Fix: Prevent file deletion conflicts by enforcing unique filenames on … upload

includes/Ajax/Upload_Ajax.php

@@ -49,18 +49,18 @@
                 $guest_post = true;
             }
             // check if the request coming from weForms & allow users to upload when require login option is disabled
             if ( isset( $form_settings['require_login'] ) && $form_settings['require_login'] == 'false' ) {
                 $guest_post = true;
             }
             //if it is registration form, let the user upload the file
             if ( get_post_type( $form_id ) == 'wpuf_profile' ) {
                 $guest_post = true;
             }
             if ( ! $guest_post ) {
                 die( 'error' );
             }
         }
         $wpuf_file = isset( $_FILES['wpuf_file'] ) ? $_FILES['wpuf_file'] : []; // WPCS: sanitization ok.
         $file_name      = pathinfo( $wpuf_file['name'], PATHINFO_FILENAME );
         $file_extension = pathinfo( $wpuf_file['name'], PATHINFO_EXTENSION );
         $upload = [
@@ -97,7 +97,7 @@
                  * @param string $field_type
                  */
                 $image_type = apply_filters( 'wpuf_upload_response_image_type', $image_type, $form_id, $field_type );
                 if ( $image_type == 'link' ) {
                     $response['html'] = wp_get_attachment_link( $attach['attach_id'], $image_size );
                 } else {
                     $response['html'] = wp_get_attachment_image( $attach['attach_id'], $image_size );
@@ -147,24 +147,19 @@
     /**
      * Generic function to upload a file
      *
-     * @param string $field_name file input field name
+     * @param array $upload_data file upload data
      *
-     * @return bool|int attachment id on success, bool false instead
+     * @return array attachment result with success status and attach_id
      */
     public function handle_upload( $upload_data ) {
-        $check_duplicate = $this->duplicate_upload( $upload_data );
-        if ( isset( $check_duplicate['duplicate'] ) && $check_duplicate['duplicate'] ) {
-            return [
-                'success'   => true,
-                'attach_id' => $check_duplicate['duplicate'],
-            ];
-        }
+        // Always make filenames unique to prevent conflicts between users
+        $upload_data['name'] = $this->wpuf_filename_unique( $upload_data['name'] );
+
         $uploaded_file = wp_handle_upload( $upload_data, [ 'test_form' => false ] );
         // If the wp_handle_upload call returned a local path for the image
         if ( isset( $uploaded_file['file'] ) ) {
             $file_loc    = $uploaded_file['file'];
-            $file_name   = basename( $upload_data['name'] );
-            $upload_hash = md5( $upload_data['name'] . $upload_data['size'] );
+            $file_name   = basename( $uploaded_file['file'] );
             $file_type   = wp_check_filetype( $file_name );
             $attachment = [
                 'post_mime_type' => $file_type['type'],
@@ -175,7 +170,6 @@
             $attach_id   = wp_insert_attachment( $attachment, $file_loc );
             $attach_data = wp_generate_attachment_metadata( $attach_id, $file_loc );
             wp_update_attachment_metadata( $attach_id, $attach_data );
-            update_post_meta( $attach_id, 'wpuf_file_hash', $upload_hash );
 
             return [
                 'success'   => true,
@@ -189,9 +183,9 @@
         ];
     }
 
     public static function attach_html( $attach_id, $type = NULL, $form_id = NULL ) {
         if ( ! $type ) {
             $type = isset( $_GET['type'] ) ? sanitize_text_field( wp_unslash( $_GET['type'] ) ) : 'image';
         }
         $attachment = get_post( $attach_id );
         if ( ! $attachment ) {
@@ -229,7 +223,7 @@
             '<div class="attachment-name"><img src="%s" alt="%s" class="%s" /></div>', $image,
             esc_attr( $attachment->post_title ), esc_attr( $attachment_class_names )
         );
         if ( wpuf_get_option( 'image_caption', 'wpuf_frontend_posting', 'off' ) == 'on' ) {
             $html .= '<div class="wpuf-file-input-wrap">';
             $html .= sprintf(
                 '<input type="text" name="wpuf_files_data[%d][title]" value="%s" placeholder="%s">', $attach_id,
@@ -274,9 +268,9 @@
         }
 
         // post author or editor role
         if ( get_current_user_id() == absint( $attachment->post_author ) || current_user_can(
                 'delete_private_pages'
             ) ) {
             $deleted = wp_delete_attachment( $attachment_id, true );
             if ( $deleted ) {
                 wp_send_json_success( [ 'message' => __( 'Attachment deleted successfully.', 'wp-user-frontend' ) ] );
@@ -300,24 +294,51 @@
     }
 
     /**
-     * Check if duplicate file
+     * Make filename unique by adding user ID prefix to prevent conflicts between users
+     * while still allowing WordPress to handle duplicates for the same user
      *
-     * @param array $file
+     * @since WPUF_SINCE
+     * 
+     * @param string $filename
      *
-     * @return mixed
+     * @return string
      */
-    function duplicate_upload( $file ) {
-        global $wpdb;
-        $upload_hash = md5( $file['name'] . $file['size'] );
-
-        $match = $wpdb->get_var( $wpdb->prepare(
-            "SELECT post_id FROM $wpdb->postmeta m JOIN $wpdb->posts p ON p.ID = m.post_id WHERE m.meta_key = 'wpuf_file_hash' AND m.meta_value = %s AND p.post_status != 'trash' LIMIT 1;",
-            $upload_hash
-        ) );
-        if ( $match ) {
-            $file['duplicate'] = $match;
+    private function wpuf_filename_unique( $filename ) {
+        $info = pathinfo( $filename );
+        $ext  = empty( $info['extension'] ) ? '' : '.' . $info['extension'];
+        $name = basename( $filename, $ext );
+
+        // Sanitize the base name
+        $name = sanitize_file_name( $name );
+
+        // Get current user ID for user isolation
+        $user_id = get_current_user_id();
+
+        // For logged-in users, add user ID prefix to prevent cross-user conflicts
+        // For guests, add a session-based or timestamp prefix
+        if ( $user_id > 0 ) {
+            // Add user ID prefix to isolate files between users
+            // Format: u123-filename.ext (WordPress will handle duplicates as u123-filename-1.ext)
+            $unique_prefix = 'u' . $user_id;
+        } else {
+            // For guest uploads, use timestamp to ensure uniqueness
+            // This prevents guests from overwriting each other's files
+            $unique_prefix = 'guest-' . time() . '-' . substr( uniqid(), -4 );
         }
-
-        return $file;
+
+        // Combine prefix with filename
+        // This ensures user isolation while preserving WordPress duplicate handling
+        $new_filename = $unique_prefix . '-' . $name . $ext;
+
+        // Apply filter to allow customization of the unique filename
+        $new_filename = apply_filters( 'wpuf_upload_file_name', $new_filename, [
+            'original_name' => $filename,
+            'base_name'     => $name,
+            'extension'     => $ext,
+            'user_id'       => $user_id,
+            'unique_prefix' => $unique_prefix,
+        ] );
+
+        return $new_filename;
     }
 }