Changeset 12635

Timestamp:

04/26/2020 03:58:20 AM (5 years ago)

Author:

imath

Message:

BP Signup: add a whitelist of available orderby arguments

The BP Signup::get() method orderby argument's possible values are : signup_id, login, email, registered and activated. The Default value remains signup_id.

Fixes #8284

Location:

trunk

Files:

• src/bp-members/classes/class-bp-signup.php (modified) (3 diffs)
• tests/phpunit/testcases/members/class-bp-signup.php (modified) (1 diff)

trunk/src/bp-members/classes/class-bp-signup.php

@@ -122 +122 @@
      *
      * @since 2.0.0
+     * @since 6.0.0 Adds a whitelist of allowed orderby parameters.
      *
      * @param array $args {
@@ -128 +129 @@
      *     @type int         $number         How many to fetch. Default 1.
      *     @type bool|string $usersearch     Whether or not to search for a username. Default false.
-     *     @type string      $orderby        Order By parameter. Default 'signup_id'.
+     *     @type string      $orderby        Order By parameter. Possible values are `signup_id`, `login`, `email`,
+     *                                       `registered`, `activated`. Default `signup_id`.
      *     @type string      $order          Order direction. Default 'DESC'.
      *     @type bool        $include        Whether or not to include more specific query params.
@@ -159 +161 @@
         );
 
-        // @todo whitelist sanitization
-        if ( $r['orderby'] !== 'signup_id' ) {
+        // Whitelist sanitization.
+        if ( ! in_array( $r['orderby'], array( 'login', 'email', 'registered', 'activated' ), true ) ) {
+            $r['orderby'] = 'signup_id';
+        }
+
+        if ( 'login' === $r['orderby'] || 'email' === $r['orderby'] ) {
             $r['orderby'] = 'user_' . $r['orderby'];
         }

trunk/tests/phpunit/testcases/members/class-bp-signup.php

@@ -199 +199 @@
      * @group get
      */
+    public function test_get_with_orderby_login_asc() {
+        $s1 = self::factory()->signup->create( array(
+            'user_login' => 'fghij',
+        ) );
+        $s2 = self::factory()->signup->create( array(
+            'user_login' => 'abcde',
+        ) );
+        $s3 = self::factory()->signup->create( array(
+            'user_login' => 'zzzzz',
+        ) );
+
+        $ss = BP_Signup::get( array(
+            'orderby' => 'login',
+            'number' => 3,
+            'order' => 'ASC',
+            'fields' => 'ids',
+        ) );
+
+        $this->assertEquals( array( $s2, $s1, $s3 ), $ss['signups'] );
+    }
+
+    /**
+     * @group get
+     */
+    public function test_get_with_orderby_registered_asc() {
+        $now = time();
+
+        $s1 = self::factory()->signup->create( array(
+            'registered' => date( 'Y-m-d H:i:s', $now - 50 ),
+        ) );
+        $s2 = self::factory()->signup->create( array(
+            'registered' => date( 'Y-m-d H:i:s', $now - 100 ),
+        ) );
+        $s3 = self::factory()->signup->create( array(
+            'registered' => date( 'Y-m-d H:i:s', $now - 10 ),
+        ) );
+
+        $ss = BP_Signup::get( array(
+            'orderby' => 'registered',
+            'number' => 3,
+            'order' => 'ASC',
+            'fields' => 'ids',
+        ) );
+
+        $this->assertEquals( array( $s2, $s1, $s3 ), $ss['signups'] );
+    }
+
+    /**
+     * @group get
+     */
     public function test_get_with_include() {
         $s1 = self::factory()->signup->create();