Noting where nonce checks are not needed and marking funcs as deprecated

includes/deprecated.php

@@ -1,13 +1,16 @@
 <?php
 
-/*
-	Subscribe a user to any additional opt-in lists selected
-*/
-function pmpromc_subscribeToAdditionalLists($user_id)
-{
-	$options = get_option("pmpromc_options");
-	if (!empty($_REQUEST['additional_lists']))
-		$additional_lists = $_REQUEST['additional_lists'];
+/**
+ * Subscribe a user to any additional opt-in lists selected
+ *
+ * @deprecated TBD Use pmpromc_set_user_additional_list_meta() instead
+ */
+function pmpromc_subscribeToAdditionalLists($user_id){
+	_deprecated_function( __FUNCTION__, 'TBD', 'pmpromc_set_user_additional_list_meta' );
+
+	// Nonce checks not needed as this function is not used anymore and is deprecated.
+	if (!empty($_REQUEST['additional_lists'])) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$additional_lists = $_REQUEST['additional_lists']; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
 	if (!empty($additional_lists)) {
 		update_user_meta($user_id, 'pmpromc_additional_lists', $additional_lists);
@@ -24,8 +27,11 @@ function pmpromc_subscribeToAdditionalLists($user_id)
  * all levels that they should unsubscribe from
  *
  * @param WP_User|int $user - The WP_User object or user_id for the user.
+ *
+ * @deprecated TBD
  */
 function pmpromc_queue_smart_unsubscriptions( $user ) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	// Get the user object if user_id is passed.
 	if( ! is_object( $user ) ) {
 		$user = get_userdata($user);
@@ -41,52 +47,85 @@ function pmpromc_queue_smart_unsubscriptions( $user ) {
 /**
  * Update a user's Mailchimp information when profile is updated
  *
+ * @deprecated TBD
+ *
  * @param WP_User $old_user - The old WP_User object being changed
  * @param WP_User $old_user - The new WP_User object being added
  * @param Array|string $audiences - The id(s) of the audience(s) to remove the user from
  */
 function pmpromc_queue_user_update( $old_user, $new_user, $audiences ) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_unsubscription( $old_user, $audiences );
 	pmpromc_queue_subscription( $new_user, $audiences );
 }
 
+/**
+ * @deprecated TBD
+ */
 function pmpromc_subscribe( $list, $user ) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_subscription( $user, $list );
 	pmpromc_process_audience_member_updates_queue();
 }
 
+/**
+ * @deprecated TBD
+ */
 function pmpromc_queueUserToSubscribeToList($user_id, $list) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_subscription( $user_id, $list );
 }
 
+/**
+ * @deprecated TBD
+ */
 function pmpromc_processSubscriptions($param) {
 	pmpromc_process_audience_member_updates_queue();
 }
-
+
+/**
+ * @deprecated TBD
+ */
 function pmpromc_unsubscribe($list, $user) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_unsubscription( $user, $list );
 	pmpromc_process_audience_member_updates_queue();
 }
 
+/**
+ * @deprecated TBD
+ */
 function pmpromc_queueUserToUnsubscribeFromLists($user_id) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_smart_unsubscriptions( $user_id );
 }
 
+/**
+ * @deprecated TBD
+ */
 function pmpromc_processUnsubscriptions($param) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_process_audience_member_updates_queue();
 }
-
+
+/**
+ * @deprecated TBD
+ */
 function pmpromc_unsubscribeFromLists($user_id, $level_id = NULL) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	pmpromc_queue_smart_unsubscriptions( $user_id );
 	pmpromc_process_audience_member_updates_queue();
 }
 
 /**
  * Get array of lists to unsubscribe a user from
  *
+ * @deprecated TBD
+ *
  * @param $user_id (int) - User Id
  */
 function pmpromc_get_unsubscribe_audiences( $user_id ) {
+	_deprecated_function( __FUNCTION__, 'TBD' );
 	global $wpdb;
 	$options = get_option("pmpromc_options");
 	$all_lists = get_option("pmpromc_all_lists");

includes/export-csv.php

@@ -34,20 +34,21 @@
 
 	global $wpdb;
 
+	// Nonce check not needed as we are not making changes to the website.
 	// requested a level id
-	if(isset($_REQUEST['l']))
-		$l = sanitize_text_field($_REQUEST['l']);
+	if(isset($_REQUEST['l'])) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$l = sanitize_text_field($_REQUEST['l']); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	else
 		$l = false;
 
 	//some vars for the search
-	if(!empty($_REQUEST['pn']))
-		$pn = intval($_REQUEST['pn']);
+	if(!empty($_REQUEST['pn'])) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$pn = intval($_REQUEST['pn']); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	else
 		$pn = 1;
 
-	if(!empty($_REQUEST['limit']))
-		$limit = intval($_REQUEST['limit']);
+	if(!empty($_REQUEST['limit'])) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$limit = intval($_REQUEST['limit']); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	else
 		$limit = false;
 

includes/functions.php

@@ -115,7 +115,8 @@ function pmpromc_pmpro_after_change_membership_level( $level_id, $user_id ) {
 	// Update opt-in audiences and user audiences.
 	if ( empty( $user_level_ids ) && 'all' === $options['unsubscribe'] ) {
 		pmpromc_set_user_additional_list_meta( $user_id, array() );
-		if ( isset( $_REQUEST['additional_lists'] ) ) {
+		// Nonce not needed as we only want to make sure that this REQUEST variable is empty, not process it as form data.
+		if ( isset( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			// In case level is changed from profile.
 			$_REQUEST['additional_lists'] = array();
 		}
@@ -200,8 +201,9 @@ function pmpromc_additional_lists_on_checkout() {
         <div class="pmpro_checkout-fields">
             <?php
             global $current_user;
-            if ( isset( $_REQUEST['additional_lists'] ) ) {
-                $additional_lists_selected = $_REQUEST['additional_lists'];
+			// Nonce not needed as this is only setting the default value for the checkbox, not processing form data.
+            if ( isset( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                $additional_lists_selected = $_REQUEST['additional_lists']; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
             } elseif ( isset( $_SESSION['additional_lists'] ) ) {
                 $additional_lists_selected = $_SESSION['additional_lists'];
             } elseif ( ! empty( $current_user->ID ) ) {
@@ -235,8 +237,9 @@ function pmpromc_additional_lists_on_checkout() {
  * Sets Session variables.
  */
 function pmpromc_pmpro_paypalexpress_session_vars() {
-	if ( isset( $_REQUEST['additional_lists'] ) ) {
-		$_SESSION['additional_lists'] = $_REQUEST['additional_lists'];
+	// Nonce not needed as this only runs within the PMPro checkout process.
+	if ( isset( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$_SESSION['additional_lists'] = $_REQUEST['additional_lists']; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	}
 }
 add_action( 'pmpro_paypalexpress_session_vars', 'pmpromc_pmpro_paypalexpress_session_vars' );
@@ -257,10 +260,11 @@ function pmpromc_pmpro_checkout_before_change_membership_level() {
  */
 function pmpromc_pmpro_after_checkout( $user_id, $order ) {
 	pmpromc_pmpro_after_change_membership_level( $order->membership_id, $user_id );
-	if ( empty( $_REQUEST['additional_lists'] ) ) {
-		$_REQUEST['additional_lists'] = array();
+	// Nonce not needed as this only runs within the PMPro checkout process.
+	if ( empty( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$_REQUEST['additional_lists'] = array(); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	}
-	pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] );
+	pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 }
 add_action( 'pmpro_after_checkout', 'pmpromc_pmpro_after_checkout', 15, 2 );
 

includes/profile.php

@@ -112,13 +112,14 @@ function pmpromc_add_custom_user_profile_fields( $user ) {
 
 // Saving additional lists on profile save.
 function pmpromc_save_custom_user_profile_fields( $user_id ) {
+	// Nonce checks not needed as nonces would already be checked whenever this function is called.
 	// Only if additional lists is set.
-	if ( ! isset( $_REQUEST['additional_lists_profile'] ) ) {
+	if ( ! isset( $_REQUEST['additional_lists_profile'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		return;
 	}
 
 	// Get user's new additional lists.
-	if ( empty( $_REQUEST['additional_lists'] ) ) {
+	if ( empty( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		$_REQUEST['additional_lists'] = array();
 	}
 
@@ -135,11 +136,11 @@ function pmpromc_save_custom_user_profile_fields( $user_id ) {
 
 	if (
 		1 == $options['profile_update'] ||
-		! empty( array_diff( $current_lists, $_REQUEST['additional_lists'] ) ) ||
-		! empty( array_diff( $_REQUEST['additional_lists'], $current_lists ) )
+		! empty( array_diff( $current_lists, $_REQUEST['additional_lists'] ) ) || // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		! empty( array_diff( $_REQUEST['additional_lists'], $current_lists ) ) // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	) {
 		// Option set to update MC on every profile save or opt-in lists have changed.
-		pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] );
+		pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 	}
 }
 add_action( 'personal_options_update', 'pmpromc_save_custom_user_profile_fields' );

includes/settings.php

@@ -471,7 +471,8 @@ function pmpromc_option_memberships_lists($level)
 */
 function pmpromc_admin_init_sync()
 {
-	if (is_admin() && !empty($_REQUEST['page']) && $_REQUEST['page'] == 'pmpromc_options' && !empty($_REQUEST['sync'])) {
+	// Nonce check not needed as we are not changing any data.
+	if (is_admin() && !empty($_REQUEST['page']) && $_REQUEST['page'] == 'pmpromc_options' && !empty($_REQUEST['sync'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		if (!current_user_can('manage_options'))
 			wp_die('You do not have sufficient permission to access this page.');
 		else {