Add methods for nonce handling per user-taxonomy.

Also bump to 2.1.0.

Add methods for nonce handling per user-taxonomy.
Also bump to 2.1.0.
ea915c53 · John James Jacoby · ab0e5ca3 · ea915c53 · ea915c53 · ea915c53
Commit ea915c53 authored Apr 16, 2018 by John James Jacoby
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: johnjamesjacoby, stuttter
 Tags: taxonomy, term, user, group, type
 Requires at least: 4.7
 Tested up to: 4.9
-Stable tag: 2.0.0
+Stable tag: 2.1.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9Q4F4EL5YJ62J
@@ -77,6 +77,9 @@ http://github.com/stuttter/wp-user-groups/

 == Changelog ==

+= [2.1.0] - 2018/04/16 =
+* Add a dedicated nonce for each user taxonomy (thanks Tom Dxw!)
+
 = [2.0.0] - 2017/10/24 =
 * Fix bug with user filtering
 * Fix bug with setting user terms

--- a/wp-user-groups.php
+++ b/wp-user-groups.php
@@ -8,7 +8,7 @@
 * License:     GPLv2 or later
 * License URI: https://www.gnu.org/licenses/gpl-2.0.html
 * Description: Group users together with taxonomies & terms.
- * Version:     2.0.0
+ * Version:     2.1.0
 * Text Domain: wp-user-groups
 * Domain Path: /wp-user-groups/assets/languages/
 */
@@ -56,5 +56,5 @@ function wp_user_groups_get_plugin_url() {
 * @return int
 */
 function wp_user_groups_get_asset_version() {
-	return 201710240001;
+	return 201804160001;
 }
--- a/wp-user-groups/includes/classes/class-user-taxonomy.php
+++ b/wp-user-groups/includes/classes/class-user-taxonomy.php
@@ -308,6 +308,11 @@ class WP_User_Taxonomy {
 	 */
 	public function save_terms_for_user( $user_id = 0 ) {

+		// Bail if nonce problem
+		if ( ! $this->verify_nonce() ) {
+			return;
+		}
+
 		// Additional checks if User Profiles is active
 		if ( function_exists( 'wp_user_profiles_get_section_hooknames' ) ) {

@@ -531,6 +536,9 @@ class WP_User_Taxonomy {
 		</table>

 		<?php
+
+		// Nonce for table fields
+		$this->nonce_field();
 	}

 	/**
@@ -762,6 +770,11 @@ class WP_User_Taxonomy {
 	 */
 	public function handle_bulk_actions( $redirect_to = '', $action = '', $user_ids = array() ) {

+		// Bail if nonce fails
+		if ( ! $this->verify_nonce() ) {
+			return $redirect_to;
+		}
+
 		// Get terms
 		$terms = get_terms( $this->taxonomy, array(
 			'hide_empty' => false
@@ -1078,5 +1091,52 @@ class WP_User_Taxonomy {
 		// Return columns
 		return $defaults;
 	}
+
+	/** Nonce *****************************************************************/
+
+	/**
+	 * Return the concatenated nonce key
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return string
+	 */
+	private function get_nonce_key() {
+		return "wp_user_taxonomy_{$this->taxonomy}";
+	}
+
+	/**
+	 * Output the nonce field for this user taxonomy table
+	 *
+	 * @since 2.1.0
+	 */
+	private function nonce_field() {
+		wp_nonce_field( $this->taxonomy, $this->get_nonce_key() );
+	}
+
+	/**
+	 * Try to verify the nonce for this use taxonomy
+	 *
+	 * @since 2.1.0
+	 *
+	 * @return boolean
+	 */
+	private function verify_nonce() {
+
+		// Nonce exists?
+		$retval = false;
+		$key    = $this->get_nonce_key();
+		$nonce  = isset( $_REQUEST[ $key ] )
+			? $_REQUEST[ $key ]
+			: $retval;
+
+		// Return true if nonce was verified
+		if ( ! empty( $nonce ) && wp_verify_nonce( $nonce, $this->taxonomy ) ) {
+			$retval = true;
+		}
+
+		// Default return value
+		return $retval;
+	}
 }
 endif;