ansonphong / postworld

WordPress Theme Development Framework
GNU General Public License v2.0

set_*() PHP Methods - Security #4

Closed ansonphong closed 11 years ago

ansonphong commented 11 years ago

For all the `set_*()` PHP methods, I discovered a security hole whereby users could set the values of other users if they know their `user_id`. As a result, let's remove `user_id` from the input parameters, and instead check which user is currently calling the set function, and apply it to that user ID.

This is how to get the ID of the current user:

```php
$current_user    = wp_get_current_user();
$current_user_ID = $current_user->ID;
```

This applies to the following functions: `set_points()`, `set_favorites()`, `set_viewed()`
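The before/after shape of the fix described in the comment above, as an added example that is not postworld's own code. It assumes WordPress is loaded (so `wp_get_current_user()`, `get_user_meta()`, `update_user_meta()`, `WP_Error` and the AJAX helpers exist); the function names, the `pw_points` meta key, the stored data shape and the AJAX wiring are all assumptions for illustration, not the project's actual implementation:

```php
<?php
// Added example, not postworld's code. Assumes WordPress is loaded.
// Function names, the 'pw_points' meta key and the data shape are assumptions.

// BEFORE: the caller supplies user_id, so any logged-in user who knows (or simply
// guesses, since IDs are small sequential integers) another user's ID can overwrite
// that user's data. This is the hole described in the issue.
function pw_set_points_vulnerable( $user_id, $post_id, $points ) {
    $all = get_user_meta( $user_id, 'pw_points', true );
    if ( ! is_array( $all ) ) {
        $all = array();
    }
    $all[ (int) $post_id ] = (int) $points;
    return update_user_meta( $user_id, 'pw_points', $all );
}

// AFTER: user_id is no longer a parameter. The target account is always the one
// attached to the current request, so the caller cannot choose someone else.
function pw_set_points( $post_id, $points ) {
    $current_user = wp_get_current_user();
    $user_id      = (int) $current_user->ID;

    // wp_get_current_user() returns a WP_User with ID 0 for an anonymous visitor.
    // Without this check the fix would silently write meta for "user 0".
    if ( 0 === $user_id ) {
        return new WP_Error( 'not_logged_in', 'You must be logged in to set points.' );
    }

    $post_id = (int) $post_id;
    $points  = (int) $points;
    if ( $post_id <= 0 ) {
        return new WP_Error( 'bad_post', 'Invalid post ID.' );
    }

    $all = get_user_meta( $user_id, 'pw_points', true );
    if ( ! is_array( $all ) ) {
        $all = array();
    }
    $all[ $post_id ] = $points;
    return update_user_meta( $user_id, 'pw_points', $all );
}

// If the setters are reached through admin-ajax.php (an assumption; the issue does
// not say how they are invoked), the handler should also verify a nonce so that a
// logged-in user cannot be made to call them from another site (CSRF).
function pw_ajax_set_points() {
    check_ajax_referer( 'pw_set_points', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? $_POST['post_id'] : 0;
    $points  = isset( $_POST['points'] ) ? $_POST['points'] : 0;

    $result = pw_set_points( $post_id, $points );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_pw_set_points', 'pw_ajax_set_points' );
```

Two points worth checking when applying the same pattern to `set_favorites()` and `set_viewed()`: the ID-0 case matters because `wp_get_current_user()` never fails, it just returns an empty user, so dropping the `user_id` parameter alone does not stop anonymous writes; and the same reasoning applies to any read-side `get_*()` counterpart that still accepts a `user_id`, which should be reviewed for the same exposure.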

hmikhail commented 11 years ago

Done in commit: 27bbeb248984f937ef0ed336ce7f1f9b4ab2e5a3