Merge branch 'release/1.64.1'

base/base.php

@@ -381,13 +381,25 @@ function_exists( 'wp_lazy_loading_enabled' ) &&
  * The ajax handler for the links field using the the post: ID format without a title set.
  */
 function siteorigin_widgets_links_get_title() {
-	if ( empty( $_REQUEST['_widgets_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_widgets_nonce'], 'widgets_action' ) ) {
+	if (
+		empty( $_REQUEST['_widgets_nonce'] ) ||
+		! wp_verify_nonce( $_REQUEST['_widgets_nonce'], 'widgets_action' )
+	) {
 		wp_die( __( 'Invalid request.', 'so-widgets-bundle' ), 403 );
 	}
 
-	if ( empty( $_GET['postId'] ) || ! is_numeric( $_GET['postId'] ) ) {
+	if (
+		empty( $_GET['postId'] ) ||
+		! is_numeric( $_GET['postId'] )
+	) {
 		wp_die( __( 'Invalid request.', 'so-widgets-bundle' ), 400 );
 	}
+
+	// Don't allow users to link to posts they can't view.
+	if ( ! current_user_can( 'read_post', $_GET['postId'] ) ) {
+		wp_die( __( 'Invalid request.', 'so-widgets-bundle' ), 403 );
+	}
+
 	$postTitle = get_the_title( $_GET['postId'] );
 	echo ! empty( $postTitle ) ? esc_attr( $postTitle ) : esc_html__( '(No Title)', 'so-widgets-bundle' );
 	die();

base/css/admin.less

@@ -811,6 +811,19 @@ div.siteorigin-widget-form {
 				width: 120px;
 				text-align: center;
 			}
+
+			.content-no-results {
+				align-items: center;
+				background: #fff;
+				border: 1px solid #e4e4e4;
+				height: 40px;
+				margin: 0;
+				padding-inline: 10px;
+
+				&:not(.hidden) {
+					display: flex;
+				}
+			}
 		}
 
 		&.siteorigin-widget-field-type-link {

base/inc/actions.php

@@ -69,6 +69,26 @@ function siteorigin_widget_preview_widget_action() {
 }
 add_action( 'wp_ajax_so_widgets_preview', 'siteorigin_widget_preview_widget_action' );
 
+/**
+ * Check if the current user can edit posts of a specific post type.
+ *
+ * This function checks if the current user has the capability to edit posts
+ * of the specified post type. It retrieves the post type object if necessary
+ * and then checks the user's capabilities.
+ *
+ * @param string|object $post_type The post type name or object.
+ *
+ * @return bool True if the user can edit posts of the specified post type,
+ * false otherwise.
+ */
+function siteorigin_widget_user_can_edit_post_type( $post_type ) {
+	if ( ! is_object( $post_type ) ) {
+		$post_type = get_post_type_object( $post_type );
+	}
+
+	return $post_type && current_user_can( $post_type->cap->edit_posts );
+}
+
 /**
  * Action to handle searching posts
  */
@@ -78,31 +98,40 @@ function siteorigin_widget_action_search_posts() {
 	}
 
 	global $wpdb;
-	$query = null;
-	$wpml_query = null;
+	$query = '';
+	$wpml_query = '';
 
 	// Get all public post types, besides attachments
 	$post_types = (array) get_post_types( array(
 		'public' => true,
 	) );
 
 	if ( ! empty( $_REQUEST['postTypes'] ) ) {
-		$post_types = array_intersect( explode( ',', $_REQUEST['postTypes'] ), $post_types );
+		$post_types = array_intersect( explode( ',', sanitize_text_field( $_REQUEST['postTypes'] ) ), $post_types );
 	} else {
 		unset( $post_types['attachment'] );
 	}
 
 	// If WPML is installed, only include posts from the currently active language.
 	if ( defined( 'ICL_LANGUAGE_CODE' ) && ! empty( $_REQUEST['language'] ) ) {
-		$query .= " AND {$wpdb->prefix}icl_translations.language_code = '" . esc_sql( $_REQUEST['language'] ) . "' ";
+		$query .= $wpdb->prepare(" AND {$wpdb->prefix}icl_translations.language_code = %s ", sanitize_text_field( $_REQUEST['language'] ));
 		$wpml_query .= " INNER JOIN {$wpdb->prefix}icl_translations ON ($wpdb->posts.ID = {$wpdb->prefix}icl_translations.element_id) ";
 	}
 
 	if ( ! empty( $_GET['query'] ) ) {
-		$query .= "AND post_title LIKE '%" . esc_sql( $_GET['query'] ) . "%'";
+		$search_query = '%' . $wpdb->esc_like( sanitize_text_field( $_GET['query'] ) ) . '%';
+		$query .= $wpdb->prepare( " AND post_title LIKE %s ", $search_query );
 	}
 
 	$post_types = apply_filters( 'siteorigin_widgets_search_posts_post_types', $post_types );
+
+	// Ensure the user can edit this post type.
+	foreach ( $post_types as $key => $post_type ) {
+		if ( ! siteorigin_widget_user_can_edit_post_type( $post_type ) ) {
+			unset( $post_types[ $key ] );
+		}
+
+	}
 	$post_types = "'" . implode( "', '", array_map( 'esc_sql', $post_types ) ) . "'";
 
 	$ordered_by = esc_sql( apply_filters( 'siteorigin_widgets_search_posts_order_by', 'post_modified DESC' ) );
@@ -117,10 +146,55 @@ function siteorigin_widget_action_search_posts() {
 		LIMIT 20
 	", ARRAY_A );
 
+	// Filter results to ensure the user can read the post.
+	$results = array_filter( $results, function( $post ) {
+
+		return current_user_can( 'read_post', $post['value'] );
+	} );
+
 	wp_send_json( apply_filters( 'siteorigin_widgets_search_posts_results', $results ) );
 }
 add_action( 'wp_ajax_so_widgets_search_posts', 'siteorigin_widget_action_search_posts' );
 
+$siteorigin_widget_taxonomies = array();
+/**
+ * Get the capability required for a taxonomy term.
+ *
+ * Determines the lowest available capability needed for the specified taxonomy
+ * type. Caches the result in the $siteorigin_widget_taxonomies global array.
+ *
+ * @param string $type The taxonomy type to get the capability for.
+ *
+ * @return string|false The capability required for the taxonomy term, or false if not available.
+ */
+function siteorigin_widget_get_taxonomy_capability( $type ) {
+	global $siteorigin_widget_taxonomies;
+
+	if ( ! empty( $siteorigin_widget_taxonomies[ $type ] ) ) {
+		return $siteorigin_widget_taxonomies[ $type ];
+	}
+
+	// Let's identify the post type for this taxonomy.
+	$taxonomy = get_taxonomy( $type );
+
+	if (
+		empty( $taxonomy ) ||
+		! is_object(  $taxonomy->cap )
+	) {
+		return false;
+	}
+
+	// Get the lowest capability possible.
+	$capability = $taxonomy->cap->assign_terms
+	?? $taxonomy->cap->edit_terms
+	?? $taxonomy->cap->manage_terms
+	?? false;
+
+	$siteorigin_widget_taxonomies[ $type ] = $capability;
+
+	return $siteorigin_widget_taxonomies[ $type ];
+}
+
 /**
  * Action to handle searching taxonomy terms.
  */
@@ -130,7 +204,7 @@ function siteorigin_widget_action_search_terms() {
 	}
 
 	global $wpdb;
-	$term = ! empty( $_GET['term'] ) ? stripslashes( $_GET['term'] ) : '';
+	$term = ! empty( $_GET['term'] ) ? sanitize_text_field( stripslashes( $_GET['term'] ) ) : '';
 	$term = trim( $term, '%' );
 
 	$query = $wpdb->prepare( "
@@ -140,16 +214,25 @@ function siteorigin_widget_action_search_terms() {
 		WHERE
 			terms.name LIKE '%s'
 		LIMIT 20
-	", '%' . esc_sql( $term ) . '%' );
+	", '%' . $wpdb->esc_like( $term ) . '%' );
 
 	$results = array();
 
-	foreach ( $wpdb->get_results( $query ) as $result ) {
-		$results[] = array(
-			'value' => $result->type . ':' . $result->value,
-			'label' => $result->label,
-			'type' => $result->type,
-		);
+	$query_results = $wpdb->get_results( $query );
+	if ( empty( $query_results ) ) {
+		return array();
+	}
+
+	foreach ( $query_results as $result ) {
+		if ( current_user_can(
+			siteorigin_widget_get_taxonomy_capability( $result->type )
+		) ) {
+			$results[] = array(
+				'value' => $result->type . ':' . $result->value,
+				'label' => $result->label,
+				'type' => $result->type,
+			);
+		}
 	}
 
 	wp_send_json( $results );

base/inc/fields/js/autocomplete-field.js

@@ -28,17 +28,19 @@
 			} );
 		};
 
-		var request = null;
-		var refreshList = function() {
+		const $itemList = $$.find( 'ul.items' );
+		const $noResults = $$.find( '.content-no-results' );
+		let request = null;
+		const refreshList = () => {
 			if ( request !== null ) {
 				request.abort();
 			}
 
-			var $contentSearchInput = $$.find( '.content-text-search' );
-			var query = $contentSearchInput.val();
-			var source = $contentSearchInput.data( 'source' );
-			var postTypes = $contentSearchInput.data( 'postTypes' );
-			var ajaxData = { action: 'so_widgets_search_' + source };
+			const $contentSearchInput = $$.find( '.content-text-search' );
+			const query = $contentSearchInput.val();
+			const source = $contentSearchInput.data( 'source' );
+			const postTypes = $contentSearchInput.data( 'postTypes' );
+			const ajaxData = { action: 'so_widgets_search_' + source };
 			if ( source === 'posts' ) {
 				ajaxData.query = query;
 				ajaxData.postTypes = postTypes;
@@ -51,31 +53,47 @@
 				ajaxData.language = icl_this_lang;
 			}
 
-			var $ul = $$.find( 'ul.items' ).empty().addClass( 'loading' );
+			// Visually prep the field.
+			$noResults.addClass( 'hidden' );
+			$itemList.empty();
+			$itemList.removeClass( 'hidden' )
+			$itemList.addClass( 'loading' );
+
 			return $.get(
 				soWidgets.ajaxurl,
 				ajaxData,
-				function( results ) {
-					results.forEach( function( item ) {
+				( results ) => {
+					// If there aren't any results, show a message.
+					if ( results.length === 0 ) {
+						$noResults.removeClass( 'hidden' );
+						$itemList.addClass( 'hidden' );
+						$itemList.removeClass( 'loading' );
+						return;
+					}
+
+
+					results.forEach( ( item ) => {
 						if ( item.label === '' ) {
 							item.label = ' ';
 						}
 						// Add all the items.
-						$ul.append(
+						$itemList.append(
 							$( '<li>' )
 								.html( item.label + '<span>(' + item.type + ')</span>' )
 								.data( item )
 						);
 					} );
-					$ul.removeClass( 'loading' );
+					$itemList.removeClass( 'loading' );
 				}
 			);
 		};
 
-		$$.find( '.siteorigin-widget-autocomplete-input' ).on( 'click', function() {
+		$$.find( '.siteorigin-widget-autocomplete-input' ).on( 'click', () => {
+			$noResults.addClass( 'hidden' );
+			$itemList.show();
 			$contentSelector.show();
 
-			var refreshPromise = new $.Deferred();
+			let refreshPromise = new $.Deferred();
 			if( $contentSelector.is( ':visible' ) && $contentSelector.find( 'ul.items li' ).length === 0 ) {
 				refreshPromise = refreshList();
 			} else {
@@ -120,7 +138,7 @@
 				} else {
 					selectedItems.push( clickedItem );
 					$li.addClass( 'selected' );
-				}				
+				}
 				$input.val( selectedItems.join( ',' ) );
 			} else {
 				$li.parent().find( '.selected' ).removeClass( 'selected' );

base/inc/fields/posts.class.php

@@ -30,7 +30,14 @@ public function __construct( $base_name, $element_id, $element_name, $field_opti
 		}
 
 		foreach ( $types as $id => $type ) {
-			if ( empty( $this->post_types ) || in_array( $id, $this->post_types ) ) {
+			if ( ! siteorigin_widget_user_can_edit_post_type( $id ) ) {
+				continue;
+			}
+
+			if (
+				empty( $this->post_types ) ||
+				in_array( $id, $this->post_types )
+			) {
 				$type_options[ $id ] = $type->labels->name;
 			}
 		}
@@ -167,7 +174,7 @@ protected function render_field_label( $value, $instance ) {
 
 			<?php if ( ! empty( $this->show_count ) ) { ?>
 				<span class="sow-current-count">
-					<?php echo esc_html( siteorigin_widget_post_selector_count_posts( $value ) ); ?>		
+					<?php echo esc_html( siteorigin_widget_post_selector_count_posts( $value ) ); ?>
 				</span>
 			<?php } ?>
 		</div>