Changeset 1032 for trunk/bp-xprofile.php
Timestamp:
02/09/2009 06:52:51 AM (17 years ago)
Author:
apeatling
Message:

Added nonce security checks to all BuddyPress actions. Fixes #454

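--- a/trunk/bp-xprofile.php
+++ b/trunk/bp-xprofile.php
@@ -188,8 +188,8 @@
 
     /* Need to check db tables exist, activate hook no-worky in mu-plugins folder. */
-    if ( false == ( $wpdb->get_var("SHOW TABLES LIKE '%{$bp->profile->table_name_groups}%'") ) || ( get_site_option('bp-xprofile-db-version') < BP_XPROFILE_DB_VERSION )  )
+    if ( !$wpdb->get_var("SHOW TABLES LIKE '%{$bp->profile->table_name_groups}%'") || ( get_site_option('bp-xprofile-db-version') < BP_XPROFILE_DB_VERSION )  )
         xprofile_install();
    
-    if ( ( function_exists('bp_wire_install') && false == $wpdb->get_var( "SHOW TABLES LIKE '%{$bp->profile->table_name_wire}%'" ) ) || ( get_site_option('bp-xprofile-db-version') < BP_XPROFILE_DB_VERSION )  )
+    if ( ( function_exists('bp_wire_install') && !$wpdb->get_var( "SHOW TABLES LIKE '%{$bp->profile->table_name_wire}%'" ) ) || ( get_site_option('bp-xprofile-db-version') < BP_XPROFILE_DB_VERSION )  )
         xprofile_wire_install();
 }
@@ -345,6 +345,9 @@
 function xprofile_action_delete_avatar() {
     global $bp;
-   
+
     if ( 'delete-avatar' != $bp->current_action )
+        return false;
+
+    if ( !check_admin_referer( 'bp_delete_avatar_link' ) )
         return false;
    
@@ -370,5 +373,5 @@
 function xprofile_action_new_wire_post() {
     global $bp;
-   
+
     if ( $bp->current_component != $bp->wire->slug )
         return false;
@@ -376,5 +379,9 @@
     if ( 'post' != $bp->current_action )
         return false;
-   
+       
+    /* Check the nonce */
+    if ( !check_admin_referer( 'bp_wire_post' ) )
+        return false;
+       
     if ( !$wire_post_id = bp_wire_new_post( $bp->displayed_user->id, $_POST['wire-post-textarea'], $bp->profile->slug, false, $bp->profile->table_name_wire ) ) {
         bp_core_add_message( __('Wire message could not be posted. Please try again.', 'buddypress'), 'error' );
@@ -625,5 +632,5 @@
                 // Loop through each field in the group
                 for ( $j = 0; $j < count($group->fields); $j++ ) {
-                    
+                                       
                     // Create a new field object for this field based on the field ID.
                     $field = new BP_XProfile_Field( $group->fields[$j]->id );
@@ -634,4 +641,8 @@
                     // If the user has submitted the form - validate and save the new value for this field
                     if ( isset($_GET['mode']) && 'save' == $_GET['mode'] ) {
+                       
+                        /* Check the nonce */
+                        if ( !check_admin_referer( 'bp_xprofile_edit' ) )
+                            return false;
                        
                         // If the current field is a datebox, we need to append '_day' to the end of the field name
@@ -719,4 +730,6 @@
                                 <input type="submit" name="save" id="save" value="'.__('Save Changes &raquo;', 'buddypress').'" />
                                </p>';
+                           
+                $list_html .= wp_nonce_field( 'bp_xprofile_edit' );
 
                 // If the user submitted the form to save new values, and there were errors, make sure we display them.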
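Review bot: `$list_html .= wp_nonce_field( 'bp_xprofile_edit' );` in the last hunk (new line 733) uses only the return value, but wp_nonce_field() echoes the hidden input by default, so the nonce field is printed straight to output at the point of call and appended to `$list_html` as well; given that the surrounding lines build `$list_html` as a string for later output, the field would appear twice, once outside the form. Pass the echo flag explicitly: `$list_html .= wp_nonce_field( 'bp_xprofile_edit', '_wpnonce', true, false );`. A related point in the delete-avatar, wire-post and profile-edit hunks: check_admin_referer() of that WordPress generation dies through wp_nonce_ays() on a bad nonce rather than returning false, so each `return false;` after `if ( !check_admin_referer( ... ) )` appears unreachable — it fails safe, but a comment such as `/* check_admin_referer() dies on a bad nonce; the return is only a defensive fallback */` would save the next reader a lookup. The profile-edit loop and the function enclosing the last hunk start and end outside the visible hunks.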