Ticket #8284: 8284.patch
File 8284.patch, 3.2 KB (added by , 4 years ago)
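diff --git src/bp-members/classes/class-bp-signup.php src/bp-members/classes/class-bp-signup.php index 339e00c2c..9cd7d6e2e 100644
--- a/src/bp-members/classes/class-bp-signup.php
+++ b/src/bp-members/classes/class-bp-signup.php
@@ -121,13 +121,15 @@ class BP_Signup {
 * Fetch signups based on parameters.
 *
 * @since 2.0.0
+* @since 6.0.0 Adds a whitelist of allowed orderby parameters.
 *
 * @param array $args {
 * The argument to retrieve desired signups.
 * @type int $offset Offset amount. Default 0.
 * @type int $number How many to fetch. Default 1.
 * @type bool|string $usersearch Whether or not to search for a username. Default false.
-* @type string $orderby Order By parameter. Default 'signup_id'.
+* @type string $orderby Order By parameter. Possible values are `signup_id`, `login`, `email`,
+* `registered`, `activated`. Default `signup_id`.
 * @type string $order Order direction. Default 'DESC'.
 * @type bool $include Whether or not to include more specific query params.
 * @type string $activation_key Activation key to search for.
@@ -158,8 +160,12 @@ class BP_Signup {
 'bp_core_signups_get_args'
 );
 
-// @todo whitelist sanitization
-if ( $r['orderby'] !== 'signup_id' ) {
+// Whitelist sanitization.
+if ( ! in_array( $r['orderby'], array( 'login', 'email', 'registered', 'activated' ), true ) ) {
+$r['orderby'] = 'signup_id';
+}
+
+if ( 'login' === $r['orderby'] || 'email' === $r['orderby'] ) {
 $r['orderby'] = 'user_' . $r['orderby'];
 }
 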
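Review bot: The new whitelist on line 164 constrains only `$r['orderby']`; the companion `$r['order']` direction (documented on line 133 with `Default 'DESC'`) is not constrained anywhere in this hunk, and if it is concatenated into the same `ORDER BY` clause unchecked it leaves open the same class of problem the whitelist closes. If that normalisation lives outside the hunk, say so next to the whitelist so the next reader does not have to hunt for it, e.g. `// Only known columns reach ORDER BY; $r['order'] is normalised below.` The whitelisted names also duplicate the list in the docblock on lines 131-132, so a `const`-style array or a single filterable list would keep the two from drifting. The body of `get()` starts and ends outside this hunk, so the `ORDER BY` construction itself is not visible here.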
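diff --git tests/phpunit/testcases/members/class-bp-signup.php tests/phpunit/testcases/members/class-bp-signup.php index 2507d25cc..4a420d414 100644
--- a/tests/phpunit/testcases/members/class-bp-signup.php
+++ b/tests/phpunit/testcases/members/class-bp-signup.php
@@ -195,6 +195,56 @@ class BP_Tests_BP_Signup extends BP_UnitTestCase {
 $this->assertEquals( array( $s2, $s1, $s3 ), $ss['signups'] );
 }
 
+/**
+* @group get
+*/
+public function test_get_with_orderby_login_asc() {
+$s1 = self::factory()->signup->create( array(
+'user_login' => 'fghij',
+) );
+$s2 = self::factory()->signup->create( array(
+'user_login' => 'abcde',
+) );
+$s3 = self::factory()->signup->create( array(
+'user_login' => 'zzzzz',
+) );
+
+$ss = BP_Signup::get( array(
+'orderby' => 'login',
+'number' => 3,
+'order' => 'ASC',
+'fields' => 'ids',
+) );
+
+$this->assertEquals( array( $s2, $s1, $s3 ), $ss['signups'] );
+}
+
+/**
+* @group get
+*/
+public function test_get_with_orderby_registered_asc() {
+$now = time();
+
+$s1 = self::factory()->signup->create( array(
+'registered' => date( 'Y-m-d H:i:s', $now - 50 ),
+) );
+$s2 = self::factory()->signup->create( array(
+'registered' => date( 'Y-m-d H:i:s', $now - 100 ),
+) );
+$s3 = self::factory()->signup->create( array(
+'registered' => date( 'Y-m-d H:i:s', $now - 10 ),
+) );
+
+$ss = BP_Signup::get( array(
+'orderby' => 'registered',
+'number' => 3,
+'order' => 'ASC',
+'fields' => 'ids',
+) );
+
+$this->assertEquals( array( $s2, $s1, $s3 ), $ss['signups'] );
+}
+
 /**
 * @group get
 */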
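Review bot: The two new tests only exercise accepted `orderby` values (`login` on line 213, `registered` on line 239); the branch the patch exists for, an unrecognised value falling back to `signup_id`, has no test, so a future edit that drops the `in_array()` guard would still pass this file. A test that passes a value outside the whitelist and asserts the result equals the default ordering would pin that behaviour without assuming anything about how the factory assigns ids. The enclosing class continues outside this hunk.

```php
/**
 * @group get
 */
public function test_get_with_unknown_orderby_falls_back_to_signup_id() {
	self::factory()->signup->create();
	self::factory()->signup->create();
	self::factory()->signup->create();

	$expected = BP_Signup::get( array(
		'number' => 3,
		'order'  => 'ASC',
		'fields' => 'ids',
	) );

	$ss = BP_Signup::get( array(
		'orderby' => 'not_a_column',
		'number'  => 3,
		'order'   => 'ASC',
		'fields'  => 'ids',
	) );

	$this->assertEquals( $expected['signups'], $ss['signups'] );
}
```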