Merge pull request #55 from Strategy11/fix/quick-start

Apply access control and nonce verification

Gruntfile.js

@@ -20,9 +20,6 @@ module.exports = function( grunt ) {
 			this.registered[ id ] = config;
 
 			config.pluginPath = config.folder + '/';
-			if ( id === 'awpcp' ) {
-				config.pluginPath = '';
-			}
 
 			grunt.config.set( 'path.' + id, config.pluginPath );
 			grunt.wpbdp.registerSetVersionTasks( config );
@@ -33,7 +30,6 @@ module.exports = function( grunt ) {
 			}
 
 			if ( config.concat ) {
-				console.log('register js');
 				grunt.wpbdp.registerJavaScriptTasks( config );
 			}
 
@@ -210,39 +206,45 @@ module.exports = function( grunt ) {
 		},
 
 		registerLessTask: function( config ) {
-			var path = '<%= path.' + config.name + ' %>';
+			var folder = '<%= path.' + config.name + ' %>';
 
 			grunt.config.set( 'less.' + config.slug, config.less );
 			grunt.config.set( 'watch.' + config.name + '-css', {
-				files: [ path + '/less/**/*.less' ],
+				files: [ folder + '/less/**/*.less' ],
 				tasks: [ 'less:' + config.slug ]
 			} );
 		},
 
 		registerJavaScriptTasks: function( config ) {
-			var path = '<%= path.' + config.name + ' %>', targetFiles;
+			const basedir = config.pluginPath
 
 			grunt.config.set( 'concat.' + config.slug, config.concat );
 
 			grunt.config.set( 'watch.' + config.name + '-js', {
-				files: [path + '/js/**/*.js', '!' + path + '/js/**/*.src.js', '!' + path + '/js/**/*.min.js'],
+				files: [
+					path.join(basedir, '**/*.js'),
+					'!' + path.join(basedir, 'vendors/**/*'),
+					'!' + path.join(basedir, '**/*.src.js'),
+					'!' + path.join(basedir, '**/*.min.js'),
+					'!' + path.join(basedir, 'assets/vendor/**/*')
+				],
 				tasks: ['concat:' + config.slug, 'uglify:' + config.slug]
 			} );
 
-			targetFiles = grunt.task.normalizeMultiTaskFiles( config.concat );
+			let targetFiles = grunt.task.normalizeMultiTaskFiles( config.concat );
 
 			grunt.wpbdp.registerJSHintTask( config, targetFiles );
 			grunt.wpbdp.registerUglifyTask( config, targetFiles );
 		},
 
 		registerJSHintTask: function( config, targetFiles ) {
-			var path = '<%= path.' + config.name + ' %>', filesToCheck;
+			const folder = '<%= path.' + config.name + ' %>';
 
-			filesToCheck = _.flatten( _.map( targetFiles, function( value ) {
+			let filesToCheck = _.flatten( _.map( targetFiles, function( value ) {
 				return value.orig.src;
 			} ) );
 
-			grunt.config.set( 'jshint.' + config.slug, filesToCheck.concat( ['!' + path + '/js/**/*.min.js'] ) );
+			grunt.config.set( 'jshint.' + config.slug, filesToCheck.concat( ['!' + folder + '/js/**/*.min.js'] ) );
 		},
 
 		registerUglifyTask: function( config, targetFiles ) {
@@ -344,7 +346,7 @@ module.exports = function( grunt ) {
 	grunt.loadTasks( '../awpcp-zip-code-search/grunt' );
 	*/
 
-	grunt.registerTask('default', ['concat', 'jshint', 'uglify', 'less']);
+	grunt.registerTask('default', ['watch', 'concat', 'jshint', 'uglify', 'less']);
 
 	grunt.registerTask('i18n', '', function(t) {
 		grunt.task.run('makepot:' + t);

README.TXT

@@ -5,7 +5,7 @@ Tags: listings, classified ads, classified, classifieds, directory plugin, class
 Requires at least: 4.9
 Requires PHP: 5.6
 Tested up to: 6.2.2
-Stable tag: 4.3.1
+Stable tag: 4.3.2
 License: GPLv2 or later
 
 Create a classified listings directory, from auto listings to yard sales with AWP Classifieds plugin.
@@ -166,6 +166,12 @@ Yes it can. Our Classifieds directory plugin comes with many user-provided trans
 Yes it is. However, you cannot "network-activate" the plugin (as this will share the database). Activate it on only the subsites on which you need a directory. This can be done under Plugins->Add New as the Administrator user. Do not "network activate" AWPCP as the "super admin".
 
 == Changelog ==
+= 4.3.2 =
+* New: Updates for better PHP 8 support.
+* Security: Add more nonce and user role protection for uninstalling and other ajax functions.
+* Update SelectWoo script version.
+* Fix: Fallback to native dropdowns if there is a conflict with Select2.
+
 = 4.3.1 =
 * Security update against CSRF attacks in some admin pages. add CSRF tokens "nonce".
 * Fix: Pagination show the correct number of ads per page based on "number ads per page plugin" settings instead of 10 ads per page.

admin/admin-panel-users.php

@@ -31,7 +31,11 @@ private function get_table() {
     }
 
     public function scripts() {
-        wp_enqueue_script('awpcp-admin-users');
+        $options = array(
+            'nonce' => wp_create_nonce( 'awpcp_ajax' ),
+        );
+        wp_localize_script( 'awpcp-admin-users', 'AWPCPAjaxOptions', $options );
+        wp_enqueue_script( 'awpcp-admin-users' );
     }
 
     public function get_columns($columns) {
@@ -97,9 +101,7 @@ public function ajax_edit_balance($user_id, $action) {
     }
 
     public function ajax() {
-        if (!awpcp_current_user_is_admin()) {
-            return false;
-        }
+        awpcp_check_admin_ajax();
 
         $user_id = awpcp_get_var( array( 'param' => 'user', 'default' => 0 ), 'post' );
         $action  = awpcp_get_var( array( 'param' => 'action' ), 'post' );

admin/admin-panel.php

@@ -390,7 +390,7 @@ public function notices() {
 			return;
 		}
 
-		if ( awpcp_get_var( array( 'param' => 'page' ) ) == 'awpcp-admin-upgrade' ) {
+		if ( awpcp_get_var( array( 'param' => 'page' ) ) === 'awpcp-admin-upgrade' ) {
 			return;
 		}
 
@@ -643,12 +643,16 @@ public function upgrade() {
 	}
 
     public function disable_quick_start_guide_notice() {
+        awpcp_check_admin_ajax();
+
         global $awpcp;
         $awpcp->settings->update_option('show-quick-start-guide-notice', false);
         die('Success!');
     }
 
     public function disable_widget_modification_notice() {
+        awpcp_check_admin_ajax();
+
         global $awpcp;
         $awpcp->settings->update_option('show-widget-modification-notice', false);
         die('Success!');

admin/class-debug-admin-page.php

@@ -35,6 +35,11 @@ class AWPCP_DebugAdminPage {
      */
     private $settings_manager;
 
+    /**
+     * @var TemplateRenderer
+     */
+    protected $template_renderer;
+
     /**
      * @var wpdb
      */

admin/class-dismiss-notice-ajax-handler.php

@@ -17,6 +17,8 @@ public function __construct( $request, $ajax_response ) {
     }
 
     public function ajax() {
+        awpcp_check_admin_ajax();
+
         delete_option( 'awpcp-show-' . $this->request->post( 'notice' ) );
         return $this->success();
     }

admin/class-export-listings-admin-page.php

@@ -19,8 +19,8 @@ public function dispatch() {
     }
 
     public function ajax() {
-	    $verify_nonce = check_ajax_referer( 'awpcp-export-csv' );
-	    if ( ! current_user_can( 'administrator' ) || ! $verify_nonce ) {
+	    check_ajax_referer( 'awpcp-export-csv' );
+	    if ( ! current_user_can( 'administrator' ) ) {
 		    wp_send_json_error();
 	    }
 

admin/class-table-entry-action-ajax-handler.php

@@ -11,6 +11,7 @@ public function __construct( $action_handler, $response ) {
     }
 
     public function ajax() {
+        check_ajax_referer( 'awpcp_ajax', 'nonce' );
         if ( ! awpcp_current_user_is_admin() ) {
             return $this->error_response( __( 'You are not authorized to perform this action.', 'another-wordpress-classifieds-plugin' ) );
         }

admin/form-fields/class-update-form-fields-order-ajax-handler.php

@@ -43,6 +43,8 @@ public function __construct( $form_fields, $request, $response ) {
      * Handles ajax request.
      */
     public function ajax() {
+        awpcp_check_admin_ajax();
+
         $fields       = $this->form_fields->get_listing_details_form_fields();
         $fields_order = array();
 

admin/import/class-csv-import-sessions-manager.php

@@ -21,6 +21,9 @@ class AWPCP_CSV_Import_Sessions_Manager {
     private $csv_importer_factory;
     private $csv_importer_delegate_factory;
     private $csv_reader_factory;
+
+    public $settings;
+
     private $wordpress;
 
     public function __construct( $csv_importer_factory, $csv_importer_delegate_factory, $csv_reader_factory, $settings, $wordpress ) {

admin/import/class-csv-importer-delegate-factory.php

@@ -8,6 +8,11 @@
  */
 class AWPCP_CSV_Importer_Delegate_Factory {
 
+    /**
+     * @var object
+     */
+    public $container;
+
     /**
      * Constructor.
      */

admin/import/class-import-listings-ajax-handler.php

@@ -12,6 +12,8 @@ class AWPCP_Import_Listings_Ajax_Handler extends AWPCP_AjaxHandler {
 
     private $import_sessions_manager;
 
+    protected $csv_importer_factory;
+
     public function __construct( $import_sessions_manager, $csv_importer_factory, $response ) {
         parent::__construct( $response );
 
@@ -20,6 +22,8 @@ public function __construct( $import_sessions_manager, $csv_importer_factory, $r
     }
 
     public function ajax() {
+        awpcp_check_admin_ajax();
+
         $import_session = $this->import_sessions_manager->get_current_import_session();
 
         $csv_importer = $this->csv_importer_factory->create_importer( $import_session );

awpcp.php

@@ -5,7 +5,7 @@
  * Plugin Name: AWP Classifieds Plugin
  * Plugin URI: https://awpcp.com/
  * Description: Run a free or paid classified ads service on your WordPress site.
- * Version: 4.3.1
+ * Version: 4.3.2
  * Author: AWP Classifieds Team
  * Author URI: https://awpcp.com/
  * License: GPLv2 or any later version
@@ -56,7 +56,7 @@
 global $hasregionsmodule;
 global $hasextrafieldsmodule;
 
-$awpcp_db_version = '4.3.1';
+$awpcp_db_version = '4.3.2';
 
 $awpcp_imagesurl      = AWPCP_URL . '/resources/images';
 $hascaticonsmodule    = 0;

frontend/class-awpcp-meta.php

@@ -23,6 +23,7 @@ class AWPCP_Meta {
     private $request = null;
 
     private $doing_opengraph = false;
+    public $doin_description_meta_tag = false;
 
     public function __construct( $listings_collection, $categories_collection, $title_builder, $meta_tags_genertor, $query, $request ) {
         $this->listings_collection   = $listings_collection;

frontend/placeholders.php

@@ -282,7 +282,11 @@ function awpcp_replace_placeholders( $placeholders, $listing, $content, $context
         $callback    = $available_placeholders[ $placeholder ]['callback'];
 
         if ( is_callable( $callback ) ) {
-            $replacement                      = call_user_func( $callback, $listing, $placeholder, $context );
+            $replacement = call_user_func( $callback, $listing, $placeholder, $context );
+            if ( is_null( $replacement ) ) {
+                $replacement = '';
+            }
+
             $content                          = str_replace( $match, $replacement, $content );
             $processed_placeholders[ $match ] = true;
         }

frontend/shortcode.php

@@ -29,6 +29,12 @@ class AWPCP_Pages {
 
     public $browse_ads;
 
+    public $place_ad_page = null;
+
+    public $edit_ad_page = null;
+
+    public $renew_ad_page = null;
+
 	public function __construct( $container ) {
         $this->container = $container;
 
@@ -83,7 +89,7 @@ public function place_ad() {
         if ( ! isset( $this->output['place-ad'] ) ) {
             do_action( 'awpcp-shortcode', 'place-ad' );
 
-            if ( ! isset( $this->place_ad_page ) ) {
+            if ( is_null( $this->place_ad_page ) ) {
                 $this->place_ad_page = $this->container['SubmitListingPage'];
             }
 
@@ -97,7 +103,7 @@ public function edit_ad() {
         if ( ! isset( $this->output['edit-ad'] ) ) {
             do_action( 'awpcp-shortcode', 'edit-ad' );
 
-            if ( ! isset( $this->edit_ad_page ) ) {
+            if ( is_null( $this->edit_ad_page ) ) {
                 $this->edit_ad_page = $this->container['EditListingPage'];
             }
 
@@ -108,7 +114,7 @@ public function edit_ad() {
 	}
 
 	public function renew_ad() {
-		if ( ! isset( $this->renew_ad_page ) ) {
+		if ( is_null( $this->renew_ad_page ) ) {
 			$this->renew_ad_page = awpcp_renew_listing_page();
         }
 

functions.php

@@ -520,6 +520,18 @@ function awpcp_user_is_admin($id) {
     return awpcp_roles_and_capabilities()->user_is_administrator( $id );
 }
 
+/**
+ * Check the nonce and user role.
+ *
+ * @since 4.3.2
+ */
+function awpcp_check_admin_ajax() {
+    check_ajax_referer( 'awpcp_ajax', 'nonce' );
+    if ( ! awpcp_current_user_is_admin() ) {
+        wp_die( esc_html__( 'You are not authorized to perform this action.', 'another-wordpress-classifieds-plugin' ) );
+    }
+}
+
 function awpcp_get_grid_item_css_class($classes, $pos, $columns, $rows) {
 	if ($pos < $columns)
 		$classes[] = 'first-row';

grunt/grunt.js

@@ -6,7 +6,7 @@ module.exports = function(grunt) {
 	grunt.wpbdp.registerModule( {
 		name: 'awpcp',
 		slug: 'awpcp',
-		folder: pluginName,
+		folder: '../' + pluginName,
 		path: pluginName + '/resources',
 		concat: {
 			files: {
@@ -80,8 +80,6 @@ module.exports = function(grunt) {
 		less: {
 			files: {
 				'<%= path.awpcp %>resources/css/awpcpstyle.css': '<%= path.awpcp %>resources/less/frontend.less',
-				'<%= path.awpcp %>resources/css/awpcpstyle-ie-6.css': '<%= path.awpcp %>resources/less/frontend-ie6.less',
-				'<%= path.awpcp %>resources/css/awpcpstyle-lte-ie-7.css': '<%= path.awpcp %>resources/less/frontend-lte-ie-7.less',
 				'<%= path.awpcp %>resources/css/awpcp-admin.css': '<%= path.awpcp %>resources/less/admin.less',
 				'<%= path.awpcp %>resources/css/awpcp-admin-menu.css': '<%= path.awpcp %>resources/less/admin-menu.less',
 			}

includes/admin/debug/class-test-ssl-client-ajax-handler.php

@@ -12,9 +12,7 @@ class AWPCP_TestSSLClientAjaxHandler {
      * @since 4.0.0
      */
     public function ajax() {
-        if ( ! awpcp_current_user_is_admin() ) {
-            die();
-        }
+        awpcp_check_admin_ajax();
 
         if ( ! function_exists( 'curl_init' ) ) {
             die( 'cURL not available.' );

includes/admin/tools/class-tools-admin-page.php

@@ -13,6 +13,11 @@ class AWPCP_ToolsAdminPage {
      */
     private $template = '/admin/tools/tools-admin-page.tpl.php';
 
+    /**
+     * @var object
+     */
+    protected $template_renderer;
+
     /**
      * @var array
      */