advanced-ads / includes / admin / class-authors.php
1 <?php
2 /**
3 * The class manages the ad authors.
4 *
5 * @package AdvancedAds
6 * @author Advanced Ads <info@wpadvancedads.com>
7 * @since 1.47.0
8 */
9
10 namespace AdvancedAds\Admin;
11
12 use Advanced_Ads;
13 use AdvancedAds\Constants;
14 use AdvancedAds\Framework\Interfaces\Integration_Interface;
15 use WP_Role;
16 use WP_User_Query;
17
18 defined( 'ABSPATH' ) || exit;
19
20 /**
21 * Control Ad Authors.
22 */
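class Authors implements Integration_Interface {

	/**
	 * Hook into WordPress.
	 *
	 * @return void
	 */
	public function hooks(): void {
		add_filter( 'wp_dropdown_users_args', [ $this, 'filter_ad_authors' ] );
		add_action( 'pre_post_update', [ $this, 'sanitize_author_saving' ], 10, 2 );
		add_filter( 'map_meta_cap', [ $this, 'filter_editable_posts' ], 10, 4 );
	}

	/**
	 * Restrict the author dropdown on the ad edit screen to users the current
	 * user may hand an ad to (users with unfiltered_html are only offered to
	 * users who hold that capability themselves).
	 *
	 * Only the dropdown depends on the admin screen. The save check and the
	 * capability check below deliberately do NOT go through this method: they
	 * use allowed_author_ids(), which applies the same allow-list regardless of
	 * screen, so a request without an ad edit screen (AJAX, REST, XML-RPC, CLI)
	 * is held to the same rule instead of receiving an unfiltered user list.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	public function filter_ad_authors( $query_args ) {
		// get_current_screen() is only defined once wp-admin/includes/screen.php is loaded.
		if ( ! function_exists( 'get_current_screen' ) ) {
			return $query_args;
		}

		$screen = get_current_screen();
		if ( ! $screen || Constants::POST_TYPE_AD !== $screen->post_type ) {
			return $query_args;
		}

		return $this->allowed_author_query_args( $query_args );
	}

	/**
	 * Narrow WP_User_Query args to the users the current user may assign an ad to.
	 *
	 * Single site: roles with advanced_ads_edit_ads, minus roles holding
	 * unfiltered_html when the current user lacks it. Multisite is delegated to
	 * multisite_filter_ad_authors().
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function allowed_author_query_args( array $query_args ): array {
		if ( is_multisite() ) {
			return $this->multisite_filter_ad_authors( $query_args );
		}

		$roles = wp_list_pluck( $this->filtered_user_roles(), 'name' );

		return $this->restrict_to_roles( $query_args, $roles );
	}

	/**
	 * Apply a role allow-list to WP_User_Query args.
	 *
	 * WP_User_Query treats an empty role__in as "no role constraint", which would
	 * silently widen the result to every user. An empty allow-list must match
	 * nobody instead, so it is turned into an include list that cannot match.
	 *
	 * @param array    $query_args WP_User_Query args.
	 * @param string[] $roles      Role slugs whose users may own an ad.
	 *
	 * @return array
	 */
	private function restrict_to_roles( array $query_args, array $roles ): array {
		$roles = array_values( array_filter( array_map( 'strval', $roles ) ) );

		if ( empty( $roles ) ) {
			// No qualifying role: force an empty result set rather than an unfiltered one.
			$query_args['include'] = [ 0 ];
			return $query_args;
		}

		$query_args['role__in'] = $roles;

		return $query_args;
	}

	/**
	 * Multisite variant of the allow-list: users cannot assign ads to users
	 * with more rights than themselves.
	 *
	 * On multisite the plugin's own "allow-unfiltered-html" option lists the
	 * roles that may save raw HTML; users in those roles and super admins are
	 * off limits to everyone else.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function multisite_filter_ad_authors( $query_args ) {
		if ( is_super_admin() ) {
			return $query_args;
		}

		$options       = Advanced_Ads::get_instance()->options();
		$allowed_roles = (array) ( $options['allow-unfiltered-html'] ?? [] );

		// A user whose role is allowed unfiltered HTML may assign the ad to anyone.
		if ( ! empty( array_intersect( wp_get_current_user()->roles, $allowed_roles ) ) ) {
			return $query_args;
		}

		// Everyone else may only pick roles that can edit ads but are not allowed unfiltered HTML.
		$roles = [];
		foreach ( wp_roles()->role_objects as $role ) {
			if ( ! in_array( $role->name, $allowed_roles, true ) && $role->has_cap( 'advanced_ads_edit_ads' ) ) {
				$roles[] = $role->name;
			}
		}

		$query_args = $this->restrict_to_roles( $query_args, $roles );

		// Super admins are never a valid target. A login listed as super admin may no
		// longer exist as a user, so unresolvable logins are skipped instead of
		// dereferencing `false`.
		$super_admin_ids = [];
		foreach ( get_super_admins() as $login ) {
			$user = get_user_by( 'login', $login );
			if ( false !== $user ) {
				$super_admin_ids[] = (int) $user->ID;
			}
		}

		// Merge with exclusions the caller already set instead of overwriting them.
		$existing              = isset( $query_args['exclude'] ) ? wp_parse_id_list( $query_args['exclude'] ) : [];
		$query_args['exclude'] = array_values( array_unique( array_merge( $existing, $super_admin_ids ) ) );

		return $query_args;
	}

	/**
	 * IDs of the users the current user may assign an ad to.
	 *
	 * The result is cached per request and per current user, because the
	 * allow-list is derived from the current user's roles and capabilities.
	 *
	 * @return int[]
	 */
	private function allowed_author_ids(): array {
		static $cache = [];

		$current_user = get_current_user_id();

		if ( ! isset( $cache[ $current_user ] ) ) {
			$query                  = new WP_User_Query( $this->allowed_author_query_args( [ 'fields' => 'ID' ] ) );
			$cache[ $current_user ] = array_map( 'absint', (array) $query->get_results() );
		}

		return $cache[ $current_user ];
	}

	/**
	 * Prevent users from editing the form data to assign ads to users they are
	 * not allowed to. wp_die() if tampering is detected.
	 *
	 * Runs on pre_post_update, i.e. on every update path, and does not depend
	 * on the admin screen.
	 *
	 * @param int   $post_id The current post id.
	 * @param array $data    The post data to be saved.
	 *
	 * @return void
	 */
	public function sanitize_author_saving( $post_id, $data ) {
		if ( get_post_type( $post_id ) !== Constants::POST_TYPE_AD ) {
			return;
		}

		$new_author = (int) ( $data['post_author'] ?? 0 );

		// Keeping the current author or taking the ad oneself is always allowed.
		if (
			get_current_user_id() === $new_author ||
			(int) get_post_field( 'post_author', $post_id ) === $new_author
		) {
			return;
		}

		if ( ! in_array( $new_author, $this->allowed_author_ids(), true ) ) {
			wp_die( esc_html__( 'Sorry, you\'re not allowed to assign this user.', 'advanced-ads' ) );
		}
	}

	/**
	 * Prevent users from editing ads of users with more rights than themselves.
	 *
	 * NOTE(review): the allow-list is computed for the *current* user, while
	 * map_meta_cap may be asked about another $user_id (e.g. via user_can()).
	 * The original code had the same limitation; the result is only exact when
	 * $user_id is the current user.
	 *
	 * @param array  $caps    Needed capabilities.
	 * @param string $cap     Requested capability.
	 * @param int    $user_id The user_id for the cap check.
	 * @param array  $args    Arguments array for checking primitive capabilities.
	 *
	 * @return array
	 */
	public function filter_editable_posts( $caps, $cap, $user_id, $args ) {
		if ( 'advanced_ads_edit_ads' !== $cap || empty( $args ) ) {
			return $caps;
		}

		$post_id = (int) $args[0];
		if ( empty( $post_id ) ) {
			return $caps;
		}

		// Only "plain" ads are restricted here (presumably because they carry raw markup).
		$ad = wp_advads_get_ad( $post_id );
		if ( $ad && ! $ad->is_type( 'plain' ) ) {
			return $caps;
		}

		$user_id   = (int) $user_id;
		$author_id = (int) get_post_field( 'post_author', $post_id );
		$author    = get_userdata( $author_id );

		// An unknown/deleted author is treated as the checking user: nothing to protect.
		if ( false === $author ) {
			$author_id = $user_id;
		}

		// Editing someone else's ad is only allowed if that author could edit it too.
		if ( $author_id !== $user_id && ! user_can( $author, $cap, $post_id ) ) {
			return [ 'do_not_allow' ];
		}

		// The author must be someone the current user could assign the ad to.
		if ( ! in_array( $author_id, $this->allowed_author_ids(), true ) ) {
			return [ 'do_not_allow' ];
		}

		return $caps;
	}

	/**
	 * Roles whose users may be offered as ad authors on a single site.
	 *
	 * A role must have advanced_ads_edit_ads; roles holding unfiltered_html are
	 * only included when the current user can unfiltered_html as well.
	 *
	 * @return WP_Role[]
	 */
	private function filtered_user_roles(): array {
		$can_unfiltered_html = current_user_can( 'unfiltered_html' );

		return array_filter(
			wp_roles()->role_objects,
			static function ( WP_Role $role ) use ( $can_unfiltered_html ): bool {
				if ( ! $role->has_cap( 'advanced_ads_edit_ads' ) ) {
					return false;
				}

				return $can_unfiltered_html || ! $role->has_cap( 'unfiltered_html' );
			}
		);
	}
}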
196