
fix/security-vulnerability-issue-for-users-task-calender (#474)
* fix/security-vulnerability-issue-for-users-task-calender

* enhance: handle-user-calendar-task-sql-injection

* fix: phpcs-issues

* enhance: add-changelog-2.6.1

* fix: vue-build-relevant-issues

* fix: task-title-rendering-not-working-fine

* fix: changelog & ui relevant issues

* fix: phpcs-issue

* fix: phpcs-issue

* fix: make-wp-rest-route-function-alignment-issue
MdAsifHossainNadim authored May 29, 2023
1 parent 5d73964 commit 6a11fed
Showing 25 changed files with 155 additions and 120 deletions.
6 changes: 6 additions & 0 deletions changelog.txt
@@ -1,3 +1,9 @@
= v2.6.1 - May 24, 2023 =

**Fix:** The email type settings field UI broken issue.
**Fix:** Tasks title content not decoded properly & fix ux issue.
**Fix:** User task calender's starting date data handling security issue.

= v2.6.0 - Nov 30, 2022 =

**New:** Added pm pro version overview for lite users
2 changes: 1 addition & 1 deletion config/app.php
Expand Up @@ -3,7 +3,7 @@
return [
'name' => 'Project Manager',
'slug' => 'pm',
'version' => '2.6.0',
'version' => '2.6.1',
'api' => '2',
'db_version' => '2.5',
'text_domain' => 'pm',
46 changes: 23 additions & 23 deletions core/Router/WP_Router.php
Expand Up @@ -34,9 +34,9 @@ public static function register( $routes = [] ) {
*
* @return void
*/
public function make_wp_rest_route() {
public function make_wp_rest_route() {
$routes = static::$routes;

foreach ( $routes as $route ) {
$uri = '/' . $route['uri'];
$http_verb = $route['http_verb'];
Expand All @@ -46,14 +46,14 @@ public function make_wp_rest_route() {
$validator = $route['validator'];
$sanitizer = $route['sanitizer'];
$namespace = pm_api_namespace();

register_rest_route( $namespace, $uri, array(
'methods' => $http_verb,
'callback' => array( $controller, $method ),
'methods' => $http_verb,
'callback' => array( $controller, $method ),
'args' => $this->prepare_args( $http_verb, $namespace, $uri, $validator, $sanitizer ),
'permission_callback' => function ( WP_REST_Request $request ) use ( $permissions ) {
return $this->check_permission( $request, $permissions );
},
'args' => $this->prepare_args( $http_verb, $namespace, $uri, $validator, $sanitizer )
) );
}
}
Expand All @@ -68,7 +68,7 @@ public function make_wp_rest_route() {
* @return boolean (Return true if permitted; ortherwise false.)
*/
private function check_permission( WP_REST_Request $request, $permissions ) {
$permitted = array();
$permitted = array();
$merge_error = false;

if ( empty( $permissions ) ) {
Expand All @@ -88,7 +88,7 @@ private function check_permission( WP_REST_Request $request, $permissions ) {

if ( $merge_error ) {
$permitted = $this->merge_permission_error( $permitted );
} else if ( is_array($permitted) && in_array( false, $permitted ) ) {
} else if ( is_array( $permitted ) && in_array( false, $permitted ) ) {
$permitted = false;
}

Expand All @@ -98,7 +98,7 @@ private function check_permission( WP_REST_Request $request, $permissions ) {
function merge_permission_error($wp_errors) {
$wp_error_merged = new WP_Error();

if ( !is_array( $wp_errors ) ) {
if ( ! is_array( $wp_errors ) ) {
return $wp_errors;
}

Expand Down Expand Up @@ -146,7 +146,7 @@ private function prepare_args( $http_verb, $namespace, $uri, $validator = null,

protected function prepare_request_object( $http_verb, $namespace, $uri) {
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
$url_prefix = '/' . rest_get_url_prefix();
$url_prefix = '/' . rest_get_url_prefix();
$request_uri = substr( $request_uri, strlen( $url_prefix ) );

$route = '/' . $namespace . $uri;
Expand Down Expand Up @@ -188,21 +188,21 @@ private function get_headers() {
if ( substr( $key, 0, 5 ) === 'HTTP_' ) {
$key = substr( $key, 5 );

if ( !isset( $copy_server[$key] ) || !isset( $_SERVER[$key] ) ) {
if ( ! isset( $copy_server[ $key ] ) || !isset( $_SERVER[ $key ] ) ) {
$key = str_replace( ' ', '-', ucwords( strtolower( str_replace( '_', ' ', $key ) ) ) );
$headers[$key] = $value;
$headers[ $key ] = $value;
}
} elseif ( isset( $copy_server[$key] ) ) {
$headers[$copy_server[$key]] = $value;
$headers[ $copy_server[ $key ] ] = $value;
}
}

if ( !isset( $headers['Authorization'] ) ) {
if ( ! isset( $headers['Authorization'] ) ) {
if ( isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
$headers['Authorization'] = isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) : '';
} elseif ( isset( $_SERVER['PHP_AUTH_USER'] ) ) {
$basic_pass = isset( $_SERVER['PHP_AUTH_PW'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_PW'] ) ) : '';
$auth_user = isset( $_SERVER['PHP_AUTH_USER'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) ) : '';
$auth_user = isset( $_SERVER['PHP_AUTH_USER'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) ) : '';
$headers['Authorization'] = 'Basic ' . base64_encode( $auth_user . ':' . $basic_pass );
} elseif ( isset( $_SERVER['PHP_AUTH_DIGEST'] ) ) {
$headers['Authorization'] = isset( $_SERVER['PHP_AUTH_DIGEST'] ) ? sanitize_text_field( wp_unslash( $_SERVER['PHP_AUTH_DIGEST'] ) ) : '';
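Review bot: The Basic credentials built on the line after `$auth_user` run the raw username and password through `sanitize_text_field()`, which (per its documented behaviour) strips tags, percent-encoded octets and control whitespace, so a password containing such characters is altered before it is base64-encoded and the downstream verification presumably cannot match it; the header should carry the value as sent, only unslashed, e.g. `$basic_pass = isset( $_SERVER['PHP_AUTH_PW'] ) ? wp_unslash( $_SERVER['PHP_AUTH_PW'] ) : '';` with a comment `// credential, not display text: unslash only, do not sanitize`. The inner `isset()` ternaries on the REDIRECT_HTTP_AUTHORIZATION, PHP_AUTH_USER and PHP_AUTH_DIGEST lines repeat the condition of the enclosing `if`/`elseif` and could be dropped. The phpcs pass is also incomplete on the `$copy_server` line, where `! isset( $copy_server[ $key ] )` sits next to `!isset( $_SERVER[ $key ] )`. This hunk shows only part of get_headers(); the function starts before it and its body continues past it.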
Expand All @@ -214,18 +214,18 @@ private function get_headers() {

protected function append_uri_params( WP_REST_Request $request, $route ) {
$request_uri = $request->get_route();
$uri_parts = explode( '/', $request_uri );
$uri_parts = explode( '/', $request_uri );
$route_parts = explode( '/', $route );
$params = [];

if ( count( $uri_parts ) === count( $route_parts ) ) {
foreach ($uri_parts as $key => $value) {
if ( $value === $route_parts[$key] ) {
foreach ( $uri_parts as $key => $value ) {
if ( $value === $route_parts[ $key ] ) {
continue;
} elseif ( preg_match( "/^(\(\?P<).+(>\.\+\))$/", $route_parts[$key] ) ) {
$param = str_replace( "(?P<", '', $route_parts[$key] );
} elseif ( preg_match( "/^(\(\?P<).+(>\.\+\))$/", $route_parts[ $key ] ) ) {
$param = str_replace( "(?P<", '', $route_parts[ $key ] );
$param = str_replace( ">.+)", '', $param );
$params[$param] = $value;
$params[ $param ] = $value;
}
}
}
Expand Down Expand Up @@ -272,7 +272,7 @@ protected function append_params( WP_REST_Request $request ) {
*/
protected function apply_validation( $args, Validator $validator ) {
$rules = $validator->rules();
$keys = array_keys( $rules );
$keys = array_keys( $rules );

foreach ( $keys as $key ) {
$args[$key] = [
Expand Down Expand Up @@ -312,7 +312,7 @@ protected function apply_sanitizer( $args, Sanitizer $sanitizer ) {
$keys = array_keys( $filters );

foreach ( $keys as $key ) {
$args[$key]['sanitize_callback'] = function ( $param, $request, $key ) use ( $sanitizer ) {
$args[ $key ]['sanitize_callback'] = function ( $param, $request, $key ) use ( $sanitizer ) {
return $sanitizer->sanitize( $request, $key );
};
}
2 changes: 1 addition & 1 deletion cpm.php
Expand Up @@ -5,7 +5,7 @@
* Description: WordPress Project Management plugin. Manage your projects and tasks, get things done.
* Author: weDevs
* Author URI: https://wedevs.com
* Version: 2.6.0
* Version: 2.6.1
* Text Domain: wedevs-project-manager
* Domain Path: /languages
* License: GPL2
9 changes: 7 additions & 2 deletions languages/wedevs-project-manager.php
Expand Up @@ -172,6 +172,7 @@
__( '27', 'wedevs-project-manager' ),
__( '28', 'wedevs-project-manager' ),
__( '29', 'wedevs-project-manager' ),
__( 'Create Developer Assignments', 'wedevs-project-manager' ),
__( 'Handle Bitcom Deals', 'wedevs-project-manager' ),
__( 'Make Final Presentation', 'wedevs-project-manager' ),
__( 'Categories', 'wedevs-project-manager' ),
Expand Down Expand Up @@ -277,7 +278,6 @@
__( 'Stripe Gateway', 'wedevs-project-manager' ),
__( 'Enable the hassle-free and popular payment system with the minimum cost possible.', 'wedevs-project-manager' ),
__( 'Private', 'wedevs-project-manager' ),
__( 'KanBan Board', 'wedevs-project-manager' ),
__( 'Turn your projects into Trello like boards and organize them using drag and drop feature.', 'wedevs-project-manager' ),
__( 'Break down your to-dos into smaller tasks for better management and project tracking.', 'wedevs-project-manager' ),
__( 'Custom Fields', 'wedevs-project-manager' ),
Expand Down Expand Up @@ -401,6 +401,7 @@
__( 'Title', 'wedevs-project-manager' ),
__( 'Start time', 'wedevs-project-manager' ),
__( 'Group', 'wedevs-project-manager' ),
__( 'Action', 'wedevs-project-manager' ),
__( '2022-11-17', 'wedevs-project-manager' ),
__( 'Inbox', 'wedevs-project-manager' ),
__( 'List', 'wedevs-project-manager' ),
Expand Down Expand Up @@ -451,12 +452,14 @@
__( 'Field options required!', 'pm-pro' ),
__( 'Custom field created successfully!', 'pm-pro' ),
__( 'Custom field updated successfully!', 'pm-pro' ),
__( 'Action', 'wedevs-project-manager' ),
__( 'No field found!', 'wedevs-project-manager' ),
__( 'Github', 'wedevs-project-manager' ),
__( 'Webhook URL', 'wedevs-project-manager' ),
__( 'to send our JSON payloads', 'wedevs-project-manager' ),
__( 'View documentation', 'wedevs-project-manager' ),
__( 'Github Username', 'wedevs-project-manager' ),
__( 'Bitbucket Username', 'wedevs-project-manager' ),
__( 'No user found', 'wedevs-project-manager' ),
__( 'Save Form', 'wedevs-project-manager' ),
__( 'Save Changes', 'wedevs-project-manager' ),
__( 'Created', 'wedevs-project-manager' ),
Expand All @@ -476,6 +479,8 @@
__( 'Capabilities', 'pm-pro' ),
__( 'Integrations', 'pm-pro' ),
__( 'Label', 'pm-pro' ),
__( 'x', 'wedevs-project-manager' ),
__( 'Slack Webhook URL', 'wedevs-project-manger' ),
__( 'Slack webhook URL', 'wedevs-project-manager' ),
__( 'More option', 'wedevs-project-manager' ),
__( 'Incomplete', 'wedevs-project-manager' ),
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "pmapi",
"version": "2.6.0",
"version": "2.6.1",
"description": "Front-end package manager for project manager",
"main": "index.js",
"directories": {
8 changes: 7 additions & 1 deletion readme.txt
Expand Up @@ -5,7 +5,7 @@ Tags: project, project manager, project management, kanban board, gantt charts,
Requires at least: 4.4 or higher
Tested up to: 6.0.1
Requires PHP: 5.6
Stable tag: 2.6.0
Stable tag: 2.6.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -283,6 +283,12 @@ A. Found any bugs? Please create an [issue](https://github.com/tareq1988/wp-proj

== Changelog ==

= v2.6.1 - May 24, 2023 =

**Fix:** The email type settings field UI broken issue.
**Fix:** Tasks title content not decoded properly & fix ux issue.
**Fix:** User task calender's starting date data handling security issue.

= v2.6.0 - Nov 30, 2022 =

**New:** Added pm pro version overview for lite users