
Changeset 2456786 for ulisting


Timestamp:
01/15/2021 07:38:53 AM (4 years ago)
Author:
stylemix
Message:

update 1.7

Location:
ulisting
Files:
1311 added
30 edited

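--- a/ulisting/trunk/README.txt
+++ b/ulisting/trunk/README.txt
@@ -6,5 +6,5 @@
 Requires at least: 4.6
 Tested up to: 5.6
-Stable tag: 1.6.6
+Stable tag: 1.7
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -173,4 +173,12 @@
 
 == Changelog ==
+
+= 1.7 =
+- Security update
+- added: Additional Ajax Security Nonces
+- added: Additional Form Validators and Sanitizers
+- added: Extra User Role Capability checkers
+- added: Before Registration check "WordPress > Settings > Membership" option
+- fixed: "ajax_nonpriv" hooks removed from Authorized Requests
 
 = 1.6.6 =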
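--- a/ulisting/trunk/assets/js/admin/srm-listing-single-page-builder.js
+++ b/ulisting/trunk/assets/js/admin/srm-listing-single-page-builder.js
@@ -84,4 +84,5 @@
                 formData.append('listing_type_id', vm.listing_type_id);
                 formData.append('id', 'ulisting_single_page_layout_' + _id);
+                formData.append('nonce', ulistingAjaxNonce);
 
                 vm.$set(vm.image, 'message', '');
@@ -100,5 +101,8 @@
             var vm = this;
             vm.load = true;
-            this.$http.post("ulisting-builder/listing-single-page/get_data", {'listing_type_id': vm.listing_type_id}).then(function (response) {
+            this.$http.post("ulisting-builder/listing-single-page/get_data", {
+                'listing_type_id': vm.listing_type_id,
+                'nonce': ulistingAjaxNonce
+            }).then(function (response) {
                 if (response.body.success) {
                     vm.sections = response.body.data.sections;
@@ -141,5 +145,6 @@
             this.$http.post("ulisting-builder/listing-single-page/get-layout", {
                 layout_id: layout.id,
-                listing_type_id: vm.listing_type_id
+                listing_type_id: vm.listing_type_id,
+                nonce: ulistingAjaxNonce
             }).then(function (response) {
                 if (response.body.success) {
@@ -158,5 +163,6 @@
                 name: vm.layout_selected.name,
                 sections: vm.sections,
-                listing_type_id: vm.listing_type_id
+                listing_type_id: vm.listing_type_id,
+                nonce: ulistingAjaxNonce
             };
             this.$http.post("ulisting-builder/listing-single-page/save_layout", vm.layout).then(function (response) {
@@ -180,5 +186,6 @@
                 name: vm.layout_selected.name,
                 sections: vm.sections,
-                listing_type_id: vm.listing_type_id
+                listing_type_id: vm.listing_type_id,
+                nonce: ulistingAjaxNonce
             };
 
@@ -200,5 +207,6 @@
             this.$http.post("ulisting-builder/listing-single-page/delete-layout", {
                 layout_id: vm.layout_selected.id,
-                listing_type_id: vm.listing_type_id
+                listing_type_id: vm.listing_type_id,
+                nonce: ulistingAjaxNonce
             }).then(function (response) {
                 vm.form_load = false;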
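Review bot: The `nonce` added to every request in this section is the page-load value of the global `ulistingAjaxNonce`, and none of the `.then()` callbacks visible here reacts when the server rejects it — they act only on `response.body.success` — so once the nonce expires (WordPress nonces are valid for at most 24 hours) a builder tab left open fails silently. Whatever shape the `UlistingVerifyNonce` middleware returns on failure, each request needs an error branch, e.g. `else { vm.message = response.body.message || 'Session expired - reload the page'; }` (constructed message) or a `.catch()` that surfaces the failure; the surrounding handlers start and end outside the hunks. The same applies to the other JS files in this changeset (stm-item-card-layout.js, stm-setting-inventory-layout.js, stm-user-search.js, ulisting-import.js, ulisting-comment.js, stm-agent-add.js, stm-profile-edit.js, stm-register.js, ulisting-inventory-list.js, ulisting-my-listing.js).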
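--- a/ulisting/trunk/assets/js/admin/stm-item-card-layout.js
+++ b/ulisting/trunk/assets/js/admin/stm-item-card-layout.js
@@ -66,5 +66,10 @@
             var vm = this;
             vm.load = true;
-            this.$http.get("ulisting-builder/listing-item-card-layout/get-data",{params:{listing_type_id:vm.listing_type_id}}).then(function(response){
+            this.$http.get("ulisting-builder/listing-item-card-layout/get-data", {
+                    params: {
+                        listing_type_id:vm.listing_type_id,
+                        nonce: ulistingAjaxNonce
+                    }
+                }).then(function(response){
                 if(response.body.success){
                     vm.config      = response.body.data.config;
@@ -94,5 +99,6 @@
                 {
                     listing_type_id: vm.listing_type_id,
-                    layout_id: vm.active_layout.id
+                    layout_id: vm.active_layout.id,
+                    nonce: ulistingAjaxNonce
                 }
             ).then(function(response){
@@ -119,4 +125,5 @@
                     layout: vm.active_layout,
                     sections: vm.sections,
+                    nonce: ulistingAjaxNonce
                 }
                 ).then(function(response){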
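--- a/ulisting/trunk/assets/js/admin/stm-setting-inventory-layout.js
+++ b/ulisting/trunk/assets/js/admin/stm-setting-inventory-layout.js
@@ -101,4 +101,5 @@
                 formData.append('type', 'inventory');
                 formData.append('id', 'ulisting_type_page_layout_' + _id);
+                formData.append('nonce', ulistingAjaxNonce);
 
                 vm.$set(vm.image, 'message', '');
@@ -122,4 +123,5 @@
                 name: vm.layout_selected.name,
                 sections: vm.sections,
+                nonce: ulistingAjaxNonce
             };
             this.$http.post("ulisting-builder/listing-type-layout/save_layout", vm.layout).then(function (response) {
@@ -173,5 +175,8 @@
             };
             vm.create_panel = false;
-            this.$http.post("ulisting-builder/listing-type-layout/get-layout", {listing_type_layout_id: layout.id}).then(function (response) {
+            this.$http.post("ulisting-builder/listing-type-layout/get-layout", {
+                listing_type_layout_id: layout.id,
+                nonce: ulistingAjaxNonce
+            }).then(function (response) {
                 if (response.body.success) {
                     vm.sections = response.body.data.section;
@@ -199,4 +204,5 @@
                 name: vm.layout_selected.name,
                 sections: vm.sections,
+                nonce: ulistingAjaxNonce
             };
 
@@ -218,5 +224,8 @@
             var vm = this;
             vm.form_load = true;
-            this.$http.post("ulisting-builder/listing-type-layout/delete-layout", {listing_type_layout_id: vm.layout_selected.id}).then(function (response) {
+            this.$http.post("ulisting-builder/listing-type-layout/delete-layout", {
+                listing_type_layout_id: vm.layout_selected.id,
+                nonce: ulistingAjaxNonce
+            }).then(function (response) {
                 vm.form_load = false;
                 if (response.body.success) {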
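--- a/ulisting/trunk/assets/js/admin/stm-user-search.js
+++ b/ulisting/trunk/assets/js/admin/stm-user-search.js
@@ -19,5 +19,8 @@
         },
         search: (loading, search, vm) => {
-            vm.$http.get('ulisting-user/search',{params:{search:search}}).then(function(response){
+            vm.$http.get('ulisting-user/search',{params:{
+                search: search,
+                nonce: ulistingAjaxNonce
+            }}).then(function(response){
                 loading(false);
                 vm.options = response.body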
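--- a/ulisting/trunk/assets/js/admin/ulisting-import.js
+++ b/ulisting/trunk/assets/js/admin/ulisting-import.js
@@ -36,5 +36,9 @@
         progress_import(){
             var vm = this;
-            vm.$http.post('ulisting-import/progress', { step:vm.step_progress, key:vm.info_progress[vm.step_progress] }).then(function(response){
+            vm.$http.post('ulisting-import/progress', {
+                step: vm.step_progress,
+                key: vm.info_progress[vm.step_progress],
+                nonce: ulistingAjaxNonce
+            }).then(function(response){
 
                 vm.progress_data += response.body.data+" \n ";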
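--- a/ulisting/trunk/assets/js/frontend/comment/ulisting-comment.js
+++ b/ulisting/trunk/assets/js/frontend/comment/ulisting-comment.js
@@ -31,4 +31,5 @@
             form_data.append("type",vm.type);
             form_data.append("object_id",vm.object_id);
+            form_data.append("nonce",ulistingAjaxNonce);
             if(vm.rating)
                 form_data.append("rating",vm.rating);
@@ -60,5 +61,6 @@
                 "offset":vm.offset,
                 "comment_type":vm.type,
-                "user_id":vm.object_id
+                "user_id":vm.object_id,
+                "nonce":ulistingAjaxNonce
             };
             this.$http.get("ulisting-comment/get",{params:params}).then(function(response){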
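--- a/ulisting/trunk/assets/js/frontend/stm-agent-add.js
+++ b/ulisting/trunk/assets/js/frontend/stm-agent-add.js
@@ -31,5 +31,6 @@
                 'password_repeat' : vm.password_repeat,
                 'role' : 'agent',
-                'agency_id' : ulisting_user_agent_add_data.agency_id
+                'agency_id' : ulisting_user_agent_add_data.agency_id,
+                'nonce' : ulistingAjaxNonce
             };
 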
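--- a/ulisting/trunk/assets/js/frontend/stm-profile-edit.js
+++ b/ulisting/trunk/assets/js/frontend/stm-profile-edit.js
@@ -49,4 +49,5 @@
             formData.append('last_name', vm.last_name);
             formData.append('email', vm.email);
+            formData.append('nonce', ulistingAjaxNonce);
 
             for(index in vm.custom_fields)
@@ -81,4 +82,5 @@
             let formData = new FormData();
             formData.append('user_id', vm.user_id);
+            formData.append('nonce', ulistingAjaxNonce);
             if(vm.old_password)
                 formData.append('old_password', vm.old_password);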
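--- a/ulisting/trunk/assets/js/frontend/stm-register.js
+++ b/ulisting/trunk/assets/js/frontend/stm-register.js
@@ -59,5 +59,6 @@
                 'role' : vm.role,
                 'password' : vm.password,
-                'password_repeat' : vm.password_repeat
+                'password_repeat' : vm.password_repeat,
+                'nonce' : ulistingAjaxNonce
             };
 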
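--- a/ulisting/trunk/assets/js/frontend/ulisting-inventory-list.js
+++ b/ulisting/trunk/assets/js/frontend/ulisting-inventory-list.js
@@ -179,5 +179,6 @@
                     search_form_type: vm.search_form_type,
                     value: vm.query_data,
-                    query_data: vm.query_data
+                    query_data: vm.query_data,
+                    nonce: ulistingAjaxNonce
                 }).then(function (response) {
                 if (response.body.success) {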
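--- a/ulisting/trunk/assets/js/frontend/ulisting-my-listing.js
+++ b/ulisting/trunk/assets/js/frontend/ulisting-my-listing.js
@@ -138,5 +138,10 @@
             const vm = this;
             vm.loading = true;
-            this.$http.post("ulisting-user/draft_or_delete", {user_id:vm.user_id, listing_id:id, status}).then(function(response){
+            this.$http.post("ulisting-user/draft_or_delete", {
+                user_id:vm.user_id,
+                listing_id:id,
+                status,
+                nonce: ulistingAjaxNonce
+            }).then(function(response){
                 vm.message = response.body.message;
 
@@ -156,5 +161,9 @@
             const vm = this;
             vm.loading = true;
-            this.$http.post("ulisting-user/deletelisting", {user_id:vm.user_id, listing_id:id}).then(function(response){
+            this.$http.post("ulisting-user/deletelisting", {
+                user_id: vm.user_id,
+                listing_id: id,
+                nonce: ulistingAjaxNonce
+            }).then(function(response){
                 vm.message = response.body.message;
                 if(response.body.errors)
@@ -176,5 +185,9 @@
             vm.feature_plan_select = 0;
             vm.feature_plan_select_is_one_tome = false;
-            this.$http.post("ulisting-user/get_feature_plan", {user_id:vm.user_id, listing_id:id}).then(function(response){
+            this.$http.post("ulisting-user/get_feature_plan", {
+                user_id: vm.user_id,
+                listing_id: id,
+                nonce: ulistingAjaxNonce
+            }).then(function(response){
                 vm.loading = false;
                 vm.message = response.body.message;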
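--- a/ulisting/trunk/includes/admin/enqueue.php
+++ b/ulisting/trunk/includes/admin/enqueue.php
@@ -63,4 +63,5 @@
     wp_add_inline_script('vue', "const UlistingEventBus = new Vue();");
     wp_add_inline_script('stm-listing-admin', "var currentAjaxUrl = '".admin_url( 'admin-ajax.php', 'relative' )."'", 'before');
+    wp_add_inline_script('stm-listing-admin', "var ulistingAjaxNonce = '".\uListing\Classes\StmVerifyNonce::createAjaxNonce()."'", 'before');
     wp_add_inline_script('vue-resource', "Vue.http.options.root = '".site_url()."/1/api';");
 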
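Review bot: The nonce is spliced into JavaScript source by PHP string concatenation on the added line, and the resulting statement has no terminating semicolon; `wp_create_nonce()` output is alphanumeric today, so it works, but the WordPress idiom for handing a server value to a script is `wp_json_encode()`, which stays correct if the value ever contains a quote or backslash. Suggest `wp_add_inline_script('stm-listing-admin', 'var ulistingAjaxNonce = ' . wp_json_encode(\uListing\Classes\StmVerifyNonce::createAjaxNonce()) . ';', 'before');`. The same applies to the frontend copy in includes/enqueue.php in this changeset.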
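--- a/ulisting/trunk/includes/admin/views/listing-settings/email-settings.php
+++ b/ulisting/trunk/includes/admin/views/listing-settings/email-settings.php
@@ -164,5 +164,5 @@
 
             update({id, option_name} = {}) {
-                this.payload[option_name] = {id, option_name};
+                this.payload[option_name] = id;
             },
 
@@ -171,5 +171,6 @@
                 const data = {
                     socials: this.socials,
-                    images: this.payload
+                    images: this.payload,
+                    nonce: ulistingAjaxNonce
                 }
                 this.$http.post(currentAjaxUrl + '?action=stm_update_email_data', data).then(response => {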
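--- a/ulisting/trunk/includes/admin/views/listing-settings/user-roles.php
+++ b/ulisting/trunk/includes/admin/views/listing-settings/user-roles.php
@@ -399,5 +399,8 @@
                 vm.message = null;
                 vm.loading = true;
-                this.$http.post("ulisting-user/role/save", {roles:vm.roles}).then(function(response){
+                this.$http.post("ulisting-user/role/save", {
+                    roles: vm.roles,
+                    nonce: ulistingAjaxNonce
+                }).then(function(response){
                     vm.loading = false;
                     vm.message = response.body['message'];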
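--- a/ulisting/trunk/includes/classes/StmAjaxAction.php
+++ b/ulisting/trunk/includes/classes/StmAjaxAction.php
@@ -8,4 +8,5 @@
      * @param string   $tag             The name of the action to which the $function_to_add is hooked.
      * @param callable $function_to_add The name of the function you wish to be called.
+     * @param boolean  $nopriv          Optional. Boolean argument for adding wp_ajax_nopriv_action. Default false.
      * @param int      $priority        Optional. Used to specify the order in which the functions
      *                                  associated with a particular action are executed. Default 10.
@@ -16,13 +17,13 @@
      * @return true Will always return true.
      */
-    public static function addAction($tag, $function_to_add, $priority = 10, $accepted_args = 1) {
+    public static function addAction($tag, $function_to_add, $nopriv = false, $priority = 10, $accepted_args = 1) {
         add_action('wp_ajax_'.$tag, $function_to_add, $priority = 10, $accepted_args = 1);
-        add_action('wp_ajax_nopriv_'.$tag, $function_to_add);
+        if ( $nopriv ) add_action('wp_ajax_nopriv_'.$tag, $function_to_add);
         return true;
     }
 
     public static function init() {
-        StmAjaxAction::addAction('stm_listing_login', [ StmListingAuth::class ,'stm_listing_login']);
-        StmAjaxAction::addAction('stm_listing_register', [ StmListingAuth::class ,'stm_listing_register']);
+        StmAjaxAction::addAction('stm_listing_login', [ StmListingAuth::class ,'stm_listing_login'], true);
+        StmAjaxAction::addAction('stm_listing_register', [ StmListingAuth::class ,'stm_listing_register'], true);
         StmAjaxAction::addAction('stm_listing_profile_edit', [ StmListingAuth::class ,'stm_listing_profile_edit']);
         StmAjaxAction::addAction('stm_listing_ajax', [ StmListing::class ,'listing_ajax']);
@@ -35,11 +36,11 @@
         StmAjaxAction::addAction('stm_agencies_switcher', [ StmListingSettings::class ,'install_uninstall_ulisting_agencies']);
         StmAjaxAction::addAction('stm_settings_payment_method', [ StmPaymentMethod::class ,'ajax_settings_payment_method']);
-        StmAjaxAction::addAction('stm_user_click', [ UlistingPageStatistics::class , 'page_statistics_for_user_phone_click']);
-        StmAjaxAction::addAction('stm_listing_quick_view', [ StmListing::class ,'listing_quick_view_ajax']);
+        StmAjaxAction::addAction('stm_user_click', [ UlistingPageStatistics::class , 'page_statistics_for_user_phone_click'], true);
+        StmAjaxAction::addAction('stm_listing_quick_view', [ StmListing::class ,'listing_quick_view_ajax'], true);
 
         $ajax_actions = apply_filters("ulisting_ajax", []);
         foreach ($ajax_actions as $ajax_action) {
             if(isset($ajax_action['is_admin']) AND !$ajax_action['is_admin'])
-                StmAjaxAction::addAction($ajax_action['tag'], $ajax_action['action']);
+                StmAjaxAction::addAction($ajax_action['tag'], $ajax_action['action'], true);
         }
 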
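Review bot: The `$priority` and `$accepted_args` parameters are still discarded in `addAction()`: the untouched `add_action('wp_ajax_'...)` line assigns `$priority = 10, $accepted_args = 1` inside its argument list, so a caller's values never reach WordPress, and the new `wp_ajax_nopriv_` registration passes neither. Suggest `add_action('wp_ajax_'.$tag, $function_to_add, $priority, $accepted_args);` and `if ( $nopriv ) add_action('wp_ajax_nopriv_'.$tag, $function_to_add, $priority, $accepted_args);`. Inserting `$nopriv` ahead of `$priority` also changes the positional signature: any caller outside this file that passed a priority as the third argument now passes a truthy `$nopriv` and silently re-exposes that handler to logged-out requests, which is the opposite of what this commit intends, so the docblock should mark the reordering as a breaking change and such callers should be audited.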
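--- a/ulisting/trunk/includes/classes/StmInventoryLayout.php
+++ b/ulisting/trunk/includes/classes/StmInventoryLayout.php
@@ -159,5 +159,5 @@
 
         if(isset($request_data['listing_type_layout_id']) AND $layout = get_option($request_data['listing_type_layout_id'])){
-            delete_option($request_data['listing_type_layout_id']);
+            delete_option(sanitize_text_field($request_data['listing_type_layout_id']));
             $result['success'] = true;
         }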
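Review bot: `sanitize_text_field()` strips tags from the option name but does not limit which option this handler may delete; the `get_option()` on the line above only confirms the name exists, so any existing option supplied as `listing_type_layout_id` is removed. Unless the route already restricts this to administrators (the middlewares for the listing-type-layout routes are not visible in this changeset), constrain the name to the builder's own namespace — the client builds these ids as `'ulisting_type_page_layout_' + _id` in stm-setting-inventory-layout.js — e.g. `$option = sanitize_text_field($request_data['listing_type_layout_id']);` and `if ( strpos($option, 'ulisting_type_page_layout_') !== 0 ) { return $result; }` before the `delete_option()` call, using whatever failure path this handler normally takes. The enclosing function starts outside the hunk.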
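--- a/ulisting/trunk/includes/classes/StmListingAttribute.php
+++ b/ulisting/trunk/includes/classes/StmListingAttribute.php
@@ -176,5 +176,5 @@
 
     public static function ajaxActionCreate() {
-        StmVerifyNonce::nerifyNonce($_POST['wpnonce'], 'stm_attribute_ajax_create');
+        StmVerifyNonce::verifyNonce($_POST['wpnonce'], 'stm_attribute_ajax_create');
         $_POST['StmListingAttribute']['title'] = StmListingAttribute::deslash($_POST['StmListingAttribute']['title']);
         $model = StmListingAttribute::create($_POST['StmListingAttribute'])->save();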
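Review bot: `$_POST['wpnonce']` is read without an `isset()` guard on the renamed `verifyNonce()` line, so a request lacking that field raises a PHP notice before the check runs; `StmVerifyNonce::verifyNonce(isset($_POST['wpnonce']) ? $_POST['wpnonce'] : '', 'stm_attribute_ajax_create');` avoids it. No `$message` is passed either, and whether `verifyNonce()` ends the request in that case is not visible in this changeset (its body past `if($message)` lies outside the StmVerifyNonce.php hunk), which matters because `create()->save()` on the last line runs unconditionally once control returns; a capability check ahead of it, such as the `current_user_can( 'manage_options' )` guard this commit adds to `stm_update_email_data`, would also belong here. The same unguarded `$_POST['_wpnonce_add-tag']` read is in StmListingAttributeOption.php.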
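--- a/ulisting/trunk/includes/classes/StmListingAttributeOption.php
+++ b/ulisting/trunk/includes/classes/StmListingAttributeOption.php
@@ -56,5 +56,5 @@
     public static function ajaxActionSave()
     {
-        StmVerifyNonce::nerifyNonce($_POST['_wpnonce_add-tag'], 'stm_attributes_add_option_ajax3');
+        StmVerifyNonce::verifyNonce($_POST['_wpnonce_add-tag'], 'stm_attributes_add_option_ajax3');
     }
 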
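--- a/ulisting/trunk/includes/classes/StmListingAuth.php
+++ b/ulisting/trunk/includes/classes/StmListingAuth.php
@@ -61,4 +61,13 @@
         $request_body = file_get_contents('php://input');
         $data = json_decode($request_body, true);
+
+        if ( ! StmVerifyNonce::verifyAjaxNonce() ) {
+            wp_send_json($result);
+        }
+
+        if ( ! get_option( 'users_can_register' ) ) {
+            $result['message'] = esc_html__('User registration is not allowed in this site.', 'ulisting');
+            wp_send_json($result);
+        }
 
         $data_for_validate = $data;
@@ -94,4 +103,11 @@
          * @var $agency_id ;
          */
+
+        // Check if User Role is allowed
+        $userRole = new UlistingUserRole();
+        if ( ! in_array( $role, array_keys($userRole->roles) ) ) {
+            $result['message'] = esc_html__('This user role is not allowed.', 'ulisting');
+            wp_send_json($result);
+        }
 
         $user = wp_create_user($login, $password, $email);
@@ -143,4 +159,9 @@
             'status'  => 'error'
         );
+
+        if ( ! StmVerifyNonce::verifyAjaxNonce() || ! is_user_logged_in() ) {
+            wp_send_json($result);
+        }
+
         $validator = new Validation();
         $data_for_validate = $validator->sanitize(array_merge($_POST,$_FILES));
@@ -170,5 +191,5 @@
          */
 
-        if($user = new StmUser($user_id) AND $user->ID) {
+        if($user = new StmUser($user_id) AND $user->ID AND $user->ID == get_current_user_id()) {
 
             do_action("ulisting_profile_edit", ['user' => $user, 'data' => $validated_data]);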
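Review bot: The new role check `in_array( $role, array_keys($userRole->roles) )` uses loose comparison; if `$role` is taken from the JSON body decoded above (`$data = json_decode($request_body, true)`, derivation not visible in the hunk), a non-string value such as `true` or `0` compares equal to a role name under PHP's loose rules and passes the check. Use the strict form, `if ( ! in_array( $role, array_keys($userRole->roles), true ) ) {`, and say why in the comment, e.g. `// Only plugin-defined roles may be self-assigned at registration; strict compare because $role is untrusted request data`. The nonce-failure branch sends `$result` without setting a message, so the client gets an empty error; a `$result['message']` there would match the two branches below it. The enclosing functions start and end outside the hunks; the profile-edit guard `$user->ID == get_current_user_id()` is the right shape.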
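--- a/ulisting/trunk/includes/classes/StmListingSettings.php
+++ b/ulisting/trunk/includes/classes/StmListingSettings.php
@@ -199,4 +199,8 @@
      */
     public static function stm_update_email_data() {
+        if ( ! current_user_can( 'manage_options' ) || ! StmVerifyNonce::verifyAjaxNonce() ) {
+            return false;
+        }
+
         $result = [
             'status'  => 'success',
@@ -211,7 +215,11 @@
         }
 
-        if (isset($request_data['images']) && !empty($request_data['images'])) {
-            foreach ($request_data['images'] as $image)
-                update_option($image['option_name'], $image['id']);
+        if ( isset($request_data['images']) && is_array($request_data['images']) ) {
+            if ( array_key_exists('ulisting_email_banner', $request_data['images']) ) {
+                update_option('ulisting_email_banner', sanitize_text_field($request_data['images']['ulisting_email_banner']));
+            }
+            if ( array_key_exists('ulisting_email_logo', $request_data['images']) ) {
+                update_option('ulisting_email_logo', sanitize_text_field($request_data['images']['ulisting_email_logo']));
+            }
         }
         wp_send_json($result);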
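Review bot: `return false;` in the new capability/nonce guard leaves the caller with no JSON: this handler is reached through `admin-ajax.php?action=stm_update_email_data` (see email-settings.php in this changeset), so WordPress ends the request with a bare `0` and the page's `response =>` callback cannot distinguish a permission failure from anything else. Suggest `wp_send_json( [ 'status' => 'error', 'message' => esc_html__( 'Not allowed.', 'ulisting' ) ] );` there, matching the `$result` shape built just below it. If the `images` values are attachment IDs, as the JS `update({id, option_name})` suggests, `absint()` is the tighter sanitizer for the two `update_option()` calls than `sanitize_text_field()`. The closing of the function is outside the hunk.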
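--- a/ulisting/trunk/includes/classes/StmListingSingleLayout.php
+++ b/ulisting/trunk/includes/classes/StmListingSingleLayout.php
@@ -1135,5 +1135,5 @@
             update_post_meta(
                 $listing_type->ID,
-                $request_data['id'],
+                sanitize_text_field($request_data['id']),
                 ulisting_json_encode(["name" => $request_data['name'],"section" => $sections ])
             );
@@ -1236,7 +1236,7 @@
 
             if(isset($_POST['listing_type_id']) && $_POST['type'] === 'single')
-                update_post_meta($_POST['listing_type_id'], $_POST['id'], $content);
+                update_post_meta(sanitize_text_field($_POST['listing_type_id']), $_POST['id'], $content);
             elseif ($_POST['type'] === 'inventory')
-                update_option($_POST['id'], $content);
+                update_option(sanitize_text_field($_POST['id']), $content);
 
             $result['success'] = true;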
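Review bot: The meta key and option name written here still come straight from the request (`$request_data['id']`, `$_POST['id']`): `sanitize_text_field()` strips tags but does not confine the write to the builder's own keys, and in the second hunk the `update_post_meta()` call sanitizes only `listing_type_id` while passing `$_POST['id']` raw as the meta key. The client generates these ids as `'ulisting_single_page_layout_' + _id` and `'ulisting_type_page_layout_' + _id` (see the admin JS in this changeset), so the server can require that prefix before writing; both enclosing functions start outside the hunks and their capability checks are not visible here. A guard like the one below keeps an unrelated option from being overwritten through this handler even by an account that is allowed to use the builder.

```php
// Builder ids are generated client-side as 'ulisting_single_page_layout_<id>' /
// 'ulisting_type_page_layout_<id>'; refuse any key outside that namespace.
$id = isset($_POST['id']) ? sanitize_text_field($_POST['id']) : '';
if ( strpos($id, 'ulisting_single_page_layout_') !== 0 && strpos($id, 'ulisting_type_page_layout_') !== 0 ) {
    return $result; // or whatever failure path this handler normally takes
}
if(isset($_POST['listing_type_id']) && $_POST['type'] === 'single')
    update_post_meta(absint($_POST['listing_type_id']), $id, $content);
elseif ($_POST['type'] === 'inventory')
    update_option($id, $content);
// … unchanged: $result['success'] = true; …
```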
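--- a/ulisting/trunk/includes/classes/StmUser.php
+++ b/ulisting/trunk/includes/classes/StmUser.php
@@ -490,5 +490,6 @@
         $listing_id = ( isset($request_data['listing_id']) ) ? $request_data['listing_id'] : null;
         $listing = StmListing::find_one($listing_id);
-        if ( $listing_id ) {
+
+        if ( $listing_id && $listing->getUser()->ID == $request_data['user_id'] ) {
             $args = [
                 'listing_id' => $listing_id,
@@ -538,8 +539,4 @@
         $back_slots = get_option('ulisting_back_slots');
         $back_slots = strval($back_slots) === 'true';
-
-        if ($listingUserRelation) {
-            if ($listingUserRelation->user_id != $request_data['user_id']) return $result;
-        }
 
         if ($listing_id) {
@@ -557,6 +554,6 @@
             }
 
-            wp_delete_post( $listing_id, 'false' );
-            $result['success'] = true;
+            if ( $listingUserRelation->user_id == $request_data['user_id'] ) {
+                wp_delete_post( $listing_id, 'false' );
+                $result['success'] = true;
+            }
         }
         return $result;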
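Review bot: Both new ownership checks compare the listing's owner to `$request_data['user_id']`, a value the client supplies itself (ulisting-my-listing.js in this changeset posts `user_id: vm.user_id`), so a logged-in user who sends another account's id passes the check for that account's listing; unless these endpoints are deliberately meant to let one user act for another, compare against the session instead: `if ( $listing_id && $listing && $listing->getUser()->ID == get_current_user_id() ) {` and `if ( $listingUserRelation && $listingUserRelation->user_id == get_current_user_id() ) {`. Those two lines also restore null guards the commit loses: the second hunk removes the old `if ($listingUserRelation)` test while the third dereferences `$listingUserRelation->user_id` unconditionally, so when no relation row exists the read yields `null` and a request with no `user_id` satisfies `null == null` and reaches `wp_delete_post()`; likewise `$listing` from `find_one()` is dereferenced before anyone checks it was found. Both enclosing functions start outside the hunks.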
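--- a/ulisting/trunk/includes/classes/StmVerifyNonce.php
+++ b/ulisting/trunk/includes/classes/StmVerifyNonce.php
@@ -4,5 +4,5 @@
 class StmVerifyNonce {
 
-    public static function nerifyNonce($wpnonce, $action, $message = null) {
+    public static function verifyNonce($wpnonce, $action, $message = null) {
         if ( ! wp_verify_nonce( $wpnonce, $action) ) {
             if($message)
@@ -11,3 +11,19 @@
         }
     }
+
+    public static function createAjaxNonce() {
+        return wp_create_nonce( 'ulisting-ajax-nonce' );
+    }
+
+    public static function verifyAjaxNonce() {
+        if ( isset( $_REQUEST['nonce'] ) ) {
+            $nonce          = $_REQUEST['nonce'];
+        } else {
+            $request_body   = file_get_contents('php://input');
+            $request_data   = json_decode($request_body, true);
+            $nonce          = ( isset( $request_data['nonce'] ) ) ? $request_data['nonce'] : '';
+        }
+
+        return wp_verify_nonce( $nonce, 'ulisting-ajax-nonce' );
+    }
 }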
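Review bot: `verifyAjaxNonce()` and `createAjaxNonce()` have no docblocks, and what they prove deserves spelling out because the route middleware in this changeset relies on `UlistingVerifyNonce` alone for several user-facing endpoints: `wp_create_nonce()` ties the value to whoever rendered the page (user id 0 for visitors, so that nonce is effectively public) and `wp_verify_nonce()` only confirms the request came from such a page — a CSRF check, not authentication or authorization — so handlers still need `is_user_logged_in()`/capability checks, as `stm_listing_profile_edit` and `stm_update_email_data` now do. A docblock on `verifyAjaxNonce()` along the lines of `/** Checks the 'ulisting-ajax-nonce' CSRF token from $_REQUEST['nonce'] or the JSON body. Returns wp_verify_nonce()'s 1, 2 or false; proves the request originated from a page that rendered the nonce, not that the caller may perform the action. */` would make that contract visible. Reading from `$_REQUEST` also accepts a `nonce` cookie when PHP's `request_order` includes `C`; `$_POST`/`$_GET` is the narrower source.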
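--- a/ulisting/trunk/includes/classes/UlistingPageStatistics.php
+++ b/ulisting/trunk/includes/classes/UlistingPageStatistics.php
@@ -65,10 +65,11 @@
      */
     public static function getRealIpAddr() {
-        if (!empty($_SERVER['HTTP_CLIENT_IP'])) { //check ip from share internet
-            $ip=$_SERVER['HTTP_CLIENT_IP'];
-        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))  { //to check ip is pass from proxy
-            $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
-        } else {
-            $ip=$_SERVER['REMOTE_ADDR'];
+        $ip = '';
+        if ( !empty($_SERVER['HTTP_CLIENT_IP']) && filter_var($_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP) ) { //check ip from share internet
+            $ip = $_SERVER['HTTP_CLIENT_IP'];
+        } elseif ( !empty($_SERVER['HTTP_X_FORWARDED_FOR'])  && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) )  { //to check ip is pass from proxy
+            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+        } elseif ( filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) ) {
+            $ip = $_SERVER['REMOTE_ADDR'];
         }
         return $ip;
@@ -115,5 +116,5 @@
         else
             $page_statistics->where("meta.`meta_key`", "ip")
-                            ->where("meta.`meta_value`", self::getRealIpAddr());
+                            ->where("meta.`meta_value`", sanitize_text_field(self::getRealIpAddr()));
 
         if(!$page_statistics->findOne()){
@@ -169,5 +170,5 @@
             ->select(" page_statistics.id, page_statistics.type, page_statistics.`created_date`  , count(page_statistics.id) as count ")
             ->asTable("page_statistics")
-            ->where_raw("page_statistics.`object_id` = " . sanitize_text_field($params["listing_id"]) . " OR page_statistics.`object_id` = " . sanitize_text_field($params["user_id"]))
+            ->where_raw("page_statistics.`object_id` = " . sanitize_text_field($params["listing_id"]) . " OR page_statistics.`object_id` = " . sanitize_text_field($params["user_id"]))
             ->where_raw(" page_statistics.`created_date` between '".$start_date."' and '".$end_date."' ")
             ->group_by(" HOUR(page_statistics.`created_date`), page_statistics.`id`, page_statistics.`type`")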
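Review bot: `sanitize_text_field()` on the changed `where_raw()` line is not SQL escaping — it removes tags and control characters but leaves quotes, spaces and keywords — so the concatenated `listing_id` and `user_id` still reach the query as raw text. Both are numeric ids, so cast them instead: `->where_raw("page_statistics.`object_id` = " . absint($params["listing_id"]) . " OR page_statistics.`object_id` = " . absint($params["user_id"]))`; the `$start_date`/`$end_date` concatenation on the context line below deserves the same care (a bound parameter if the query builder offers one). In `getRealIpAddr()`, `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` remain caller-supplied headers, so `filter_var()` guarantees only that the value is a well-formed address, not a truthful one — adequate for the statistics dedupe this feeds, but a comment such as `// client-supplied headers: validated for shape, not trustworthy; REMOTE_ADDR is the only server-verified value` would stop the helper being reused for access decisions. Note also that a comma-separated X-Forwarded-For list fails `FILTER_VALIDATE_IP` and falls through to `REMOTE_ADDR`, which changes what gets recorded behind some proxies.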
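--- a/ulisting/trunk/includes/classes/vendor/autoload.php
+++ b/ulisting/trunk/includes/classes/vendor/autoload.php
@@ -17,2 +17,4 @@
 require_once ULISTING_PATH.'/includes/classes/vendor/wp-router/responses/class-wp-template-response.php';
 require_once ULISTING_PATH.'/includes/classes/vendor/wp-router/responses/class-wp-redirect-response.php';
+require_once ULISTING_PATH.'/includes/classes/vendor/wp-router/middleware/class-wp-manage-options.php';
+require_once ULISTING_PATH.'/includes/classes/vendor/wp-router/middleware/class-wp-verify-nonce.php';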
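--- a/ulisting/trunk/includes/enqueue.php
+++ b/ulisting/trunk/includes/enqueue.php
@@ -31,6 +31,7 @@
     wp_enqueue_script('vuejs-paginate', ULISTING_URL . '/assets/js/vue/vuejs-paginate.js', array('vue'), $v);
     wp_add_inline_script('vue-resource', "Vue.http.options.root = '".site_url()."/1/api';");
+    wp_add_inline_script('vue', "var ulistingAjaxNonce = '".\uListing\Classes\StmVerifyNonce::createAjaxNonce()."'", 'before');
 
-    _enqueue_osm_scripts_styles($v);
+    _enqueue_osm_scripts_styles($v);
 }
 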
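Review bot: The added line bakes a nonce computed at render time into every public page via the `vue` handle; on sites that serve those pages from a full-page cache the cached HTML outlives the nonce (WordPress nonces are valid for at most 24 hours and are tied to the rendering user, id 0 for visitors), after which every comment, registration or inventory request from that page fails `verifyAjaxNonce()` until the cache is purged. Worth a comment on the line, e.g. `// Nonce is embedded in the page HTML: front-end pages must not be cached beyond the nonce lifetime, or the nonce must be fetched from an uncached endpoint`, and the JS callers should surface the rejection rather than ignore it. The same `wp_json_encode()` point raised on includes/admin/enqueue.php applies to this concatenation.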
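--- a/ulisting/trunk/includes/lib/email-manager/templates/single.php
+++ b/ulisting/trunk/includes/lib/email-manager/templates/single.php
@@ -200,4 +200,5 @@
                 if ( content && content.innerHTML)
                     this.emailData.content = content.innerHTML;
+                    this.emailData.nonce = ulistingAjaxNonce;
                 this.$http.post('ulisting-email/single', this.emailData)
                     .then(response => {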
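Review bot: The added `this.emailData.nonce = ulistingAjaxNonce;` is indented as though it belonged to the brace-less `if ( content && content.innerHTML)` above it, but a brace-less `if` governs only the next statement, so the assignment actually runs unconditionally — which is what the request needs, since the `post()` below must always carry the nonce. Dedent it to the `if`'s column, or give the `if` braces, so the layout stops suggesting the nonce depends on `content`: `if ( content && content.innerHTML) { this.emailData.content = content.innerHTML; }` followed by `this.emailData.nonce = ulistingAjaxNonce;` at the outer indentation. The enclosing method starts and ends outside the hunk.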
  • ulisting/trunk/includes/route.php

    r2399927 r2456786  
    3535 */
    3636$wp_router->post( array(
    37         'uri'  => ULISTING_BASE_URL.'/ulisting-user/role/save',
    38         'uses' => function(){
     37        'uri'           => ULISTING_BASE_URL.'/ulisting-user/role/save',
     38        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     39        'uses'          => function(){
    3940            wp_send_json(\uListing\Classes\UlistingUserRole::save_role_api());
    4041            die;
     
    5960 */
    6061$wp_router->get( array(
    61         'uri'  => ULISTING_BASE_URL.'/ulisting-user/search',
    62         'uses' => function(){
     62        'uri'           => ULISTING_BASE_URL.'/ulisting-user/search',
     63        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     64        'uses'          => function(){
    6365            if(isset($_GET['search']))
    6466                wp_send_json(\uListing\Classes\StmUser::search($_GET['search']));
     
    7072
    7173$wp_router->post( array(
    72         'uri'  => ULISTING_BASE_URL.'/ulisting-user/get_feature_plan',
    73         'uses' => function(){
     74        'uri'           => ULISTING_BASE_URL.'/ulisting-user/get_feature_plan',
     75        'middlewares'   => [ 'UlistingVerifyNonce' ],
     76        'uses'          => function(){
    7477            wp_send_json(\uListing\Classes\StmUser::get_fueatrue_plan_api());
    7578            die;
     
    7982
    8083$wp_router->post( array(
    81         'uri'  => ULISTING_BASE_URL.'/ulisting-user/draft_or_delete',
    82         'uses' => function(){
     84        'uri'           => ULISTING_BASE_URL.'/ulisting-user/draft_or_delete',
     85        'middlewares'   => [ 'UlistingVerifyNonce' ],
     86        'uses'          => function(){
    8387            wp_send_json(\uListing\Classes\StmUser::draft_or_delete_listing());
    8488            die;
     
    8892
    8993$wp_router->post( array(
    90         'uri'  => ULISTING_BASE_URL.'/ulisting-user/deletelisting',
    91         'uses' => function(){
     94        'uri'           => ULISTING_BASE_URL.'/ulisting-user/deletelisting',
     95        'middlewares'   => [ 'UlistingVerifyNonce' ],
     96        'uses'          => function(){
    9297            wp_send_json(\uListing\Classes\StmUser::delete_listing());
    9398            die;
     
    97102
    98103$wp_router->post( array(
    99         'uri'  => ULISTING_BASE_URL.'/ulisting-user/update-password',
    100         'uses' => function(){
     104        'uri'           => ULISTING_BASE_URL.'/ulisting-user/update-password',
     105        'middlewares'   => [ 'UlistingVerifyNonce' ],
     106        'uses'          => function(){
    101107            wp_send_json(\uListing\Classes\StmUser::update_password_api());
    102108            die;
     
    109115 */
    110116$wp_router->get( array(
    111         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/get-data',
    112         'uses' => function(){
     117        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/get-data',
     118        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     119        'uses'          => function(){
    113120            wp_send_json(StmListingItemCardLayout::get_builder_data());
    114121            die;
     
    118125
    119126$wp_router->post( array(
    120         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/save',
    121         'uses' => function(){
     127        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/save',
     128        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     129        'uses'          => function(){
    122130            wp_send_json(StmListingItemCardLayout::save_layout());
    123131            die;
     
    127135
    128136$wp_router->post( array(
    129         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/get-layout',
    130         'uses' => function(){
     137        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-item-card-layout/get-layout',
     138        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     139        'uses'          => function(){
    131140            wp_send_json(StmListingItemCardLayout::get_layout());
    132141            die;
     
    139148 */
    140149$wp_router->get( array(
    141         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/get_data',
    142         'uses' => function(){
     150        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/get_data',
     151        'middlewares'   => [ 'UlistingManageOptions' ],
     152        'uses'          => function(){
    143153            wp_send_json(StmInventoryLayout::get_builder_data());
    144154            die;
     
    148158
    149159$wp_router->post( array(
    150         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/save_layout',
    151         'uses' => function(){
     160        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/save_layout',
     161        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     162        'uses'          => function(){
    152163            wp_send_json(StmInventoryLayout::save_layout());
    153164            die;
     
    157168
    158169$wp_router->get( array(
    159         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/layout-list',
    160         'uses' => function(){
     170        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/layout-list',
     171        'middlewares'   => [ 'UlistingManageOptions' ],
     172        'uses'          => function(){
    161173            wp_send_json(StmInventoryLayout::get_layout_list());
    162174            die;
     
    166178
    167179$wp_router->post( array(
    168         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/get-layout',
    169         'uses' => function(){
     180        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/get-layout',
     181        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     182        'uses'          => function(){
    170183            wp_send_json(StmInventoryLayout::get_layout());
    171184            die;
     
    175188
    176189$wp_router->post( array(
    177         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/delete-layout',
    178         'uses' => function(){
     190        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-type-layout/delete-layout',
     191        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     192        'uses'          => function(){
    179193            wp_send_json(StmInventoryLayout::get_layout_delete());
    180194            die;
     
    187201 */
    188202$wp_router->post( array(
    189         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/get_data',
    190         'uses' => function(){
     203        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/get_data',
     204        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     205        'uses'          => function(){
    191206            wp_send_json(StmListingSingleLayout::get_builder_data());
    192207            die;
     
    195210);
    196211
    197 /**
    198  * Listing single page builder
    199  */
    200 $wp_router->post( array(
    201         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-layout/new-layout',
    202         'uses' => function(){
     212$wp_router->post( array(
     213        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-layout/new-layout',
     214        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     215        'uses'          => function(){
    203216            wp_send_json(StmListingSingleLayout::import_new_layout());
    204217            die;
     
    208221
    209222$wp_router->post( array(
    210         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/save_layout',
    211         'uses' => function(){
     223        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/save_layout',
     224        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     225        'uses'          => function(){
    212226            wp_send_json(StmListingSingleLayout::save_layout());
    213227            die;
     
    217231
    218232$wp_router->get( array(
    219         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/layout-list',
    220         'uses' => function(){
     233        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/layout-list',
     234        'middlewares'   => [ 'UlistingManageOptions' ],
     235        'uses'          => function(){
    221236            wp_send_json(StmListingSingleLayout::get_layout_list());
    222237            die;
     
    226241
    227242$wp_router->post( array(
    228         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/get-layout',
    229         'uses' => function(){
     243        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/get-layout',
     244        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     245        'uses'          => function(){
    230246            wp_send_json(StmListingSingleLayout::get_layout());
    231247            die;
     
    235251
    236252$wp_router->post( array(
    237         'uri'  => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/delete-layout',
    238         'uses' => function(){
     253        'uri'           => ULISTING_BASE_URL.'/ulisting-builder/listing-single-page/delete-layout',
     254        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     255        'uses'          => function(){
    239256            wp_send_json(StmListingSingleLayout::get_layout_delete());
    240257            die;
     
    293310$wp_router->post( array(
    294311        'uri'  => ULISTING_BASE_URL.'/search-form/get-form-data',
     312        'middlewares'   => [ 'UlistingVerifyNonce' ],
    295313        'uses' => function(){
    296314            wp_send_json(\uListing\Classes\StmListingFilter::get_data_api());
     
    305323 */
    306324$wp_router->get( array(
    307         'uri'  => ULISTING_BASE_URL.'/ulisting-import/get-import-info',
    308         'uses' => function(){
     325        'uri'           => ULISTING_BASE_URL.'/ulisting-import/get-import-info',
     326        'middlewares'   => [ 'UlistingManageOptions' ],
     327        'uses'          => function(){
    309328            wp_send_json( \uListing\Classes\StmImport::get_import_info_api() );
    310329            die;
     
    314333
    315334$wp_router->post( array(
    316         'uri'  => ULISTING_BASE_URL.'/ulisting-import/progress',
    317         'uses' => function(){
     335        'uri'           => ULISTING_BASE_URL.'/ulisting-import/progress',
     336        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     337        'uses'          => function(){
    318338            wp_send_json( \uListing\Classes\StmImport::import_progress() );
    319339            die;
     
    326346 */
    327347$wp_router->post( array(
    328         'uri'  => ULISTING_BASE_URL.'/ulisting-comment/add',
    329         'uses' => function(){
     348        'uri'           => ULISTING_BASE_URL.'/ulisting-comment/add',
     349        'middlewares'   => [ 'UlistingVerifyNonce' ],
     350        'uses'          => function(){
    330351            wp_send_json( \uListing\Classes\StmComment::add_commnet_api() );
    331352            die;
     
    335356
    336357$wp_router->get( array(
    337         'uri'  => ULISTING_BASE_URL.'/ulisting-comment/get',
    338         'uses' => function(){
     358        'uri'           => ULISTING_BASE_URL.'/ulisting-comment/get',
     359        'middlewares'   => [ 'UlistingVerifyNonce' ],
     360        'uses'          => function(){
    339361            wp_send_json( \uListing\Classes\StmComment::get_commnet_api());
    340362            die;
     
    360382 */
    361383$wp_router->post( array(
    362         'uri'  => ULISTING_BASE_URL.'/ulisting-email/single',
    363         'uses' => function(){
     384        'uri'           => ULISTING_BASE_URL.'/ulisting-email/single',
     385        'middlewares'   => [ 'UlistingManageOptions', 'UlistingVerifyNonce' ],
     386        'uses'          => function(){
    364387            wp_send_json( \uListing\Classes\UlistingNotifications::single_email_save_changes() );
    365388            die;
     
    378401if(uListing_wishlist_active()){
    379402    $wp_router->post( array(
    380             'uri'  => ULISTING_BASE_URL.'/ulisting-save-search/save',
    381             'uses' => function(){
     403            'uri'           => ULISTING_BASE_URL.'/ulisting-save-search/save',
     404            'middlewares'   => [ 'UlistingVerifyNonce' ],
     405            'uses'          => function(){
    382406                if( isset($_POST["user_id"]) AND isset($_POST["url"]) AND isset($_POST["listing_type_id"]))
    383407                    wp_send_json( \uListing\Classes\UlistingSearch::save_api($_POST) );
     
    388412
    389413    $wp_router->post( array(
    390             'uri'  => ULISTING_BASE_URL.'/ulisting-save-search/delete',
    391             'uses' => function(){
     414            'uri'           => ULISTING_BASE_URL.'/ulisting-save-search/delete',
     415            'middlewares'   => [ 'UlistingVerifyNonce' ],
     416            'uses'          => function(){
    392417                if( isset($_POST["id"]))
    393418                    wp_send_json( \uListing\Classes\UlistingSearch::delete_api($_POST["id"]) );
     
    407432
    408433    $wp_router->post( array(
    409             'uri'  => ULISTING_BASE_URL.'/ulisting-saved-searches/check',
    410             'uses' => function(){
     434            'uri'           => ULISTING_BASE_URL.'/ulisting-saved-searches/check',
     435            'middlewares'   => [ 'UlistingVerifyNonce' ],
     436            'uses'          => function(){
    411437                wp_send_json( \uListing\Classes\UlistingSearch::check_api($_POST) );
    412438                die;
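--- a/ulisting/trunk/uListing.php
+++ b/ulisting/trunk/uListing.php
@@ -7,10 +7,10 @@
  * Author URI: https://stylemixthemes.com/
  * Text Domain: ulisting
- * Version: 1.6.6
+ * Version: 1.7
  */
 
 if ( ! defined( 'ABSPATH' ) ) exit;
 
-define( 'ULISTING_VERSION', '1.6.6' );
+define( 'ULISTING_VERSION', '1.7' );
 define( 'ULISTING_DB_VERSION', '1.0.2');
 define( 'ULISTING_PATH', dirname( __FILE__ ) );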