Merge remote-tracking branch 'strangerstudios/dev' into v3.0

CHANGELOG.txt

@@ -30,6 +30,10 @@
 * REFACTOR: Changing uses of `pmpro_getOption()` to `get_option()`. #2491, #2493, #2494, #2495 (@JarrydLong, @MaximilianoRicoTabo)
 * DEPRECATED: No longer using `$pmpro_levels` global variable. #2666 (@dparker1005)
 
+= 2.12.6 - 2023-12-18 =
+* SECURITY: Fixed a security issue where unauthorized users could abuse the REST API endpoints to add new levels or edit existing levels. (Thanks, Craig Smith at WordFence) #2742 (@ideadude)
+* BUG FIX: Now hiding level confirmation messages from the output returned by the checkout_levels API route. #2742 (@ideadude)
+
 = 2.12.5 - 2023-12-12 =
 * ENHANCEMENT: Now allowing links to be included in user field group descriptions. #2681 (@dparker1005)
 * ENHANCEMENT: Now sorting the Levels column on the Discount Codes list table by the sorted level order. #2628 (@kimcoleman)

includes/rest-api.php

@@ -916,9 +916,18 @@ function pmpro_rest_api_get_checkout_levels( $request ) {
 			$r['initial_payment'] = 0.00;
 			foreach ( $level_ids as $level_id ) {
 				$r[ $level_id ] = pmpro_getLevelAtCheckout( $level_id, $discount_code );
+
+				// Increment the total initial_paymnent.
 				if ( ! empty( $r[ $level_id ]->initial_payment ) ) {
 					$r['initial_payment'] += floatval( $r[ $level_id ]->initial_payment );
 				}
+
+				// Hide confirmation message if not an admin or member.
+				if ( ! empty( $r[ $level_id ]->confirmation ) 
+						&& ! pmpro_hasMembershipLevel( $level_id )
+						&& ! current_user_can( 'pmpro_edit_memberships' ) ) {				
+					$r[ $level_id ]->confirmation = '';					
+				}
 			}
 			$r['initial_payment_formatted'] = pmpro_formatPrice( $r['initial_payment'] );
 			return new WP_REST_Response( $r );
@@ -1143,13 +1152,15 @@ public function pmpro_rest_api_set_post_restrictions( $request ) {
 		 * 'administrator' for any other type of request.
 		 *
 		 * @since 2.3
+		 * @since 2.12.6 Now allowing arrays in $route_caps so you can have a different permission per HTTP method.
 		 */
 		 function pmpro_rest_api_get_permissions_check( $request ) {
 
 			$method = $request->get_method();
 			$route = $request->get_route();
 
 			// Default to requiring pmpro_edit_members capability.
+			// NOTE: This basically means that anyone with the pmpro_edit_members capability could potentially do anything made available through the API in this file.
 			$permission = current_user_can( 'pmpro_edit_members' );
 
 			// Check other caps for some routes.
@@ -1159,7 +1170,13 @@ function pmpro_rest_api_get_permissions_check( $request ) {
 				'/pmpro/v1/get_membership_levels_for_user' => 'pmpro_edit_members',
 				'/pmpro/v1/change_membership_level' => 'pmpro_edit_members',
 				'/pmpro/v1/cancel_membership_level' => 'pmpro_edit_members',
-				'/pmpro/v1/membership_level' => true,
+				'/pmpro/v1/membership_level' => array(
+					'GET' => true,
+					'POST' => 'pmpro_membershiplevels',
+					'PUT' => 'pmpro_membershiplevels',
+					'PATCH' => 'pmpro_membershiplevels',
+					'DELETE' => 'pmpro_membershiplevels',
+				),
 				'/pmpro/v1/membership_levels' => true,
 				'/pmpro/v1/discount_code' => 'pmpro_discountcodes',
 				'/pmpro/v1/order' => 'pmpro_orders',
@@ -1170,15 +1187,30 @@ function pmpro_rest_api_get_permissions_check( $request ) {
 				'/pmpro/v1/recent_orders' => 'pmpro_orders',
 				'/pmpro/v1/post_restrictions' => 'pmpro_edit_members',
 			);
-			$route_caps = apply_filters( 'pmpro_rest_api_route_capabilities', $route_caps, $request );			
+			$route_caps = apply_filters( 'pmpro_rest_api_route_capabilities', $route_caps, $request );
 
+			// Check if we have a specific permission to check for this route/method.
 			if ( isset( $route_caps[$route] ) ) {
-				if ( $route_caps[$route] === true ) {
-					// public
-					$permission = true;
-				} else {									
-					$permission = current_user_can( $route_caps[$route] );					
-				}				
+				// Find the permission to check.
+				if ( is_array ( $route_caps[$route] ) && isset( $route_caps[$route][$method] ) ) {
+					// Different permission for this method, use it.
+					$permission_to_check = $route_caps[$route][$method];
+				} elseif ( is_array( $route_caps[$route] ) ) {
+					// No permission for this method, default to false.
+					$permission_to_check = false;
+				} else {
+					// Same permission for all methods, use it.
+					$permission_to_check = $route_caps[$route];
+				}
+
+				// Check the permission.
+				if ( $permission_to_check === true || $permission_to_check === false ) {
+					// For true or false, just pass it along.
+					$permission = $permission_to_check;
+				} else {
+					// Check if the current user has this capability.
+					$permission = current_user_can( $permission );
+				}
 			}
 
 			// Is the request method allowed? We disable DELETE by default.

languages/paid-memberships-pro-ca.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:36+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:39+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-ca_AD.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:38+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:41+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-ca_ES.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:40+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:43+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-cs_CZ.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:42+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:44+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-da_DK.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:44+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:46+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-de_DE.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:46+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:48+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-de_DE_formal.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:48+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:50+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-el_GR.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:51+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:51+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-en_GB.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:53+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:53+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-es_CL.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:55+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:55+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-es_ES.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:57+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:57+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-es_PE.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:34:59+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:23:59+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"

languages/paid-memberships-pro-et_EE.po

@@ -2,14 +2,22 @@
 # This file is distributed under the same license as the Paid Memberships Pro plugin.
 msgid ""
 msgstr ""
+<<<<<<< HEAD
 "Project-Id-Version: Paid Memberships Pro 2.99.991\n"
+=======
+"Project-Id-Version: Paid Memberships Pro 2.12.6\n"
+>>>>>>> strangerstudios/dev
 "Report-Msgid-Bugs-To: [email protected]\n"
 "Last-Translator: Paid Memberships Pro <[email protected]>\n"
 "Language-Team: Paid Memberships Pro <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
+<<<<<<< HEAD
 "POT-Creation-Date: 2023-12-14T14:35:01+00:00\n"
+=======
+"POT-Creation-Date: 2023-12-18T21:24:00+00:00\n"
+>>>>>>> strangerstudios/dev
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: paid-memberships-pro\n"