author | Harald Eilertsen <haraldei@anduin.net> | 2022-03-12 18:32:31 +0100 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2022-03-12 18:32:31 +0100 |
commit | 6c86c2b2d75ac4f989826275f4a63294bdc2fd17 (patch) | |
tree | 94b40dd6efd841fb1f77fde6d8d28627924d784a | |
parent | b4f6d9c766021c4b3285bdef97d29c25d5ed60fa (diff) | |
Move update edit concert form code to class.
Also ensure that nonce checking is performed before both adding and
editing concerts, and escape concert data before outputting it in the
form.
-rw-r--r-- | includes/admin/views/_edit_concert_form.php | 78 | ||||
-rw-r--r-- | includes/admin/views/giglog_admin_page.php | 52 |
2 files changed, 73 insertions, 57 deletions
diff --git a/includes/admin/views/_edit_concert_form.php b/includes/admin/views/_edit_concert_form.php
index c7675f0..b839edd 100644
--- a/includes/admin/views/_edit_concert_form.php
+++ b/includes/admin/views/_edit_concert_form.php
@@ -42,23 +42,35 @@ if (!class_exists("GiglogAdmin_EditConcertForm")) $cid = filter_input(INPUT_POST, "cid"); $editing = filter_input(INPUT_POST, "edit") == "EDIT"; - if ($editing && !empty($cid)) //A bit overdoing with the checks if concert ID is empty both here and in find_cid. But based on that, things are NULL or not. Better ideas? + if ($editing && !empty($cid)) { $c = GiglogAdmin_Concert::get($cid); - else + if ( !$c ) { + wp_die("Invalid request!", 400); + } + } + else { $c = new GiglogAdmin_Concert((object)[]); + } $content='<div class="concertform">'; $content.='<form method="POST" action="" class="concert" >' .'<div class="concertitems"><strong>CONCERT DETAILS</strong><br><br><fieldset>' - . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' ) - .'<input type="hidden" name="pid" value="' .$c->id(). '" />' - .'<label for="cname">Concert Name:</label><textarea id="cname" name="cname" value="'.$c->cname().'">'.$c->cname().'</textarea><br>' + . wp_nonce_field( 'edit-concert', 'nonce' ) + .'<input type="hidden" name="pid" value="' . esc_attr($c->id()) . '" />' + .'<label for="cname">Concert Name:</label>' + .'<textarea id="cname" name="cname" value="'. esc_attr($c->cname()) . '">' + . esc_textarea($c->cname()) + .'</textarea><br>' .'<label for="venue">Venue:</label>' . $this->get_venue_selector($c->venue()) . '<br>' //date has to be formatted else it is not red in the date field of html form - .'<label for="cdate">Date:</label><input type="date" id="cdate" name="cdate" value="'.date('Y-m-d',strtotime($c->cdate())).'"><br>' - .'<label for="ticket">Tickets:</label><input type="text" id="ticket" name="ticket" value="'.$c->tickets().'"><br>' - .'<label for="eventurl">Event link:</label><input type="text" id="eventurl" name="eventurl" value="'.$c->eventlink().'"><br>' + .'<label for="cdate">Date:</label>' + .'<input type="date" id="cdate" name="cdate" value="'. 
esc_attr(date('Y-m-d',strtotime($c->cdate()))) .'"><br>' + .'<label for="ticket">Tickets:</label>' + .'<input type="text" id="ticket" name="ticket" value="'. esc_url($c->tickets()) .'"><br>' + .'<label for="eventurl">Event link:</label>' + .'<input type="text" id="eventurl" name="eventurl" value="'. esc_url($c->eventlink()) .'"><br>' .'</fieldset>'; + // actions differ if we update or create a concert, hence two buttons needed if ($editing) $content.='<p><input type="submit" name="editconcert" value="Edit Concert"></p>'; 
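Review bot: `$cid` from `filter_input(INPUT_POST, "cid")` is handed to `GiglogAdmin_Concert::get($cid)` as an arbitrary string, while the new `update()` method in the same file looks concerts up with `intval($_POST['pid'])`; unless `get()` is known to cast or parameterise its argument, validate here as well, e.g. `$cid = filter_input(INPUT_POST, "cid", FILTER_VALIDATE_INT);`, which leaves `!empty($cid)` false for a non-numeric value so the request falls through to the empty-form branch. The escaping added to the form output is the right fix; note however that `<textarea>` has no `value` attribute, so `value="'. esc_attr($c->cname()) . '"` is dead markup and only the `esc_textarea()` body is needed. `esc_url()` on the `ticket` and `eventurl` input values will also rewrite a stored value that lacks a scheme, so `esc_attr()` round-trips the stored data more faithfully in an attribute context. The enclosing method continues past the end of this hunk.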
@@ -77,5 +89,55 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
             return $content;
         }
 
+
+        static function update() : void
+        {
+            if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'edit-concert')) {
+                wp_die('CSRF validation failed.', 403);
+            }
+
+            if (isset($_POST['newconcert'])) {
+                if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) {
+                    echo '<script language="javascript">alert("You are missing a value, concert was not created"); </script>';
+                }
+                else {
+                    if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) {
+                        echo '<script language="javascript">alert("Yey, concert created"); </script>';
+                    }
+                    else {
+                        echo '<script language="javascript">alert("Nay, concert was duplicated"); </script>';
+                    }
+                }
+            }
+
+            if (isset($_POST['editconcert']))
+            {
+                $roles = array_reduce(
+                    ['photo1', 'photo1', 'rev1', 'rev2'],
+                    function($roles, $r) {
+                        if (isset($_POST[$r])) {
+                            $roles[$r] = sanitize_user($_POST[$r]);
+                        }
+                        return $roles;
+                    },
+                    []
+                );
+
+                $attributes = [
+                    'wpgconcert_name' => sanitize_text_field($_POST['cname']),
+                    'venue' => intval($_POST['selectvenueadmin']),
+                    'wpgconcert_date' => sanitize_text_field($_POST['cdate']),
+                    'wpgconcert_ticket' => esc_url_raw($_POST['ticket']),
+                    'wpgconcert_event' => esc_url_raw($_POST['eventurl']),
+                    'wpgconcert_roles' => $roles,
+                ];
+
+                $concert = GiglogAdmin_Concert::get(intval($_POST['pid']));
+                if ($concert && $concert->update((object) $attributes)) {
+                    // let user know the concert was updated.
+                    // Look into admin_notices
+                }
+            }
+        }
     }
 }
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index 6ce3cc8..a2682a1 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
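Review bot: The `newconcert` branch of `update()` passes the raw `$_POST['cname']`, `selectvenueadmin`, `cdate`, `ticket` and `eventurl` values straight to `GiglogAdmin_Concert::create()`, while the `editconcert` branch a few lines below sanitises the same fields with `sanitize_text_field()`, `intval()` and `esc_url_raw()`; the two paths should agree, e.g. `GiglogAdmin_Concert::create(sanitize_text_field($_POST['cname']), intval($_POST['selectvenueadmin']), sanitize_text_field($_POST['cdate']), esc_url_raw($_POST['ticket']), esc_url_raw($_POST['eventurl']))`, unless `create()` is known to sanitise internally. The role list `['photo1', 'photo1', 'rev1', 'rev2']` repeats `photo1`, which looks like a typo for `photo2` and would silently drop that role from the update. The nonce check covers CSRF but there is no `current_user_can()` call in this method; if the capability check lives in the caller in giglog_admin_page.php, a comment above the nonce check saying so (`// caller has already verified the capability`) would make that dependency explicit, otherwise one should be added next to the nonce check.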
@@ -77,57 +77,11 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) { return; } - if (isset($_POST['newconcert'])) { - if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) { - echo '<script language="javascript">alert("You are missing a value, concert was not created"); </script>'; - } - else { - if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) { - echo '<script language="javascript">alert("Yey, concert created"); </script>'; - } - else { - echo '<script language="javascript">alert("Nay, concert was duplicated"); </script>'; - } - } - } - - if (isset($_POST['editconcert'])) - { - if (!isset($_POST['giglog_edit_concert_nonce']) - || wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ ))) - { - header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden"); - wp_die('CSRF validation failed.', 403); - } - - $roles = array_reduce( - ['photo1', 'photo1', 'rev1', 'rev2'], - function($roles, $r) { - if (isset($_POST[$r])) { - $roles[$r] = sanitize_user($_POST[$r]); - } - return $roles; - }, - [] - ); - - $attributes = [ - 'wpgconcert_name' => sanitize_text_field($_POST['cname']), - 'venue' => intval($_POST['selectvenueadmin']), - 'wpgconcert_date' => sanitize_text_field($_POST['cdate']), - 'wpgconcert_ticket' => esc_url_raw($_POST['ticket']), - 'wpgconcert_event' => esc_url_raw($_POST['eventurl']), - 'wpgconcert_roles' => $roles, - ]; - - $concert = GiglogAdmin_Concert::get(intval($_POST['pid'])); - if ($concert && $concert->update((object) $attributes)) { - // let user know the concert was updated. - // Look into admin_notices - } + if (isset($_POST['newconcert']) || isset($_POST['editconcert'])) { + GiglogAdmin_EditConcertForm::update(); + return; } - if(isset($_POST['newvenue'])) { if (!isset($_POST['giglog_new_venue_nonce']) |