genesis-front-page-manager-functions.php

<?php
/**
 * Genesis Front Page Manager
 *
 * @package   Genesis_Front_Page_Manager
 * @author    Brad Potter
 * @license   GPL-2.0+
 * @link      http://www.bradpotter.com/plugins/genesis-front-page-manager
 * @copyright Copyright (c) 2014, Brad Potter
 */

/**
 * Add metabox for Front Page Manager
 */
add_action( 'genesis_theme_settings_metaboxes', 'front_page_manager_metaboxes', 10, 1 );
function front_page_manager_metaboxes( $pagehook ) {

	add_meta_box( 'front-page-manager', __( 'Front Page Manager', 'genesis-front-page-manager' ), 'front_page_metabox', $pagehook, 'main', 'high' );

}

/**
 * Content for the Front Page Manager metabox
 */
function front_page_metabox() {
    
    // set the default selection (if empty)
    $frontpageselect = genesis_get_option('front_page_select') ? genesis_get_option('front_page_select') : 'front-page.php';
?>

    <p> 
        <select name="<?php echo GENESIS_SETTINGS_FIELD; ?>[front_page_select]">
            <?php
            foreach ( glob(CHILD_DIR . "/front-page*.php") as $file ) {
            $file = str_replace( CHILD_DIR . '/', '', $file );
            
            ?>
                
            <option value="<?php echo esc_attr( $file ); ?>" <?php selected($file, $frontpageselect); ?>><?php echo esc_html( $file ); ?></option>
            
            <?php } ?>
        </select>
    </p>
    <p><span class="description">Select your desired <b>Front Page</b> from the drop down list and save your settings.</span></p>
<?php
}

/**
 * Template Redirect
 */
add_action( 'template_redirect', 'front_page_redirect' );
function front_page_redirect() {
    
	if( is_home() || is_front_page() ) {
        
        $frontpagemanager = genesis_get_option( 'front_page_select' );
        
        include (CHILD_DIR . '/' . $frontpagemanager);
        exit();
    }
}

Using exit() in a template_redirect action isn't a very good practice (unless you're doing an HTTP redirect, obviously). Other things might be hooked in there. Imagine a plugin hooked in at priority 11. Its action will never get run, because you're bailing before WordPress finishes running.

A better hook to use is the template_include filter. Instead of include() and exit(), just return the path to the include file from the callback. WordPress continues to function normally, just using your new template.

You also should pass through the original template value if genesis_get_option( 'front_page_select' ) is empty(), so the user doesn't have errors until they select one.

And in terms of security, you should be verifying that the value you get out of genesis_get_option( 'front_page_select' ) is reasonable. What if it's ../../../../etc/passwd? Could be bad. So I would use regex like so:

<?php

if ( preg_match( '#^[a-z0-9-]+\.php$#', $frontpagemanager ) ) {
    return $frontpagemanager;
} else {
    return $original_template;
}

(Obviously this is assuming you switch to the template_include filter.)