Merge pull request #1744 from strangerstudios/dev

Release 2.6.1

CHANGELOG.txt

@@ -1,6 +1,18 @@
 == Changelog ==
+= 2.6.1 - 2021-08-24 =
+* SECURITY: Added capability checks to further tighten security around email template settings. (@ideadude, @sc0ttkclark)
+* SECURITY: Added a pmpro_kses function and using that to sanitize email template bodies and all email bodies before sending. (@ideadude, @sc0ttkclark)
+* ENHANCEMENT: Added Email Templates link to PMPro Dashboard for getting started. #1722 (@kimcoleman)
+* ENHANCEMENT: All actions in the admin list tables are now filterable for Discount Codes (`pmpro_discountcodes_row_actions`), Membership Levels (`pmpro_membershiplevels_row_actions`), and Orders (`pmpro_orders_user_row_actions`). #1686 (@sc0ttkclark, @mircobabini)
+* BUG FIX: Ensure our admin scripts/styles only load on PMPro admin pages. #1724 (@sc0ttkclark)
+* BUG FIX: Remove unused code in `pmpro_comments_filter()` that was triggering a PHP warning. #1730 (@freax)
+* BUG FIX: Stop turning on autoloading for PMPro options when saving them. #1719 (@freax)
+* BUG FIX: Prevent fatal error for PHP 8 in `pmpro_email_templates_email_data()` to strictly check for `WP_User` objects. #1729 (@ZebulanStanphill)
+* BUG FIX: Fix problem where `pmpro_round_price()` would not take into account currencies with decimals set to 0. #1732 (@dparker1005, @ipokkel, @sc0ttkclark)
+* BUG FIX: Clarify that Stripe Legacy keys remain connected and will continue to work. #1735 (@dparker1005, @sc0ttkclark)
+
 = 2.6 - 2021-08-12 =
-* FEATURE: Updated Stripe integration to use Stripe Connect.
+* FEATURE: Updated Stripe integration to use Stripe Connect. See [Gateway Fees](https://www.paidmembershipspro.com/gateway/stripe/#tab-fees) for information about transaction fees for Stripe Connect and our platform fee for those without an active Plus/Unlimited license.
 * FEATURE: Improved REST API endpoints to support Zapier integration natively.
 * FEATURE: You can now set levels to expire after a certain number of hours, and can set users to expire at a specific time down to the minute.
 * FEATURE: The Member History Add On has been merged into the core PMPro plugin. A table of the user's membership and order history is shown on the edit user page of the admin dashboard.

adminpages/dashboard.php

@@ -143,6 +143,10 @@ function pmpro_dashboard_welcome_callback() { ?>
     				<li><a href="<?php echo admin_url( 'admin.php?page=pmpro-emailsettings' );?>"><i class="dashicons dashicons-email"></i> <?php echo esc_attr_e( 'Confirm Email Settings', 'paid-memberships-pro' );?></a></li>
     			<?php } ?>
 
+				<?php if ( current_user_can( 'pmpro_emailtemplates' ) ) { ?>
+					<li><a href="<?php echo admin_url( 'admin.php?page=pmpro-emailtemplates' );?>"><i class="dashicons dashicons-editor-spellcheck"></i> <?php echo esc_attr_e( 'Customize Email Templates', 'paid-memberships-pro' );?></a></li>
+				<?php } ?>
+
     			<?php if ( current_user_can( 'pmpro_advancedsettings' ) ) { ?>
     				<li><a href="<?php echo admin_url( 'admin.php?page=pmpro-advancedsettings' );?>"><i class="dashicons dashicons-admin-settings"></i> <?php echo esc_attr_e( 'View Advanced Settings', 'paid-memberships-pro' ); ?></a></li>
     			<?php } ?>

adminpages/discountcodes.php

@@ -353,10 +353,10 @@
 			$pmpro_msgt = "error";
 		}
 	}
-	
+
 	if( ! empty( $pmpro_msg ) && ! empty( $expiration_warning_flag ) ) {
 		$pmpro_msg .= ' <strong>' . sprintf( __( 'WARNING: A level was set with both a recurring billing amount and an expiration date. You only need to set one of these unless you really want this membership to expire after a specific time period. For more information, <a target="_blank" href="%s">see our post here</a>.', 'paid-memberships-pro' ), 'https://www.paidmembershipspro.com/important-notes-on-recurring-billing-and-expiration-dates-for-membership-levels/?utm_source=plugin&utm_medium=pmpro-discountcodes&utm_campaign=blog&utm_content=important-notes-on-recurring-billing-and-expiration-dates-for-membership-levels' ) . '</strong>';
-		
+
 		if( $pmpro_msgt == 'success' ) {
 			$pmpro_msgt = 'warning';
 		}
@@ -415,7 +415,7 @@
 						$copy ),
 						OBJECT
 					);
-					
+
 					$temp_code = $code;
 				}
 
@@ -427,7 +427,7 @@
 				{
 					$code = new stdClass();
 					$code->code = pmpro_getDiscountCode();
-					
+
 					if( ! empty( $copy ) && $copy > 0 ) {
 						$code->starts = $temp_code->starts;
 						$code->expires = $temp_code->expires;
@@ -795,7 +795,7 @@
 						<td colspan="6">
 							<?php echo esc_attr_e( 'Code not found.', 'paid-memberships-pro' ); ?>
 						</td>
-					</tr> 
+					</tr>
 					<?php } ?>
 					<?php
 						foreach($codes as $code) {
@@ -806,20 +806,107 @@
 							<td class="has-row-actions">
 								<a title="<?php echo sprintf( __( 'Edit Code: %s', 'paid-memberships-pro' ), $code->code ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-discountcodes', 'edit' => $code->id ), admin_url('admin.php' ) ); ?>"><?php echo $code->code?></a>
 								<div class="row-actions">
-									<span class="edit">
-										<a title="<?php _e( 'Edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-discountcodes', 'edit' => $code->id ), admin_url('admin.php' ) ); ?>"><?php _e( 'Edit', 'paid-memberships-pro' ); ?></a>
-									</span> |
-									<span class="copy">
-										<a title="<?php _e( 'Copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-discountcodes', 'edit' => -1, 'copy' => $code->id ), admin_url('admin.php' ) ); ?>"><?php _e( 'Copy', 'paid-memberships-pro' ); ?></a>
-									</span> |
-									<span class="delete">
-										<a title="<?php _e( 'Delete', 'paid-memberships-pro' ); ?>" href="javascript:pmpro_askfirst('<?php echo str_replace("'", "\'", sprintf(__('Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ), $code->code));?>', '<?php echo wp_nonce_url(add_query_arg( array( 'page' => 'pmpro-discountcodes', 'delete' => $code->id), admin_url( 'admin.php' ) ), 'delete', 'pmpro_discountcodes_nonce'); ?>'); void(0);"><?php _e('Delete', 'paid-memberships-pro' ); ?></a>
-									</span>
-									<?php if ( (int)$uses > 0 ) { ?>
-										| <span class="orders">
-											<a title="<?php _e(' View Orders', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-orders', 'discount-code' => $code->id, 'filter' => 'with-discount-code' ), admin_url('admin.php' ) ); ?>"><?php _e( 'Orders', 'paid-memberships-pro' ); ?></a>
-										</span>
-									<?php } ?>
+									<?php
+									$delete_text = esc_html(
+										sprintf(
+											// translators: %s is the Discount Code.
+											__( 'Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ),
+											$code->code
+										)
+									);
+
+									$delete_nonce_url = wp_nonce_url(
+										add_query_arg(
+											[
+												'page'   => 'pmpro-discountcodes',
+												'delete' => $code->id,
+											],
+											admin_url( 'admin.php' )
+										),
+										'delete',
+										'pmpro_discountcodes_nonce'
+									);
+
+									$actions = [
+										'edit'   => sprintf(
+											'<a title="%1$s" href="%2$s">%3$s</a>',
+											esc_attr__( 'Edit', 'paid-memberships-pro' ),
+											esc_url(
+												add_query_arg(
+													[
+														'page' => 'pmpro-discountcodes',
+														'edit' => $code->id,
+													],
+													admin_url( 'admin.php' )
+												)
+											),
+											esc_html__( 'Edit', 'paid-memberships-pro' )
+										),
+										'copy'   => sprintf(
+											'<a title="%1$s" href="%2$s">%3$s</a>',
+											esc_attr__( 'Copy', 'paid-memberships-pro' ),
+											esc_url(
+												add_query_arg(
+													[
+														'page' => 'pmpro-discountcodes',
+														'edit' => - 1,
+														'copy' => $code->id,
+													],
+													admin_url( 'admin.php' )
+												)
+											),
+											esc_html__( 'Copy', 'paid-memberships-pro' )
+										),
+										'delete' => sprintf(
+											'<a title="%1$s" href="%2$s">%3$s</a>',
+											esc_attr__( 'Delete', 'paid-memberships-pro' ),
+											'javascript:pmpro_askfirst(\'' . esc_js( $delete_text ) . '\', \'' . esc_js( $delete_nonce_url ) . '\'); void(0);',
+											esc_html__( 'Delete', 'paid-memberships-pro' )
+										),
+									];
+
+									if ( 0 < (int) $uses ) {
+										$actions['orders'] = sprintf(
+											'<a title="%1$s" href="%2$s">%3$s</a>',
+											esc_attr__( 'View Orders', 'paid-memberships-pro' ),
+											esc_url(
+												add_query_arg(
+													[
+														'page'          => 'pmpro-orders',
+														'discount-code' => $code->id,
+														'filter'        => 'with-discount-code',
+													],
+													admin_url( 'admin.php' )
+												)
+											),
+											esc_html__( 'Orders', 'paid-memberships-pro' )
+										);
+									}
+
+									/**
+									 * Filter the extra actions for this discount code.
+									 *
+									 * @since TBD
+									 *
+									 * @param array  $actions The list of actions.
+									 * @param object $code    The discount code data.
+									 */
+									$actions = apply_filters( 'pmpro_discountcodes_row_actions', $actions, $code );
+
+									$actions_html = [];
+
+									foreach ( $actions as $action => $link ) {
+										$actions_html[] = sprintf(
+											'<span class="%1$s">%2$s</span>',
+											esc_attr( $action ),
+											$link
+										);
+									}
+
+									if ( ! empty( $actions_html ) ) {
+										echo implode( ' | ', $actions_html );
+									}
+									?>
 								</div>
 							</td>
 							<td>

adminpages/membershiplevels.php

@@ -830,9 +830,90 @@ function update_level_order(event, ui) {
 				<td class="level_name has-row-actions">
 					<span class="level-name"><a href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url( 'admin.php' ) ); ?>"><?php esc_attr_e( $level->name ); ?></a></span>
 					<div class="row-actions">
-						<span class="edit"><a title="<?php _e('Edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url('admin.php' ) ); ?>"><?php _e('Edit', 'paid-memberships-pro' ); ?></a></span> |
-						<span class="copy"><a title="<?php _e('Copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => -1, 'copy' => $level->id ), admin_url( 'admin.php' ) ); ?>"><?php _e('Copy', 'paid-memberships-pro' ); ?></a></span> |
-						<span class="delete"><a title="<?php _e('Delete', 'paid-memberships-pro' ); ?>" href="javascript:pmpro_askfirst('<?php echo str_replace("'", "\'", sprintf(__("Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name));?>', '<?php echo wp_nonce_url(add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'action' => 'delete_membership_level', 'deleteid' => $level->id ), admin_url( 'admin.php' ) ), 'delete_membership_level', 'pmpro_membershiplevels_nonce'); ?>'); void(0);"><?php _e('Delete', 'paid-memberships-pro' ); ?></a></span>
+						<?php
+						$delete_text = esc_html(
+							sprintf(
+								// translators: %s is the Level Name.
+								__( 'Are you sure you want to delete membership level %s? All subscriptions will be cancelled.', 'paid-memberships-pro' ),
+								$level->name
+							)
+						);
+
+						$delete_nonce_url = wp_nonce_url(
+							add_query_arg(
+								[
+									'page'   => 'pmpro-membershiplevels',
+									'action' => 'delete_membership_level',
+									'deleteid' => $level->id,
+								],
+								admin_url( 'admin.php' )
+							),
+							'delete_membership_level',
+							'pmpro_membershiplevels_nonce'
+						);
+
+						$actions = [
+							'edit'   => sprintf(
+								'<a title="%1$s" href="%2$s">%3$s</a>',
+								esc_attr__( 'Edit', 'paid-memberships-pro' ),
+								esc_url(
+									add_query_arg(
+										[
+											'page' => 'pmpro-membershiplevels',
+											'edit' => $level->id,
+										],
+										admin_url( 'admin.php' )
+									)
+								),
+								esc_html__( 'Edit', 'paid-memberships-pro' )
+							),
+							'copy'   => sprintf(
+								'<a title="%1$s" href="%2$s">%3$s</a>',
+								esc_attr__( 'Copy', 'paid-memberships-pro' ),
+								esc_url(
+									add_query_arg(
+										[
+											'page' => 'pmpro-membershiplevels',
+											'edit' => - 1,
+											'copy' => $level->id,
+										],
+										admin_url( 'admin.php' )
+									)
+								),
+								esc_html__( 'Copy', 'paid-memberships-pro' )
+							),
+							'delete' => sprintf(
+								'<a title="%1$s" href="%2$s">%3$s</a>',
+								esc_attr__( 'Delete', 'paid-memberships-pro' ),
+								'javascript:pmpro_askfirst(\'' . esc_js( $delete_text ) . '\', \'' . esc_js( $delete_nonce_url ) . '\'); void(0);',
+								esc_html__( 'Delete', 'paid-memberships-pro' )
+							),
+						];
+
+						/**
+						 * Filter the extra actions for this level.
+						 *
+						 * @since TBD
+						 *
+						 * @param array  $actions The list of actions.
+						 * @param object $level   The membership level data.
+						 */
+						$actions = apply_filters( 'pmpro_membershiplevels_row_actions', $actions, $level );
+
+						$actions_html = [];
+
+						foreach ( $actions as $action => $link ) {
+							$actions_html[] = sprintf(
+								'<span class="%1$s">%2$s</span>',
+								esc_attr( $action ),
+								$link
+							);
+						}
+
+						if ( ! empty( $actions_html ) ) {
+							echo implode( ' | ', $actions_html );
+						}
+						?>
 					</div>
 				</td>
 				<td>