Skip to content

3.9.6 security issue fixes #2336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shewa12 merged 1 commit into from
Jan 27, 2026
Merged

3.9.6 security issue fixes #2336

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion classes/Course_List.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@
array_push( $actions, $this->bulk_action_trash() );
}

if ( ! current_user_can( 'administrator' ) ) {

Check failure on line 105 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

Capabilities should be used instead of roles. Found "administrator" in function call to current_user_can()
$can_trash_post = tutor_utils()->get_option( 'instructor_can_delete_course' ) && current_user_can( 'edit_tutor_course' );
if ( ! $can_trash_post ) {
$actions = array_filter(
Expand Down Expand Up @@ -190,7 +190,7 @@
'url' => $url . '&data=trash',
),
);
if ( ! tutor_utils()->get_option( 'instructor_can_delete_course' ) && ! current_user_can( 'administrator' ) ) {

Check failure on line 193 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

Capabilities should be used instead of roles. Found "administrator" in function call to current_user_can()
unset( $tabs[7] );
}
return apply_filters( 'tutor_course_tabs', $tabs );
Expand Down Expand Up @@ -229,15 +229,15 @@
}

// Author query.
if ( 'mine' === $status || ! current_user_can( 'administrator' ) ) {

Check failure on line 232 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

Capabilities should be used instead of roles. Found "administrator" in function call to current_user_can()
$args['author'] = $user_id;
}

$date_filter = sanitize_text_field( $date );

$year = date( 'Y', strtotime( $date_filter ) );

Check failure on line 238 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
$month = date( 'm', strtotime( $date_filter ) );

Check failure on line 239 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
$day = date( 'd', strtotime( $date_filter ) );

Check failure on line 240 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.

// Add date query.
if ( '' !== $date_filter ) {
Expand Down Expand Up @@ -273,7 +273,6 @@
$the_query = self::course_list_query( $args, $user_id, $status );

return ! is_null( $the_query ) && isset( $the_query->found_posts ) ? $the_query->found_posts : $the_query;

}

/**
Expand All @@ -290,7 +289,9 @@
$bulk_ids = Input::post( 'bulk-ids', '' );

// Check if user is privileged.
if ( ! current_user_can( 'administrator' ) ) {

Check failure on line 292 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

Capabilities should be used instead of roles. Found "administrator" in function call to current_user_can()
$course_ids = explode( ',', $bulk_ids );

if ( current_user_can( 'edit_tutor_course' ) ) {
$can_publish_course = tutor_utils()->get_option( 'instructor_can_publish_course' );

Expand All @@ -300,6 +301,17 @@
} else {
wp_send_json_error( tutor_utils()->error_message() );
}

// Check if the course ids are instructors own course.
$course_ids = array_filter(
$course_ids,
function ( $course_id ) {
return tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
}
);

$bulk_ids = implode( ',', $course_ids );

}

if ( '' === $action || '' === $bulk_ids ) {
Expand Down Expand Up @@ -349,7 +361,7 @@
$course = get_post( $id );

// Check if user is privileged.
if ( ! current_user_can( 'administrator' ) ) {

Check failure on line 364 in classes/Course_List.php

View workflow job for this annotation

GitHub Actions / WPCS 

Capabilities should be used instead of roles. Found "administrator" in function call to current_user_can()

if ( ! tutor_utils()->can_user_edit_course( get_current_user_id(), $course->ID ) ) {
wp_send_json_error( tutor_utils()->error_message() );
Expand Down
2 changes: 2 additions & 0 deletions ecommerce/CouponController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -659,6 +659,8 @@ public function ajax_coupon_details() {
$this->json_response( tutor_utils()->error_message( 'nonce' ), null, HttpHelper::STATUS_BAD_REQUEST );
}

tutor_utils()->check_current_user_capability();

$coupon_id = Input::post( 'id' );

if ( empty( $coupon_id ) ) {
Expand Down
Loading