Merge pull request #6975 from pods-framework/release/2.9.11

classes/PodsAPI.php

@@ -3414,7 +3414,7 @@ public function save_field( $params, $table_operation = true, $sanitized = false
 			} elseif ( 0 === strpos( $field['pick_object'], 'taxonomy-' ) ) {
 				$field['pick_val']    = pods_str_replace( 'taxonomy-', '', $field['pick_object'], 1 );
 				$field['pick_object'] = 'taxonomy';
-			} elseif ( 'table' === $field['pick_object'] && 0 < strlen( pods_v( 'pick_table', $field ) ) ) {
+			} elseif ( 'table' === $field['pick_object'] && 0 < strlen( (string) pods_v( 'pick_table', $field ) ) ) {
 				$field['pick_val']    = $field['pick_table'];
 				$field['pick_object'] = 'table';
 			} elseif ( false === strpos( $field['pick_object'], '-' ) && ! in_array( $field['pick_object'], array(

classes/PodsData.php

@@ -3442,7 +3442,7 @@ public function traverse_recurse( $traverse_recurse ) {
 		$rel_alias = 'rel_' . $field_joined;
 
 		if ( pods_v( 'search', $traverse_recurse['params'], false ) && empty( $traverse_recurse['params']->filters ) ) {
-			if ( 0 < strlen( pods_v( 'filter_' . $field_joined ) ) ) {
+			if ( 0 < strlen( (string) pods_v( 'filter_' . $field_joined ) ) ) {
 				$val = absint( pods_v( 'filter_' . $field_joined ) );
 
 				$search = "`{$field_joined}`.`{$table_info[ 'field_id' ]}` = {$val}";

classes/PodsForm.php

@@ -270,7 +270,7 @@ public static function field( $name, $value, $type = 'text', $options = null, $p
 			 * @deprecated 2.7.0
 			 */
 			do_action( "pods_form_ui_field_{$type}", $name, $value, $options, $pod, $id );
-		} elseif ( ! empty( $helper ) && 0 < strlen( pods_v( 'code', $helper ) ) && false === strpos( $helper['code'], '$this->' ) && ( ! defined( 'PODS_DISABLE_EVAL' ) || ! PODS_DISABLE_EVAL ) ) {
+		} elseif ( ! empty( $helper ) && 0 < strlen( (string) pods_v( 'code', $helper ) ) && false === strpos( $helper['code'], '$this->' ) && ( ! defined( 'PODS_DISABLE_EVAL' ) || ! PODS_DISABLE_EVAL ) ) {
 			/**
 			 * Input helpers are deprecated and not guaranteed to work properly.
 			 *
@@ -552,7 +552,7 @@ public static function merge_attributes( $attributes, $name = null, $type = null
 			$_attributes['name']            = $name;
 			$_attributes['data-name-clean'] = $name_more_clean;
 
-			if ( 0 < strlen( pods_v( 'label', $options, '' ) ) ) {
+			if ( 0 < strlen( (string) pods_v( 'label', $options, '' ) ) ) {
 				$_attributes['data-label'] = strip_tags( pods_v( 'label', $options ) );
 			}
 

classes/PodsInit.php

@@ -1013,9 +1013,7 @@ public function register_assets() {
 			array_merge(
 				(array) $pods_dfv_options['dependencies'],
 				[
-					'jquery',
-					'jquery-ui-core',
-					'jquery-ui-sortable',
+					// @todo Refactor File field and any other DFV field types that need to go full React and replace Marionette usage.
 					'pods-marionette',
 					'media-views',
 					'media-models',
@@ -1508,7 +1506,7 @@ public function setup_content_types( $force = false ) {
 
 				$show_in_menu = (boolean) pods_v( 'show_in_menu', $post_type, true );
 
-				if ( $show_in_menu && 0 < strlen( pods_v( 'menu_location_custom', $post_type ) ) ) {
+				if ( $show_in_menu && 0 < strlen( (string) pods_v( 'menu_location_custom', $post_type ) ) ) {
 					$show_in_menu = pods_v( 'menu_location_custom', $post_type );
 				}
 
@@ -1564,7 +1562,7 @@ public function setup_content_types( $force = false ) {
 					$rest_namespace = pods_v( 'rest_namespace', $post_type );
 
 					// Get the namespace and sanitize/clean up the path.
-					if ( $rest_namespace ) {
+					if ( ! empty( $rest_namespace ) ) {
 						$rest_namespace = str_replace( '\\', '/', $rest_namespace );
 						$rest_namespace = explode( '/', $rest_namespace );
 						$rest_namespace = array_map( 'sanitize_title', $rest_namespace );
@@ -1578,7 +1576,7 @@ public function setup_content_types( $force = false ) {
 					$pods_post_types[ $post_type_name ]['rest_base']             = $rest_base;
 					$pods_post_types[ $post_type_name ]['rest_controller_class'] = 'WP_REST_Posts_Controller';
 
-					if ( $rest_namespace ) {
+					if ( ! empty( $rest_namespace ) ) {
 						$pods_post_types[ $post_type_name ]['rest_namespace'] = $rest_namespace;
 					}
 				}
@@ -1771,7 +1769,7 @@ public function setup_content_types( $force = false ) {
 					$rest_namespace = pods_v( 'rest_namespace', $taxonomy );
 
 					// Get the namespace and sanitize/clean up the path.
-					if ( $rest_namespace ) {
+					if ( ! empty( $rest_namespace ) ) {
 						$rest_namespace = str_replace( '\\', '/', $rest_namespace );
 						$rest_namespace = explode( '/', $rest_namespace );
 						$rest_namespace = array_map( 'sanitize_title', $rest_namespace );
@@ -1785,7 +1783,7 @@ public function setup_content_types( $force = false ) {
 					$pods_taxonomies[ $taxonomy_name ]['rest_base']             = $rest_base;
 					$pods_taxonomies[ $taxonomy_name ]['rest_controller_class'] = 'WP_REST_Terms_Controller';
 
-					if ( $rest_namespace ) {
+					if ( ! empty( $rest_namespace ) ) {
 						$pods_taxonomies[ $taxonomy_name ]['rest_namespace'] = $rest_namespace;
 					}
 				}

classes/PodsUI.php

@@ -1317,10 +1317,16 @@ public function go() {
 			$this->view();
 		} else {
 			if ( isset( $this->actions_custom[ $this->action ] ) ) {
-				$more_args = false;
+				$use_nonce = false;
 
-				if ( is_array( $this->actions_custom[ $this->action ] ) && isset( $this->actions_custom[ $this->action ]['more_args'] ) ) {
-					$more_args = $this->actions_custom[ $this->action ]['more_args'];
+				if ( is_array( $this->actions_custom[ $this->action ] ) ) {
+					$more_args = [];
+
+					if ( ! empty( $this->actions_custom[ $this->action ]['more_args'] ) ) {
+						$more_args = $this->actions_custom[ $this->action ]['more_args'];
+					}
+
+					$use_nonce = ! empty( $this->actions_custom[ $this->action ]['nonce'] ) || ! empty( $more_args['nonce'] );
 				}
 
 				$row = $this->row;
@@ -1329,7 +1335,13 @@ public function go() {
 					$row = $this->get_row();
 				}
 
-				if ( $this->restricted( $this->action, $row ) || ( $more_args && ! empty( $more_args['nonce'] ) && false === wp_verify_nonce( $this->_nonce, 'pods-ui-action-' . $this->action ) ) ) {
+				if (
+					$this->restricted( $this->action, $row )
+					|| (
+						$use_nonce
+						&& false === wp_verify_nonce( $this->_nonce, 'pods-ui-action-' . $this->action )
+					)
+				) {
 					return $this->error( sprintf( __( '<strong>Error:</strong> You do not have access to this %s.', 'pods' ), $this->item ) );
 				} elseif ( $more_args && false !== $this->callback_action( true, $this->action, $this->id, $row ) ) {
 					return null;

classes/fields/file.php

@@ -407,6 +407,11 @@ public function input( $name, $value = null, $options = null, $pod = null, $id =
 
 		wp_enqueue_script( 'pods-i18n' );
 
+		// To be further refactored later when we remove jQuery dependency and this field is fully React.
+		wp_enqueue_script( 'jquery' );
+		wp_enqueue_script( 'jquery-ui-core' );
+		wp_enqueue_script( 'jquery-ui-sortable' );
+
 		// Ensure the media library is initialized
 		$this->render_input_script( $args );
 	}

components/Pages.php

@@ -1076,7 +1076,7 @@ public function precode() {
 			if ( $permission ) {
 				$content = false;
 
-				if ( ! is_object( $pods ) && 404 != $pods && 0 < strlen( pods_var( 'pod', self::$exists['options'] ) ) ) {
+				if ( ! is_object( $pods ) && 404 != $pods && 0 < strlen( (string) pods_var( 'pod', self::$exists['options'] ) ) ) {
 					$slug = pods_var_raw( 'pod_slug', self::$exists['options'], null, null, true );
 
 					$has_slug = 0 < strlen( $slug );

init.php

@@ -4,13 +4,13 @@
  *
  * @package   Pods
  * @author    Pods Framework Team
- * @copyright 2022 Pods Foundation, Inc
+ * @copyright 2023 Pods Foundation, Inc
  * @license   GPL v2 or later
  *
  * Plugin Name:       Pods - Custom Content Types and Fields
  * Plugin URI:        https://pods.io/
  * Description:       Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version:           2.9.10.2
+ * Version:           2.9.11
  * Author:            Pods Framework Team
  * Author URI:        https://pods.io/about/
  * Text Domain:       pods
@@ -43,7 +43,7 @@
 	add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 	// Current version.
-	define( 'PODS_VERSION', '2.9.10.2' );
+	define( 'PODS_VERSION', '2.9.11' );
 
 	// Current database version, this is the last version the database changed.
 	define( 'PODS_DB_VERSION', '2.3.5' );

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pods",
-  "version": "2.9.10.2",
+  "version": "2.9.11",
   "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
   "author": "Pods Foundation, Inc",
   "homepage": "https://pods.io/",

readme.txt

@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields,
 Requires at least: 5.7
 Tested up to: 6.1
 Requires PHP: 5.6
-Stable tag: 2.9.10.2
+Stable tag: 2.9.11
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -173,6 +173,14 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 
 == Changelog ==
 
+= 2.9.11 - January 19th, 2023 =
+
+* Security: Fix nonce verification check when deleting a pod. Thanks to Rafshanzani Suhada for responsibly disclosing this through Patchstack (@0xshdax, @sc0ttkclark)
+* Compatibility: Improved compatibility with PHP 8.1+ (@sc0ttkclark)
+* Tweak: Removed some of the jQuery dependency for Pods DFV, the only part that remains is `jquery-ui-sortable` for File fields (to be further refactored into React at a later point). (@sc0ttkclark)
+* Fixed: Updated the tribe-common library which had an older version of JWT included. (@sc0ttkclark)
+* Fixed: Remove debug output on the Tools page when no actions needed to run. (@sc0ttkclark)
+
 = 2.9.10.2 - December 14th, 2022 =
 
 * Fixed: The new `pods_get_instance()` function now correctly checks if the `$pod` object is set up before calling methods on it. (@lkraav, @sc0ttkclark)

tribe-common/src/Common/Editor/Full_Site/Template_Utils.php

@@ -0,0 +1,88 @@
+<?php
+
+namespace TEC\Common\Editor\Full_Site;
+
+/**
+ * Class Template_Utils.
+ *
+ * @since   4.14.18
+ *
+ * @package TEC\Common\Editor\Full_Site
+ */
+class Template_Utils {
+	/**
+	 * Returns an array containing the references of the passed blocks and their inner blocks.
+	 *
+	 * When we return we are replacing/overwriting $blocks with $all_blocks so we pass-by-reference.
+	 * If we don't pass-by-reference the non-event blocks get lost (ex: header and footer)
+	 *
+	 * @since 4.14.18
+	 *
+	 * @param array<array<string,mixed>> $blocks Array of parsed block objects.
+	 *
+	 * @return array<array<string,mixed>> Block references to the passed blocks and their inner blocks.
+	 */
+	public static function flatten_blocks( &$blocks ) {
+		$all_blocks = [];
+		$queue      = [];
+
+		foreach ( $blocks as &$block ) {
+			$queue[] = &$block;
+		}
+
+		$queue_count = count( $queue );
+
+		while ( $queue_count > 0 ) {
+			$block = &$queue[0];
+			array_shift( $queue );
+			$all_blocks[] = &$block;
+
+			if ( ! empty( $block['innerBlocks'] ) ) {
+				foreach ( $block['innerBlocks'] as &$inner_block ) {
+					$queue[] = &$inner_block;
+				}
+			}
+
+			$queue_count = count( $queue );
+		}
+
+		return $all_blocks;
+	}
+
+	/**
+	 * Parses wp_template content and injects the current theme's stylesheet as a theme attribute into
+	 * each wp_template_part.
+	 *
+	 * @since 4.14.18
+	 *
+	 * @param string $template_content serialized wp_template content.
+	 *
+	 * @return string Updated wp_template content.
+	 */
+	public static function inject_theme_attribute_in_content( $template_content ) {
+		$has_updated_content = false;
+		$new_content         = '';
+		$template_blocks     = parse_blocks( $template_content );
+
+		$blocks = static::flatten_blocks( $template_blocks );
+		foreach ( $blocks as &$block ) {
+			if (
+				'core/template-part' === $block['blockName'] &&
+				! isset( $block['attrs']['theme'] )
+			) {
+				$block['attrs']['theme'] = wp_get_theme()->get_stylesheet();
+				$has_updated_content     = true;
+			}
+		}
+
+		if ( $has_updated_content ) {
+			foreach ( $template_blocks as &$block ) {
+				$new_content .= serialize_block( $block );
+			}
+
+			return $new_content;
+		}
+
+		return $template_content;
+	}
+}