BuddyPress.org


Timestamp: 12/02/2015 08:47:28 PM (10 years ago)
Author: djpaul
Message:

Improve input handling on a variety of admin screens (trunk).

An internal audit revealed some screens which react to form submission where we were not sanitising input as well as we could have been. We've added extra typecasting and existence checks to avoid mishandling causing PHP Notices.

Additionally, we moved a list of hardcoded BuddyPress "pages" (registration and account activation) into a filterable function to allow plugin developers to more easily customise or add to these, which also gives us the benefit of being able to use that function as a sanitisation whitelist, without duplicating that hardcoded list.

Props boonebgorges, DJPaul
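The two techniques the commit message describes, typecasting submitted values before use and validating them against a filterable whitelist rather than a hardcoded list, in one stand-alone example. This is an added illustration, not BuddyPress code: `example_allowed_group_roles()`, the hook name `example_allowed_group_roles`, `example_pending_role_changes()` and `sanitize_key_like()` are hypothetical names chosen for the example; `apply_filters()` is WordPress's real filter API, guarded so the file also runs under plain PHP; the `$sample_post` array is a constructed submission.

```php
<?php
// Added example, not BuddyPress code: validate a role-change form against a
// filterable whitelist instead of trusting raw $_POST values.

// Minimal stand-in for WordPress's sanitize_key(): lowercase, [a-z0-9_-] only.
function sanitize_key_like( $value ) {
    return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $value ) );
}

// Hypothetical whitelist of role slugs. Because the list lives in one function,
// it can be both the source of the UI options and the sanitisation whitelist,
// and plugins can extend it through the filter without duplicating the list.
function example_allowed_group_roles() {
    $roles = array( 'admin', 'mod', 'member', 'banned', 'remove' );
    if ( function_exists( 'apply_filters' ) ) {
        // Hypothetical hook name; (array) cast guards against a filter returning junk.
        $roles = (array) apply_filters( 'example_allowed_group_roles', $roles );
    }
    return $roles;
}

/**
 * Reduce a submitted role map to [ (int) user_id => role ] pairs whose role is
 * whitelisted and differs from the submitted existing role. Nothing is modified
 * here; the caller applies the returned changes.
 */
function example_pending_role_changes( array $post ) {
    $changes = array();
    if ( empty( $post['bp-groups-role'] ) || ! is_array( $post['bp-groups-role'] ) ) {
        return $changes;
    }
    $allowed = example_allowed_group_roles();

    foreach ( $post['bp-groups-role'] as $user_id => $new_role ) {
        $user_id = (int) $user_id;                 // same typecast the changeset adds
        if ( $user_id <= 0 || ! is_string( $new_role ) ) {
            continue;                              // non-numeric keys and array payloads never reach the switch
        }
        $new_role = sanitize_key_like( $new_role );
        if ( ! in_array( $new_role, $allowed, true ) ) {
            continue;                              // whitelist check with strict comparison
        }
        $existing = isset( $post['bp-groups-existing-role'][ $user_id ] )
            && is_string( $post['bp-groups-existing-role'][ $user_id ] )
            ? sanitize_key_like( $post['bp-groups-existing-role'][ $user_id ] )
            : '';
        if ( $existing !== $new_role ) {
            $changes[ $user_id ] = $new_role;
        }
    }
    return $changes;
}

// Constructed sample submission: one real change, one unchanged role, one role
// not on the whitelist, one array payload, and one non-numeric user id.
$sample_post = array(
    'bp-groups-role' => array(
        '7'   => 'mod',
        '8'   => 'member',
        '9'   => 'superuser',
        '10'  => array( 'admin' ),
        'abc' => 'admin',
    ),
    'bp-groups-existing-role' => array(
        7 => 'member',
        8 => 'member',
    ),
);

var_dump( example_pending_role_changes( $sample_post ) );
```

Only user 7 survives: 8 is unchanged, 9 is not whitelisted, 10 submitted an array instead of a string, and `abc` casts to 0. The strict `in_array()` and `!==` comparisons matter because PHP's loose comparison can treat unrelated values as equal once types differ.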

File: 1 edited

  • trunk/src/bp-groups/bp-groups-admin.php

    r10373 r10386  
    311311                // Process only those users who have had their roles changed.
    312312                foreach ( (array) $_POST['bp-groups-role'] as $user_id => $new_role ) {
     313                    $user_id = (int) $user_id;
    313314
    314315                    $existing_role = isset( $_POST['bp-groups-existing-role'][$user_id] ) ? $_POST['bp-groups-existing-role'][$user_id] : '';
    315316
    316317                    if ( $existing_role != $new_role ) {
     318                        $result = false;
    317319
    318320                        switch ( $new_role ) {
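Review bot: `$existing_role` on the `$existing_role = isset( $_POST['bp-groups-existing-role'][$user_id] ) ? ... : '';` line is still taken raw from `$_POST` and then used in the loose `!=` comparison, while the neighbouring key now gets the `(int)` cast; cast it to string (or pass it through the same sanitisation the role slugs receive) so a non-string value in `bp-groups-existing-role` cannot reach the comparison, and use `!==` once both sides are strings. Nothing before `switch ( $new_role )` constrains `$new_role`, so the switch cases (outside this hunk) act as the whitelist; a `default` branch that leaves `$result` at the new `false` initialisation is what makes that safe.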