From 6c86c2b2d75ac4f989826275f4a63294bdc2fd17 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Sat, 12 Mar 2022 18:32:31 +0100
Subject: Move update edit concert form code to class.

Also ensure that nonce checking is performed before both adding and editing concerts, and escape concert data before outputing it in the form.
---
 includes/admin/views/_edit_concert_form.php | 78 ++++++++++++++++++++++++++---
 includes/admin/views/giglog_admin_page.php | 52 ++-----------------
 2 files changed, 73 insertions(+), 57 deletions(-)
(limited to 'includes')
diff --git a/includes/admin/views/_edit_concert_form.php b/includes/admin/views/_edit_concert_form.php
index c7675f0..b839edd 100644
--- a/includes/admin/views/_edit_concert_form.php
+++ b/includes/admin/views/_edit_concert_form.php
@@ -42,23 +42,35 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
 $cid = filter_input(INPUT_POST, "cid");
 $editing = filter_input(INPUT_POST, "edit") == "EDIT";
- if ($editing && !empty($cid)) //A bit overdoing with the checks if concert ID is empty both here and in find_cid. But based on that, things are NULL or not. Better ideas?
+ if ($editing && !empty($cid)) {
 $c = GiglogAdmin_Concert::get($cid);
- else
+ if ( !$c ) {
+ wp_die("Invalid request!", 400);
+ }
+ }
+ else {
+ $c = new GiglogAdmin_Concert((object)[]);
+ }
 $content='
'; $content.='
' .'
CONCERT DETAILS

' - . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' ) - .'' - .'
' + . wp_nonce_field( 'edit-concert', 'nonce' ) + .'' + .'' + .'
' .'' . $this->get_venue_selector($c->venue()) . '
' //date has to be formatted else it is not red in the date field of html form - .'
' - .'
' - .'
' + .'' + .'
' + .'' + .'
' + .'' + .'
' .'
'; + // actions differ if we update or create a concert, hence two buttons needed if ($editing) $content.='

';
@@ -77,5 +89,55 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
 return $content;
 }
+
+ static function update() : void
+ {
+ if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'edit-concert')) {
+ wp_die('CSRF validation failed.', 403);
+ }
+
+ if (isset($_POST['newconcert'])) {
+ if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) {
+ echo '';
+ }
+ else {
+ if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) {
+ echo '';
+ }
+ else {
+ echo '';
+ }
+ }
+ }
+
+ if (isset($_POST['editconcert']))
+ {
+ $roles = array_reduce(
+ ['photo1', 'photo1', 'rev1', 'rev2'],
+ function($roles, $r) {
+ if (isset($_POST[$r])) {
+ $roles[$r] = sanitize_user($_POST[$r]);
+ }
+ return $roles;
+ },
+ []
+ );
+
+ $attributes = [
+ 'wpgconcert_name' => sanitize_text_field($_POST['cname']),
+ 'venue' => intval($_POST['selectvenueadmin']),
+ 'wpgconcert_date' => sanitize_text_field($_POST['cdate']),
+ 'wpgconcert_ticket' => esc_url_raw($_POST['ticket']),
+ 'wpgconcert_event' => esc_url_raw($_POST['eventurl']),
+ 'wpgconcert_roles' => $roles,
+ ];
+
+ $concert = GiglogAdmin_Concert::get(intval($_POST['pid']));
+ if ($concert && $concert->update((object) $attributes)) {
+ // let user know the concert was updated.
+ // Look into admin_notices
+ }
+ }
+ }
 }
 }
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index 6ce3cc8..a2682a1 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
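Review bot: `wp_nonce_field()` prints its hidden inputs by default and only additionally returns them, so concatenating its result into `$content` at `. wp_nonce_field( 'edit-concert', 'nonce' )` will emit the nonce field a second time, outside the form, unless the caller wraps this in output buffering. Passing false as the fourth argument keeps the markup in the string only: `. wp_nonce_field( 'edit-concert', 'nonce', true, false )`. The same pattern was already present in the removed line, so this is pre-existing rather than introduced here. The form-building method continues past this hunk, and the surrounding tag strings are not readable in this copy of the diff, so the escaping the commit message describes could not be checked.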
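Review bot: The reducer in `update()` walks `['photo1', 'photo1', 'rev1', 'rev2']`, so `photo1` is read twice and a second photographer field is never copied into `wpgconcert_roles`; presumably the list should be `['photo1', 'photo2', 'rev1', 'rev2']`, worth confirming against the field names in the form. The `newconcert` branch also hands the raw `$_POST` values straight to `GiglogAdmin_Concert::create()`, while the `editconcert` branch runs the same fields through `sanitize_text_field` and `esc_url_raw` first; unless `create()` sanitizes internally, the two paths should be made consistent by applying the same helpers before the call. No capability check is visible in this method; if it relies on the guard in the caller in giglog_admin_page.php, a one-line comment such as `// Caller must have verified the user's capability before dispatching here.` would make that contract explicit.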
@@ -77,57 +77,11 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) {
 return;
 }
- if (isset($_POST['newconcert'])) {
- if (empty($_POST['cname']) || empty($_POST['selectvenueadmin']) || empty($_POST['cdate']) || empty($_POST['ticket']) || empty($_POST['eventurl'])) {
- echo '';
- }
- else {
- if (GiglogAdmin_Concert::create($_POST['cname'], $_POST['selectvenueadmin'], $_POST['cdate'], $_POST['ticket'], $_POST['eventurl'])) {
- echo '';
- }
- else {
- echo '';
- }
- }
- }
-
- if (isset($_POST['editconcert']))
- {
- if (!isset($_POST['giglog_edit_concert_nonce'])
- || wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ )))
- {
- header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
- wp_die('CSRF validation failed.', 403);
- }
-
- $roles = array_reduce(
- ['photo1', 'photo1', 'rev1', 'rev2'],
- function($roles, $r) {
- if (isset($_POST[$r])) {
- $roles[$r] = sanitize_user($_POST[$r]);
- }
- return $roles;
- },
- []
- );
-
- $attributes = [
- 'wpgconcert_name' => sanitize_text_field($_POST['cname']),
- 'venue' => intval($_POST['selectvenueadmin']),
- 'wpgconcert_date' => sanitize_text_field($_POST['cdate']),
- 'wpgconcert_ticket' => esc_url_raw($_POST['ticket']),
- 'wpgconcert_event' => esc_url_raw($_POST['eventurl']),
- 'wpgconcert_roles' => $roles,
- ];
-
- $concert = GiglogAdmin_Concert::get(intval($_POST['pid']));
- if ($concert && $concert->update((object) $attributes)) {
- // let user know the concert was updated.
- // Look into admin_notices
- }
+ if (isset($_POST['newconcert']) || isset($_POST['editconcert'])) {
+ GiglogAdmin_EditConcertForm::update();
+ return;
 }
-
 if(isset($_POST['newvenue'])) {
 if (!isset($_POST['giglog_new_venue_nonce'])
--
cgit v1.2.3