Headline
CVE-2023-0294: sidebar.php in mediamatic/trunk/inc – WordPress Plugin Repository
The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated attackers to change image categories used by the plugin, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1<?php23use Mediamatic\Helper;45class Mediamatic_Sidebar {67 public function __construct() 8 {9 add_filter( 'restrict_manage_posts’, array($this, ‘mediamaticRestrictManagePosts’));10 add_filter( 'posts_clauses’, array($this, ‘mediamaticPostsClauses’), 10, 2);11 12 add_action( 'admin_enqueue_scripts’, array($this, ‘mediamaticEnqueueStyles’ )); // load style files13 add_action( 'admin_enqueue_scripts’, array($this, ‘mediamaticEnqueueScripts’ )); // load js files14 15 add_action( ‘init’, array($this,’mediamaticAddFolderToAttachments’ )); // register MEDIAMATIC taxonomy16 add_action( ‘admin_footer-upload.php’, array($this,’mediamaticInitSidebar’)); // get interface17 18 add_action( ‘wp_ajax_mediamaticAjaxAddCategory’, array($this,’mediamaticAjaxAddCategory’)); // ajax: add new category19 add_action( ‘wp_ajax_mediamaticAjaxDeleteCategory’, array($this,’mediamaticAjaxDeleteCategory’)); // ajax: delete existing category20 add_action( ‘wp_ajax_mediamaticAjaxClearCategory’, array($this,’mediamaticAjaxClearCategory’)); // ajax: delete existing category21 add_action( ‘wp_ajax_mediamaticAjaxRenameCategory’, array($this,’mediamaticAjaxRenameCategory’)); // ajax: rename existing category22 23 add_action( ‘wp_ajax_mediamaticAjaxUpdateSidebarWidth’, array($this,’mediamaticAjaxUpdateSidebarWidth’)); // ajax: update sidebar width24 25 add_action( ‘wp_ajax_mediamaticAjaxMoveMultipleMedia’, array($this,’mediamaticAjaxMoveMultipleMedia’)); // ajax: move multiple media26 add_action( ‘wp_ajax_mediamaticAjaxGetTermsByMedia’, array($this,’mediamaticAjaxGetTermsByMedia’)); // ajax: get terms by media for single media27 add_action( ‘wp_ajax_mediamaticAjaxMoveSingleMedia’, array($this,’mediamaticAjaxMoveSingleMedia’)); // ajax: move singe media28 29 add_action( ‘wp_ajax_mediamaticAjaxCheckDeletingMedia’, array($this,’mediamaticAjaxCheckDeletingMedia’)); // ajax: check deleting media 30 31 add_action( ‘wp_ajax_mediamaticAjaxMoveCategory’, array($this,’mediamaticAjaxMoveCategory’)); // move category32 add_action( ‘wp_ajax_mediamaticAjaxUpdateFolderPosition’, array($this,’mediamaticAjaxUpdateFolderPosition’ )); // update folder position33 34 add_option( 'mediamatic_sidebar_width’, 280); // add option for sidebar width35 36 add_filter( 'pre-upload-ui’, array($this, ‘mediamaticPreUploadUserInterface’)); // upload uploader category to “Add new” 37 add_filter( 'wp_kses_allowed_html’, array($this, ‘mediamatic_allowed_html’), 10, 2 );38 39 40 if(MEDIAMATIC_PLUGIN_NAME != ‘Mediamatic’){41 add_action( 'admin_notices’, [$this, ‘pro_version_notice’] );42 }43 //Support Elementor44 if (defined(‘ELEMENTOR_VERSION’)) {45 add_action('elementor/editor/after_enqueue_scripts’, [$this, ‘mediamaticScripts’]);46 add_action('elementor/editor/after_enqueue_scripts’, [$this, ‘mediamaticStyles’]);47 }48 49 }50 51 public function mediamatic_allowed_html($allowed, $context){52 if (is_array($context))53 {54 return $allowed;55 }5657 if ($context === ‘post’)58 {59 $allowed[‘input’][‘type’] = true;60 $allowed[‘input’][‘name’] = true;61 $allowed[‘input’][‘id’] = true;62 $allowed[‘input’][‘class’] = true;63 $allowed[‘input’][‘value’] = true;64 $allowed[‘input’][‘placeholder’] = true;65 $allowed[‘input’][‘autocomplete’] = true;66 67 $allowed[‘select’][‘id’] = true;68 $allowed[‘select’][‘name’] = true;69 $allowed[‘select’][‘class’] = true;70 $allowed[‘option’][‘value’] = true;71 }7273 return $allowed;74 }75 76 public function pro_version_notice(){77 global $pagenow;78 if ( $pagenow == ‘upload.php’ ) {79 echo '<div class="notice notice-warning is-dismissible">80 <p>’.esc_html__(‘Mediamatic PRO has more handy features. You could rename a folder, add subfolders easily, clear folders, and search for folders. It also enables folders panel on the media pop-up window.’, MEDIAMATIC_TEXT_DOMAIN).’ <a href="https://frenify.net/envato/themedo/plugin/mediamatic/1/" target="_blank">Mediamatic PRO</a></p>81 </div>’;82 }83 }84 85 86 public function mediamaticEnqueueStyles(){87 $this->mediamaticStyles();88 }89 90 91 public function mediamaticStyles()92 {93 wp_enqueue_style( 'iaoalert’, MEDIAMATIC_ASSETS_URL . 'css/iaoalert.css’, array(), MEDIAMATIC_PLUGIN_NAME, ‘all’ );94 wp_enqueue_style( 'mediamatic-admin’, MEDIAMATIC_ASSETS_URL . 'css/core.css’, array(), MEDIAMATIC_PLUGIN_NAME, ‘all’ );95 wp_enqueue_style( 'mediamatic-front’, MEDIAMATIC_ASSETS_URL . 'css/front.css’, array(), MEDIAMATIC_PLUGIN_NAME, ‘all’ );96 wp_enqueue_style( 'mediamatic-rtl’, MEDIAMATIC_ASSETS_URL . 'css/rtl.css’, array(), MEDIAMATIC_PLUGIN_NAME, ‘all’ );97 98 if(MEDIAMATIC_PLUGIN_NAME == ‘Mediamatic’){99 $custom_css = “#mediamatic-attachment-filters{display: none;}";100 wp_add_inline_style( 'mediamatic-admin’, $custom_css );101 }102 103 }104 105106 public function mediamaticEnqueueScripts()107 {108 $this->mediamaticScripts();109 }110 111 public function mediamaticScripts()112 {113 114 $allFilesText = esc_html__('All Files’, MEDIAMATIC_TEXT_DOMAIN);115 $uncategorizedText = esc_html__('Uncategorized’, MEDIAMATIC_TEXT_DOMAIN);116 $taxonomy = apply_filters('mediamatic_taxonomy’, MEDIAMATIC_FOLDER);117 $dropdownOptions = array(118 ‘taxonomy’ => $taxonomy,119 ‘hide_empty’ => false,120 ‘hierarchical’ => true,121 ‘orderby’ => ‘name’,122 ‘show_count’ => true,123 ‘walker’ => new Mediamatic_Walker_Category_Mediagridfilter(),124 ‘value’ => ‘id’,125 ‘echo’ => false126 );127 $attachmentTerms = wp_dropdown_categories( $dropdownOptions );128 $attachmentTerms = preg_replace( array( "/<select([^>]*)>/", “/<\/select>/” ), “", $attachmentTerms );129 130 wp_register_script( 'inline-script-handle-header’, ‘’ );131 wp_enqueue_script( ‘inline-script-handle-header’ );132 wp_add_inline_script( 'inline-script-handle-header’, '/* <![CDATA[ */ var mediamaticFolders = [{"folderID":"all","folderName":"’. esc_html($allFilesText) .’"}, {"folderID":”-1","folderName":"’. esc_html($uncategorizedText) .’"},’ . wp_kses_post(substr($attachmentTerms, 2)) . ']; /* ]]> */’ );133 134 135 wp_enqueue_script(‘jquery-ui-draggable’);136 wp_enqueue_script(‘jquery-ui-droppable’);137138 wp_register_script('iaoalert’, MEDIAMATIC_ASSETS_URL . 'js/third-party-plugins/iaoalert.js’,[‘jquery’], MEDIAMATIC_PLUGIN_NAME, false);139 wp_register_script('nicescroll’, MEDIAMATIC_ASSETS_URL . 'js/third-party-plugins/nicescroll.js’,[‘jquery’], MEDIAMATIC_PLUGIN_NAME, false);140 wp_register_script('mediamatic-resizable’, MEDIAMATIC_ASSETS_URL . 'js/resizable.js’,[‘jquery’], MEDIAMATIC_PLUGIN_NAME, false);141 wp_register_script('mediamatic-core’, MEDIAMATIC_ASSETS_URL . 'js/core.js’,[‘jquery’], MEDIAMATIC_PLUGIN_NAME, true);142 wp_register_script('mediamatic-filter’, MEDIAMATIC_ASSETS_URL . 'js/filter.js’,[‘jquery’], MEDIAMATIC_PLUGIN_NAME, false);143 wp_register_script('mediamatic-select-filter’, MEDIAMATIC_ASSETS_URL . '/js/select-filter.js’, [‘media-views’], MEDIAMATIC_PLUGIN_NAME, true );144 wp_register_script('mediamatic-upload’, MEDIAMATIC_ASSETS_URL . 'js/upload.js’, [‘jquery’], MEDIAMATIC_PLUGIN_NAME, false );145146 wp_localize_script(147 'mediamatic-core’,148 'mediamaticConfig’,149 [150 ‘plugin’ => MEDIAMATIC_PLUGIN_NAME,151 ‘pluginURL’ => MEDIAMATIC_URL,152 ‘nonce’ => wp_create_nonce( ‘ajax-nonce’ ),153 ‘uploadURL’ => admin_url( ‘upload.php’ ),154 ‘ajaxUrl’ => admin_url( ‘admin-ajax.php’ ),155 ‘moveOneFile’ => esc_html__( 'Move 1 file’, MEDIAMATIC_TEXT_DOMAIN ),156 ‘move’ => esc_html__( 'Move’, MEDIAMATIC_TEXT_DOMAIN ),157 ‘files’ => esc_html__( 'files’, MEDIAMATIC_TEXT_DOMAIN ),158 ‘newFolderText’ => esc_html__( 'New Subfolder’, MEDIAMATIC_TEXT_DOMAIN ),159 ‘clearMediaText’ => esc_html__( 'Clear Media’, MEDIAMATIC_TEXT_DOMAIN ),160 ‘renameText’ => esc_html__( 'Rename Folder’, MEDIAMATIC_TEXT_DOMAIN ),161 ‘deleteText’ => esc_html__( 'Delete Folder’, MEDIAMATIC_TEXT_DOMAIN ),162 ‘clearText’ => esc_html__( 'Clear Folder’, MEDIAMATIC_TEXT_DOMAIN ),163 ‘cancelText’ => esc_html__( 'Cancel’, MEDIAMATIC_TEXT_DOMAIN ),164 ‘confirmText’ => esc_html__( 'Confirm’, MEDIAMATIC_TEXT_DOMAIN ),165 ‘areYouSure’ => esc_html__( 'Are you confident?’, MEDIAMATIC_TEXT_DOMAIN ),166 ‘willBeMovedToUncategorized’ => esc_html__( 'All media inside this folder gets moved to “Uncategorized” folder.’, MEDIAMATIC_TEXT_DOMAIN ),167 ‘hasSubFolder’ => esc_html__( 'This folder contains subfolders, you should delete the subfolders first!’, MEDIAMATIC_TEXT_DOMAIN ),168 ‘slugError’ => esc_html__( 'Unfortunately, you already have a folder with that name.’, MEDIAMATIC_TEXT_DOMAIN ),169 ‘enterName’ => esc_html__( 'Please, enter your folder name!’, MEDIAMATIC_TEXT_DOMAIN ),170 ‘item’ => esc_html__( 'item’, MEDIAMATIC_TEXT_DOMAIN ),171 ‘items’ => esc_html__( 'items’, MEDIAMATIC_TEXT_DOMAIN ),172 ‘currentFolder’ => $this->getCurrentFolder(),173 ‘noItemDOM’ => $this->noItemForListMode(),174 ‘mediamaticAllTitle’ => esc_html__('All categories’, MEDIAMATIC_TEXT_DOMAIN),175 ]176 );177 wp_localize_script(178 'mediamatic-filter’,179 'mediamaticConfig2’,180 [181 ‘pluginURL’ => MEDIAMATIC_URL,182 ‘ajaxUrl’ => admin_url( ‘admin-ajax.php’ ),183 ‘nonce’ => wp_create_nonce( ‘ajax-nonce’ ),184 ‘moveOneFile’ => esc_html__( 'Move 1 file’, MEDIAMATIC_TEXT_DOMAIN ),185 ‘move’ => esc_html__( 'Move’, MEDIAMATIC_TEXT_DOMAIN ),186 ‘files’ => esc_html__( 'files’, MEDIAMATIC_TEXT_DOMAIN ),187 ]188 );189 190 wp_localize_script(191 'mediamatic-select-filter’,192 'mediamaticConfig’,193 [194 ‘mediamaticFolder’ => MEDIAMATIC_FOLDER,195 ‘mediamaticAllTitle’ => esc_html__('All categories’, MEDIAMATIC_TEXT_DOMAIN),196 ‘uploadURL’ => admin_url( ‘upload.php’ ),197 ‘assetsURL’ => MEDIAMATIC_ASSETS_URL198 ]199 );200 201 wp_localize_script(202 'mediamatic-upload’,203 'mediamaticConfig’,204 [205 ‘nonce’ => wp_create_nonce(‘ajax-nonce’)206 ]207 );208209 wp_enqueue_script( ‘iaoalert’ );210 wp_enqueue_script( ‘nicescroll’ );211 wp_enqueue_script( ‘mediamatic-resizable’ );212 wp_enqueue_script( ‘mediamatic-core’ );213 wp_enqueue_script( ‘mediamatic-filter’ );214 wp_enqueue_script( ‘mediamatic-select-filter’ );215 wp_enqueue_script( ‘mediamatic-upload’ );216 217 218 219 }220 221 public function noItemForListMode()222 {223 return '<tr class="no-items"><td class="colspanchange” colspan="6">’.esc_html__('No media files found.’, MEDIAMATIC_TEXT_DOMAIN).’</td></tr>’;224 }225 226 public function getCurrentFolder()227 {228 if(isset($_GET[‘cc_mediamatic_folder’])){229 return sanitize_text_field($_GET[‘cc_mediamatic_folder’]);230 }231 return '’;232 }233 234 public function mediamaticRestrictManagePosts()235 {236 $scr = get_current_screen();237 if($scr->base !== ‘upload’){238 return;239 }240 echo '<select id="mediao-attachment-filters" class="wpmediacategory-filter attachment-filters" name="cc_mediamatic_folder"></select>’;241 }242243 public function getSidebarWidth()244 {245 $sidebarWidth = (int) get_option('mediamatic_sidebar_width’, 380);246 if($sidebarWidth < 250 || $sidebarWidth > 750){247 $sidebarWidth = 380;248 }249 return $sidebarWidth;250 }251252 public function mediamaticInitSidebar()253 {254 $output = '’;255 $helper = new Helper;256 $sidebarWidth = $this->getSidebarWidth().’px;’;257 258 $output .= '<div class="cc_mediamatic_temporary">’;259 $output .= '<div id="mediamatic_sidebar" class="cc_mediamatic_sidebar" style="width:’.$sidebarWidth.’">’;260 $output .= '<div class="cc_mediamatic_sidebar_in" style="width:’.$sidebarWidth.’">’;261 $output .= $helper->getSidebarHeader();262 $output .= $helper->getSidebarContent();263 $output .= '<input type="hidden" id="mediamatic_hidden_terms">’;264 $output .= '</div>’;265 $output .= '</div>’;266 $output .= $this->splitter();267 $output .= '</div>’;268 269 270 echo wp_kses_post($output);271 }272 273 public function splitter()274 {275 if(MEDIAMATIC_PLUGIN_NAME == ‘Mediamatic’){276 $html = '<div class="mediamatic_splitter active">277 <span class="splitter_holder">278 <span class="splitter_a"></span>279 <span class="splitter_b"></span>280 <span class="splitter_c"></span>281 </span>282 </div>’;283 }else{284 $html = '<div class="mediamatic_splitter"></div>’;285 }286 return $html;287 }288 289 public function mediamaticPreUploadUserInterface() 290 {291 $helper = new Helper;292 $terms = $helper->mediamaticTermTreeArray(MEDIAMATIC_FOLDER, 0);293 $otherOptions = $helper->mediamaticTermTreeOption($terms);294 $text = esc_html__(“New files go to chosen category", MEDIAMATIC_TEXT_DOMAIN);295 $output = '’;296 297 // top section298 $output .= '<p class="cc_upload_paragraph attachments-category">’;299 $output .= $text;300 $output .= '</p>’;301 302 // select section303 $output .= '<p class="cc_upload_paragraph">’;304 $output .= '<select name="ccFolder” class="mediamatic-editcategory-filter">’;305 $output .= '<option value="-1">1.’.esc_html__('Uncategorized’, MEDIAMATIC_TEXT_DOMAIN).’</option>’;306 $output .= $otherOptions;307 $output .= '</select>’;308 $output .= '</p>’;309 310 // echo result311 echo wp_kses_post($output);312 }313 314 public function mediamaticAjaxAddCategory()315 {316 $categoryName = sanitize_text_field($_POST[“categoryName”]);317 $parent = sanitize_text_field($_POST[“parent”]);318 319 320 // check category name321 $name = self::mediamaticCheckMetaName($categoryName, $parent);322 $newTerm = wp_insert_term($name, MEDIAMATIC_FOLDER, array(323 ‘name’ => $name,324 ‘parent’ => $parent325 ));326327 if (is_wp_error($newTerm)){328 echo 'error’;329 }else{330 add_term_meta( $newTerm[“term_id”], 'folder_position’, 9999 );331 332 333 $buffyArray = array(334 ‘termID’ => $newTerm[“term_id”],335 ‘termName’ => $name,336 );337338 die(json_encode($buffyArray));339 }340 341 }342 343 public function mediamaticAjaxDeleteCategory()344 {345 $categoryID = sanitize_text_field($_POST[“categoryID”]);346 $selectedTerm = get_term($categoryID , MEDIAMATIC_FOLDER );347 $count = $selectedTerm->count ? $selectedTerm->count : 0;348 $deleteTerm = wp_delete_term( $categoryID, MEDIAMATIC_FOLDER );349 350 351 if(is_wp_error($deleteTerm)){352 $error = 'yes’;353 }else{354 $error = 'no’;355 }356 $buffyArray = array(357 ‘error’ => $error,358 ‘count’ => $count,359 );360 361 die(json_encode($buffyArray));362 363 }364 365 public function mediamaticAjaxClearCategory()366 {367 global $wpdb;368 $categoryID = sanitize_text_field($_POST[“categoryID”]);369 $selectedTerm = get_term($categoryID , MEDIAMATIC_FOLDER );370 $count = $selectedTerm->count ? $selectedTerm->count : 0;371 372 $wpdb->query($wpdb->prepare( "UPDATE {$wpdb->prefix}term_taxonomy SET count=%d WHERE term_id=%d AND taxonomy=%s", 0, $categoryID, MEDIAMATIC_FOLDER));373 $wpdb->query($wpdb->prepare( "DELETE FROM {$wpdb->prefix}term_relationships WHERE term_taxonomy_id=%d", $categoryID));374 375 $buffyArray = array(376 ‘error’ => 'no’,377 ‘count’ => $count,378 );379 die(json_encode($buffyArray));380 381 }382 383 public function mediamaticAjaxRenameCategory()384 {385 $categoryID = sanitize_text_field($_POST[“categoryID”]);386 $categoryTitle = sanitize_text_field($_POST[“categoryTitle”]);387 $newSlug = $this->mediamaticSlugGenerator($categoryTitle,$categoryID);388 $renameCategory = wp_update_term($categoryID, MEDIAMATIC_FOLDER, array(389 ‘name’ => $categoryTitle,390 ‘slug’ => $newSlug391 ));392 393 if(is_wp_error($renameCategory)){394 $error = 'yes’;395 }else{396 $error = 'no’;397 }398 $buffyArray = array(399 ‘error’ => $error,400 ‘title’ => $categoryTitle,401 );402 die(json_encode($buffyArray));403 404 }405 406 public function mediamaticAjaxUpdateSidebarWidth()407 {408 $width = sanitize_text_field($_POST[‘width’]);409 $error = 'yes’;410 411 if(update_option( 'mediamatic_sidebar_width’, $width )){412 $error = 'no’;413 }414 415 $buffyArray = array(416 ‘error’ => $error,417 );418 die(json_encode($buffyArray));419 420 }421 422 423 public function recursive_sanitize_text_field($array_or_string) {424 if( is_string($array_or_string) ){425 $array_or_string = sanitize_text_field($array_or_string);426 }elseif( is_array($array_or_string) ){427 foreach ( $array_or_string as $key => &$value ) {428 if ( is_array( $value ) ) {429 $value = recursive_sanitize_text_field($value);430 }431 else {432 $value = sanitize_text_field( $value );433 }434 }435 }436437 return $array_or_string;438 }439 440 441 public function mediamaticAjaxMoveMultipleMedia()442 {443 $IDs = $this->recursive_sanitize_text_field($_POST[‘IDs’]);444 $folderID = sanitize_text_field($_POST[‘folderID’]);445 $result = array();446447 foreach ($IDs as $ID){448 $termList = wp_get_post_terms( sanitize_text_field($ID), MEDIAMATIC_FOLDER, array( ‘fields’ => ‘ids’ ) );449 $from = -1;450451 if(count($termList)){452 $from = $termList[0];453 }454455 $obj = (object) array(‘id’ => $ID, ‘from’ => $from, ‘to’ => $folderID);456 $result[] = $obj;457458 wp_set_object_terms( $ID, intval($folderID), MEDIAMATIC_FOLDER, false );459460 }461462 463 $buffyArray = array(464 ‘result’ => $result,465 );466 die(json_encode($buffyArray));467 468 }469 470 public function mediamaticAjaxGetTermsByMedia()471 {472 $error = 'no’;473 $nonce = sanitize_text_field($_POST[‘nonce’]);474 $terms = array();475 476 if(!wp_verify_nonce($nonce, ‘ajax-nonce’)){477 $error = 'yes’;478 }479 if(!isset($_POST[‘ID’])){480 $error = 'yes’;481 }else{482 $ID = (int) sanitize_text_field($_POST[‘ID’]);483 $terms = get_the_terms($ID, MEDIAMATIC_FOLDER);484 }485 486 $buffyArray = array(487 ‘terms’ => $terms,488 ‘error’ => $error,489 ‘id’ => $ID,490 );491 die(json_encode($buffyArray));492 }493 494 public function mediamaticAjaxMoveSingleMedia()495 {496 $error = 'no’;497 498 if (!isset($_POST[‘mediaID’])){499 $error = 'yes’;500 }else{501 $mediaID = absint(sanitize_text_field($_POST[‘mediaID’]));502 503 if(empty($_POST[‘attachments’]) || empty($_POST[‘attachments’][ $mediaID ])){504 $error = 'yes’;505 }else{506 $attachment_data = $_POST[‘attachments’][ $mediaID ];507 $post = get_post( $mediaID, ARRAY_A );508 if(‘attachment’ != $post[‘post_type’]){509 $error = 'yes’;510 }else{511 $post = apply_filters( 'attachment_fields_to_save’, $post, $attachment_data );512513 if(isset($post[‘errors’])){514 $errors = $post[‘errors’]; 515 unset( $post[‘errors’] );516 }517518 wp_update_post($post);519520 wp_set_object_terms( $mediaID, intval(sanitize_text_field($_POST[‘folderID’])), MEDIAMATIC_FOLDER, false );521 if (!$attachment = wp_prepare_attachment_for_js($mediaID)){522 $error = 'yes’;523 }524 }525 }526 }527 528 529 $buffyArray = array(530 ‘attachment’ => $attachment,531 ‘error’ => $error,532 );533 die(json_encode($buffyArray));534 535 }536 537 538 public function mediamaticSlugGenerator($categoryName,$ID)539 {540 global $wpdb;541 $categoryName = strtolower($categoryName);542 $newSlug = preg_replace('/[^A-Za-z0-9-]+/’, '-', $categoryName);543 544 $ID = sanitize_text_field($ID);545 $ID = esc_sql($ID);546 547 $count = $wpdb->get_var($wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->prefix}terms WHERE slug=%s AND term_id<>%d", $newSlug, $ID ));548 549 550 if($count > 0){551 $newSlug = $newSlug . '1’;552 $newSlug = $this->mediamaticSlugGenerator($newSlug,$ID);553 }554 return $newSlug;555 }556 557 public function mediamaticAjaxUpdateFolderPosition()558 {559 $results = sanitize_text_field($_POST[“data”]);560 $results = explode('#’, $results);561 foreach ($results as $result) {562 $result = explode(',’, $result);563 update_term_meta($result[0], 'folder_position’, $result[1]);564 }565 die();566 }567 568 public function mediamaticAjaxMoveCategory()569 {570 $current = sanitize_text_field($_POST[“current”]);571 $parent = sanitize_text_field($_POST[“parent”]);572 573 574 $checkError = wp_update_term($current, MEDIAMATIC_FOLDER, array(575 ‘parent’ => $parent576 ));577 578579 if(is_wp_error($checkError)){580 $error = 'yes’;581 }else{582 $error = 'no’;583 }584 $buffyArray = array(585 ‘error’ => $error,586 );587 die(json_encode($buffyArray));588 589 }590 591 public static function mediamaticCheckMetaName($name, $parent)592 {593 if(!$parent){ $parent = 0; }594 595 $terms = get_terms( MEDIAMATIC_FOLDER, array(‘parent’ => $parent, ‘hide_empty’ => false) );596 $check = true;597598 if(count($terms)){599 foreach ($terms as $term){600 if($term->name === $name){601 $check = false;602 break;603 }604 }605 }else{606 return $name;607 }608609 610 if($check){611 return $name; 612 }613614 $arr = explode('_’, $name); 615616 if($arr && count($arr) > 1){ 617 $suffix = array_values(array_slice($arr, -1))[0];618619 array_pop($arr);620621 $originName = implode($arr);622623 if(intval($suffix)){624 $name = $originName . ‘_’ . (intval($suffix)+1);625 }626627 }else{628 $name = $name . '_1’;629 } 630631 $name = self::mediamaticCheckMetaName($name, $parent);632633 return $name;634635 }636 637 public function mediamaticAddFolderToAttachments()638 {639 register_taxonomy( MEDIAMATIC_FOLDER, 640 array( “attachment” ), 641 array( “hierarchical” => true, 642 “labels” => array(), 643 ‘show_ui’ => true,644 ‘show_in_menu’ => false,645 ‘show_in_nav_menus’ => false,646 ‘show_in_quick_edit’ => false,647 ‘update_count_callback’ => '_update_generic_term_count’,648 ‘show_admin_column’ => false,649 “rewrite” => false 650 )651 );652 }653 654 655 public function mediamaticPostsClauses($clauses, $query)656 {657 global $wpdb;658 659 if (isset($_GET[‘cc_mediamatic_folder’])){660 661 $folder = sanitize_text_field($_GET[‘cc_mediamatic_folder’]);662 663 if (!empty($folder) != ‘’){664 $folder = (int)$folder;665 $wpdbPrefix = $wpdb->prefix;666 667 if($folder > 0){668 $clauses[‘where’] .= ' AND ('.$wpdbPrefix.’term_relationships.term_taxonomy_id = ‘.$folder.’)';669 $clauses[‘join’] .= ' LEFT JOIN '.$wpdbPrefix.’term_relationships ON ('.$wpdbPrefix.’posts.ID = '.$wpdbPrefix.’term_relationships.object_id)';670 }else{671 672 $folders = get_terms(MEDIAMATIC_FOLDER, array(673 ‘hide_empty’ => false674 ));675 $folderIDs = array();676 foreach ($folders as $k => $folder) {677 $folderIDs[] = $folder->term_id;678 }679 680 $folderIDs = esc_sql($folderIDs);681 682 $extraQuery = "SELECT `ID` FROM ".$wpdbPrefix."posts LEFT JOIN ".$wpdbPrefix."term_relationships ON (".$wpdbPrefix."posts.ID = ".$wpdbPrefix."term_relationships.object_id) WHERE (".$wpdbPrefix."term_relationships.term_taxonomy_id IN (“.implode(', ', $folderIDs).”))";683 $clauses[‘where’] .= " AND (".$wpdbPrefix."posts.ID NOT IN (“.$extraQuery.”))";684 }685 }686 }687 688 return $clauses;689 }690 691 692 693 public function mediamaticAjaxCheckDeletingMedia()694 {695 $attachmentID = '’;696 $error = ‘no’;697 $terms = array();698 $ajaxNonce = sanitize_text_field($_POST[‘ajaxNonce’]);699700 if(!wp_verify_nonce($ajaxNonce,’ajax-nonce’ )){701 $error = 'yes’;702 }703 704 if(!isset($_POST[‘attachmentID’])){705 $error = 'yes’;706 }707 if($error == ‘no’){708 $attachmentID = absint(sanitize_text_field($_POST[‘attachmentID’]));709 $terms = get_the_terms($attachmentID, MEDIAMATIC_FOLDER);710 }711 712 $buffyArray = array(713 ‘error’ => $error,714 ‘terms’ => $terms,715 );716 die(json_encode($buffyArray));717 }718719}720new Mediamatic_Sidebar();721722723// Custom Category Walker724class Mediamatic_Walker_Category_Mediagridfilter extends \Walker_CategoryDropdown 725{726 function start_el( &$output, $category, $depth = 0, $args = array(), $id = 0 )727 {728 $space = str_repeat( ' ', $depth * 3 );729 730 if(isset($category->name)){731 $folderName = $category->name;732 $folderID = $category->term_id;733 $folderName = apply_filters( 'list_cats’, $folderName, $category );734 735 $output .= ‘,{"folderID":"’ . $folderID . '",’;736 $output .= ‘"folderName":"’ . $space . $folderName . '"}’;737 738 } 739 }740}