summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Eilertsen <haraldei@anduin.net>2022-03-12 18:32:31 +0100
committerHarald Eilertsen <haraldei@anduin.net>2022-03-12 18:32:31 +0100
commit6c86c2b2d75ac4f989826275f4a63294bdc2fd17 (patch)
tree94b40dd6efd841fb1f77fde6d8d28627924d784a
parentb4f6d9c766021c4b3285bdef97d29c25d5ed60fa (diff)
downloadgigologadmin-6c86c2b2d75ac4f989826275f4a63294bdc2fd17.tar.gz
gigologadmin-6c86c2b2d75ac4f989826275f4a63294bdc2fd17.tar.bz2
gigologadmin-6c86c2b2d75ac4f989826275f4a63294bdc2fd17.zip
Move update edit concert form code to class.
Also ensure that nonce checking is performed before both adding and editing concerts, and escape concert data before outputing it in the form.
-rw-r--r--includes/admin/views/_edit_concert_form.php78
-rw-r--r--includes/admin/views/giglog_admin_page.php52
2 files changed, 73 insertions, 57 deletions
diff --git a/includes/admin/views/_edit_concert_form.php b/includes/admin/views/_edit_concert_form.php
index c7675f0..b839edd 100644
--- a/includes/admin/views/_edit_concert_form.php
+++ b/includes/admin/views/_edit_concert_form.php
@@ -42,23 +42,35 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
$cid = filter_input(INPUT_POST, "cid");
$editing = filter_input(INPUT_POST, "edit") == "EDIT";
- if ($editing && !empty($cid)) //A bit overdoing with the checks if concert ID is empty both here and in find_cid. But based on that, things are NULL or not. Better ideas?
+ if ($editing && !empty($cid)) {
$c = GiglogAdmin_Concert::get($cid);
- else
+ if ( !$c ) {
+ wp_die("Invalid request!", 400);
+ }
+ }
+ else {
$c = new GiglogAdmin_Concert((object)[]);
+ }
$content='<div class="concertform">';
$content.='<form method="POST" action="" class="concert" >'
.'<div class="concertitems"><strong>CONCERT DETAILS</strong><br><br><fieldset>'
- . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' )
- .'<input type="hidden" name="pid" value="' .$c->id(). '" />'
- .'<label for="cname">Concert Name:</label><textarea id="cname" name="cname" value="'.$c->cname().'">'.$c->cname().'</textarea><br>'
+ . wp_nonce_field( 'edit-concert', 'nonce' )
+ .'<input type="hidden" name="pid" value="' . esc_attr($c->id()) . '" />'
+ .'<label for="cname">Concert Name:</label>'
+ .'<textarea id="cname" name="cname" value="'. esc_attr($c->cname()) . '">'
+ . esc_textarea($c->cname())
+ .'</textarea><br>'
.'<label for="venue">Venue:</label>' . $this->get_venue_selector($c->venue()) . '<br>'
//date has to be formatted else it is not red in the date field of html form
- .'<label for="cdate">Date:</label><input type="date" id="cdate" name="cdate" value="'.date('Y-m-d',strtotime($c->cdate())).'"><br>'
- .'<label for="ticket">Tickets:</label><input type="text" id="ticket" name="ticket" value="'.$c->tickets().'"><br>'
- .'<label for="eventurl">Event link:</label><input type="text" id="eventurl" name="eventurl" value="'.$c->eventlink().'"><br>'
+ .'<label for="cdate">Date:</label>'
+ .'<input type="date" id="cdate" name="cdate" value="'. esc_attr(date('Y-m-d',strtotime($c->cdate()))) .'"><br>'
+ .'<label for="ticket">Tickets:</label>'
+ .'<input type="text" id="ticket" name="ticket" value="'. esc_url($c->tickets()) .'"><br>'
+ .'<label for="eventurl">Event link:</label>'
+ .'<input type="text" id="eventurl" name="eventurl" value="'. esc_url($c->eventlink()) .'"><br>'
.'</fieldset>';
+
// actions differ if we update or create a concert, hence two buttons needed
if ($editing)
$content.='<p><input type="submit" name="editconcert" value="Edit Concert"></p>';
@@ -77,5 +89,55 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
return $content;
}
+
+ static function update() : void
+ {
+ if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'edit-concert')) {
+ wp_die('CSRF validation failed.', 403);
+ }
+
+ if (isset($_POST['newconcert'])) {
+ if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) {
+ echo '<script language="javascript">alert("You are missing a value, concert was not created"); </script>';
+ }
+ else {
+ if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) {
+ echo '<script language="javascript">alert("Yey, concert created"); </script>';
+ }
+ else {
+ echo '<script language="javascript">alert("Nay, concert was duplicated"); </script>';
+ }
+ }
+ }
+
+ if (isset($_POST['editconcert']))
+ {
+ $roles = array_reduce(
+ ['photo1', 'photo1', 'rev1', 'rev2'],
+ function($roles, $r) {
+ if (isset($_POST[$r])) {
+ $roles[$r] = sanitize_user($_POST[$r]);
+ }
+ return $roles;
+ },
+ []
+ );
+
+ $attributes = [
+ 'wpgconcert_name' => sanitize_text_field($_POST['cname']),
+ 'venue' => intval($_POST['selectvenueadmin']),
+ 'wpgconcert_date' => sanitize_text_field($_POST['cdate']),
+ 'wpgconcert_ticket' => esc_url_raw($_POST['ticket']),
+ 'wpgconcert_event' => esc_url_raw($_POST['eventurl']),
+ 'wpgconcert_roles' => $roles,
+ ];
+
+ $concert = GiglogAdmin_Concert::get(intval($_POST['pid']));
+ if ($concert && $concert->update((object) $attributes)) {
+ // let user know the concert was updated.
+ // Look into admin_notices
+ }
+ }
+ }
}
}
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index 6ce3cc8..a2682a1 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
@@ -77,57 +77,11 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) {
return;
}
- if (isset($_POST['newconcert'])) {
- if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) {
- echo '<script language="javascript">alert("You are missing a value, concert was not created"); </script>';
- }
- else {
- if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) {
- echo '<script language="javascript">alert("Yey, concert created"); </script>';
- }
- else {
- echo '<script language="javascript">alert("Nay, concert was duplicated"); </script>';
- }
- }
- }
-
- if (isset($_POST['editconcert']))
- {
- if (!isset($_POST['giglog_edit_concert_nonce'])
- || wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ )))
- {
- header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
- wp_die('CSRF validation failed.', 403);
- }
-
- $roles = array_reduce(
- ['photo1', 'photo1', 'rev1', 'rev2'],
- function($roles, $r) {
- if (isset($_POST[$r])) {
- $roles[$r] = sanitize_user($_POST[$r]);
- }
- return $roles;
- },
- []
- );
-
- $attributes = [
- 'wpgconcert_name' => sanitize_text_field($_POST['cname']),
- 'venue' => intval($_POST['selectvenueadmin']),
- 'wpgconcert_date' => sanitize_text_field($_POST['cdate']),
- 'wpgconcert_ticket' => esc_url_raw($_POST['ticket']),
- 'wpgconcert_event' => esc_url_raw($_POST['eventurl']),
- 'wpgconcert_roles' => $roles,
- ];
-
- $concert = GiglogAdmin_Concert::get(intval($_POST['pid']));
- if ($concert && $concert->update((object) $attributes)) {
- // let user know the concert was updated.
- // Look into admin_notices
- }
+ if (isset($_POST['newconcert']) || isset($_POST['editconcert'])) {
+ GiglogAdmin_EditConcertForm::update();
+ return;
}
-
if(isset($_POST['newvenue']))
{
if (!isset($_POST['giglog_new_venue_nonce'])