Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
+++ b/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
@@ -6,7 +6,15 @@
class WPGMP_Pro_Feature_UI_Modifier {
+ private $page_slug = false;
+
public function __construct() {
+
+ $page_name = isset($_GET['page']) ? sanitize_text_field($_GET['page']) : '';
+ if (strpos($page_name, 'wpgmp') !== false) {
+ $this->page_slug = true;
+ }
+
add_filter( 'wpgmp_form_footer_html', [ $this, 'append_pro_upgrade_modal_to_footer' ] );
add_filter( 'wpgmp_field_group_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
add_filter( 'wpgmp_input_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
@@ -18,65 +26,72 @@
}
public function wpgmp_template_directory($is_pro,$directory,$name,$atts) {
-
- if(strstr($directory,'layout')) {
- return true;
- }
-
- if(!strstr($directory,'default') and strstr($name,"item_skin")) {
- return true;
+ if ($this->page_slug) {
+ if(strstr($directory,'layout')) {
+ return true;
+ }
+
+ if(!strstr($directory,'default') and strstr($name,"item_skin")) {
+ return true;
+ }
}
-
-
return $is_pro;
}
public function wpgmp_element_before_start_row($element,$name,$atts) {
-
- if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
- $not_available_class = 'fc-feature-not-available';
- } else{
- $not_available_class = '';
+ if ($this->page_slug) {
+ if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
+ $not_available_class = 'fc-feature-not-available';
+ } else{
+ $not_available_class = '';
+ }
+
+ if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
+ $pro_feature_class = 'fc-pro-feature';
+ $element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
+ }
+
+ if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
+ $pro_feature_class_lock = 'fc-pro-feature-lock';
+ $element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
+ }
}
- if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
- $pro_feature_class = 'fc-pro-feature';
- $element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
- }
-
- if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
- $pro_feature_class_lock = 'fc-pro-feature-lock';
- $element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
- }
-
return $element;
- }
+ }
public function handle_pro_submit_button( $element, $name, $atts ) {
- $no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';
+ if ($this->page_slug) {
+ $no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';
- if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
- $element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
- <a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
- <i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
- </a>
- </div>';
+ if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+ $element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
+ <a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
+ <i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
+ </a>
+ </div>';
+ }
}
return $element;
}
public function add_pro_suffix_to_label( $value, $atts ) {
- if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
- $value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+ if ($this->page_slug) {
+ if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+ $value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+ }
}
return $value;
}
public function append_pro_upgrade_modal_to_footer( $output ) {
- $modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
- return $output . $modal_html;
+ if ($this->page_slug) {
+ $modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
+ return $output . $modal_html;
+ }
+ return $output;
}
}
}
--- a/wp-google-map-plugin/classes/wpgmp-security.php
+++ b/wp-google-map-plugin/classes/wpgmp-security.php
@@ -92,14 +92,21 @@
$value = trim( $value );
// Either map widht is a just a plain number.
- if ( is_numeric( $value ) ) {
- return absint( $value );
- }
+
// Or map width can be a number with % sign.
$pattern = '/^([1-9][0-9]*)(%)?$/';
if ( preg_match( $pattern, $value ) ) {
return $value;
+ }else if ( is_numeric( $value ) ) {
+ return absint( $value );
+ }else if( ! is_numeric( $value ) ){
+ $width = absint ( sanitize_text_field( $value ) );
+ if($width === 0){
+ return '100%';
+ }else{
+ return $width;
+ }
}
return '';
--- a/wp-google-map-plugin/core/class.model.php
+++ b/wp-google-map-plugin/core/class.model.php
@@ -40,6 +40,12 @@
*/
private $query = '';
/**
+ * Table columns assoicated to the model class.
+ *
+ * @var string
+ */
+ public $allowed_columns = [];
+ /**
* Table name assoicated to the model class.
*
* @var string
@@ -156,6 +162,29 @@
return true;
}
+
+ /**
+ * Load and cache the list of valid database columns for the current table.
+ *
+ * This method retrieves the
+ */
+
+ protected function load_columns() {
+
+ if ( empty( $this->table ) ) {
+ return;
+ }
+
+ global $wpdb;
+
+ $columns = $wpdb->get_results( "DESCRIBE `{$this->table}`", ARRAY_A );
+
+ if ( ! empty( $columns ) ) {
+
+ $this->allowed_columns = array_column( $columns, 'Field' );
+
+ }
+ }
/**
* Retrive records from database based on conditional array.
*
@@ -189,15 +218,17 @@
}
if ( isset( $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'] ) && 'NUMERIC' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] && 'SET' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] ) {
if ( 1 == $GLOBALS['configuration']['db_encoding'] ) {
- $value = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(' . $fcv_array[ $i ][2] . ')' : "'" . $fcv_array[ $i ][2] . "'";
+
+ $value = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(`' . trim( $fcv_array[ $i ][2], '`' ) . '`)' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
$this->query .= 'BASE64_DECODE(`' . $fcv_array[ $i ][0] . '`) ' . $fcv_array[ $i ][1] . ' ' . $value;
} else {
- $value = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
+
+ $value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
$this->query .= '`' . $fcv_array[ $i ][0] . '` ' . $fcv_array[ $i ][1] . ' ' . $value;
}
} else {
- $value = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $fcv_array[ $i ][2] . "'";
+ $value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
if ( 'in' == strtolower( $fcv_array[ $i ][1] ) ) {
$value = str_replace( "'", '', $value );
$value = '(' . $value . ')';
@@ -326,16 +357,18 @@
* @param string $value Column name.
* @return boolean True or False.
*/
- public static function is_column( $value ) {
-
- if ( strlen( $value ) > 2 ) {
- if ( substr( $value, 0, 1 ) == '`' && substr( $value, strlen( $value ) - 1, 1 ) == '`' ) {
- return true;
- }
- return false;
- }
-
- return false;
+ public function is_column( $value ) {
+ if ( ! is_string( $value ) || empty( $this->allowed_columns ) ) {
+ return false;
+ }
+
+ $clean = trim( $value, '`' );
+
+ if ( ! preg_match( '/^[a-zA-Z0-9_]+$/', $clean ) ) {
+ return false;
+ }
+
+ return in_array( $clean, $this->allowed_columns, true );
}
/**
* Convert XML to array.
--- a/wp-google-map-plugin/core/class.tabular.php
+++ b/wp-google-map-plugin/core/class.tabular.php
@@ -522,11 +522,34 @@
* @return string Winner element.
*/
function usort_reorder( $a, $b ) {
-
- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field( wp_unslash( $_GET['orderby'] ) ) : '';
- $order = ( ! empty( $_GET['order'] ) ) ? sanitize_text_field( wp_unslash( $_GET['order'] ) ) : 'asc';
- $result = strcmp( $a[ $orderby ], $b[ $orderby ] );
- return ( 'asc' == $order ) ? $result : -$result;
+
+ /* ---- Allowed sortable columns (WHITELIST) ---- */
+ $sortable_columns = $this->get_sortable_columns();
+ $allowed_orderby = array_keys( $sortable_columns );
+
+ /* ---- Validate orderby ---- */
+ $orderby = isset($_GET['orderby'])
+ ? sanitize_key( wp_unslash( $_GET['orderby'] ) )
+ : $this->primary_col;
+
+ if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+ $orderby = $this->primary_col;
+ }
+
+ /* ---- Validate order ---- */
+ $order = isset($_GET['order'])
+ ? strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) )
+ : 'asc';
+
+ $order = ( $order === 'desc' ) ? 'desc' : 'asc';
+
+ /* ---- Prevent undefined index notices ---- */
+ $value_a = isset($a[$orderby]) ? $a[$orderby] : '';
+ $value_b = isset($b[$orderby]) ? $b[$orderby] : '';
+
+ $result = strcmp( (string) $value_a, (string) $value_b );
+
+ return ( $order === 'asc' ) ? $result : -$result;
}
/**
* Get bulk actions.
@@ -703,117 +726,137 @@
/**
* Prepare records before print.
*/
- function prepare_items() {
+ function prepare_items() {
+
global $wpdb;
+
$columns = $this->get_columns();
$hidden = array();
$sortable = $this->get_sortable_columns();
$this->_column_headers = array( $columns, $hidden, $sortable );
+
$this->process_bulk_action();
+
$query = ( empty( $this->sql ) ) ? 'SELECT * FROM ' . $this->table : $this->sql;
- if( isset( $_GET['page'] ) && !empty( $_GET['page'] ) ){
- $query = apply_filters('fc_manage_page_basic_query', $query , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
- }
-
- if ( isset( $_GET['page'] ) && isset( $_REQUEST['s'] ) ) {
- $page = sanitize_text_field( wp_unslash( $_GET['page'] ) );
- $search = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );
- } else {
- $page = '';
- $search = '';
+
+ if ( isset( $_GET['page'] ) && ! empty( $_GET['page'] ) ) {
+ $query = apply_filters(
+ 'fc_manage_page_basic_query',
+ $query,
+ sanitize_text_field( wp_unslash( $_GET['page'] ) )
+ );
}
-
- if(!$this->noSql){
-
- if ( $this->admin_listing_page_name == $page && '' != $search ) {
-
+
+ $page = isset($_GET['page']) ? sanitize_text_field( wp_unslash($_GET['page']) ) : '';
+ $search = isset($_REQUEST['s']) ? sanitize_text_field( wp_unslash($_REQUEST['s']) ) : '';
+
+ if ( ! $this->noSql ) {
+
+ /* ================= SEARCH ================= */
+ if ( $this->admin_listing_page_name == $page && '' !== $search ) {
+
$s = $search;
- $first_column = '';
- $remaining_columns = array();
$prepare_query_with_placeholders = '';
$prepare_args_values = array();
-
+ $first = true;
+
foreach ( $this->columns as $column_name => $columnlabel ) {
-
- if ( "{$this->primary_col}" == $column_name ) {
- continue;
+
+ if ( $column_name === $this->primary_col ) {
+ continue;
+ }
+
+ if (
+ isset($this->searchExclude)
+ && ! empty($this->searchExclude)
+ && in_array($column_name, $this->searchExclude, true)
+ ) {
+ continue;
+ }
+
+ $prepare_args_values[] = '%' . $wpdb->esc_like( $s ) . '%';
+
+ if ( $first ) {
+ $prepare_query_with_placeholders .= " WHERE {$column_name} LIKE %s";
+ $first = false;
} else {
-
- if ( empty( $first_column ) ) {
-
- $first_column = $column_name;
- $prepare_args_values[] = $wpdb->esc_like($s);
- $prepare_query_with_placeholders = " WHERE {$column_name} LIKE '%%%s%%'";
-
-
- } else {
-
- $remaining_columns[] = $column_name;
- if ( isset($this->searchExclude) && !empty($this->searchExclude) && !in_array( $column_name, $this->searchExclude ) ) {
- $prepare_args_values[] = $wpdb->esc_like($s);
- $prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
-
- }
-
- if(!isset($this->searchExclude) ){
- $prepare_args_values[] = $wpdb->esc_like($s);
- $prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
- }
- }
+ $prepare_query_with_placeholders .= " OR {$column_name} LIKE %s";
}
}
-
- // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $this->table and $this->primary_col are internal class properties
- $this->data = $wpdb->get_results( $wpdb->prepare( 'SELECT * FROM '.$this->table. $prepare_query_with_placeholders. ' order by '.$this->primary_col.' desc', $prepare_args_values ) );
-
- }
- else if ( isset($_GET['orderby']) && ! empty( $_GET['orderby'] ) && isset($_GET['order']) && ! empty( $_GET['order'] ) ) {
-
- $_GET['orderby'] = sanitize_text_field( $_GET['orderby'] );
- $_GET['order'] = sanitize_text_field( $_GET['order'] );
- $orderby = ( !empty( $_GET['orderby'] ) ) ? wp_unslash( $_GET['orderby'] ) : $this->primary_col;
- $order = ( !empty( $_GET['order'] ) ) ? wp_unslash( $_GET['order'] ) : 'asc';
-
- $query_to_run = $query;
- $query_to_run .= " order by {$orderby} {$order}";
- // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
- $this->data = $wpdb->get_results( $query_to_run );
-
- }
- else {
-
- $query_to_run = $query;
- $query_to_run .= " order by {$this->primary_col} desc";
- $query_to_run = apply_filters('fc_manage_page_default_query', $query_to_run , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
- // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
- $this->data = $wpdb->get_results( $query_to_run );
-
+
+ // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+ $this->data = $wpdb->get_results(
+ $wpdb->prepare(
+ 'SELECT * FROM ' . $this->table . $prepare_query_with_placeholders .
+ ' ORDER BY ' . $this->primary_col . ' DESC',
+ $prepare_args_values
+ )
+ );
+
+ /* ================= SAFE ORDER BY ================= */
+ } elseif ( isset($_GET['orderby']) && isset($_GET['order']) ) {
+
+ /* ---- WHITELIST ORDERBY ---- */
+ $sortable_columns = $this->get_sortable_columns();
+ $allowed_orderby = array_keys( $sortable_columns );
+
+ $orderby = sanitize_key( wp_unslash( $_GET['orderby'] ) );
+
+ if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+ $orderby = $this->primary_col;
}
-
- }else{
-
- if(isset($this->external) && !empty($this->external)){
- $this->data = $this->external;
+
+ /* ---- STRICT ORDER VALIDATION ---- */
+ $order = strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) );
+ $order = ( $order === 'desc' ) ? 'DESC' : 'ASC';
+
+ $query_to_run = $query;
+ $query_to_run .= " ORDER BY {$orderby} {$order}";
+
+ // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- identifiers are whitelist validated
+ $this->data = $wpdb->get_results( $query_to_run );
+
+ /* ================= DEFAULT ================= */
+ } else {
+
+ $query_to_run = $query;
+ $query_to_run .= " ORDER BY {$this->primary_col} DESC";
+
+ $query_to_run = apply_filters(
+ 'fc_manage_page_default_query',
+ $query_to_run,
+ $page
+ );
+
+ // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+ $this->data = $wpdb->get_results( $query_to_run );
}
-
- }
-
- $current_page = apply_filters('fc_tabular_set_pagination_page',$this->get_pagenum()) ; // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
- $total_items = count( $this->data );
- if ( is_array( $this->data ) && ! empty( $this->data ) ) {
- $this->found_data = @array_slice( $this->data, ( ( $current_page - 1 ) * $this->per_page ), $this->per_page );
+
} else {
- $this->found_data = array();
+
+ if ( isset($this->external) && ! empty($this->external) ) {
+ $this->data = $this->external;
+ }
}
-
- $p_data = array( 'total_items' => $total_items, 'per_page' => $this->per_page );
- $this->set_pagination_args($p_data);
+
+ $current_page = apply_filters(
+ 'fc_tabular_set_pagination_page',
+ $this->get_pagenum()
+ );
+
+ $total_items = count( $this->data );
+
+ $this->found_data = ( is_array($this->data) && ! empty($this->data) )
+ ? array_slice( $this->data, ( ($current_page - 1) * $this->per_page ), $this->per_page )
+ : array();
+
+ $this->set_pagination_args(array(
+ 'total_items' => $total_items,
+ 'per_page' => $this->per_page,
+ ));
+
$this->items = $this->found_data;
-
}
}
--- a/wp-google-map-plugin/modules/drawing/model.drawing.php
+++ b/wp-google-map-plugin/modules/drawing/model.drawing.php
@@ -36,21 +36,7 @@
}
function save() {
- global $_POST;
-
- if ( isset( $_POST['map_id'] ) ) {
- $map_id = intval( wp_unslash( $_POST['map_id'] ) );
- $data['polylines'][0] = $_POST['shapes_values'];
- $infowindow['map_polyline_setting']['shapes'] = serialize( $data );
- $in_loc_data = array(
- 'map_polyline_setting' => $infowindow['map_polyline_setting']['shapes'],
- );
- $where['map_id'] = $map_id;
-
- FlipperCode_Database::insert_or_update( TBL_MAP, $in_loc_data, $where );
- }
-
- unset( $_POST['operation'] );
+
}
}
}
--- a/wp-google-map-plugin/modules/group_map/model.group_map.php
+++ b/wp-google-map-plugin/modules/group_map/model.group_map.php
@@ -32,6 +32,7 @@
function __construct() {
$this->table = TBL_GROUPMAP;
$this->unique = 'group_map_id';
+ $this->load_columns();
$this->validations = [
'group_map_title' => [
'req' => esc_html__( 'Please enter title for marker category.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/location/model.location.php
+++ b/wp-google-map-plugin/modules/location/model.location.php
@@ -22,6 +22,7 @@
public function __construct() {
$this->table = TBL_LOCATION;
$this->unique = 'location_id';
+ $this->load_columns();
$this->validations = array(
'location_title' => array(
'req' => esc_html__( 'Please enter location title.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/map/model.map.php
+++ b/wp-google-map-plugin/modules/map/model.map.php
@@ -49,6 +49,7 @@
);
$this->table = TBL_MAP;
$this->unique = 'map_id';
+ $this->load_columns();
}
/**
* Admin menu for CRUD Operation
--- a/wp-google-map-plugin/modules/permissions/model.permissions.php
+++ b/wp-google-map-plugin/modules/permissions/model.permissions.php
@@ -38,66 +38,7 @@
* Save Permissions
*/
function save() {
- global $_POST;
- if ( isset( $_REQUEST['_wpnonce'] ) ) {
- $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ); }
-
- if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
-
- die( 'Cheating...' );
-
- }
- global $wp_roles;
- $wpgmp_roles = $wp_roles->get_names();
- unset( $wpgmp_roles['administrator'] );
- $wpgmp_permissions = array(
- 'wpgmp_admin_overview' => esc_html__('Map Overview','wp-google-map-plugin'),
- 'wpgmp_form_location' => esc_html__('Add Locations','wp-google-map-plugin'),
- 'wpgmp_manage_location' => esc_html__('Manage Locations','wp-google-map-plugin'),
- 'wpgmp_import_location' => esc_html__('Import Locations','wp-google-map-plugin'),
- 'wpgmp_form_map' => esc_html__('Create Map','wp-google-map-plugin'),
- 'wpgmp_manage_map' => esc_html__('Manage Map','wp-google-map-plugin'),
- 'wpgmp_manage_drawing' => esc_html__('Drawing','wp-google-map-plugin'),
- 'wpgmp_form_group_map' => esc_html__('Add Marker Category','wp-google-map-plugin'),
- 'wpgmp_manage_group_map' => esc_html__('Manage Marker Category','wp-google-map-plugin'),
- 'wpgmp_form_route' => esc_html__('Add Routes','wp-google-map-plugin'),
- 'wpgmp_manage_route' => esc_html__('Manage Routes','wp-google-map-plugin'),
- 'wpgmp_settings' => esc_html__('Settings','wp-google-map-plugin'),
- );
- $this->verify( $_POST );
-
- if ( is_array( $this->errors ) and ! empty( $this->errors ) ) {
- $this->throw_errors();
- }
- if ( isset( $_POST['wpgmp_save_permission'] ) ) {
-
- if ( isset( $_POST['wpgmp_map_permissions'] ) ) {
- $wpgmp_map_permissions = wp_unslash( $_POST['wpgmp_map_permissions'] );
- } else {
- $wpgmp_map_permissions = array();
- }
-
- if ( ! empty( $wpgmp_roles ) ) {
- foreach ( $wpgmp_roles as $wpgmp_role_key => $wpgmp_role_value ) {
- if ( $wpgmp_role_key == 'administrator' && is_admin() && current_user_can( 'manage_options' ) ) {
- continue; }
-
- $role = get_role( $wpgmp_role_key );
-
- if ( ! empty( $wpgmp_permissions ) ) {
- foreach ( $wpgmp_permissions as $wpgmp_mkey => $wpgmp_mvalue ) {
- if ( isset( $wpgmp_map_permissions[ $wpgmp_role_key ][ $wpgmp_mkey ] ) ) {
- $role->add_cap( $wpgmp_mkey );
- } else {
- $role->remove_cap( $wpgmp_mkey );
- }
- }
- }
- }
- }
- }
- $response['success'] = esc_html__( 'Permissions were saved successfully.', 'wp-google-map-plugin' );
- return $response;
+
}
}
--- a/wp-google-map-plugin/modules/permissions/views/manage.php
+++ b/wp-google-map-plugin/modules/permissions/views/manage.php
@@ -54,7 +54,7 @@
'current' => ( ( @array_key_exists( $wpgmp_mkey, $urole->capabilities ) == true ) ? 'true' : 'false' ),
'before' => '<div class="fc-1">',
'after' => '</div>',
- 'class' => 'fc-form-check-input chkbox_class',
+ 'class' => 'fc-form-check-input chkbox_class wpgmp_author_permission',
)
);
}
--- a/wp-google-map-plugin/modules/route/model.route.php
+++ b/wp-google-map-plugin/modules/route/model.route.php
@@ -20,6 +20,7 @@
public function __construct() {
$this->table = TBL_ROUTES;
$this->unique = 'route_id';
+ $this->load_columns();
$this->validations = array(
'route_title' => array(
'req' => esc_html__( 'Please enter route title.', 'wp-google-map-plugin' ),
@@ -55,80 +56,15 @@
}
public function fetch( $where = array() ) {
- $routes = $this->get( $this->table, $where );
-
- foreach ( (array) $routes as $route ) {
- $route->route_way_points = maybe_unserialize( $route->route_way_points );
- $route->extensions_fields = maybe_unserialize( $route->extensions_fields );
- }
-
- return apply_filters( 'wpgmp_route_results', $routes, $where );
+
}
public function save() {
- if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_REQUEST['_wpnonce'] ), 'wpgmp-nonce' ) ) {
- wp_die( esc_html__( 'You are not allowed to save changes!', 'wp-google-map-plugin' ) );
- }
-
- $this->verify( $_POST );
- $this->errors = apply_filters( 'wpgmp_route_validation', $this->errors, $_POST );
-
- $waypoints = ! empty( $_POST['route_way_points'] ) ? explode( ',', sanitize_text_field( $_POST['route_way_points'] ) ) : array();
- if ( count( $waypoints ) > 8 ) {
- $this->errors[] = esc_html__( 'Please do not select more than 8 locations.', 'wp-google-map-plugin' );
- }
-
- if ( ! empty( $this->errors ) ) {
- $this->throw_errors();
- }
-
- $data = array(
- 'route_title' => sanitize_text_field( $_POST['route_title'] ?? '' ),
- 'route_stroke_color' => sanitize_text_field( $_POST['route_stroke_color'] ?? '' ),
- 'route_stroke_opacity' => sanitize_text_field( $_POST['route_stroke_opacity'] ?? '' ),
- 'route_stroke_weight' => intval( $_POST['route_stroke_weight'] ?? 0 ),
- 'route_travel_mode' => sanitize_text_field( $_POST['route_travel_mode'] ?? '' ),
- 'route_unit_system' => sanitize_text_field( $_POST['route_unit_system'] ?? '' ),
- 'route_marker_draggable' => sanitize_text_field( $_POST['route_marker_draggable'] ?? '' ),
- 'route_optimize_waypoints' => sanitize_text_field( $_POST['route_optimize_waypoints'] ?? '' ),
- 'route_start_location' => intval( $_POST['route_start_location'] ?? 0 ),
- 'route_end_location' => intval( $_POST['route_end_location'] ?? 0 ),
- 'route_way_points' => serialize( $waypoints ),
- 'extensions_fields' => serialize( wp_unslash( $_POST['extensions_fields'] ?? array() ) ),
- );
-
- $entityID = intval( $_POST['entityID'] ?? 0 );
- $where = $entityID > 0 ? array( $this->unique => $entityID ) : '';
-
- $data = apply_filters( 'wpgmp_route_save', $data, $where );
- $result = FlipperCode_Database::insert_or_update( $this->table, $data, $where );
-
- $response = array();
- if ( false === $result ) {
- $response['error'] = esc_html__( 'Something went wrong. Please try again.', 'wp-google-map-plugin' );
- } elseif ( $entityID > 0 ) {
- $response['success'] = esc_html__( 'Route was updated successfully.', 'wp-google-map-plugin' );
- } else {
- $response['success'] = esc_html__( 'Route was added successfully.', 'wp-google-map-plugin' );
- }
- $response['last_db_id'] = $result;
-
- do_action( 'wpgmp_after_route_save', $response, $data, $entityID );
-
- return $response;
+
}
public function delete() {
- if ( isset( $_GET['route_id'] ) ) {
- $id = intval( wp_unslash( $_GET['route_id'] ) );
- $connection = FlipperCode_Database::connect();
- $query = $connection->prepare( "DELETE FROM $this->table WHERE $this->unique = %d", $id );
- $result = FlipperCode_Database::non_query( $query, $connection );
-
- do_action( 'wpgmp_after_route_deleted', $id, $result );
- return $result;
- }
- return false;
+
}
}
}
No newline at end of file
--- a/wp-google-map-plugin/wp-google-map-plugin.php
+++ b/wp-google-map-plugin/wp-google-map-plugin.php
@@ -7,7 +7,7 @@
* Author URI: https://weplugins.com/
* License: GPL v2 or later
* License URI: https://www.gnu.org/licenses/gpl-2.0.html
- * Version: 4.9.1
+ * Version: 4.9.2
* Text Domain: wp-google-map-plugin
* Domain Path: /lang
*/
@@ -74,7 +74,6 @@
add_action( 'widgets_init', [ $this, 'wpgmp_google_map_widget'] );
add_action( 'wp_enqueue_scripts', [ $this, 'wpgmp_frontend_scripts'] );
add_action( 'wp_ajax_wpgmp_ajax_call', [ $this, 'wpgmp_ajax_call'] );
- add_action( 'wp_ajax_nopriv_wpgmp_ajax_call', [ $this, 'wpgmp_ajax_call'] );
add_filter( 'media_upload_tabs', [ $this, 'wpgmp_google_map_tabs_filter']);
add_filter( 'fc-dummy-placeholders', [ $this, 'wpgmp_apply_placeholders'] );
@@ -233,23 +232,38 @@
}
}
- function wpgmp_return_final_capability($cap){
+ function wpgmp_return_final_capability( $cap ) {
- if ( current_user_can('administrator') ) {
+ global $wpdb;
+ if ( current_user_can( 'administrator' ) ) {
return $cap;
}
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
- $frontend_page = ( !is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['cap']) && !empty($_GET['cap']) && $_GET['cap'] == 'wpgmp_manage_location' ) ? true : false;
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
- $backend_page = ( is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['page']) && !empty($_GET['page']) && $_GET['page'] == 'wpgmp_manage_location' ) ? true : false;
-
- if($frontend_page || $backend_page){
-
- $model_factory = new WPGMP_Model();
- $location_obj = $model_factory->create_object( 'location' );
- $location_data = $location_obj->fetch( array( array( 'location_id', '=', $_GET['location_id'] ) ) );
- if(get_current_user_id() != $location_data[0]->location_author){
- $cap = '';
+
+ // Sanitize GET values
+ $location_id = isset( $_GET['location_id'] ) ? absint( sanitize_text_field( $_GET['location_id'] ) ) : '';
+ $doaction = isset( $_GET['doaction'] ) ? sanitize_text_field( wp_unslash( $_GET['doaction'] ) ) : '';
+ $get_cap = isset( $_GET['cap'] ) ? sanitize_text_field( wp_unslash( $_GET['cap'] ) ) : '';
+ $page = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
+
+
+ $backend_page = (
+ is_admin() &&
+ ! empty( $location_id ) &&
+ ! empty( $doaction ) &&
+ $page === 'wpgmp_manage_location'
+ ) ? true : false;
+
+ if ( $backend_page ) {
+
+ $location_data = $wpdb->get_results( $wpdb->prepare(
+ "SELECT * FROM {$wpdb->prefix}map_locations WHERE location_id = %d",
+ intval( $location_id )
+ ) );
+
+ if ( ! empty( $location_data ) && isset( $location_data[0]->location_author ) ) {
+ if ( get_current_user_id() !== (int) $location_data[0]->location_author ) {
+ $cap = '';
+ }
}
}
@@ -1351,7 +1365,7 @@
if ( is_admin() )
$this->wpgmp_define( 'WPGMP_SLUG', 'wpgmp_view_overview' );
- $this->wpgmp_define( 'WPGMP_VERSION', '4.9.1' );
+ $this->wpgmp_define( 'WPGMP_VERSION', '4.9.2' );
$this->wpgmp_define( 'WPGMP_FOLDER', basename( dirname( __FILE__ ) ) );
$this->wpgmp_define( 'WPGMP_DIR', plugin_dir_path( __FILE__ ) );
$this->wpgmp_define( 'WPGMP_ICONS_DIR', WPGMP_DIR . '/assets/images/icons/' );
