
Changeset 10329 for trunk


Timestamp:
11/11/2015 03:22:53 AM (6 years ago)
Author:
boonebgorges
Message:

Improve sanitization of email notification settings.

Props boonebgorges, johnjamesjacoby, imath, dcavins.
See #6707.

Location:
trunk
Files:
2 added
2 edited

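--- a/trunk/src/bp-settings/bp-settings-actions.php
+++ b/trunk/src/bp-settings/bp-settings-actions.php
@@ -304,9 +304,5 @@
     check_admin_referer( 'bp_settings_notifications' );
 
-    if ( isset( $_POST['notifications'] ) ) {
-        foreach ( (array) $_POST['notifications'] as $key => $value ) {
-            bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
-        }
-    }
+    bp_settings_update_notification_settings( bp_displayed_user_id(), (array) $_POST['notifications'] );
 
     // Switch feedback for super admins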
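Review bot: The new line 306 reads `$_POST['notifications']` unconditionally, so a submission that carries no notification field (every checkbox left unchecked, or a request that omits the field) now raises an undefined-index notice where the removed `isset()` guard used to short-circuit; the `(array)` cast only turns the missing value into an empty array after the notice has fired. Pass `isset( $_POST['notifications'] ) ? (array) $_POST['notifications'] : array()` instead, or keep the `isset()` guard around the call. The `(int)` cast the removed loop applied to `bp_displayed_user_id()` is no longer visible here; presumably it moved into the callee, which should be confirmed. The enclosing handler starts and ends outside this hunk, so whether a capability check precedes the nonce check cannot be seen from here.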
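--- a/trunk/src/bp-settings/bp-settings-functions.php
+++ b/trunk/src/bp-settings/bp-settings-functions.php
@@ -9,2 +9,96 @@
 // Exit if accessed directly.
 defined( 'ABSPATH' ) || exit;
+
+/**
+ * Update email notification settings for a specific user.
+ *
+ * @since 2.3.5
+ *
+ * @param int   $user_id  ID of the user whose settings are being updated.
+ * @param array $settings Settings array.
+ */
+function bp_settings_update_notification_settings( $user_id, $settings ) {
+    $user_id = (int) $user_id;
+
+    $settings = bp_settings_sanitize_notification_settings( $settings );
+    foreach ( $settings as $setting_key => $setting_value ) {
+        bp_update_user_meta( $user_id, $setting_key, $setting_value );
+    }
+}
+
+/**
+ * Sanitize email notification settings as submitted by a user.
+ *
+ * @since 2.3.5
+ *
+ * @param array $settings Array of settings.
+ * @return array Sanitized settings.
+ */
+function bp_settings_sanitize_notification_settings( $settings = array() ) {
+    $sanitized_settings = array();
+
+    if ( empty( $settings ) ) {
+        return $sanitized_settings;
+    }
+
+    // Get registered notification keys.
+    $registered_notification_settings = bp_settings_get_registered_notification_keys();
+
+    /*
+     * We sanitize values for core notification keys.
+     *
+     * @todo use register_meta()
+     */
+    $core_notification_settings = array(
+        'notification_messages_new_message',
+        'notification_activity_new_mention',
+        'notification_activity_new_reply',
+        'notification_groups_invite',
+        'notification_groups_group_updated',
+        'notification_groups_admin_promotion',
+        'notification_groups_membership_request',
+        'notification_membership_request_completed',
+        'notification_friends_friendship_request',
+        'notification_friends_friendship_accepted',
+    );
+
+    foreach ( (array) $settings as $key => $value ) {
+        // Skip if not a registered setting.
+        if ( ! in_array( $key, $registered_notification_settings, true ) ) {
+            continue;
+        }
+
+        // Force core keys to 'yes' or 'no' values.
+        if ( in_array( $key, $core_notification_settings, true ) ) {
+            $value = 'yes' === $value ? 'yes' : 'no';
+        }
+
+        $sanitized_settings[ $key ] = $value;
+    }
+
+    return $sanitized_settings;
+}
+
+/**
+ * Build a dynamic whitelist of notification keys, based on what's hooked to 'bp_notification_settings'.
+ *
+ * @since 2.3.5
+ *
+ * @return array
+ */
+function bp_settings_get_registered_notification_keys() {
+
+    ob_start();
+    do_action( 'bp_notification_settings' );
+    $screen = ob_get_clean();
+
+    $matched = preg_match_all( '/<input[^>]+name="notifications\[([^\]]+)\]/', $screen, $matches );
+
+    if ( $matched && isset( $matches[1] ) ) {
+        $key_whitelist = $matches[1];
+    } else {
+        $key_whitelist = array();
+    }
+
+    return $key_whitelist;
+}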
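Review bot: In `bp_settings_sanitize_notification_settings()`, values for registered keys that are not in `$core_notification_settings` are stored exactly as submitted (`$sanitized_settings[ $key ] = $value;`), so a plugin-registered key still accepts an arbitrary string or even a nested array from `$_POST`, which `bp_update_user_meta()` will serialize into user meta; only the key is whitelisted, not the value. At minimum reject non-scalars before the core-key branch, `if ( ! is_scalar( $value ) ) { continue; }`, and consider a documented default such as `$value = sanitize_text_field( (string) $value );` for non-core keys, since the commit message promises value sanitization. Separately, the whitelist in `bp_settings_get_registered_notification_keys()` is recovered by regex-matching rendered HTML and only accepts `name="notifications[...]"` with double quotes, so a plugin that prints the attribute with single quotes or different spacing will have its setting silently dropped; `name=["\']notifications\[([^\]"\']+)\]` would cover both quote styles, and the docblock should state that this HTML-scraping dependency is the contract plugins must meet.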