authorHerve Suaudeau <herve.suaudeau@parisdescartes.fr>
Wed, 29 Jul 2020 17:03:21 +0000 (19:03 +0200)
committerHerve Suaudeau <herve.suaudeau@parisdescartes.fr>
Wed, 29 Jul 2020 17:03:21 +0000 (19:03 +0200)
admin/MonLabo-admin.php
admin/MonLabo-edit-members.php
admin/includes/inc-lib-forms.php
admin/includes/inc-lib-tables.php
admin/js/MonLabo-admin.js
changelog.txt
readme.txt

index b7e88d2..1f2cf76 100644 (file)
@@ -24,7 +24,8 @@ class MonLabo_admin {
                $this->options['MonLabo_settings_group5']=get_option( 'MonLabo_settings_group5' );
 
                add_action( 'admin_enqueue_scripts', array( &$this, 'MonLabo_enqueue_admin_scripts' ) );
-               add_action( 'wp_ajax_update_member_thumbnail', array( &$this, 'update_member_thumbnail' ) );
+               add_action( 'wp_ajax_update_member_thumbnail', 'update_member_thumbnail' );
+
        }
 
        function MonLabo_enqueue_admin_scripts( $hook_suffix ) {
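Review bot: The AJAX handler is now registered as the bare global function `update_member_thumbnail` (L26), which lands in PHP's global namespace without the plugin's `MonLabo_` prefix; any other plugin or theme that defines a function of that name will cause a fatal "cannot redeclare" error at load time. Prefix it (`'MonLabo_update_member_thumbnail'`, and likewise `generate_update_member_thumbnail`) or keep it as a class method as before. The constructor this hunk edits begins before the hunk.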
@@ -39,7 +40,15 @@ class MonLabo_admin {
                                                                                                        ."jQuery( 'input[type=hidden]' ).parents( 'td' ).prev( 'th' ).css( 'padding', '0' );"   );
 
                // in JavaScript, object properties are accessed as ajax_object.ajax_url, ajax_object.we_value
-               wp_localize_script( 'MonLabo_admin-script', 'ajax_object_update_member_thumbnail', array( 'ajax_url' => admin_url( 'admin-ajax.php' ) ) );
+               wp_localize_script(
+                       'MonLabo_admin-script',
+                       'ajax_object_update_member_thumbnail',
+                       array(
+                               'ajax_url' => admin_url( 'admin-ajax.php' ) ,
+                               'nonce' => wp_create_nonce( "nonce_update_member_thumbnail" )
+                       )
+               );
+
                wp_enqueue_media(); //On insère toutes les dépendances nécessaires pour l'affichage du menu média  //Obligatoire sous cette forme pour que le menu media fonctionne en AJAX
        }
 
@@ -115,6 +124,17 @@ class MonLabo_admin {
                                )
                        );
        }
+       public function error_MonLabo_perso_page_bad_parent() {
+               return MonLabo_admin::notice_message(
+                       'error',
+                       __( 'Erreur :', 'mon-laboratoire' ),
+                 sprintf(
+                         __( "La page de rattachement des pages personnelles est mal renseignée %s dans les configurations générales %s.", 'mon-laboratoire' )
+                         , "<a href=\"admin.php?page=MonLabo_config&tab=tab_appearance\">"
+                         , "</a>"
+                         )
+               );
+       }
 
        //hook into WP's admin_init action hook
        public function admin_init() {
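Review bot: `error_MonLabo_perso_page_bad_parent` is declared as an instance method on L52, but the call sites this commit introduces invoke it statically as `MonLabo_admin::error_MonLabo_perso_page_bad_parent()` (L217, L430); calling a non-static method statically is deprecated in PHP 7 and throws an `Error` on PHP 8. It uses no instance state, only `MonLabo_admin::notice_message`, so declare it `public static function error_MonLabo_perso_page_bad_parent()`. The indentation of L56-L60 is also off relative to the tab-indented block around it.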
@@ -438,46 +458,61 @@ class MonLabo_admin {
                //  Si oui: Relancer fonction cron
        }
 
-       //Ajax function to display the thumbnail image of member edition page
-       function update_member_thumbnail() {
-               require_once( dirname( __FILE__ ) . '/includes/inc-lib-forms.php' );
-               $wp_post_id=getPOSTnumber( 'wp_post_id' );
 
-               // Nouveau membre
-               //----------------
-               if ( is_null( $wp_post_id ) ) {
-                       echo '<fieldset> <legend>'.__( 'Choisir une image', 'mon-laboratoire' ).' : </legend>';
-                       //Display default image
-                       echo '<a class="hover-zoom-square60"><img id="image-preview" src="'.$this->options['MonLabo_settings_group2']['MonLabo_img_par_defaut'].'" width="150" height="150" class="wp-image-6 alignright img-arrondi wp-post-image" alt="photo personne" /></a>';
-                       echo( '<input id="upload_image_button" type="button" class="button" value="'. __( 'Changer l\'image par défaut', 'mon-laboratoire' ).'"' );
-                       echo( ' onclick="imageMediaMenu(\''. __( 'Choisir une image', 'mon-laboratoire' ).'\',\''. __( 'utiliser cette image', 'mon-laboratoire' ).'\');" />' );
-
-               // Membre avec page valide
-               //-----------------------
-               } elseif ( $wp_post_id>0 ) {
-                       echo '<fieldset> <legend>'.__( 'Page WordPress choisie', 'mon-laboratoire' )." <small>(<a href='".get_edit_post_link( $wp_post_id )."'>".__( 'éditer la page', 'mon-laboratoire' ).'</a>)</small> : </legend>';
-                       echo '<a class="hover-zoom-square60">';
-                       if ( has_post_thumbnail( $wp_post_id ) ) {
-                               echo get_the_post_thumbnail( $wp_post_id, array( 150, 150 ), array( 'class' => 'alignright img-arrondi',  'id'=>"image-preview" ) );
-                       } else {
-                               //Display default image
-                               echo '<img id="image-preview" src="'.$this->options['MonLabo_settings_group2']['MonLabo_img_par_defaut'].'" width="150" height="150" class="wp-image-6 alignright img-arrondi wp-post-image" alt="silhouette par défaut" />';
-                       }
-                       echo ( '</a>' );
-                       echo( '<input id="upload_image_button" type="button" class="button" value="'. __( "Changer l'image de la page n°", 'mon-laboratoire' ).$wp_post_id.'"' );
-                       echo( ' onclick="imageMediaMenu(\''. __( 'Choisir une image', 'mon-laboratoire' ).'\',\''. __( 'utiliser cette image', 'mon-laboratoire' ).'\');" />' );
+}
 
-               // Membre avec page invalide
-               //--------------------------
+//Ajax function to display the thumbnail image of member edition page
+function update_member_thumbnail() {
+       $response = array();
+       if ( check_ajax_referer( "nonce_update_member_thumbnail" ) ) {
+               $text = generate_update_member_thumbnail();
+               $response['type'] = 'success';
+               $response['text'] = $text;
+               echo( json_encode($response) );
+       }
+       wp_die();
+}
+
+function generate_update_member_thumbnail() {
+       require_once( dirname( __FILE__ ) . '/includes/inc-lib-forms.php' );
+       $wp_post_id=getPOSTnumber( 'wp_post_id' );
+       $options2=get_option( 'MonLabo_settings_group2' );
+
+       $retval = "";
+
+       // Nouveau membre
+       //----------------
+       if ( is_null( $wp_post_id ) ) {
+               $retval .= '<fieldset> <legend>'.__( 'Choisir une image', 'mon-laboratoire' ).' : </legend>';
+               //Display default image
+               $retval .= '<a class="hover-zoom-square60"><img id="image-preview" src="'.$options2['MonLabo_img_par_defaut'].'" width="150" height="150" class="wp-image-6 alignright img-arrondi wp-post-image" alt="photo personne" /></a>';
+               $retval .= '<input id="upload_image_button" type="button" class="button" value="'. __( 'Changer l\'image par défaut', 'mon-laboratoire' ).'"' ;
+               $retval .= ' onclick="imageMediaMenu(\''. __( 'Choisir une image', 'mon-laboratoire' ).'\',\''. __( 'utiliser cette image', 'mon-laboratoire' ).'\');" />' ;
+
+       // Membre avec page valide
+       //-----------------------
+       } elseif ( $wp_post_id>0 ) {
+               $retval .= '<fieldset> <legend>'.__( 'Page WordPress choisie', 'mon-laboratoire' )." <small>(<a href='".get_edit_post_link( $wp_post_id )."'>".__( 'éditer la page', 'mon-laboratoire' ).'</a>)</small> : </legend>';
+               $retval .= '<a class="hover-zoom-square60">';
+               if ( has_post_thumbnail( $wp_post_id ) ) {
+                       $retval .= get_the_post_thumbnail( $wp_post_id, array( 150, 150 ), array( 'class' => 'alignright img-arrondi',  'id'=>"image-preview" ) );
                } else {
-                       echo '<fieldset> <legend>'.__( 'Choisissez une page WordPress pour pouvoir avoir une image.', 'mon-laboratoire' ).'</legend>';
+                       //Display default image
+                       $retval .= '<img id="image-preview" src="'.$options2['MonLabo_img_par_defaut'].'" width="150" height="150" class="wp-image-6 alignright img-arrondi wp-post-image" alt="silhouette par défaut" />';
                }
-               echo( "<input type='hidden' name='submit_image_attachment_url' id='image_attachment_url' value='__no_change__' />" );
-               echo( "<input type='hidden' name='submit_image_attachment_id' id='image_attachment_id' value='__no_change__' />" );
-               echo '</fieldset>';
-
-               wp_die();
-       }
+               $retval .=  '</a>' ;
+               $retval .= '<input id="upload_image_button" type="button" class="button" value="'. __( "Changer l'image de la page n°", 'mon-laboratoire' ).$wp_post_id.'"' ;
+               $retval .= ' onclick="imageMediaMenu(\''. __( 'Choisir une image', 'mon-laboratoire' ).'\',\''. __( 'utiliser cette image', 'mon-laboratoire' ).'\');" />' ;
+
+       // Membre avec page invalide
+       //--------------------------
+       } else {
+               $retval .= '<fieldset> <legend>'.__( 'Choisissez une page WordPress pour pouvoir avoir une image.', 'mon-laboratoire' ).'</legend>';
+       }
+       $retval .= "<input type='hidden' name='submit_image_attachment_url' id='image_attachment_url' value='__no_change__' />" ;
+       $retval .= "<input type='hidden' name='submit_image_attachment_id' id='image_attachment_id' value='__no_change__' />" ;
+       $retval .= '</fieldset>';
+       return $retval;
 }
 
 function MonLabo_admin_edit_members_and_groups_render() {
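Review bot: `update_member_thumbnail` (L103-L112) verifies only the nonce and never a capability, so any authenticated user who obtains the nonce can call the `wp_ajax_update_member_thumbnail` endpoint and receive the edit link and featured-image markup for an arbitrary `wp_post_id`. A nonce is a CSRF token bound to the user's session, not an authorization check, and it is handed to every admin screen on which `MonLabo_admin-script` is enqueued (whether `MonLabo_enqueue_admin_scripts` returns early on `$hook_suffix` is not visible in this diff). Add a capability test before building the response, e.g. `if ( ! current_user_can( 'edit_posts' ) ) { wp_send_json_error( null, 403 ); }`, using whatever capability the plugin's members screen is registered with. The `if` around `check_ajax_referer` is misleading: with the default third argument it dies on failure, so the branch never sees a false result, and `wp_send_json_success( $text )` would replace the manual array/`json_encode`/`wp_die` sequence. Since the option value `$options2['MonLabo_img_par_defaut']` is dropped into a `src` attribute on L126 and L140, wrap it in `esc_url()`.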
index e455b48..9ed918f 100644 (file)
@@ -15,6 +15,8 @@ function edit_members_form() {
        require_once( dirname( __FILE__ ) . '/includes/inc-lib-forms.php' );
        $retval='';
        $MonLabo_access_data = New MonLabo_access_data();
+       $options0 = get_option( 'MonLabo_settings_group0' );
+       $options2 = get_option( 'MonLabo_settings_group2' );
 
        list( $retval, $member_id, $page_id_if_created )=form_edit_member_processing();
 
@@ -26,14 +28,14 @@ function edit_members_form() {
        if ( !empty( $members_name_alumni ) ) { asort( $members_name_alumni, SORT_STRING ); }
 
        //Get member infomation. If invalid of new, return an empty object
-       if ( 0 != $member_id ) {
+       if ( !empty( $member_id ) ) {
                $member_information = $MonLabo_access_data->get_person_information( $member_id );
                //If invalid ID
                if ( NULL === $member_information ) {
                        $member_id = 0;
                }
        }
-       if ( 0 === $member_id ) {
+       if ( empty( $member_id ) ) {
                $member_information = (object) Array( 'wp_post_id'=>'', 'title'=>'', 'first_name'=>'', 'last_name'=>''
                                , 'category'=>'', 'function_en'=>'', 'function_fr'=>'', 'id'=>0
                                , 'date_departure'=>'', 'mail'=>'', 'room'=>'', 'external_url'=>''
@@ -41,6 +43,7 @@ function edit_members_form() {
                                , 'uid_ENT_parisdescartes'=>'', 'status'=>'', 'visible'=>''
                                , 'custom1'=>'', 'custom2'=>'', 'custom3'=>'', 'custom4'=>'', 'custom5'=>''
                                , 'custom6'=>'', 'custom7'=>'', 'custom8'=>'', 'custom9'=>'', 'custom10'=>'' );
+               $member_id = 0;
        }
        $nouveau_membre_string='&mdash; '.__( 'Nouveau membre', 'mon-laboratoire' ).' &mdash;';
        if ( is_array( $members_name_actif ) && array_key_exists( $member_id, $members_name_actif ) ) {
@@ -90,8 +93,6 @@ function edit_members_form() {
 
        // Page WordPress
        //---------------
-       $options2 = get_option( 'MonLabo_settings_group2' );
-
        if ( 0 != $member_id ) {
                $retval .= '<br />';
                if ( ( array_key_exists( 'MonLabo_perso_page_parent', $options2 ) ) && ( !empty( $options2['MonLabo_perso_page_parent'] ) ) ) {
@@ -111,11 +112,7 @@ function edit_members_form() {
                  $retval.= '</div>';
                  //
                } else {
-                 $retval .= MonLabo_admin::notice_message(
-                         'error',
-                         __( 'Erreur :', 'mon-laboratoire' ),
-                         __( "La page de rattachement des pages personnelles est mal renseignée <a href=\"admin.php?page=MonLabo_config&tab=tab_appearance\">dans les configurations générales</a>.", 'mon-laboratoire' )
-                 );
+                 $retval .= MonLabo_admin::error_MonLabo_perso_page_bad_parent();
                }
        }
        $retval .= '</fieldset>';
@@ -129,7 +126,6 @@ function edit_members_form() {
        $retval .= '<fieldset class="clear"><legend>'.__( 'Propriétés :', 'mon-laboratoire' ).'</legend>';
 
        //Dans le cas où il n'y a qu'une unité, configurer si la personne en est ou pas le directeur
-       $options0=get_option( 'MonLabo_settings_group0' );
        if ( empty( $options0['MonLabo_uses_unites'] ) ) {
                $valueDirector=__( '(co)directeur ou (co)directrice de l&apos;unité', 'mon-laboratoire' );
                $directors_of_default_unit=$MonLabo_access_data->get_directors_id_for_an_unit( MAIN_STRUCT_NO_UNIT, $status='all' );
@@ -208,7 +204,6 @@ function edit_members_form() {
 
        // Liens externes
        //---------------
-       $options0 = get_option( 'MonLabo_settings_group0' );
        if ( 'aucun' != $options0['MonLabo_publication_server_type'] ) {
                $retval .= '</fieldset><fieldset><legend>'.__( 'Publications :', 'mon-laboratoire' ).'</legend>';
                if ( ( 'hal' === $options0['MonLabo_publication_server_type'] ) or ( 'both' === $options0['MonLabo_publication_server_type'] ) ) {
@@ -235,7 +230,8 @@ function edit_members_form() {
                get_MonLabo_Members_fields_comments( 'visible' ), $member_information->visible );
        $retval .= '</fieldset>';
 
-       $options = get_option( 'MonLabo_settings_group0' );
+       // Custtom fiels
+       //--------------
        if ( isset( $options0['MonLabo_uses_custom_fields_for_staff'] ) && ( intval( $options0['MonLabo_uses_custom_fields_for_staff'] ) === 1 ) ) {
                $retval .= '</fieldset><fieldset><legend>'.__( 'Champs personnalisés :', 'mon-laboratoire' ).'</legend>';
                $options3 = get_option( 'MonLabo_settings_group3' );
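Review bot: The new section comment on L242 reads `// Custtom fiels`; it should be `// Custom fields`, matching the "Champs personnalisés" legend built on L245. Worth fixing while the lines are being touched, since the other section comments in this function are spelled correctly.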
@@ -249,6 +245,13 @@ function edit_members_form() {
                }
                $retval .= '</fieldset>';
        }
+
+       //For security
+       //------------
+       $retval .= wp_nonce_field( 'edit_members_form', 'edit_members_form_wpnonce', true, false );
+
+       // Validation
+       //------------
        $onclick = 'edit_member()';
        if ( $valeur_initiale != $nouveau_membre_string ) {
                $retval .= generate_submit_button( __( 'Modifier', 'mon-laboratoire' ), 'submit_modify_member', $onclick );
@@ -282,18 +285,19 @@ function edit_teams_form() {
 
 
        //Get team infomation. If invalid of new, return an empty object
-       if ( 0 != $team_id ) {
+       if ( !empty( $team_id ) ) {
                $team_information = $MonLabo_access_data->get_team_information( $team_id );
                //If invalid ID
                if ( NULL == $team_information ) {
-                       $team_id=0;
+                       $team_id = 0;
                }
        }
-       if ( 0 == $team_id ) {
+       if ( empty( $team_id ) ) {
                $team_information = (object) Array( 'id'=>0, 'name_en'=>'', 'name_fr'=>''
                                , 'wp_post_id'=>'', 'external_url'=>'', 'descartes_publi_team_id'=>'', 'hal_publi_team_id'=>''
                                , 'logo'=>'', 'color'=>'' );
-                               $valeur_initiale = $nouvelle_equipe_string;
+               $valeur_initiale = $nouvelle_equipe_string;
+               $team_id = 0;
        } else {
                $valeur_initiale = $teams_name[$team_id];
        }
@@ -399,6 +403,13 @@ function edit_teams_form() {
                }
                $retval .= '</fieldset>';
        }
+
+       //For security
+       //------------
+       $retval .= wp_nonce_field( 'edit_teams_form', 'edit_teams_form_wpnonce', true, false );
+
+       // Validation
+       //------------
        $onclick = 'edit_team()';
        if ( $valeur_initiale != $nouvelle_equipe_string ) {
                $retval .= generate_submit_button( __( 'Modifier', 'mon-laboratoire' ), 'submit_edit_team', $onclick );
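Review bot: The nonce field added at L292 only protects the form if the handler that processes `submit_edit_team` verifies it; this commit updates `form_edit_member_processing` with `check_admin_referer( 'edit_members_form', 'edit_members_form_wpnonce' )` in the third file, but the team, thematic, unit and structure-principale processing functions are not in this diff, so I cannot confirm they call `check_admin_referer( 'edit_teams_form', 'edit_teams_form_wpnonce' )` and its siblings. Without that call the hidden field is dead weight and the CSRF exposure is unchanged. If those handlers copy `$_POST` into `$data` the way the member handler does, also `unset( $_POST['edit_teams_form_wpnonce'] ); unset( $_POST['_wp_http_referer'] );` before the loop so the token and referer do not end up in the written record.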
@@ -414,7 +425,6 @@ function edit_teams_form() {
 }
 
 function edit_thematics_form() {
-       $options0 = get_option( 'MonLabo_settings_group0' );
        require_once( dirname( __FILE__ ) . '/includes/inc-lib-forms.php' );
        $MonLabo_access_data = New MonLabo_access_data();
 
@@ -430,16 +440,17 @@ function edit_thematics_form() {
        $thematics_name = array( '0' => $nouvelle_thematique_string ) + $thematics_name;
 
        //Get thematic information. If invalid of new, return an empty object
-       if ( 0 != $thematic_id ) {
+       if ( !empty( $thematic_id ) ) {
                $thematic_information = $MonLabo_access_data->get_thematic_information( $thematic_id );
                //If invalid ID
                if ( NULL === $thematic_information ) {
                        $thematic_id = 0;
                }
        }
-       if ( 0 === $thematic_id ) {
+       if ( empty( $thematic_id ) ) {
                $thematic_information = (object) Array( 'id'=>0, 'name_en'=>'', 'name_fr'=>'', 'wp_post_id' => ''
                                , 'logo'=>'', 'external_url'=>'', 'hal_publi_thematic_id'=>'' );
+               $thematic_id = 0;
        }
        $valeur_initiale = $thematics_name[$thematic_id];
 
@@ -487,6 +498,13 @@ function edit_thematics_form() {
                $thematic_information->logo );
 
        $retval .= '</fieldset>';
+
+       //For security
+       //------------
+       $retval .= wp_nonce_field( 'edit_thematics_form', 'edit_thematics_form_wpnonce', true, false );
+
+       // Validation
+       //------------
        $onclick = 'edit_thematic()';
        if ( $valeur_initiale != $nouvelle_thematique_string ) {
                $retval .= generate_submit_button( __( 'Modifier', 'mon-laboratoire' ), 'submit_modify_thematic', $onclick );
@@ -516,17 +534,18 @@ function edit_unites_form() {
        $units_name = array( '0' => $nouvelle_unite_string ) + $units_name;
 
        //Get unit information. If invalid of new, return an empty object
-       if ( 0 != $unit_id ) {
+       if ( !empty( $unit_id ) ) {
                $unit_information = $MonLabo_access_data->get_unit_information( $unit_id );
                //If invalid ID
                if ( NULL == $unit_information ) {
-                       $unit_id=0;
+                       $unit_id = 0;
                }
        }
-       if ( 0 == $unit_id ) {
+       if ( empty( $unit_id ) ) {
                $unit_information = (object) Array( 'id'=>0, 'code'=>'', 'affiliations'=>''
                                , 'name_en'=>'', 'name_fr'=>'', 'wp_post_id' => ''
                                , 'external_url'=>'', 'descartes_publi_unit_id'=>'', 'hal_publi_unit_id'=>'', 'logo'=>'', 'address_alt'=>'', 'contact_alt'=>'' );
+               $unit_id = 0;
        }
        $valeur_initiale = $units_name[$unit_id];
 
@@ -604,6 +623,13 @@ function edit_unites_form() {
                $unit_information->contact_alt );
 
        $retval .= '</fieldset>';
+
+       //For security
+       //------------
+       $retval .= wp_nonce_field( 'edit_unites_form', 'edit_unites_form_wpnonce', true, false );
+
+       // Validation
+       //------------
        $onclick = 'edit_unite()';
        if ( $valeur_initiale != $nouvelle_unite_string ) {
                $retval .= generate_submit_button( __( 'Modifier', 'mon-laboratoire' ), 'submit_edit_unite', $onclick );
@@ -671,6 +697,13 @@ function edit_structure_principale_form() {
                get_MonLabo_Structure_principale_fields_comments( 'directors' ), $directors_name );
        $retval .= '<br />';
        $retval .= '</fieldset>';
+
+       //For security
+       //------------
+       $retval .= wp_nonce_field( 'edit_structure_principale_form', 'edit_structure_principale_form_wpnonce', true, false );
+
+       // Validation
+       //------------
        $retval .= generate_submit_button( __( 'Modifier', 'mon-laboratoire' ), 'submit_edit_structure_principale', '' );
        $retval .= '</div></form>';
        return $retval;
@@ -680,16 +713,15 @@ function  display_advanced_features_for_mmebers() {
        require_once( dirname( __FILE__ ) . '/includes/inc-lib-forms.php' );
        $retval=form_advanced_features_for_members_processing();
        $myurl=admin_url( 'admin.php?page=MonLabo_edit_members_and_groups&tab=tab_seven' );
+       $options2=get_option( 'MonLabo_settings_group2' );
 
        $MonLabo_access_data = New MonLabo_access_data();
-       $options2=get_option( 'MonLabo_settings_group2' );
        $retval .= '  <form class="navbar-form" id="form_creer_pages_manquantes" accept-charset="utf-8" method="post"
             enctype="multipart/form-data" action="'.$myurl.'">
             <div class="form-group">';
 
        $retval .= '<h3 id="pages_manquantes">'.__( 'Créer les pages manquantes', 'mon-laboratoire' ).'</h3>';
        $retval .= '<p>'.__( 'Cet outil peut être utile pour ceux qui auraient importé une base de personnels directement dans la base de donnée de MonLabo. Il est alors nécessaire de créer les pages WordPress de chaque membre.', 'mon-laboratoire' ).'</p>';
-       $options2 = get_option( 'MonLabo_settings_group2' );
 
        if ( ( array_key_exists( 'MonLabo_perso_page_parent', $options2 ) ) && ( !empty( $options2['MonLabo_perso_page_parent'] ) ) ) {
                $members_name_actif = $MonLabo_access_data->get_persons_information( $status='actif' );
@@ -707,6 +739,7 @@ function  display_advanced_features_for_mmebers() {
                                .serialize( MonLaboLib::secured_array_keys( $members_without_wp_post_id ) )
                                .'">';
                }
+               $retval .= wp_nonce_field( 'creer_pages_manquantes_form', 'creer_pages_manquantes_form_wpnonce', true, false );
                $retval .= generate_submit_button( __( 'Créer les pages manquantes', 'mon-laboratoire' ).' ( '.count( $members_without_wp_post_id ).' )', 'submit_creer_pages_manquantes', '' );
                $retval .= '<p>'.__( 'Les personnels suivants n\'ont pas encore de page WordPress', 'mon-laboratoire' ).' : ';
                if ( !empty( $members_without_wp_post_id ) ) {
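Review bot: The nonce added at L413 covers CSRF only; the hidden field built with `serialize()` on L410 still arrives as user-controlled POST data from anyone who can reach this screen, and if `form_advanced_features_for_members_processing` (not in this diff) restores it with `unserialize()`, that is a PHP object-injection sink the nonce does nothing to close. Prefer recomputing the list of members without a page server-side in the processing function, or transport it as a JSON/comma-separated list of IDs and `intval()` each element on the way back in. The same applies to any other form in this file that round-trips serialized PHP through hidden inputs.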
@@ -715,15 +748,7 @@ function  display_advanced_features_for_mmebers() {
                        }
                }
        } else {
-         $retval .= MonLabo_admin::notice_message(
-               'error',
-               __( 'Erreur :', 'mon-laboratoire' ),
-               sprintf(
-                       __( "La page de rattachement des pages personnelles est mal renseignée %sdans les configurations générales%s.", 'mon-laboratoire' )
-                       , '<a href="admin.php?page=MonLabo_config&tab=tab_appearance">'
-                       , '</a>'
-                       )
-               );
+               $retval .= MonLabo_admin::error_MonLabo_perso_page_bad_parent();
        }
        $retval .= '<p></div>';
        $retval .= '</form>';
index 357a0af..a73fd49 100644 (file)
@@ -55,146 +55,151 @@ function form_edit_member_processing() {
        $membre_id = 0;
        //Vérification que le formulaire a bien été soumis
        if ( isset( $_POST['submit_first_name'] ) ) {
-               $membre_id = intval( $_POST['submit_id'] );
-               unset( $_POST['submit_id'] );
-               $action = sanitize_key( $_POST['action'] );
-               unset( $_POST['action'] );
-               if ( $action === 'edit' ) {
-                       $data = array();
-                       foreach ( $_POST as $key => $value ) {
-                               switch ( $key ) {
-                                       case 'submit_teams':
-                                       case 'submit_mentors':
-                                               if ( is_array($_POST[$key]) ) {
-                                                       foreach ( $_POST[$key] as $subkey => $subvalue ) {
-                                                               $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+               //Security verification by nonce
+               if( check_admin_referer( 'edit_members_form', 'edit_members_form_wpnonce' ) ) {
+                       unset( $_POST['edit_members_form_wpnonce'] );
+                       unset( $_POST['_wp_http_referer'] );
+                       $membre_id = intval( $_POST['submit_id'] );
+                       unset( $_POST['submit_id'] );
+                       $action = sanitize_key( $_POST['action'] );
+                       unset( $_POST['action'] );
+                       if ( $action === 'edit' ) {
+                               $data = array();
+                               foreach ( $_POST as $key => $value ) {
+                                       switch ( $key ) {
+                                               case 'submit_teams':
+                                               case 'submit_mentors':
+                                                       if ( is_array($_POST[$key]) ) {
+                                                               foreach ( $_POST[$key] as $subkey => $subvalue ) {
+                                                                       $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+                                                               }
+                                                       } else {
+                                                               $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
                                                        }
-                                               } else {
-                                                       $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
-                                               }
-                                               break;
-                                       default:
-                                               //echo $key.'<br />';
-                                               $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
-                                               break;
+                                                       break;
+                                               default:
+                                                       //echo $key.'<br />';
+                                                       $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
+                                                       break;
+                                       }
                                }
-                       }
-                       if ( !isset( $data['teams'] ) ) {
-                               //Si aucune équipe n'est renseignée, bien passer un tableau vide.
-                               $data['teams'] = array();
-                       }
-                       if ( !isset( $data['mentors'] ) ) {
-                               //Si aucun mentor n'est renseigné, bien passer un tableau vide.
-                               $data['mentors'] = array();
-                       }
-                       if ( !isset( $data['students'] ) ) {
-                               //Si aucun étudiant n'est renseigné, bien passer un tableau vide.
-                               $data['students'] = array();
-                       }
-                       if ( ( !empty( $data['edition_wp_post_id'] ) ) and ( $data['wp_post_id'] ) === '0' ) {
-                         //Si wp_post_id est édité, le remplacer par l'url du champs en question
-                         $data['wp_post_id'] = $data['edition_wp_post_id'];
-                       }
-                       unset( $data['edition_wp_post_id'] );
-
-                       if ( empty( $data['fonction'] ) ) {
-                         $data['fonction'] = ' |  | ';
-                       }
-                       $f = explode( ' | ', $data['fonction'] );
-                       if ( ( empty( $data['category'] ) ) and ( '' != $f[0] ) ) {
-                         $data['category'] = $f[0];
-                       }
-                       if ( !isset( $f[1] ) ) { $f[1] = ''; }
-                       if ( !isset( $f[2] ) ) { $f[2] = ''; }
-                       if ( $f[1] === '' && $f[2] === '' ) { //Si rien n'est envoyé en argument, ne pas mettre à jour.
-                         unset( $data['function_en'] );
-                         unset( $data['function_fr'] );
-                       } elseif ( $data['function_en'] === '' && $data['function_fr'] === '' ) {
-                               $data['function_en'] = $f[1];
-                               $data['function_fr'] = $f[2];
-                       }
-                       unset( $data['fonction'] );
-
-                       //Dans le cas où il n'y a qu'une unité, configurer si la personne en est ou pas le directeur
-                       $options0 = get_option( 'MonLabo_settings_group0' );
-                       if ( empty( $options0['MonLabo_uses_unites'] ) ) {
-                               if ( !empty( $data['is_director'] ) ) {
-                                       //On ajoute la personne comme directeur de la structure principale
-                                       $MonLabo_access_data->add_director_to_an_unit ( $membre_id, MAIN_STRUCT_NO_UNIT );
-                               } else {
-                                       $MonLabo_access_data->remove_director_from_an_unit( $membre_id, MAIN_STRUCT_NO_UNIT );
+                               if ( !isset( $data['teams'] ) ) {
+                                       //Si aucune équipe n'est renseignée, bien passer un tableau vide.
+                                       $data['teams'] = array();
                                }
-                       }
-                       if ( isset( $data['is_director'] ) ) {
-                               unset( $data['is_director'] );
-                       }
-                       if ( 0 === $membre_id ) { // ajout d'un membre
-                               //Création de la page personnelle
-                               //-------------------------------
-                               $options = get_option( 'MonLabo_settings_group2' );
-                               $wp_title = $data['first_name'].' '.mb_strtoupper( $data['last_name'], 'UTF-8' );
-                               $wp_post = array( 'post_content'   => '[perso_panel][publications_list]', // The full text of the post.
-                               'post_title'     => $wp_title, // The title of your post.
-                               'post_status'   => 'publish', // Default 'draft'.
-                               'post_type'       => 'page', // Default 'post'.
-                               'post_parent'   => $options['MonLabo_perso_page_parent'] // Sets the parent of the new post.
-                               );
-                               $wp_post_id = wp_insert_post( $wp_post );
-
-                               if ( ( 0 === $wp_post_id ) or ( is_wp_error( $wp_post_id ) ) )  {
-                                       return Array( MonLabo_admin::notice_message( 'error', 'Echec:', 'Impossible de créer la page personnelle.' ), NULL, NULL );
+                               if ( !isset( $data['mentors'] ) ) {
+                                       //Si aucun mentor n'est renseigné, bien passer un tableau vide.
+                                       $data['mentors'] = array();
                                }
-                               update_post_meta( $wp_post_id, '_theme_show_page_title', '0' ); //Do not show title
-
-                               //Modification de l'image en une de la page WordPress
-                               //---------------------------------------------------
-                               if ( $wp_post_id>0 ){ //Si la page existe
-                                 if ( ( '__no_change__' != $data['image_attachment_id'] ) and ( $data['image_attachment_id']>0 ) ) { //Si une nouvelle image est fournie
-                                       set_post_thumbnail( $wp_post_id, $data['image_attachment_id'] ); //Changer l'image à la une de cette page.
-                                 }
+                               if ( !isset( $data['students'] ) ) {
+                                       //Si aucun étudiant n'est renseigné, bien passer un tableau vide.
+                                       $data['students'] = array();
+                               }
+                               if ( ( !empty( $data['edition_wp_post_id'] ) ) and ( $data['wp_post_id'] ) === '0' ) {
+                                 //Si wp_post_id est édité, le remplacer par l'url du champs en question
+                                 $data['wp_post_id'] = $data['edition_wp_post_id'];
                                }
-                               unset( $data['image_attachment_id'] );
-                               unset( $data['image_attachment_url'] );
+                               unset( $data['edition_wp_post_id'] );
 
-                               // Création de la ligne dans la table MonLabo_members
-                               //---------------------------------------------------
-                               $data['wp_post_id'] = $wp_post_id;
-                               $membre_id = $MonLabo_access_data->insert_person( $data );
-
-                               return Array(
-                                                         MonLabo_admin::notice_message( 'info', '', sprintf( __( "Page %s crée.", 'mon-laboratoire' ), "<a href='".get_permalink( $wp_post_id )."'>". $wp_title . "</a>" ) ),
-                                                         NULL /*Renvoie sur un nouveau membre*/,
-                                                         $wp_post_id
-                                                       );
-
-                       } else { // édition d'un membre
-                               //Modification de l'image en une de la page WordPress
-                               //---------------------------------------------------
-                               if ( '0' != $data['wp_post_id'] ){ //Si la page existe
-                                 if ( ( '__no_change__' != $data['image_attachment_id'] ) and ( $data['image_attachment_id']>0 ) ) { //Si une nouvelle image est fournie
-                                       set_post_thumbnail( $data['wp_post_id'], $data['image_attachment_id'] ); //Changer l'image à la une de cette page.
-                                 }
+                               if ( empty( $data['fonction'] ) ) {
+                                 $data['fonction'] = ' |  | ';
+                               }
+                               $f = explode( ' | ', $data['fonction'] );
+                               if ( ( empty( $data['category'] ) ) and ( '' != $f[0] ) ) {
+                                 $data['category'] = $f[0];
+                               }
+                               if ( !isset( $f[1] ) ) { $f[1] = ''; }
+                               if ( !isset( $f[2] ) ) { $f[2] = ''; }
+                               if ( $f[1] === '' && $f[2] === '' ) { //Si rien n'est envoyé en argument, ne pas mettre à jour.
+                                 unset( $data['function_en'] );
+                                 unset( $data['function_fr'] );
+                               } elseif ( $data['function_en'] === '' && $data['function_fr'] === '' ) {
+                                       $data['function_en'] = $f[1];
+                                       $data['function_fr'] = $f[2];
+                               }
+                               unset( $data['fonction'] );
+
+                               //Dans le cas où il n'y a qu'une unité, configurer si la personne en est ou pas le directeur
+                               $options0 = get_option( 'MonLabo_settings_group0' );
+                               if ( empty( $options0['MonLabo_uses_unites'] ) ) {
+                                       if ( !empty( $data['is_director'] ) ) {
+                                               //On ajoute la personne comme directeur de la structure principale
+                                               $MonLabo_access_data->add_director_to_an_unit ( $membre_id, MAIN_STRUCT_NO_UNIT );
+                                       } else {
+                                               $MonLabo_access_data->remove_director_from_an_unit( $membre_id, MAIN_STRUCT_NO_UNIT );
+                                       }
+                               }
+                               if ( isset( $data['is_director'] ) ) {
+                                       unset( $data['is_director'] );
                                }
-                               unset( $data['image_attachment_id'] );
-                               unset( $data['image_attachment_url'] );
+                               if ( 0 === $membre_id ) { // ajout d'un membre
+                                       //Création de la page personnelle
+                                       //-------------------------------
+                                       $options = get_option( 'MonLabo_settings_group2' );
+                                       $wp_title = $data['first_name'].' '.mb_strtoupper( $data['last_name'], 'UTF-8' );
+                                       $wp_post = array( 'post_content'   => '[perso_panel][publications_list]', // The full text of the post.
+                                       'post_title'     => $wp_title, // The title of your post.
+                                       'post_status'   => 'publish', // Default 'draft'.
+                                       'post_type'       => 'page', // Default 'post'.
+                                       'post_parent'   => $options['MonLabo_perso_page_parent'] // Sets the parent of the new post.
+                                       );
+                                       $wp_post_id = wp_insert_post( $wp_post );
+
+                                       if ( ( 0 === $wp_post_id ) or ( is_wp_error( $wp_post_id ) ) )  {
+                                               return Array( MonLabo_admin::notice_message( 'error', 'Echec:', 'Impossible de créer la page personnelle.' ), NULL, NULL );
+                                       }
+                                       update_post_meta( $wp_post_id, '_theme_show_page_title', '0' ); //Do not show title
+
+                                       //Modification de l'image en une de la page WordPress
+                                       //---------------------------------------------------
+                                       if ( $wp_post_id>0 ){ //Si la page existe
+                                         if ( ( '__no_change__' != $data['image_attachment_id'] ) and ( $data['image_attachment_id']>0 ) ) { //Si une nouvelle image est fournie
+                                               set_post_thumbnail( $wp_post_id, $data['image_attachment_id'] ); //Changer l'image à la une de cette page.
+                                         }
+                                       }
+                                       unset( $data['image_attachment_id'] );
+                                       unset( $data['image_attachment_url'] );
+
+                                       // Création de la ligne dans la table MonLabo_members
+                                       //---------------------------------------------------
+                                       $data['wp_post_id'] = $wp_post_id;
+                                       $membre_id = $MonLabo_access_data->insert_person( $data );
+
+                                       return Array(
+                                                                 MonLabo_admin::notice_message( 'info', '', sprintf( __( "Page %s crée.", 'mon-laboratoire' ), "<a href='".get_permalink( $wp_post_id )."'>". $wp_title . "</a>" ) ),
+                                                                 NULL /*Renvoie sur un nouveau membre*/,
+                                                                 $wp_post_id
+                                                               );
+
+                               } else { // édition d'un membre
+                                       //Modification de l'image en une de la page WordPress
+                                       //---------------------------------------------------
+                                       if ( '0' != $data['wp_post_id'] ){ //Si la page existe
+                                         if ( ( '__no_change__' != $data['image_attachment_id'] ) and ( $data['image_attachment_id']>0 ) ) { //Si une nouvelle image est fournie
+                                               set_post_thumbnail( $data['wp_post_id'], $data['image_attachment_id'] ); //Changer l'image à la une de cette page.
+                                         }
+                                       }
+                                       unset( $data['image_attachment_id'] );
+                                       unset( $data['image_attachment_url'] );
 
-                               // Modification de la ligne dans la table MonLabo_members
-                               //-------------------------------------------------------
-                               $MonLabo_access_data->update_person( $membre_id, $data );
-                       }
-               } elseif ( 'remove' === $action ) {  // suppression d'un membre
-                       // Passage de la page personnelle en brouillon
-                       //--------------------------------------------
-                       $person_information = $MonLabo_access_data->get_person_information( $membre_id );
-                       if ( property_exists( $person_information, 'wp_post_id' ) ) {
-                               $my_post = array(
-                                       'ID'               => $person_information->wp_post_id,
-                                       'post_status'  => 'draft'
-                               );
-                               wp_update_post( $my_post );
-                               // Suppression de la ligne dans la table MonLabo_members
-                               //------------------------------------------------------
-                               $MonLabo_access_data->delete_person( $membre_id );
+                                       // Modification de la ligne dans la table MonLabo_members
+                                       //-------------------------------------------------------
+                                       $MonLabo_access_data->update_person( $membre_id, $data );
+                               }
+                       } elseif ( 'remove' === $action ) {  // suppression d'un membre
+                               // Passage de la page personnelle en brouillon
+                               //--------------------------------------------
+                               $person_information = $MonLabo_access_data->get_person_information( $membre_id );
+                               if ( property_exists( $person_information, 'wp_post_id' ) ) {
+                                       $my_post = array(
+                                               'ID'               => $person_information->wp_post_id,
+                                               'post_status'  => 'draft'
+                                       );
+                                       wp_update_post( $my_post );
+                                       // Suppression de la ligne dans la table MonLabo_members
+                                       //------------------------------------------------------
+                                       $MonLabo_access_data->delete_person( $membre_id );
+                               }
                        }
                }
        }
@@ -227,52 +232,57 @@ function form_edit_team_processing() {
                $action = sanitize_key( $_POST['action'] );
                unset( $_POST['action'] );
 
-               if ( 'edit' === $action ) {
-                       $data = array();
-                       foreach ( $_POST as $key => $value ) {
-                               switch ( $key ) {
-                                       case 'submit_leaders':
-                                       case 'submit_thematics':
-                                               if ( is_array($_POST[$key]) ) {
-                                                       foreach ( $_POST[$key] as $subkey => $subvalue ) {
-                                                               $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+               //Security verification by nonce
+               if( check_admin_referer( 'edit_teams_form', 'edit_teams_form_wpnonce' ) ) {
+                       unset( $_POST['edit_teams_form_wpnonce'] );
+                       unset( $_POST['_wp_http_referer'] );
+                       if ( 'edit' === $action ) {
+                               $data = array();
+                               foreach ( $_POST as $key => $value ) {
+                                       switch ( $key ) {
+                                               case 'submit_leaders':
+                                               case 'submit_thematics':
+                                                       if ( is_array($_POST[$key]) ) {
+                                                               foreach ( $_POST[$key] as $subkey => $subvalue ) {
+                                                                       $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+                                                               }
+                                                       } else {
+                                                               $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
                                                        }
-                                               } else {
-                                                       $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
-                                               }
-                                               break;
-                                       default:
-                                               $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
-                                               break;
+                                                       break;
+                                               default:
+                                                       $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
+                                                       break;
+                                       }
+                               }
+                               if ( !isset( $data['leaders'] ) ) {
+                                       //Si aucun leader n'est renseigné, bien passer un tableau vide.
+                                       $data['leaders'] = array();
+                               }
+                               if ( !isset( $data['thematics'] ) ) {
+                                       //Si aucune thematique n'est renseignée, bien passer un tableau vide.
+                                       $data['thematics'] = array();
                                }
-                       }
-                       if ( !isset( $data['leaders'] ) ) {
-                               //Si aucun leader n'est renseigné, bien passer un tableau vide.
-                               $data['leaders'] = array();
-                       }
-                       if ( !isset( $data['thematics'] ) ) {
-                               //Si aucune thematique n'est renseignée, bien passer un tableau vide.
-                               $data['thematics'] = array();
-                       }
 
-                       if ( 0 === $team_id ) { // ajout d'une équipe
-                               // Création de la ligne dans la table MonLabo_teams
-                               $team_id_if_created = $MonLabo_access_data->insert_team( $data );
-                               return Array(
-                                                         MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle équipe crée (ID=%u).', 'mon-laboratoire' ), $team_id_if_created ) ),
-                                                         NULL /*Renvoie sur une nouvelle équipe */,
-                                                         $team_id_if_created
-                                                       );
-                       } else { // éditon d'une équipe
-                               // Modification de la ligne dans la table MonLabo_teams
-                               //-----------------------------------------------------
-                               $MonLabo_access_data->update_team( $team_id, $data );
-                       }
-               } else {
-                       if ( 'remove' === $action ) {  // suppression d'un membre
-                               // Suppression de la ligne dans la table MonLabo_teams
-                               //----------------------------------------------------
-                               $MonLabo_access_data->delete_team( $team_id );
+                               if ( 0 === $team_id ) { // ajout d'une équipe
+                                       // Création de la ligne dans la table MonLabo_teams
+                                       $team_id_if_created = $MonLabo_access_data->insert_team( $data );
+                                       return Array(
+                                                                 MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle équipe crée (ID=%u).', 'mon-laboratoire' ), $team_id_if_created ) ),
+                                                                 NULL /*Renvoie sur une nouvelle équipe */,
+                                                                 $team_id_if_created
+                                                               );
+                               } else { // éditon d'une équipe
+                                       // Modification de la ligne dans la table MonLabo_teams
+                                       //-----------------------------------------------------
+                                       $MonLabo_access_data->update_team( $team_id, $data );
+                               }
+                       } else {
+                               if ( 'remove' === $action ) {  // suppression d'un membre
+                                       // Suppression de la ligne dans la table MonLabo_teams
+                                       //----------------------------------------------------
+                                       $MonLabo_access_data->delete_team( $team_id );
+                               }
                        }
                }
        }
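Review bot: The `foreach ( $_POST as $key => $value )` loop under the new nonce guard still copies every remaining POST field into `$data` with only the `submit_` prefix stripped, so any extra key a client adds travels into `insert_team( $data )` / `update_team( $team_id, $data )`; whether that matters depends on how those methods build their queries, which is outside this hunk, but an allow-list in front of the loop, e.g. `if ( ! in_array( $key, $expected_team_fields, true ) ) { continue; }` with `$expected_team_fields` listing the form's known `submit_*` names, would close the question. `check_admin_referer()` verifies that the request came from the form (CSRF), not that the current user may edit teams; the function head is outside this hunk, so please confirm a `current_user_can()` check precedes it. On failure `check_admin_referer()` terminates the request via `wp_nonce_ays()`, so the `if( check_admin_referer( ... ) )` wrapper never takes a false path — a comment such as `// check_admin_referer() dies on an invalid nonce; the if only scopes the handling` would stop readers looking for a fallback. All three observations apply equally to the thematic, unit and structure-principale hunks that follow.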
@@ -304,29 +314,35 @@ function form_edit_thematic_processing() {
                unset( $_POST['submit_id'] );
                $action = sanitize_key( $_POST['action'] );
                unset( $_POST['action'] );
-               if ( 'edit' === $action ) {
-                       $data = array();
-                       foreach ( $_POST as $key => $value ) {
-                               $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
-                       }
-                       if ( 0 === $thematic_id ) { // ajout d'une thématique
-                               // Création de la ligne dans la table MonLabo_thematics
-                               //-------------------------------------------------------
-                               $thematic_id_if_created = $MonLabo_access_data->insert_thematic( $data );
-                               return Array(
-                                                         MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle thématique crée (ID=%u).', 'mon-laboratoire' ), $thematic_id_if_created ) ),
-                                                         NULL /*Renvoie sur une nouvelle thématique*/,
-                                                         $thematic_id_if_created
-                                                       );
-                       } else {
-                               // Modification de la ligne dans la table MonLabo_thematics
-                               //-----------------------------------------------------------
-                               $MonLabo_access_data->update_thematic( $thematic_id, $data );
+
+               //Security verification by nonce
+               if( check_admin_referer( 'edit_thematics_form', 'edit_thematics_form_wpnonce' ) ) {
+                       unset( $_POST['edit_thematics_form_wpnonce'] );
+                       unset( $_POST['_wp_http_referer'] );
+                       if ( 'edit' === $action ) {
+                               $data = array();
+                               foreach ( $_POST as $key => $value ) {
+                                       $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
+                               }
+                               if ( 0 === $thematic_id ) { // ajout d'une thématique
+                                       // Création de la ligne dans la table MonLabo_thematics
+                                       //-------------------------------------------------------
+                                       $thematic_id_if_created = $MonLabo_access_data->insert_thematic( $data );
+                                       return Array(
+                                                                 MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle thématique crée (ID=%u).', 'mon-laboratoire' ), $thematic_id_if_created ) ),
+                                                                 NULL /*Renvoie sur une nouvelle thématique*/,
+                                                                 $thematic_id_if_created
+                                                               );
+                               } else {
+                                       // Modification de la ligne dans la table MonLabo_thematics
+                                       //-----------------------------------------------------------
+                                       $MonLabo_access_data->update_thematic( $thematic_id, $data );
+                               }
+                       } elseif ( 'remove' === $action ) {  // suppression d'un membre
+                                       // Suppression de la ligne dans la table MonLabo_thematics
+                                       //----------------------------------------------------------
+                                       $MonLabo_access_data->delete_thematic( $thematic_id );
                        }
-               } elseif ( 'remove' === $action ) {  // suppression d'un membre
-                               // Suppression de la ligne dans la table MonLabo_thematics
-                               //----------------------------------------------------------
-                               $MonLabo_access_data->delete_thematic( $thematic_id );
                }
        }
        //En cas de rechargement de la page, récupérer le paramètre dans l'URL
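Review bot: The comment on the new `} elseif ( 'remove' === $action ) {  // suppression d'un membre` line is carried over from the member handler: this branch deletes a thematic, and the team and unit handlers' `remove` branches carry the same mislabel; `// suppression d'une thématique` here (and the matching wording in the other two) keeps the next reader from hunting for member code. As a point of style, the three lines of that `elseif` body are indented one tab deeper than the `elseif` itself, and the unit handler's `remove` body has the same extra level; aligning them with the `if ( 'edit' === $action )` body makes the branch structure readable at a glance. form_edit_thematic_processing begins outside this hunk.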
@@ -358,47 +374,52 @@ function form_edit_unite_processing() {
                $action = sanitize_key( $_POST['action'] );
                unset( $_POST['action'] );
 
-               if ( 'edit' === $action ) {
-                       $data = array();
-                       foreach ( $_POST as $key => $value ) {
-                               switch ( $key ) {
-                                       case 'submit_directors':
-                                               if ( is_array($_POST[$key]) ) {
-                                                       foreach ( $_POST[$key] as $subkey => $subvalue ) {
-                                                               $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+               //Security verification by nonce
+               if( check_admin_referer( 'edit_unites_form', 'edit_unites_form_wpnonce' ) ) {
+                       unset( $_POST['edit_unites_form_wpnonce'] );
+                       unset( $_POST['_wp_http_referer'] );
+                       if ( 'edit' === $action ) {
+                               $data = array();
+                               foreach ( $_POST as $key => $value ) {
+                                       switch ( $key ) {
+                                               case 'submit_directors':
+                                                       if ( is_array($_POST[$key]) ) {
+                                                               foreach ( $_POST[$key] as $subkey => $subvalue ) {
+                                                                       $data[str_replace( 'submit_', '', $key )][$subkey] = intval( $_POST[$key][$subkey] );
+                                                               }
+                                                       } else {
+                                                               $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
                                                        }
-                                               } else {
-                                                       $data[str_replace( 'submit_', '', $key )] = sanitize_text_field( $_POST[$key] );
-                                               }
-                                               break;
-                                       default:
-                                               $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
-                                               break;
+                                                       break;
+                                               default:
+                                                       $data[str_replace( 'submit_', '', $key )] = getPOSTstring( $key );
+                                                       break;
+                                       }
+                               }
+                               if ( !isset( $data['directors'] ) ) {
+                                       //Si aucun directeur n'est renseigné, bien passer un tableau vide.
+                                       $data['directors'] = array();
                                }
-                       }
-                       if ( !isset( $data['directors'] ) ) {
-                               //Si aucun directeur n'est renseigné, bien passer un tableau vide.
-                               $data['directors'] = array();
-                       }
 
-                       if ( 0 === $unite_id ) { // ajout d'une unité
-                               // Création de la ligne dans la table MonLabo_units
-                               //-------------------------------------------------------
-                               $unit_id_if_created = $MonLabo_access_data->insert_unit( $data );
-                               return Array(
-                                                         MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle unité crée (ID=%u).', 'mon-laboratoire' ), $unit_id_if_created ) ),
-                                                         NULL /*Renvoie sur une nouvelle unité */,
-                                                         $unit_id_if_created
-                                                       );
-                       } else {
-                               // Modification de la ligne dans la table MonLabo_units
-                               //-----------------------------------------------------------
-                               $MonLabo_access_data->update_unit( $unite_id, $data );
+                               if ( 0 === $unite_id ) { // ajout d'une unité
+                                       // Création de la ligne dans la table MonLabo_units
+                                       //-------------------------------------------------------
+                                       $unit_id_if_created = $MonLabo_access_data->insert_unit( $data );
+                                       return Array(
+                                                                 MonLabo_admin::notice_message( 'info', '', sprintf( __( 'Nouvelle unité crée (ID=%u).', 'mon-laboratoire' ), $unit_id_if_created ) ),
+                                                                 NULL /*Renvoie sur une nouvelle unité */,
+                                                                 $unit_id_if_created
+                                                               );
+                               } else {
+                                       // Modification de la ligne dans la table MonLabo_units
+                                       //-----------------------------------------------------------
+                                       $MonLabo_access_data->update_unit( $unite_id, $data );
+                               }
+                       } elseif ( 'remove' === $action ) {  // suppression d'un membre
+                                       // Suppression de la ligne dans la table MonLabo_units
+                                       //----------------------------------------------------------
+                                       $MonLabo_access_data->delete_unit( $unite_id );
                        }
-               } elseif ( 'remove' === $action ) {  // suppression d'un membre
-                               // Suppression de la ligne dans la table MonLabo_units
-                               //----------------------------------------------------------
-                               $MonLabo_access_data->delete_unit( $unite_id );
                }
        }
        //En cas de rechargement de la page, récupérer le paramètre dans l'URL
@@ -418,45 +439,50 @@ function form_edit_structure_principale_processing() {
        //Vérification que le formulaire a bien été soumis
        if ( isset( $_POST['submit_nom'] ) ) {
                unset( $_POST['not_used'] );
-               $options1 = get_option( 'MonLabo_settings_group1' );
-               $data = array();
-               foreach ( $_POST as $key => $value ) {
-                       switch ( $key ) {
-                               case 'submit_nom':
-                               case 'submit_code':
-                               case 'submit_prefixe_tel':
-                               case 'submit_hal_publi_struct_id':
-                                       $options1[str_replace( 'submit_', 'MonLabo_', $key )] = sanitize_text_field( $value );
-                                       break;
-                               case 'submit_contact':
-                               case 'submit_adresse':
-                                       $options1[str_replace( 'submit_', 'MonLabo_', $key )] = sanitize_textarea_field( $value );
-                                       break;
+               //Security verification by nonce
+               if( check_admin_referer( 'edit_structure_principale_form', 'edit_structure_principale_form_wpnonce' ) ) {
+                       unset( $_POST['edit_structure_principale_form_wpnonce'] );
+                       unset( $_POST['_wp_http_referer'] );
+                       $options1 = get_option( 'MonLabo_settings_group1' );
+                       $data = array();
+                       foreach ( $_POST as $key => $value ) {
+                               switch ( $key ) {
+                                       case 'submit_nom':
+                                       case 'submit_code':
+                                       case 'submit_prefixe_tel':
+                                       case 'submit_hal_publi_struct_id':
+                                               $options1[str_replace( 'submit_', 'MonLabo_', $key )] = sanitize_text_field( $value );
+                                               break;
+                                       case 'submit_contact':
+                                       case 'submit_adresse':
+                                               $options1[str_replace( 'submit_', 'MonLabo_', $key )] = sanitize_textarea_field( $value );
+                                               break;
+                               }
                        }
-               }
 
-               update_option( 'MonLabo_settings_group1', $options1 );
-               $options1 = get_option( 'MonLabo_settings_group1' );
+                       update_option( 'MonLabo_settings_group1', $options1 );
+                       $options1 = get_option( 'MonLabo_settings_group1' );
 
-               //Gestion des directeurs
-               $MonLabo_access_data = New MonLabo_access_data();
-               $data = array();
-               if ( !isset( $_POST['submit_directors'] ) ) {
-                       //Si aucun directeur n'est renseigné, bien passer un tableau vide.
-                       $data['directors'] = array();
-               } else {
-                       if (is_array( $_POST['submit_directors'] ) ) {
-                               foreach ( $_POST['submit_directors'] as $key => $value) {
-                                       $data['directors'][$key]= intval( $value );
-                               }
+                       //Gestion des directeurs
+                       $MonLabo_access_data = New MonLabo_access_data();
+                       $data = array();
+                       if ( !isset( $_POST['submit_directors'] ) ) {
+                               //Si aucun directeur n'est renseigné, bien passer un tableau vide.
+                               $data['directors'] = array();
                        } else {
-                               $data['directors']= sanitize_text_field( $_POST['submit_directors'] );
+                               if (is_array( $_POST['submit_directors'] ) ) {
+                                       foreach ( $_POST['submit_directors'] as $key => $value) {
+                                               $data['directors'][$key]= intval( $value );
+                                       }
+                               } else {
+                                       $data['directors']= sanitize_text_field( $_POST['submit_directors'] );
+                               }
                        }
-               }
 
-               // Modification de la ligne dans la table MonLabo_units
-               //-----------------------------------------------------------
-               $MonLabo_access_data->update_unit( MAIN_STRUCT_NO_UNIT, $data );
+                       // Modification de la ligne dans la table MonLabo_units
+                       //-----------------------------------------------------------
+                       $MonLabo_access_data->update_unit( MAIN_STRUCT_NO_UNIT, $data );
+               }
        }
 }
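Review bot: The nonce check added with `check_admin_referer( 'edit_structure_principale_form', ... )` verifies request intent but not authorization; if this processing function can run outside the menu-page callback (which is not visible here), a capability test such as `if ( ! current_user_can( 'manage_options' ) ) { return; }` belongs in front of it, using whatever capability the admin page is registered with. Also, `check_admin_referer()` terminates the request through `wp_nonce_ays()` when verification fails, so the wrapping `if` never takes a false branch; a bare `check_admin_referer( ... );` statement followed by the body at its previous indentation would make this hunk a two-line change instead of a full re-indentation. The `$data = array();` placed right after `$options1 = get_option( 'MonLabo_settings_group1' );` is never read before it is reassigned in the directors section and can be dropped. The function's signature is outside the hunk.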
 
@@ -466,50 +492,56 @@ function form_edit_structure_principale_processing() {
 function form_advanced_features_for_members_processing() {
   $retval = '';
   if ( isset( $_POST['create_missing_pages_submit_ids'] ) ) {
-       $ids_to_create_page = ( unserialize( sanitize_text_field( $_POST['create_missing_pages_submit_ids'] ) ) );
-       if ( !empty( $ids_to_create_page ) ) {
-         foreach ( $ids_to_create_page as $id ) {
-               $id = intval( $id );
-               if ( !empty( $id ) ) {
-                 $MonLabo_access_data = New MonLabo_access_data();
-                 $member = $MonLabo_access_data->get_person_information( $id );
-                 if ( !empty( $member ) ) {
-
-
-                       //Création de la page personnelle
-                       //-------------------------------
-                       $options2 = get_option( 'MonLabo_settings_group2' );
-                       $wp_title = $member->first_name.' '.mb_strtoupper( $member->last_name, 'UTF-8' );
-                       $wp_post = array( 'post_content'   => '[perso_panel][publications_list]', // The full text of the post.
-                       'post_title'     => $wp_title, // The title of your post.
-                       'post_status'   => 'publish', // Default 'draft'.
-                       'post_type'       => 'page', // Default 'post'.
-                       'post_parent'   => $options2['MonLabo_perso_page_parent'] // Sets the parent of the new post.
-                       );
-
-                       $wp_post_id = wp_insert_post( $wp_post );
-                       $retval .=   MonLabo_admin::notice_message(
-                               'info',
-                               '',
-                               sprintf( __( 'Page de personnel crée (%s - %s)', 'mon-laboratoire' ),
-                               $wp_title,
-                               "<a href='".get_edit_post_link( $wp_post_id )."'>".__( 'éditer la page', 'mon-laboratoire'
-                       ).'</a>' ) );
-                       if ( ( 0 === $wp_post_id ) or ( is_wp_error( $wp_post_id ) ) )  {
-                               return MonLabo_admin::notice_message( 'error', 'Echec:', 'Impossible de créer la page personnelle.' );
-                       }
-                       update_post_meta( $wp_post_id, '_theme_show_page_title', '0' ); //Do not show title
+       //Security verification by nonce
+       if( check_admin_referer( 'creer_pages_manquantes_form', 'creer_pages_manquantes_form_wpnonce' ) ) {
+               unset( $_POST['creer_pages_manquantes_form_wpnonce'] );
+               unset( $_POST['_wp_http_referer'] );
 
-                       // Modification de la ligne dans la table MonLabo_members
-                       //-------------------------------------------------------
-                       $data = array();
-                       $data['id'] = $id;
-                       $data['wp_post_id'] = $wp_post_id;
-                       $MonLabo_access_data->update_person( $id, $data );
+               $ids_to_create_page = ( unserialize( sanitize_text_field( $_POST['create_missing_pages_submit_ids'] ) ) );
+               if ( !empty( $ids_to_create_page ) ) {
+                 foreach ( $ids_to_create_page as $id ) {
+                       $id = intval( $id );
+                       if ( !empty( $id ) ) {
+                         $MonLabo_access_data = New MonLabo_access_data();
+                         $member = $MonLabo_access_data->get_person_information( $id );
+                         if ( !empty( $member ) ) {
+
+
+                               //Création de la page personnelle
+                               //-------------------------------
+                               $options2 = get_option( 'MonLabo_settings_group2' );
+                               $wp_title = $member->first_name.' '.mb_strtoupper( $member->last_name, 'UTF-8' );
+                               $wp_post = array( 'post_content'   => '[perso_panel][publications_list]', // The full text of the post.
+                               'post_title'     => $wp_title, // The title of your post.
+                               'post_status'   => 'publish', // Default 'draft'.
+                               'post_type'       => 'page', // Default 'post'.
+                               'post_parent'   => $options2['MonLabo_perso_page_parent'] // Sets the parent of the new post.
+                               );
+
+                               $wp_post_id = wp_insert_post( $wp_post );
+                               $retval .=   MonLabo_admin::notice_message(
+                                       'info',
+                                       '',
+                                       sprintf( __( 'Page de personnel crée (%s - %s)', 'mon-laboratoire' ),
+                                       $wp_title,
+                                       "<a href='".get_edit_post_link( $wp_post_id )."'>".__( 'éditer la page', 'mon-laboratoire'
+                               ).'</a>' ) );
+                               if ( ( 0 === $wp_post_id ) or ( is_wp_error( $wp_post_id ) ) )  {
+                                       return MonLabo_admin::notice_message( 'error', 'Echec:', 'Impossible de créer la page personnelle.' );
+                               }
+                               update_post_meta( $wp_post_id, '_theme_show_page_title', '0' ); //Do not show title
+
+                               // Modification de la ligne dans la table MonLabo_members
+                               //-------------------------------------------------------
+                               $data = array();
+                               $data['id'] = $id;
+                               $data['wp_post_id'] = $wp_post_id;
+                               $MonLabo_access_data->update_person( $id, $data );
 
+                         }
+                       }
                  }
                }
-         }
        }
   }
   return $retval;
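Review bot: `unserialize()` is still applied to `$_POST['create_missing_pages_submit_ids']` on the new side (the line after the two `unset()` calls), and the nonce added above it only shows the request came from the plugin's own form — it does not make request-supplied serialized data safe to deserialize, because `unserialize()` on attacker-controlled input can instantiate arbitrary loaded classes (PHP object injection). The field is a list of member ids, so it should travel in a format that cannot carry objects: emit it as a comma-separated list and read it back with `$ids_to_create_page = array_map( 'intval', explode( ',', sanitize_text_field( wp_unslash( $_POST['create_missing_pages_submit_ids'] ) ) ) );`, or if the serialized form must stay for now, at least call `unserialize( ..., array( 'allowed_classes' => false ) )`. Separately, the info notice is appended to `$retval` before the `wp_insert_post()` result is checked, so a failed insert first records a success message and then returns only the error notice. The function's closing brace is outside the hunk.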
index 013123f..48352a7 100644 (file)
@@ -130,8 +130,7 @@ function generate_table_admin_for_teams() {
        if ( '0' != $number_of_teams ) {
                foreach ( $teams_information as $team_information ) {
                        $team_array = array();
-                       $team_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_two">'
-                                                                       .'<input type="hidden" name="submit_equipe" value="'.$team_information->id.'">'
+                       $team_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_two&submit_item='.$team_information->id.'">'
                                                                        .'<button type="submit">'.__( 'Modifier', 'mon-laboratoire' ).'</button></form>';
                        $team_array['id'] = $team_information->id;
                        $team_array['name_fr'] = '<small>'.$team_information->name_fr.'</small>';
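Review bot: The new `action` attribute concatenates `$team_information->id` straight into the URL and the HTML attribute without escaping, and the same pattern appears in the `generate_table_admin_for_thematics` and `generate_table_admin_for_units` hunks below. The value presumably comes from the plugin's own table, but output escaping should not depend on that: cast it and escape the attribute, e.g. `'<form method="post" action="'.esc_url( 'admin.php?page=MonLabo_edit_members_and_groups&tab=tab_two&submit_item='.(int) $team_information->id ).'">'`, which also encodes the bare `&` for the attribute context. Moving the id from a hidden POST field to a `submit_item` query parameter means the receiving handler now reads it from the query string; that side is not in this diff, so confirm it validates the id as an integer before use. The enclosing functions start outside each hunk.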
@@ -204,8 +203,7 @@ function generate_table_admin_for_thematics() {
        if ( '0' != $number_of_thematics ) {
                foreach ( $thematics_information as $thematic_information ) {
                        $thematic_array = array();
-                       $thematic_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_three">'
-                                                                       .'<input type="hidden" name="submit_thematic" value="'.$thematic_information->id.'">'
+                       $thematic_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_three&submit_item='.$thematic_information->id.'">'
                                                                        .'<button type="submit">'.__( 'Modifier', 'mon-laboratoire' ).'</button></form>';
                        $thematic_array['id'] = $thematic_information->id;
                        $thematic_array['name_fr'] = '<small>'.$thematic_information->name_fr.'</small>';
@@ -274,8 +272,7 @@ function generate_table_admin_for_units() {
        if ( '0' != $number_of_units ) {
                foreach ( $units_information as $unit_information ) {
                        $unit_array = array();
-                       $unit_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_four">'
-                                                                       .'<input type="hidden" name="submit_unite" value="'.$unit_information->id.'">'
+                       $unit_array['modifier'] = '<form method="post" action="admin.php?page=MonLabo_edit_members_and_groups&tab=tab_four&submit_item='.$unit_information->id.'">'
                                                                        .'<button type="submit">'.__( 'Modifier', 'mon-laboratoire' ).'</button></form>';
                        $unit_array['id'] = $unit_information->id;
                        $unit_array['name_fr'] = '<small>'.$unit_information->name_fr.'</small>';
index 5a78f9f..f43953e 100644 (file)
@@ -87,18 +87,27 @@ function touchPersonFunction() {
  * @since 2.1.0 with name ajax_load_post_thumbnail_now
  * @since 2.8.0 renamed ajaxLoadPostThumbnailNow
  */
-function ajaxLoadPostThumbnailNow() {
+
+function ajaxLoadPostThumbnailNow(  ) {
        if ( jQuery( '#delayedLoadDivThumbnail' ).length ) {
-               var data = {
-                       'action': 'update_member_thumbnail',
-                       'wp_post_id': jQuery( "select[name='submit_wp_post_id']" ).val()
-               };
-
-               // We can also pass the url value separately from ajaxurl for front end AJAX implementations
-               jQuery.post( ajax_object_update_member_thumbnail.ajax_url, data, function( response ) {
-                       jQuery( '#delayedLoadDivThumbnail' ).hide();
-                       jQuery( '#delayedLoadDivThumbnail' ).html( response );
-                       jQuery( '#delayedLoadDivThumbnail' ).fadeIn( 500 );
+               jQuery.ajax({
+                       type : 'post',
+                       dataType : 'json',
+                       url : ajax_object_update_member_thumbnail.ajax_url,
+                       data : {
+                               action: 'update_member_thumbnail',
+                               _ajax_nonce: ajax_object_update_member_thumbnail.nonce,
+                               'wp_post_id': jQuery( "select[name='submit_wp_post_id']" ).val(),
+                       },
+                       success: function( response ) {
+                               console.log(response);
+                               if( 'success' == response.type ) {
+                                       jQuery( '#delayedLoadDivThumbnail' ).hide();
+                                       jQuery( '#delayedLoadDivThumbnail' ).html( response.text );
+                                       jQuery( '#delayedLoadDivThumbnail' ).fadeIn( 500 );
+                               }
+                               //else {        console.log(response);  }
+                       },
                });
        }
 }
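Review bot: `console.log(response)` in the new `success` handler writes the full AJAX payload to every admin's browser console on each load and reads as leftover debugging; drop it together with the commented-out `//else {        console.log(response);  }` line beneath it. The `'success' == response.type` test should be `'success' === response.type`, matching the strict comparisons used on the PHP side of this commit. When `response.type` is anything else, or the request fails outright, the handler does nothing and `#delayedLoadDivThumbnail` silently stays in its placeholder state; an `error:` callback, or a branch that renders `response.text` for the failure case, would make a rejected nonce or a server error visible. The blank line inserted between the JSDoc block and `function ajaxLoadPostThumbnailNow(  )` detaches the doc comment from the function it describes, and the padded empty parameter list should be `()`.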
index 20142fb..479633d 100644 (file)
@@ -2,7 +2,6 @@ Voici un fichier avec les TODO et les changelog complets.
 
 == TODO ==
 * EVOL: Proposer des templates de mise en forme.
-* CODE: Ajouter des nonce dans les formulaires ajax
 * EVOL : Renforcer l'obfuscation des emails https://www.olybop.fr/comment-proteger-et-afficher-son-email-et-telephone-sur-son-site-internet/
 * EVOL: (suggestion utilisateur) traiter les requêtes https://hal.archives-ouvertes.fr/IRT-SYSTEMX/search/?qa[localReference_t][]=SVA
     ==> Demande en cours à haltools pour utiliser leur interface en ce sens
@@ -51,11 +50,10 @@ Voici un fichier avec les TODO et les changelog complets.
     * installer JSHINT https://make.wordpress.org/core/handbook/best-practices/coding-standards/javascript/#jshint
     * Plugins should follow the Accessibility Handbook https://make.wordpress.org/accessibility/handbook/
         * https://make.wordpress.org/core/handbook/best-practices/coding-standards/accessibility-coding-standards/
-    * test avec PHP 5.2.3
     * DONE : Vérifier chaque data in ou out https://codex.wordpress.org/Data_Validation
         * sécuriser \$_(POST|GET|REQUEST) sanitize, validate, and escape all POST/GET/REQUEST
             * Using stripslashes or strip_tags is rarely enough. The ultimate goal is that invalid and unsafe data is never processed, saved, or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.
-    * Nonces #Nonces All actions that accept POST data should be secured with a nonce to prevent unauthorized access.
+    * DONE : Nonces #Nonces All actions that accept POST data should be secured with a nonce to prevent unauthorized access.
         * https://codex.wordpress.org/WordPress_Nonces
     * Plugin Handbook : https://developer.wordpress.org/plugins/
 
@@ -80,6 +78,12 @@ Remember, check_admin_referer alone is not bulletproof security. Do not rely on
 
 == Changelog ==
 
+= 3.1 =
+* CODE : Secure ajax code with a nonce to prevent unauthorized access
+* CODE : Secure all actions that accept POST with a nonce to prevent unauthorized access
+* BUG : Suppress php warnings that occur when creating new person, team, thematic or unit.
+* BUG : Correct bad redirection of buttons for modifying teams, thematics or units in the admin tab "table view"
+
 = 3.0.5 =
 (GIT tag v3.0.5)
 * BUG : PHP error when activate multiple units mode and define no unit
index 5f2bfe4..076f66a 100644 (file)
@@ -39,6 +39,8 @@ Answer: By default you have to use HAL which is opened to all french-speaking sc
 == Changelog ==
 
 You can consult complete changelogs in file changelog.txt
+= 3.1 =
+* CODE : Secure ajax code with a nonce
 
 = 3.0.5 =
 * BUG : PHP error when activate multiple units mode and define no unit