings_ms" method="post" action="<?php echo esc_url( $link ); ?>?page=settings-<?php echo URE_PLUGIN_FILE; ?>" >
                 <table id="ure_settings_ms">
 <?php
@@ -216 +217 @@
                 </table>
 <?php wp_nonce_field( 'user-role-editor' ); ?>   
-                <input type="hidden" name="ure_tab_idx" value="<?php echo $tabs_index[4]; ?>" />
+                <input type="hidden" name="ure_tab_idx" value="<?php echo (int) $tabs_index[4]; ?>" />
             <p class="submit">
                 <input type="submit" class="button-primary" name="ure_settings_ms_update" value="<?php esc_html_e( 'Save', 'user-role-editor' ); ?>" />
@@ -251 +252 @@
     if ($ure_tab_idx>0 && $ure_tab_idx<=count($tabs_index)) {
 ?>
-        $('#ure_tabs').tabs('option', 'active', <?php echo $ure_tab_idx; ?>);
+        $('#ure_tabs').tabs('option', 'active', <?php echo (int) $ure_tab_idx; ?>);
 <?php
     }

user-role-editor/trunk/js/users-grant-roles.js

@@ -41 +41 @@
 
 
-function ure_show_grant_roles_dialog_pre_selected(response) {
-    jQuery('#ure_task_status').hide();
-    if (response!==null && response.result=='error') {
-        alert(response.message);
-        return;
-    }
-    if (response.primary_role!==null && response.primary_role.length>0 && jQuery('#primary_role').length>0) {
-        jQuery('#primary_role').val(response.primary_role);
-    }
-    
-    if (response.other_roles!==null && response.other_roles.length>0) {
-        for(i=0;i<response.other_roles.length;i++) {
-            jQuery('#wp_role_'+ response.other_roles[i]).prop('checked', true);
-        }
-    }
-    
-    ure_show_grant_roles_dialog();
-    
-}
-
-
-function ure_get_selected_user_roles(users) {
+function ure_grant_roles() {  
+    
+    var primary_role = jQuery('#primary_role').val();
+    var other_roles = ure_get_selected_checkboxes('ure_roles');
     jQuery('#ure_task_status').show();
-    var user_id = users.shift();
+    var users = ure_get_selected_checkboxes('users');
     var data = {
         'action': 'ure_ajax',
-        'sub_action':'get_user_roles', 
-        'user_id': user_id, 
-        'wp_nonce': ure_users_grant_roles_data.wp_nonce};
-    jQuery.post(ajaxurl, data, ure_show_grant_roles_dialog_pre_selected, 'json');
-}
-
-
-function ure_unselect_roles() {
-    jQuery('#primary_role').val([]);
-    
-    // uncheck all checked checkboxes if there are any
-    jQuery('input[type="checkbox"][name="ure_roles\\[\\]"]:checked').map(function() { 
-        this.checked = false; 
-    });
-}
-
-function ure_prepare_grant_roles_dialog() {
-    var users = ure_get_selected_checkboxes('users');
-    if (users.length==0) {
-        alert(ure_users_grant_roles_data.select_users_first);
-        return;
-    } 
-    
-    if (users.length==1) {
-        ure_get_selected_user_roles(users);
-    } else {
-        ure_unselect_roles();        
-        ure_show_grant_roles_dialog();
-    }
-    
-}
-
-
-function ure_show_grant_roles_dialog() {
+        'sub_action':'grant_roles', 
+        'users': users, 
+        'primary_role': primary_role,
+        'other_roles': other_roles,
+        'wp_nonce': ure_users_grant_roles_data.wp_nonce
+    };
+    jQuery.post(ajaxurl, data, ure_page_reload, 'json');
+    
+    return true;
+}
+
+
+function ure_show_grant_roles_dialog( data ) {
     
     jQuery('#ure_grant_roles_dialog').dialog({
@@ -116 +77 @@
                 jQuery(this).dialog('close');
                 return true;
-            },
+                },
             Cancel: function () {
                 jQuery(this).dialog('close');
                 return false;
+                }
             }
-        }
-    });
-}
-
-
-function ure_grant_roles() {    
-    var primary_role = jQuery('#primary_role').val();
-    var other_roles = ure_get_selected_checkboxes('ure_roles');
-    jQuery('#ure_task_status').show();
-    var users = ure_get_selected_checkboxes('users');
-    var data = {
-        'action': 'ure_ajax',
-        'sub_action':'grant_roles', 
-        'users': users, 
-        'primary_role': primary_role,
-        'other_roles': other_roles,
-        'wp_nonce': ure_users_grant_roles_data.wp_nonce
-    };
-    jQuery.post(ajaxurl, data, ure_page_reload, 'json');
-    
-    return true;
+        });
+    jQuery('#ure_grant_roles_container').html( data.html );
+
+}
+
+
+function ure_get_user_roles_markup( user_id ) {
+    jQuery.ajax({
+        url: ajaxurl,
+        type: 'POST',
+        dataType: 'html',
+        data: {
+            action: 'ure_ajax',
+            sub_action: 'get_grant_roles',
+            user_id : user_id,
+            wp_nonce: ure_users_grant_roles_data.wp_nonce
+        },
+        success: function(response) {
+            var data = jQuery.parseJSON( response );
+            if (typeof data.result !== 'undefined') {
+                if (data.result === 'success') {                    
+                    ure_show_grant_roles_dialog( data );
+                } else if (data.result === 'failure') {
+                    alert(data.message);
+                } else {
+                    alert('Wrong response: ' + response)
+                }
+            } else {
+                alert('Wrong response: ' + response)
+            }
+        },
+        error: function(XMLHttpRequest, textStatus, exception) {
+            alert("Ajax failure\n" + XMLHttpRequest.statusText);
+        },
+        async: true
+    });    
+}
+
+
+function ure_prepare_grant_roles_dialog() {
+    var users = ure_get_selected_checkboxes('users');
+    if ( users.length===0 ) {
+        alert(ure_users_grant_roles_data.select_users_first);
+        return;
+    }
+    var user_id = ( users.length===1) ? users[0] : 0;
+    ure_get_user_roles_markup( user_id );
 }
 

user-role-editor/trunk/readme.txt

@@ -3 +3 @@
 Tags: user, role, editor, security, access
 Requires at least: 4.4
-Tested up to: 6.8
+Tested up to: 6.9
 Stable tag: 4.64.5
 Requires PHP: 7.3
@@ -82 +82 @@
 
 == Changelog =
+
+= [4.64.6] 01.12.2025 =
+* Update: Marked as compatible with WordPress 6.9
+* Update: Minor code enhancements according to the "Plugin Check" tool recommendations.
+* Update: "Users->Grant Roles" HTML code download optimization to exclude cases when URE's "Grant Roles" data flickers or stays visible while Users page is opening.
+
 = [4.64.5] 16.04.2025 =
 * Update: Marked as compatible with WordPress 6.8
 * Update: Minor changes were applied to the CSS/JS loading code to minimize "Plugin Check" tool warnings.
 * Plugin headers were extended at role-editor.php and readme.txt files according to wordpress.org recommendations.
-
-= [4.64.4] 15.12.2024 =
-* Security Fix: Users - "Add Role", "Revoke Role" buttons: Cross-Site request forgery to privilege escalation was possible due to missed nonce validation. This issue was discovered and responsibly reported by vgo0.
 
 File changelog.txt contains the full list of changes.
@@ -100 +103 @@
 == Upgrade Notice ==
 
-= [4.64.5] 16.04.2025 =
-* Update: Marked as compatible with WordPress 6.8
-* Update: Minor changes were applied to the CSS/JS loading code to minimize "Plugin Check" tool warnings.
+= [4.64.6] 01.12.2025 =
+* Update: Marked as compatible with WordPress 6.9
+* Update: Minor code enhancements according to the "Plugin Check" tool recommendations.
+* Update: "Users->Grant Roles" HTML code download optimization to exclude cases when URE's "Grant Roles" data flickers or stays visible while Users page is opening.

user-role-editor/trunk/user-role-editor.php

@@ -4 +4 @@
 Plugin URI:         https://www.role-editor.com
 Description:        Change/add/delete WordPress user roles and capabilities.
-Version:            4.64.5
+Version:            4.64.6
 Requires at least:  4.4
 Requires PHP:       7.3
@@ -34 +34 @@
 }
 
-define( 'URE_VERSION', '4.64.5' );
+define( 'URE_VERSION', '4.64.6' );
 define( 'URE_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'URE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );