release: fixes

### Fixes - Fixes the issue with category creation - Enhanced security - Updated error message for invalid feed sources
Codeinwp · Feb 9, 2024 · 0032aae · 0032aae
2 parents 0c044f6 + 00cc885
commit 0032aae
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 24 deletions.
diff --git a/includes/admin/feedzy-rss-feeds-admin.php b/includes/admin/feedzy-rss-feeds-admin.php
@@ -266,7 +266,6 @@ public function register_post_type() {
 		$supports = array(
 			'title',
 		);
-		$capability = feedzy_current_user_can();
 		$args     = array(
 			'labels'                => $labels,
 			'supports'              => $supports,
@@ -283,18 +282,35 @@ public function register_post_type() {
 			'rest_controller_class' => 'WP_REST_Posts_Controller',
 			'map_meta_cap'          => true,
 			'capabilities' => array(
-				'publish_posts'         => $capability,
-				'edit_posts'            => $capability,
-				'edit_others_posts'     => $capability,
-				'delete_posts'          => $capability,
-				'delete_others_posts'   => $capability,
-				'read_private_posts'    => $capability,
+				'edit_post'          => 'edit_feedzy_category',
+				'read_post'          => 'read_feedzy_category',
+				'delete_post'        => 'delete_feedzy_category',
+				'edit_posts'         => 'edit_feedzy_categories',
+				'edit_others_posts'  => 'edit_others_feedzy_categories',
+				'publish_posts'      => 'publish_feedzy_categories',
+				'read_private_posts' => 'read_private_feedzy_categories',
 			),
 		);
 		$args     = apply_filters( 'feedzy_post_type_args', $args );
 		register_post_type( 'feedzy_categories', $args );
 	}
 
+	/**
+	 * Only allow admin to modify or delete categories.
+	 *
+	 * @return void
+	 */
+	public function register_admin_capabilities() {
+		$admin_role = get_role( 'administrator' );
+		$admin_role->add_cap( 'edit_feedzy_category' );
+		$admin_role->add_cap( 'read_feedzy_category' );
+		$admin_role->add_cap( 'delete_feedzy_category' );
+		$admin_role->add_cap( 'edit_feedzy_categories' );
+		$admin_role->add_cap( 'edit_others_feedzy_categories' );
+		$admin_role->add_cap( 'publish_feedzy_categories' );
+		$admin_role->add_cap( 'read_private_feedzy_categories' );
+	}
+
 	/**
 	 * Method to add a meta box to `feedzy_categories`
 	 * custom post type.
@@ -876,7 +892,7 @@ public function get_source_validity_error( $message = '', $post = '', $class = '
 		$invalid = $text = null;
 		switch ( $post->post_type ) {
 			case 'feedzy_categories':
-				$text    = __( 'We found the following invalid URLs that we have removed from the list', 'feedzy-rss-feeds' );
+				$text    = __( 'We found the following invalid or unreachable by WordPress SimplePie URLs that we have removed from the list', 'feedzy-rss-feeds' );
 				$invalid = get_post_meta( $post->ID, '__transient_feedzy_category_feed', true );
 				delete_post_meta( $post->ID, '__transient_feedzy_category_feed' );
 				break;
@@ -885,7 +901,7 @@ public function get_source_validity_error( $message = '', $post = '', $class = '
 				$invalid_dc_namespace = get_post_meta( $post->ID, '__transient_feedzy_invalid_dc_namespace', true );
 				$invalid_source_errors = get_post_meta( $post->ID, '__transient_feedzy_invalid_source_errors', true );
 				if ( $invalid_source ) {
-					$text = __( 'This source has invalid URLs. Please correct/remove the following', 'feedzy-rss-feeds' );
+					$text = __( 'This source has invalid or unreachable by WordPress SimplePie URLs. Please correct/remove the following', 'feedzy-rss-feeds' );
 					$invalid = $invalid_source;
 					delete_post_meta( $post->ID, '__transient_feedzy_invalid_source' );
 				} elseif ( $invalid_dc_namespace ) {
@@ -1080,6 +1096,10 @@ public function feedzy_dismiss_wizard( $redirect_to_dashboard = true ) {
 	 * Setup wizard process.
 	 */
 	public function feedzy_wizard_step_process() {
+		if ( ! feedzy_current_user_can() ) {
+			return wp_send_json( array( 'status' => 0 ) );
+		}
+
 		check_ajax_referer( FEEDZY_BASEFILE, 'security' );
 		$step = ! empty( $_POST['step'] ) ? filter_input( INPUT_POST, 'step', FILTER_UNSAFE_RAW ) : 1;
 		switch ( $step ) {

diff --git a/includes/admin/feedzy-rss-feeds-import.php b/includes/admin/feedzy-rss-feeds-import.php
@@ -1020,6 +1020,11 @@ public function ajax() {
 	 * @access  private
 	 */
 	private function import_status() {
+
+		if ( ! feedzy_current_user_can() ) {
+			return wp_send_json_error( array( 'msg' => __( 'You do not have permission to do this.', 'feedzy-rss-feeds' ) ) );
+		}
+
 		global $wpdb;
 
 		check_ajax_referer( FEEDZY_BASEFILE, 'security' );
@@ -2621,16 +2626,15 @@ public function set_wpml_element_language_details( $post_type = 'post', $post_id
 	 * Fetch custom field by selected post type.
 	 */
 	public function fetch_custom_fields() {
+		check_ajax_referer( FEEDZY_BASEFILE, 'security' );
 		global $wpdb;
 
-		// @codingStandardsIgnoreStart
-		$post_type  = isset( $_POST['post_type'] ) ? filter_input( INPUT_POST, 'post_type', FILTER_UNSAFE_RAW ) : '';
-		$search_key = isset( $_POST['search_key'] ) ? filter_input( INPUT_POST, 'search_key', FILTER_UNSAFE_RAW ) : '';
-		// @codingStandardsIgnoreEnd
+		$post_type  = isset( $_POST['post_type'] ) ? sanitize_text_field( wp_unslash( $_POST['post_type'] ) ) : '';
+		$search_key = isset( $_POST['search_key'] ) ? sanitize_text_field( wp_unslash( $_POST['search_key'] ) ) : '';
 
 		$like = '';
 		if ( ! empty( $search_key ) ) {
-			$like = " AND $wpdb->postmeta.meta_key LIKE '%$search_key%'";
+			$like = $wpdb->prepare( " AND $wpdb->postmeta.meta_key LIKE %s", '%' . $search_key . '%' );
 		}
 
 		// phpcs:ignore

diff --git a/includes/feedzy-rss-feeds.php b/includes/feedzy-rss-feeds.php
@@ -190,6 +190,7 @@ private function define_admin_hooks() {
 		self::$instance->loader->add_action( 'admin_init', $plugin_ui, 'register_init' );
 
 		self::$instance->loader->add_action( 'wp_head', $plugin_ui, 'add_feedzy_global_style', 10, 1 );
+		self::$instance->loader->add_action( 'admin_init', self::$instance->admin, 'register_admin_capabilities' );
 		self::$instance->loader->add_action( 'init', self::$instance->admin, 'register_post_type' );
 		self::$instance->loader->add_action( 'save_post', self::$instance->admin, 'save_feedzy_post_type_meta', 1, 2 );
 		self::$instance->loader->add_action( 'feedzy_pre_http_setup', self::$instance->admin, 'pre_http_setup', 10, 1 );

diff --git a/includes/gutenberg/build/block.js b/includes/gutenberg/build/block.js
diff --git a/includes/gutenberg/src/Editor.js b/includes/gutenberg/src/Editor.js
@@ -420,7 +420,7 @@ class Editor extends Component {
 						</Button>,
                         <ExternalLink href={ this.getValidateURL() } title={ __( 'Validate Feed ' ) }>{ __( 'Validate ' ) }</ExternalLink>,
                         ( ! feedzyjs.isPro ) && <div className="fz-source-upgrade-alert"><strong>{__('NEW!')} </strong>{__('Enable Amazon Product Advertising feeds to generate affiliate revenue by ')}<ExternalLink href="https://themeisle.com/plugins/feedzy-rss-feeds/upgrade/?utm_source=wpadmin&utm_medium=blockeditor&utm_campaign=keywordsfilter&utm_content=feedzy-rss-feeds">{__('upgrading to Feedzy Pro.')}</ExternalLink></div>,
-                        ( this.state.error ) && <div>{ __( 'Feed URL is invalid. Invalid feeds will NOT display items.') }</div>,
+                        ( this.state.error ) && <div>{ __( 'Feed URL is invalid or unreachable by WordPress SimplePie and will NOT display items.') }</div>,
                         <p>{ __( 'Enter the full URL of the feed source you wish to display here, or the name of a category you\'ve created. Also you can add multiple URLs just separate them with a comma. You can manage your categories feed from') } <a href="edit.php?post_type=feedzy_categories" title={ __( 'feedzy categories ' ) } target="_blank">{ __( 'here ' ) }</a></p>
 					] }
 					</Placeholder>

diff --git a/js/ActionPopup/action-popup.min.js b/js/ActionPopup/action-popup.min.js
diff --git a/js/FeedBack/feedback.min.js b/js/FeedBack/feedback.min.js
diff --git a/js/Onboarding/import-onboarding.min.js b/js/Onboarding/import-onboarding.min.js