Bump to 2.0.0:

* Additional protection around editing of users
* Rename `functions.php` to `common.php`
* Use `'edit'` filter on user object
* Rearrange some functions to more adequate file locations.

readme.txt

@@ -3,7 +3,7 @@ Contributors: johnjamesjacoby, stuttter
 Tags: users, user, profile, edit, metabox
 Requires at least: 4.4
 Tested up to: 4.8
-Stable tag: 1.2.0
+Stable tag: 2.0.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9Q4F4EL5YJ62J
@@ -62,6 +62,11 @@ http://github.com/stuttter/wp-user-profiles
 
 == Changelog ==
 
+= [2.0.0]- 2017-05-18 =
+* Use 'edit' filter on user data
+* Additional capability checks when editing
+* First pass support for "Other" section
+
 = [1.2.0]- 2017-01-26 =
 * Use WordPress.org for translations
 

wp-user-profiles.php

@@ -8,7 +8,7 @@
  * License:     GPLv2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
  * Description: A sophisticated way to edit users in WordPress
- * Version:     1.2.0
+ * Version:     2.0.0
  * Text Domain: wp-user-profiles
  */
 
@@ -55,7 +55,7 @@ function _wp_user_profiles() {
 	require_once $plugin_path . 'includes/admin.php';
 	require_once $plugin_path . 'includes/capabilities.php';
 	require_once $plugin_path . 'includes/dependencies.php';
-	require_once $plugin_path . 'includes/functions.php';
+	require_once $plugin_path . 'includes/common.php';
 	require_once $plugin_path . 'includes/help.php';
 	require_once $plugin_path . 'includes/metaboxes.php';
 	require_once $plugin_path . 'includes/screen-options.php';

wp-user-profiles/includes/admin.php

@@ -261,13 +261,8 @@ function wp_user_profiles_user_admin() {
 	// Reset a bunch of global values
 	wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) );
 
-	// Get the user ID
-	$user_id = ! empty( $_GET['user_id'] )
-		? (int) $_GET['user_id']
-		: get_current_user_id();
-
-	// Get user
-	$user = get_user_to_edit( $user_id );
+	// Get user to edit
+	$user = wp_user_profiles_get_user_to_edit();
 
 	/**
 	 * Backwards compatibility for JIT metaboxes

wp-user-profiles/includes/capabilities.php

@@ -59,6 +59,46 @@ function wp_user_profiles_map_meta_cap( $caps = array(), $cap = '', $user_id = 0
 	return $caps;
 }
 
+/**
+ * Check that the current user can actually edit the user being requested
+ *
+ * @since 2.0.0
+ *
+ * @param int $user_id
+ *
+ * @return void Will wp_die() with traditional WordPress messaging on failure
+ */
+function wp_user_profiles_current_user_can_edit( $user_id = 0 ) {
+
+	// Bail if user does not exist
+	$user = get_userdata( $user_id );
+	if ( empty( $user ) ) {
+		wp_die( esc_html__( 'Invalid user ID.', 'wp-user-profiles' ) );
+	}
+
+	// Can the current user edit the requested user ID?
+	if (
+
+		// Allow administrators on Multisite to edit every user?
+		(
+			is_multisite()
+				&& ! current_user_can( 'manage_network_users' )
+				&& ( $user->ID !== get_current_user_id() )
+				&& ! apply_filters( 'enable_edit_any_user_configuration', true )
+		)
+
+		// OR
+		||
+
+		// Explicitly check the current user against the requested one
+		(
+			! current_user_can( 'edit_user', $user->ID )
+		)
+	) {
+		wp_die( esc_html__( 'Sorry, you are not allowed to edit this user.', 'wp-user-profiles' ) );
+	}
+}
+
 /**
  * Prevent access to `profile.php`
  *

wp-user-profiles/includes/functions.php → wp-user-profiles/includes/common.php

@@ -248,6 +248,39 @@ function wp_user_profiles_get_admin_area_url( $user_id = 0, $scheme = '', $args
 	return apply_filters( 'wp_user_profiles_get_admin_area_url', $url, $user_id, $scheme, $args );
 }
 
+/**
+ * Get the data of the user being edit
+ *
+ * @since 2.0.0
+ *
+ * @param int $user_id ID of user to get for editing
+ *
+ * @return WP_User
+ */
+function wp_user_profiles_get_user_to_edit( $user_id = 0 ) {
+
+	// Get the user ID being edited
+	if ( empty( $user_id ) ) {
+		$user_id = ! empty( $_GET['user_id'] )
+			? $_GET['user_id']
+			: get_current_user_id();
+	}
+
+	// Cast to INT because we can't be sure where this came from
+	$user_id = (int) $user_id;
+
+	// Get the user to edit
+	$user = get_userdata( $user_id );
+
+	// Set user filter to 'edit'
+	if ( ! empty( $user ) ) {
+		$user->filter = 'edit';
+	}
+
+	// Return the user to edit
+	return $user;
+}
+
 /**
  * Save the user when they click "Update"
  *
@@ -298,7 +331,7 @@ function wp_user_profiles_save_user() {
 		: do_action( 'edit_user_profile_update', $user_id );
 
 	// Get the userdata to compare it to
-	$user = get_userdata( $user_id );
+	$user = wp_user_profiles_get_user_to_edit( $user_id, false );
 
 	// Do actions & return errors
 	$status = apply_filters( 'wp_user_profiles_save', $user );

wp-user-profiles/includes/metaboxes.php

@@ -16,18 +16,13 @@
  */
 function wp_user_profiles_add_meta_boxes() {
 
-	// Get the user ID being edited
-	$user_id = ! empty( $_GET['user_id'] )
-		? (int) $_GET['user_id']
-		: get_current_user_id();
-
-	// Get the user being edited & bail if user does not exist
-	$user = get_userdata( $user_id );
-	if ( empty( $user ) ) {
-		wp_die( esc_html__( 'Invalid user ID.', 'wp-user-profiles' ) );
-	}
-
-	// Adjust the hoox for user/network dashboards and pass into the action
+	// Try to get the user being edited
+	$user = wp_user_profiles_get_user_to_edit();
+
+	// Maybe die if user cannot be edited
+	wp_user_profiles_current_user_can_edit( $user->ID );
+
+	// Adjust the hook for user/network dashboards and pass into the action
 	$hook = $GLOBALS['page_hook'];
 	wp_user_profiles_walk_section_hooknames( $hook );