plugin updates

2024-07-16 13:57:46 +00:00
parent 41f50eacc4
commit 8f93917880
1529 changed files with 259452 additions and 25451 deletions
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-check-screen.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-check-screen.php
@@ -15,17 +15,17 @@ if ( ! class_exists( 'ACF_Ajax_Check_Screen' ) ) :
 		var $public = false;

 		/**
-		 * get_response
-		 *
 		 * Returns the response data to sent back.
 		 *
-		 * @date    31/7/18
-		 * @since   5.7.2
+		 * @since 5.7.2
 		 *
-		 * @param   array $request The request args.
-		 * @return  mixed The response data or WP_Error.
+		 * @param array $request The request args.
+		 * @return array|WP_Error The response data or WP_Error.
 		 */
-		function get_response( $request ) {
+		public function get_response( $request ) {
+			if ( ! current_user_can( 'edit_posts' ) ) {
+				return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
+			}

 			// vars
 			$args = wp_parse_args(
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-local-json-diff.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-local-json-diff.php
@@ -32,6 +32,11 @@ if ( ! class_exists( 'ACF_Ajax_Local_JSON_Diff' ) ) :
 		 * @return array|WP_Error The response data or WP_Error.
 		 */
 		public function get_response( $request ) {
+			// Bail early if the current user can't access the ACF admin.
+			if ( ! acf_current_user_can_admin() ) {
+				return new WP_Error( 'acf_not_allowed', __( 'Sorry, you are not allowed to do that.', 'acf' ), array( 'status' => 403 ) );
+			}
+
 			$json = array();

 			// Extract props.
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-query-users.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-query-users.php
@@ -11,6 +11,39 @@ if ( ! class_exists( 'ACF_Ajax_Query_Users' ) ) :
 		/** @var string The AJAX action name. */
 		var $action = 'acf/ajax/query_users';

+		/**
+		 * Verifies the request.
+		 *
+		 * @since 6.3.2
+		 *
+		 * @param array $request The request args.
+		 * @return  (bool|WP_Error) True on success, WP_Error on fail.
+		 */
+		public function verify_request( $request ) {
+			if ( empty( $request['nonce'] ) || empty( $request['field_key'] ) ) {
+				return new WP_Error( 'acf_invalid_args', __( 'Invalid request args.', 'acf' ), array( 'status' => 404 ) );
+			}
+
+			$nonce  = $request['nonce'];
+			$action = $request['field_key'];
+
+			if ( isset( $request['conditional_logic'] ) && true === (bool) $request['conditional_logic'] ) {
+				if ( ! acf_current_user_can_admin() ) {
+					return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
+				}
+
+				// Use the standard ACF admin nonce.
+				$nonce  = '';
+				$action = '';
+			}
+
+			if ( ! acf_verify_ajax( $nonce, $action ) ) {
+				return new WP_Error( 'acf_invalid_nonce', __( 'Invalid nonce.', 'acf' ), array( 'status' => 404 ) );
+			}
+
+			return true;
+		}
+
 		/**
 		 * init_request
 		 *
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-upgrade.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-upgrade.php
@@ -12,17 +12,17 @@ if ( ! class_exists( 'ACF_Ajax_Upgrade' ) ) :
 		var $action = 'acf/ajax/upgrade';

 		/**
-		 * get_response
-		 *
 		 * Returns the response data to sent back.
 		 *
-		 * @date    31/7/18
-		 * @since   5.7.2
+		 * @since 5.7.2
 		 *
-		 * @param   array $request The request args.
-		 * @return  mixed The response data or WP_Error.
+		 * @param array $request The request args.
+		 * @return boolean|WP_Error True if successful, or WP_Error on failure.
 		 */
-		function get_response( $request ) {
+		public function get_response( $request ) {
+			if ( ! current_user_can( acf_get_setting( 'capability' ) ) ) {
+				return new WP_Error( 'upgrade_error', __( 'Sorry, you don\'t have permission to do that.', 'acf' ) );
+			}

 			// Switch blog.
 			if ( isset( $request['blog_id'] ) ) {
@@ -47,6 +47,7 @@ if ( ! class_exists( 'ACF_Ajax_Upgrade' ) ) :
 			if ( $error ) {
 				return new WP_Error( 'upgrade_error', $error );
 			}
+
 			return true;
 		}
 	}
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-user-setting.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-user-setting.php
@@ -8,11 +8,19 @@ if ( ! class_exists( 'ACF_Ajax_User_Setting' ) ) :

 	class ACF_Ajax_User_Setting extends ACF_Ajax {

-		/** @var string The AJAX action name. */
-		var $action = 'acf/ajax/user_setting';
+		/**
+		 * The AJAX action name.
+		 *
+		 * @var string
+		 */
+		public $action = 'acf/ajax/user_setting';

-		/** @var boolean Prevents access for non-logged in users. */
-		var $public = true;
+		/**
+		 * Prevents access for non-logged in users.
+		 *
+		 * @var boolean
+		 */
+		public $public = false;

 		/**
 		 * get_response
@@ -25,7 +33,10 @@ if ( ! class_exists( 'ACF_Ajax_User_Setting' ) ) :
 		 * @param   array $request The request args.
 		 * @return  mixed The response data or WP_Error.
 		 */
-		function get_response( $request ) {
+		public function get_response( $request ) {
+			if ( ! acf_current_user_can_admin() ) {
+				return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
+			}

 			// update
 			if ( $this->has( 'value' ) ) {
--- a/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/index.php
+++ b/wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/index.php
@@ -0,0 +1,2 @@
+<?php
+// There are many ways to WordPress.