Merge pull request #7619 from Automattic/release/4.24.1

Release/4.24.1

changelog.txt

@@ -1,5 +1,16 @@
 *** Changelog ***
 
+## 4.24.1 - 2024-06-13
+### Security
+- Improve security for lessons and modules ordering
+
+### Fixed
+- Avoid creating a new translation if it exists already [#7609](https://github.com/Automattic/sensei/pull/7609)
+- Change some taxonomy capabilities to fix some behaviors [#7613](https://github.com/Automattic/sensei/pull/7613)
+- Contact teacher form not displaying correctly in Learning Mode [#7610](https://github.com/Automattic/sensei/pull/7610)
+- Register Sensei LMS custom post types without delay [#7607](https://github.com/Automattic/sensei/pull/7607)
+- Support "0" or other falsy values as an answer for a quiz question [#7614](https://github.com/Automattic/sensei/pull/7614)
+
 ## 4.24.0 - 2024-04-25
 ### Security
 - Prevent unauthenticated flushing of rewrite rules [#7596](https://github.com/Automattic/sensei/pull/7596)

includes/class-sensei-admin.php

@@ -1248,12 +1248,18 @@ public function save_course_order( $order_string = '' ) {
 	 */
 	public function handle_order_lessons() {
 		check_admin_referer( 'order_lessons' );
-		if ( ! current_user_can( 'edit_published_lessons' ) ) {
+
+		$course_id = isset( $_POST['course_id'] ) ? intval( $_POST['course_id'] ) : 0;
+
+		if (
+			! current_user_can( 'edit_published_lessons' )
+			|| ! Sensei_Course::can_current_user_edit_course( $course_id )
+		) {
 			wp_die( esc_html__( 'Insufficient permissions', 'sensei-lms' ) );
 		}
 
 		if (
-			empty( $_POST['course_id'] )
+			empty( $course_id )
 			|| empty( $_POST['lessons'] )
 		) {
 			_doing_it_wrong(
@@ -1273,8 +1279,7 @@ public function handle_order_lessons() {
 			];
 		}
 
-		$course_id = (int) $_POST['course_id'];
-		$ordered   = $this->sync_lesson_order(
+		$ordered = $this->sync_lesson_order(
 			$lessons_order,
 			$course_id
 		);

includes/class-sensei-modules.php

@@ -1261,7 +1261,7 @@ public function add_submenus() {
 			'', // Hide the submenu.
 			__( 'Order Modules', 'sensei-lms' ),
 			__( 'Order Modules', 'sensei-lms' ),
-			'edit_lessons',
+			'edit_courses',
 			$this->order_page_slug,
 			array( $this, 'module_order_screen' )
 		);
@@ -1275,18 +1275,27 @@ public function add_submenus() {
 	public function handle_order_modules() {
 		check_admin_referer( 'order_modules' );
 
+		$course_id    = isset( $_POST['course_id'] ) ? intval( $_POST['course_id'] ) : 0;
+		$module_order = isset( $_POST['module-order'] ) ? sanitize_text_field( wp_unslash( $_POST['module-order'] ) ) : '';
+
+		if (
+			! Sensei_Course::can_current_user_edit_course( $course_id )
+		) {
+			wp_die( esc_html__( 'Insufficient permissions', 'sensei-lms' ) );
+		}
+
 		$ordered = false;
-		if ( isset( $_POST['module-order'] ) && 0 < strlen( $_POST['module-order'] ) ) {
-			$ordered = $this->save_course_module_order( esc_attr( $_POST['module-order'] ), esc_attr( $_POST['course_id'] ) );
+		if ( 0 < strlen( $module_order ) ) {
+			$ordered = $this->save_course_module_order( esc_attr( $module_order ), $course_id );
 		}
 
-		wp_redirect(
+		wp_safe_redirect(
 			esc_url_raw(
 				add_query_arg(
 					array(
 						'page'      => $this->order_page_slug,
 						'ordered'   => $ordered,
-						'course_id' => $_POST['course_id'],
+						'course_id' => $course_id,
 					),
 					admin_url( 'admin.php' )
 				)