Securing taxonomies export #872
Conversation
|
Creating the PR for the sake of commenting. One detail about the cptui_get_single_taxonomy_registery() function is that it echos by default. Perhaps a detail we should change with output buffering. As is though, line 211 isn't really assigning anything to the variable because it's not explicitly returning anything. We're also never going to have a WP_Error since we don't throw any with the function either. In large part because it's just meant to display copy/paste ready versions of a given For the show_graphql, sort, and queryvar parts, the disp_boolean() function is immediately casting them to string, which is what we're getting from the settings extraction anyway, so may as well not worry about type casting there. |
|
Also, I'm pretty sure a lot of what this original issue stemmed from is when doing the actual registration which happens in the main custom-post-type-ui.php file. We suddenly have new labels or arguments that we are trying to set values for, but the "old" settings don't have saved indexes in their current That said, if this is attempting to do the "scanning" I mention in #780 then I'm still for moving forward here, but may need to ponder on some extra approaches. |
Thanks! I will try to add it there too, I've added it in taxonomies from the error logs sent when the issue was reported, when I was able to replicate the error it gave error because the key was not found, that's why I check if the key exists and if not I "initialize it", I'll add to check all keys are available in the other processes. I'll add this too -> -at least update the "get_option" value to have empty, and at least existing, indexes- |
|
All changes added and tested! |
custom-post-type-ui.php
Outdated
| @@ -268,6 +268,23 @@ function cptui_create_custom_post_types() { | |||
| return; | |||
| } | |||
|
|
|||
| function sample_admin_notice__warning() { | |||
There was a problem hiding this comment.
Let's move this function into the inc/utility.php file at the end of the file, and let's also rename it to cptui_undefined_index_notice.
custom-post-type-ui.php
Outdated
| function sample_admin_notice__warning() { | ||
| ?> | ||
| <div class="notice notice-warning"> | ||
| <p>There's some missing indexes. You might need to re-save.</p> |
There was a problem hiding this comment.
Need to get this passed through esc_html_e() with a textdomain of custom-post-type-ui.
Also lets have it say "Custom Post Type UI added new parameters. Please consider reviewing your post types or taxonomies and consider clicking to save them again."
custom-post-type-ui.php
Outdated
| if ( (is_array($cpts) && !empty($cpts)) && | ||
| (is_array($cpts_override) && !empty($cpts_override)) && | ||
| ( array_diff( array_keys($cpts), array_keys($cpts_override) ) )) { | ||
| add_action( 'admin_notices', 'sample_admin_notice__warning' ); |
There was a problem hiding this comment.
This line will need to be updated to match the function rename.
custom-post-type-ui.php
Outdated
| // Compare if they don't have any missing or difference in keys | ||
| if ( (is_array($cpts) && !empty($cpts)) && | ||
| (is_array($cpts_override) && !empty($cpts_override)) && | ||
| ( array_diff( array_keys($cpts), array_keys($cpts_override) ) )) { |
There was a problem hiding this comment.
Nitpicky detail, but can we check on PHPCS for this section regarding whitespace around function calls and passed parameters?
| @@ -1503,6 +1503,20 @@ function cptui_update_taxonomy( $data = [] ) { | |||
| return 'error'; | |||
| } | |||
|
|
|||
| $must_have_keys = ['object_types', 'rewrite', 'rewrite_slug', 'name', | |||
There was a problem hiding this comment.
Can we turn this into a function similar to cptui_reserved_taxonomies() where it returns this array? No need to add an apply_filters() for it, just have it return the array.
Could either still assign to $must_have_keys or it could replace the variable and just be used as such:
foreach( my_function_name() as $key ) {
...
}
The reason for this request is to make the array more usable in the future, if need arises.
| } | ||
| } | ||
|
|
||
| if ( ! array_key_exists('labels', $taxonomy) ){ |
There was a problem hiding this comment.
Another nitpick, but spacing around our functions and logic statements. Her and above into the foreach loop above around line 241.
I know Alok is also working on his own PHPCS review so best to not introduce new spots when able.
There was a problem hiding this comment.
I'll run phpcs to check my added code
| ?> | ||
| ]; | ||
|
|
||
| <?php | ||
| $show_graphql = isset( $taxonomy['show_in_graphql'] ) ? (bool) $taxonomy['show_in_graphql'] : false; | ||
| ?> |
There was a problem hiding this comment.
This looks like it was accidentally removed and we will want to have it in place still
There was a problem hiding this comment.
no, it's this comment above: "For the show_graphql, sort, and queryvar parts, the disp_boolean() function is immediately casting them to string, which is what we're getting from the settings extraction anyway, so may as well not worry about type casting there." but I can leave it as it was,
inc/tools.php
Outdated
| @@ -349,7 +370,7 @@ function cptui_get_single_taxonomy_registery( $taxonomy = [] ) { | |||
| "rest_namespace" => "<?php echo $rest_namespace; ?>", | |||
| "show_in_quick_edit" => <?php echo $show_in_quick_edit; ?>, | |||
| "sort" => <?php echo disp_boolean( $taxonomy['sort'] ); ?>, | |||
| <?php if ( $show_graphql ) : ?> | |||
There was a problem hiding this comment.
Same part as restoring the isset for this above.
inc/tools.php
Outdated
| 'public', 'publicly_queryable', 'show_ui', 'show_in_nav_menus', | ||
| 'delete_with_user', 'show_in_rest', 'has_archive', 'exclude_from_search', | ||
| 'hierarchical', 'can_export', 'rewrite', 'rewrite_withfront', 'query_var', | ||
| 'show_in_menu']; |
There was a problem hiding this comment.
Same request as for the taxonomy reusable function.
| if ( array_key_exists($key, $post_type) ){ | ||
| $post_type[$key] = ''; | ||
| } | ||
| } |
There was a problem hiding this comment.
Same nitpick around spacing.
No description provided.