Changeset 12412 for sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-blocks.php

Timestamp:

02/22/2023 12:54:20 AM (2 years ago)

Author:

Clorith

Message:

Support Forums: Check intent before updating user preferences.

The bbPress profile page may be triggered by various scenarios that do not have the full context of a profile edit included.

By introducing a hidden input field in the form areas which need a "yes or no" type response, indicated by checkboxes, we can ensure that these are not unintentionally cleared or set from profile modifications made without the options even being presented to the user.

Props zoonini.
Fixes #6509.

File:

• sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-blocks.php (modified) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-blocks.php

@@ -160 +160 @@
         printf(
             '<p>
+                <input type="hidden" name="can_update_block_editor_preference" value="true">
                 <input name="block_editor" id="block_editor" type="checkbox" value="disabled" %s />
                 <label for="block_editor">%s</label>
@@ -175 +176 @@
      */
     public function bbp_profile_update( $user_id ) {
+        // Catch profile updates that should not be able to include the "Disable Block Editor" preference, and return early.
+        if ( ! isset( $_REQUEST['can_update_block_editor_preference'] ) ) {
+            return;
+        }
+
         $disabled = ! empty( $_REQUEST['block_editor'] ) && 'disabled' === $_REQUEST['block_editor'];