strangerstudios/pmpro-register-helper

Readonly select2 fields empty content on profile save

Opened this issue · 1 comments

dparker1005 commented

Describe the bug
When we show a readonly Select2 field to the user profile, we add the disabled property to the <select> html element to prevent the user from changing the field's contents. The issue here is that when the form is submitted, the select2 field contents is not passed along with the form (since it is disabled), and so when PMProRH tries to save the data, it cannot find the field data and it instead empties the usermeta contents.

As a side-effect of how this works, if a user edits the source code of the profile page, they can then remove the disabled property and change the value of the readonly field. That change would actually save successfully.

To Reproduce
Steps to reproduce the behavior:

  1. Add a readonly select2 field via register helper based off of this code recipe: https://gist.github.com/ipokkel/4c0392099f4b578131484e0fe12e8e05
  2. Check out for a new non-admin user and fill in the select 2 field at checkout
  3. Go to the user profile as the non-admin user and see that the select2 field shows the correct data
  4. Save the profile and see that the data is then erased

Expected behavior
The profile save code should not run at all for readonly fields. Fix would also resolve the security issue I mentioned above with users being able to change readonly fields.

My suggestion to fix this issue is to wrap all of this code in an if ( ! empty( field->readonly ) ){ }:

pmpro-register-helper/pmpro-register-helper.php

Lines 1118 to 1149 in e90c450

if(isset($_POST[$field->name]) || isset($_FILES[$field->name]))
{
if ( isset( $_POST[ $field->name ] ) && isset( $field->sanitize ) && true === $field->sanitize ) {
$value = pmprorh_sanitize( $_POST[ $field->name ], $field );
} elseif( isset($_POST[$field->name]) ) {
$value = $_POST[ $field->name ];
} else {
$value = $_FILES[$field->name];
}
//callback?
if(!empty($field->save_function))
call_user_func($field->save_function, $user_id, $field->name, $value);
else
update_user_meta($user_id, $field->meta_key, $value);
}
elseif(!empty($_POST[$field->name . "_checkbox"]) && $field->type == 'checkbox') //handle unchecked checkboxes
{
//callback?
if(!empty($field->save_function))
call_user_func($field->save_function, $user_id, $field->name, 0);
else
update_user_meta($user_id, $field->meta_key, 0);
}
elseif(!empty($_POST[$field->name . "_checkbox"]) && in_array( $field->type, array( 'checkbox', 'checkbox_grouped', 'select2' ) ) ) //handle unchecked checkboxes
{
//callback?
if(!empty($field->save_function))
call_user_func($field->save_function, $user_id, $field->name, array());
else
update_user_meta($user_id, $field->meta_key, array());
}

Isolating the problem (mark completed items with an [x]):

  • I have deactivated other plugins and confirmed this bug occurs when only Paid Memberships Pro plugin is active.
  • This bug happens with a default WordPress theme active, or Memberlite.
  • I can reproduce this bug consistently using the steps above.

WordPress Environment

``` Please share non-sensitive information about your hosting environment such as WordPress version, PHP version, Paid Memberships Pro and any related plugins versions. ```
kimwhite commented

Still not working.