Timestamp:
02/09/2009 06:52:51 AM (17 years ago)
Author:
apeatling
Message:

Added nonce security checks to all BuddyPress actions. Fixes #454

File:
1 edited

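--- a/trunk/bp-groups/bp-groups-templatetags.php
+++ b/trunk/bp-groups/bp-groups-templatetags.php
@@ -688,5 +688,5 @@
     global $members_template, $groups_template, $bp;
 
-    echo apply_filters( 'bp_group_member_promote_link', bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/promote/' . $members_template->member->user_id );
+    echo apply_filters( 'bp_group_member_promote_link', wp_nonce_url( bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/promote/' . $members_template->member->user_id, 'groups_promote_member' ) );
 }
 
@@ -697,5 +697,5 @@
         $user_id = $members_template->member->user_id;
    
-    echo apply_filters( 'bp_group_member_demote_link', bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/demote/' . $user_id );
+    echo apply_filters( 'bp_group_member_demote_link', wp_nonce_url( bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/demote/' . $user_id, 'groups_demote_member' ) );
 }
 
@@ -703,5 +703,5 @@
     global $members_template, $groups_template, $bp;
    
-    echo apply_filters( 'bp_group_member_ban_link', bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/ban/' . $members_template->member->user_id );
+    echo apply_filters( 'bp_group_member_ban_link', wp_nonce_url( bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/ban/' . $members_template->member->user_id, 'groups_ban_member' ) );
 }
 
@@ -709,5 +709,5 @@
     global $members_template, $groups_template, $bp;
    
-    echo apply_filters( 'bp_group_member_unban_link', bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/unban/' . $members_template->member->user_id );
+    echo apply_filters( 'bp_group_member_unban_link', wp_nonce_url( bp_group_permalink( $groups_template->group, false ) . '/admin/manage-members/unban/' . $members_template->member->user_id, 'groups_unban_member' ) ); 
 }
 
@@ -822,4 +822,6 @@
            
             <p><input type="submit" value="<?php _e('Create Group and Continue', 'buddypress') ?> &raquo;" id="save" name="save"/></p>
+           
+            <?php wp_nonce_field( 'groups_step1_save' ) ?>
         <?php break; ?>
        
@@ -867,4 +869,6 @@
 
                 <p><input type="submit" value="<?php _e('Save and Continue', 'buddypress') ?> &raquo;" id="save" name="save"/></p>
+
+                <?php wp_nonce_field( 'groups_step2_save' ) ?>
             <?php } else { ?>
                 <div id="message" class="info">
@@ -895,4 +899,6 @@
                     </div>
                 </div>
+               
+                <?php wp_nonce_field( 'groups_step3_save' ) ?>
             <?php } else { ?>
                 <div id="message" class="info">
@@ -918,5 +924,8 @@
                 } ?>
                
-                <p class="clear"><input type="button" value="<?php _e('Finish', 'buddypress') ?> &raquo;" id="save" name="save" onclick="location.href='<?php echo $group_link ?>'" /></p>
+                <p class="clear"><input type="submit" value="<?php _e('Finish', 'buddypress') ?> &raquo;" id="save" name="save" /></p>
+               
+                <?php wp_nonce_field( 'groups_step4_save' ) ?>
+               
                 <?php
             } else { ?>
@@ -1018,5 +1027,5 @@
     global $groups_template, $bp;
    
-    echo apply_filters( 'bp_group_accept_invite_link', $bp->loggedin_user->domain . $bp->groups->slug . '/invites/accept/' . $groups_template->group->id );
+    echo apply_filters( 'bp_group_accept_invite_link', wp_nonce_url( $bp->loggedin_user->domain . $bp->groups->slug . '/invites/accept/' . $groups_template->group->id, 'groups_accept_invite' ) );
 }
 
@@ -1024,5 +1033,5 @@
     global $groups_template, $bp;
    
-    echo apply_filters( 'bp_group_reject_invite_link', $bp->loggedin_user->domain . $bp->groups->slug . '/invites/reject/' . $groups_template->group->id );
+    echo apply_filters( 'bp_group_reject_invite_link', wp_nonce_url( $bp->loggedin_user->domain . $bp->groups->slug . '/invites/reject/' . $groups_template->group->id, 'groups_reject_invite' ) );
 }
 
@@ -1042,5 +1051,5 @@
     global $groups_template, $bp;
    
-    echo apply_filters( 'bp_group_leave_confirm_link', bp_group_permalink( false, true ) . '/leave-group/yes' );   
+    echo apply_filters( 'bp_group_leave_confirm_link', wp_nonce_url( bp_group_permalink( false, true ) . '/leave-group/yes', 'groups_leave_group' ) ); 
 }
 
@@ -1060,5 +1069,5 @@
         <h4><?php _e( 'Select Friends', 'buddypress' ) ?> <img id="ajax-loader" src="<?php echo $bp->groups->image_base ?>/ajax-loader.gif" height="7" alt="Loading" style="display: none;" /></h4>
         <?php bp_group_list_invite_friends() ?>
-        <?php wp_nonce_field( 'invite_user' ) ?>
+        <?php wp_nonce_field( 'groups_invite_uninvite_user', '_wpnonce_invite_uninvite_user' ) ?>
         <input type="hidden" name="group_id" id="group_id" value="<?php echo $group_obj->id ?>" />
     </div>
@@ -1081,5 +1090,5 @@
                     <span class="activity"><?php echo $user->last_active ?></span>
                     <div class="action">
-                        <a class="remove" href="<?php echo site_url() . $bp->groups->slug . '/' . $group_obj->id . '/invites/remove/' . $user->id ?>" id="uid-<?php echo $user->id ?>"><?php _e( 'Remove Invite', 'buddypress' ) ?></a>
+                        <a class="remove" href="<?php echo wp_nonce_url( site_url( $bp->groups->slug . '/' . $group_obj->id . '/invites/remove/' . $user->id ), 'groups_invite_uninvite_user' ) ?>" id="uid-<?php echo $user->id ?>"><?php _e( 'Remove Invite', 'buddypress' ) ?></a>
                     </div>
                 </li>
@@ -1087,4 +1096,5 @@
         </ul>
        
+        <?php wp_nonce_field( 'groups_send_invites', '_wpnonce_send_invites' ) ?>
     </div>
 <?php
@@ -1130,17 +1140,17 @@
         case 'public':
             if ( BP_Groups_Member::check_is_member( $bp->loggedin_user->id, $group->id ) )
-                echo '<a class="leave-group" href="' . bp_group_permalink( $group, false ) . '/leave-group">' . __('Leave Group', 'buddypress') . '</a>';                                   
+                echo '<a class="leave-group" href="' . wp_nonce_url( bp_group_permalink( $group, false ) . '/leave-group', 'groups_leave_group' ) . '">' . __( 'Leave Group', 'buddypress' ) . '</a>';                                 
             else
-                echo '<a class="join-group" href="' . bp_group_permalink( $group, false ) . '/join">' . __('Join Group', 'buddypress') . '</a>';                   
+                echo '<a class="join-group" href="' . wp_nonce_url( bp_group_permalink( $group, false ) . '/join', 'groups_join_group' ) . '">' . __( 'Join Group', 'buddypress' ) . '</a>';                   
         break;
        
         case 'private':
             if ( BP_Groups_Member::check_is_member( $bp->loggedin_user->id, $group->id ) ) {
-                echo '<a class="leave-group" href="' . bp_group_permalink( $group, false ) . '/leave-group">' . __('Leave Group', 'buddypress') . '</a>';                                       
+                echo '<a class="leave-group" href="' . wp_nonce_url( bp_group_permalink( $group, false ) . '/leave-group', 'groups_leave_group' ) . '">' . __( 'Leave Group', 'buddypress' ) . '</a>';                                     
             } else {
                 if ( !bp_group_has_requested_membership( $group ) )
-                    echo '<a class="request-membership" href="' . bp_group_permalink( $group, false ) . '/request-membership">' . __('Request Membership', 'buddypress') . '</a>';     
+                    echo '<a class="request-membership" href="' . wp_nonce_url( bp_group_permalink( $group, false ) . '/request-membership', 'groups_send_membership_request' ) . '">' . __('Request Membership', 'buddypress') . '</a>';       
                 else
-                    echo '<a class="membership-requested" href="' . bp_group_permalink( $group, false ) . '">' . __('Membership Requested', 'buddypress') . '</a>';             
+                    echo '<a class="membership-requested" href="' . bp_group_permalink( $group, false ) . '">' . __( 'Request Sent', 'buddypress' ) . '</a>';               
             }
         break;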
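Review bot: The nonce actions attached to the manage-members links at new lines 690–711 (`'groups_promote_member'`, `'groups_demote_member'`, `'groups_ban_member'`, `'groups_unban_member'`) are fixed strings not bound to the target member or group, so a nonce minted for the current user's session is valid for that action against any `user_id`; binding it to the object, e.g. `wp_nonce_url( ..., 'groups_promote_member_' . $members_template->member->user_id )`, is the usual hardening, though the `check_admin_referer()` in the matching action handler must then use the same suffix. This file only mints nonces via `wp_nonce_url()` / `wp_nonce_field()`; the `check_admin_referer()` or `wp_verify_nonce()` calls that actually enforce them live in the action handlers, which this changeset does not show, so the "security checks" claim in the commit message cannot be confirmed from these hunks alone. Promote, ban, join, leave and invite-remove remain state-changing GET links, so the nonce mitigates CSRF but not leakage of the action URL through Referer headers or browser history; `wp_nonce_url()` is expected to entity-escape its result for the `href` context, but that is worth confirming against the WordPress version BuddyPress targets here. Every function touched by these hunks starts and ends outside the hunk.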