Improved security, corrected typos, and refactored code.

assets/src/js/front/tutor-front.js

@@ -274,6 +274,11 @@ jQuery(document).ready(function($) {
 				return;
 			}
 
+			// If user is not enrolled like lesson preview.
+			if (!video_data.is_enrolled) {
+				return;
+			}
+
 			if (this.isRequiredPercentage()) {
 				this.enable_complete_lesson_btn(instance);
 			}

classes/Addons.php

@@ -10,9 +10,8 @@
 
 namespace TUTOR;
 
-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;
+
 /**
  * Addons Class
  *
@@ -25,6 +24,7 @@ class Addons {
 	 * Constructor
 	 *
 	 * @since 1.0.0
+	 *
 	 * @return void
 	 */
 	public function __construct() {
@@ -52,6 +52,7 @@ public static function get_addons_config() {
 	 *
 	 * @param string $basename basename of addon.
 	 * @param bool   $status status 0,1.
+	 *
 	 * @return void
 	 */
 	public static function update_addon_status( $basename, $status ) {
@@ -66,6 +67,7 @@ public static function update_addon_status( $basename, $status ) {
 	 * Get all addons data.
 	 *
 	 * @since 1.0.0
+	 *
 	 * @return void
 	 */
 	public function get_all_addons() {
@@ -179,8 +181,8 @@ public function addon_enable_disable() {
 
 		tutor_utils()->checking_nonce();
 
-		if ( ! current_user_can( 'manage_options' ) ) {
-			wp_send_json_error( array( 'message' => __( 'Access Denied', 'tutor' ) ) );
+		if ( ! User::is_admin() ) {
+			wp_send_json_error( tutor_utils()->error_message() );
 		}
 
 		$form_data     = json_decode( Input::post( 'addonFieldNames' ) );
@@ -227,6 +229,7 @@ public function addon_enable_disable() {
 	 * Get tutor addons list
 	 *
 	 * @since 1.0.0
+	 *
 	 * @return array
 	 */
 	public function addons_lists_to_show() {

classes/Admin.php

@@ -10,16 +10,14 @@
 
 namespace TUTOR;
 
+defined( 'ABSPATH' ) || exit;
+
 use Tutor\Ecommerce\OrderController;
 use Tutor\Helpers\HttpHelper;
 use TUTOR\Input;
 use Tutor\Models\CourseModel;
 use Tutor\Traits\JsonResponse;
 
-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
-
 /**
  * Admin Class
  *
@@ -58,7 +56,7 @@
 		// Handle flash toast message for redirect_to util helper.
 		add_action( 'admin_head', array( new Utils(), 'handle_flash_message' ), 999 );
 
 		add_action( 'admin_bar_menu', array( $this, 'add_toolbar_items' ), 100 );
 
 		add_action( 'wp_ajax_tutor_do_not_show_feature_page', array( $this, 'handle_do_not_show_feature_page' ) );
 
@@ -262,7 +260,7 @@
 						'menu_title'  => __( 'Tools', 'tutor' ),
 						'capability'  => 'manage_tutor',
 						'menu_slug'   => 'tutor-tools',
 						'callback'    => array( new Tools_V2(), 'load_tools_page' ),
 					),
 					'settings'         => array(
 						'parent_slug' => 'tutor',
@@ -270,7 +268,7 @@
 						'menu_title'  => __( 'Settings', 'tutor' ),
 						'capability'  => 'manage_tutor',
 						'menu_slug'   => 'tutor_settings',
 						'callback'    => array( new Options_V2(), 'load_settings_page' ),
 					),
 					'license'          => null,
 					'whats_new'        => null,
@@ -348,7 +346,7 @@
 	 */
 	public function feature_promotion_page() {
 		include tutor()->path . 'views/pages/welcome.php';
 		// include tutor()->path . 'views/pages/feature-promotion.php';
 	}
 
 	/**
@@ -513,7 +511,7 @@
 	 * @return void
 	 */
 	public function filter_posts_for_instructors() {
 		if ( ! current_user_can( 'administrator' ) && current_user_can( tutor()->instructor_role ) ) {
 			@remove_menu_page( 'edit-comments.php' ); // Comments.
 			add_filter( 'posts_clauses_request', array( $this, 'posts_clauses_request' ) );
 		}
@@ -559,7 +557,7 @@
 	 * @return void
 	 */
 	public function check_if_current_users_post() {
 		if ( current_user_can( 'administrator' ) || ! current_user_can( tutor()->instructor_role ) ) {
 			return;
 		}
 

classes/Ajax.php

@@ -10,9 +10,7 @@
 
 namespace TUTOR;
 
-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
+defined( 'ABSPATH' ) || exit;
 
 use Tutor\GDPR\Controllers\LegalConsent;
 use Tutor\Helpers\HttpHelper;
@@ -28,6 +26,7 @@
 	use JsonResponse;
 
 	const LOGIN_ERRORS_TRANSIENT_KEY = 'tutor_login_errors';
+
 	/**
 	 * Constructor
 	 *
@@ -41,7 +40,6 @@
 	public function __construct( $allow_hooks = true ) {
 		if ( $allow_hooks ) {
 			add_action( 'wp_ajax_sync_video_playback', array( $this, 'sync_video_playback' ) );
-			add_action( 'wp_ajax_nopriv_sync_video_playback', array( $this, 'sync_video_playback_noprev' ) );
 			add_action( 'wp_ajax_tutor_place_rating', array( $this, 'tutor_place_rating' ) );
 			add_action( 'wp_ajax_delete_tutor_review', array( $this, 'delete_tutor_review' ) );
 
@@ -60,8 +58,8 @@
 			 *
 			 * @since  v.1.7.9
 			 */
-			add_action( 'wp_ajax_tutor_announcement_create', array( $this, 'create_or_update_annoucement' ) );
-			add_action( 'wp_ajax_tutor_announcement_delete', array( $this, 'delete_annoucement' ) );
+			add_action( 'wp_ajax_tutor_announcement_create', array( $this, 'create_or_update_announcement' ) );
+			add_action( 'wp_ajax_tutor_announcement_delete', array( $this, 'delete_announcement' ) );
 
 			add_action( 'wp_ajax_tutor_youtube_video_duration', array( $this, 'ajax_youtube_video_duration' ) );
 		}
@@ -73,6 +71,7 @@
 	 * Update video information and data when necessary
 	 *
 	 * @since 1.0.0
+	 *
 	 * @return void
 	 */
 	public function sync_video_playback() {
@@ -116,15 +115,6 @@
 		exit();
 	}
 
-	/**
-	 * Video playback callback for noprev
-	 *
-	 * @since 1.0.0
-	 * @return void
-	 */
-	public function sync_video_playback_noprev() {
-	}
-
 	/**
 	 * Place rating
 	 *
@@ -396,9 +386,7 @@
 	 * Process tutor login
 	 *
 	 * @since 1.6.3
-	 *
-	 * @since 2.1.3 Ajax removed, validation errors
-	 * stores in session.
+	 * @since 2.1.3 Ajax removed, validation errors stores in session.
 	 *
 	 * @return void
 	 */
@@ -411,9 +399,9 @@
 		 *
 		 * @since 2.1.4
 		 */
-        if ( ! wp_verify_nonce( $_POST[ tutor()->nonce ], tutor()->nonce_action ) ) { //phpcs:ignore
+		if ( ! tutor_utils()->is_nonce_verified( 'post' ) ) {
 			$validation_error->add( 401, __( 'Nonce verification failed', 'tutor' ) );
-			\set_transient( self::LOGIN_ERRORS_TRANSIENT_KEY, $validation_error->get_error_messages() );
+			\set_transient( self::LOGIN_ERRORS_TRANSIENT_KEY, $validation_error->get_error_messages(), MINUTE_IN_SECONDS );
 			return;
 		}
 
@@ -425,10 +413,12 @@
 		 *
 		 * @see https://developer.wordpress.org/reference/functions/wp_signon/
 		 */
-        $username    = tutor_utils()->array_get( 'log', $_POST ); //phpcs:ignore
-        $password    = tutor_utils()->array_get( 'pwd', $_POST ); //phpcs:ignore
+		//phpcs:disable WordPress.Security.NonceVerification.Missing
+		$username    = tutor_utils()->array_get( 'log', $_POST ); //phpcs:ignore
+		$password    = tutor_utils()->array_get( 'pwd', $_POST ); //phpcs:ignore
 		$redirect_to = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
 		$remember    = isset( $_POST['rememberme'] );
+		//phpcs:enable WordPress.Security.NonceVerification.Missing
 
 		try {
 			$creds = array(
@@ -452,7 +442,7 @@
 				);
 			}
 
 			$validate_consent = LegalConsent::validate_consent( LegalConsent::DISPLAY_ON_LOGIN, $_POST );
 			if ( is_wp_error( $validate_consent ) ) {
 				$validation_error->add(
 					$validate_consent->get_error_code(),
@@ -497,25 +487,26 @@
 			$validation_error->add( 400, $e->getMessage() );
 		} finally {
 			// Store errors in transient data.
-			\set_transient( self::LOGIN_ERRORS_TRANSIENT_KEY, $validation_error->get_error_messages() );
+			\set_transient( self::LOGIN_ERRORS_TRANSIENT_KEY, $validation_error->get_error_messages(), MINUTE_IN_SECONDS );
 		}
 	}
 
 	/**
 	 * Create/Update announcement
 	 *
 	 * @since  1.7.9
+	 *
 	 * @return void
 	 */
-	public function create_or_update_annoucement() {
+	public function create_or_update_announcement() {
 		tutor_utils()->checking_nonce();
 
 		$error                = array();
 		$course_id            = Input::post( 'tutor_announcement_course' );
 		$announcement_title   = Input::post( 'tutor_announcement_title' );
 		$announcement_summary = Input::post( 'tutor_announcement_summary', '', Input::TYPE_TEXTAREA );
 
-		// Check if user can manage this announcment.
+		// Check if user can manage this announcement.
 		if ( ! tutor_utils()->can_user_manage( 'course', $course_id ) ) {
 			wp_send_json_error( array( 'message' => __( 'Access Denied', 'tutor' ) ) );
 		}
@@ -588,9 +579,10 @@
 	 * Delete announcement
 	 *
 	 * @since  1.7.9
+	 *
 	 * @return void
 	 */
-	public function delete_annoucement() {
+	public function delete_announcement() {
 		tutor_utils()->checking_nonce();
 
 		$announcement_id = Input::post( 'announcement_id' );

classes/Announcements.php

@@ -10,12 +10,11 @@
 
 namespace TUTOR;
 
+defined( 'ABSPATH' ) || exit;
+
 use Tutor\Helpers\QueryHelper;
 use Tutor\Helpers\UrlHelper;
 
-if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
 /**
  * Announcements class
  *
@@ -41,6 +40,7 @@ class Announcements {
 	 * Constructor
 	 *
 	 * @since 1.0.0
+	 *
 	 * @return void
 	 */
 	public function __construct() {
@@ -74,6 +74,7 @@ public function __get( $name ) {
 	 * Prepare bulk actions that will show on dropdown options
 	 *
 	 * @since 2.0.0
+	 *
 	 * @return array
 	 */
 	public function prepare_bulk_actions(): array {
@@ -88,6 +89,7 @@ public function prepare_bulk_actions(): array {
 	 * Handle bulk action for enrollment cancel | delete
 	 *
 	 * @since 2.0.0
+	 *
 	 * @return string JSON response.
 	 */
 	public function announcement_bulk_action() {
@@ -118,7 +120,7 @@ function ( $announcement_id ) {
 	 * @since 2.0.0
 	 *
 	 * @param string $action hold action.
-	 * @param string $bulk_ids comma seperated ids.
+	 * @param string $bulk_ids comma separated ids.
 	 *
 	 * @return bool
 	 */