| 1 | <?php |
| 2 | /** |
| 3 | * The class manages the ad authors. |
| 4 | * |
| 5 | * @package AdvancedAds |
| 6 | * @author Advanced Ads <info@wpadvancedads.com> |
| 7 | * @since 1.47.0 |
| 8 | */ |
| 9 | |
| 10 | namespace AdvancedAds\Admin; |
| 11 | |
| 12 | use Advanced_Ads; |
| 13 | use AdvancedAds\Constants; |
| 14 | use AdvancedAds\Framework\Interfaces\Integration_Interface; |
| 15 | use WP_Role; |
| 16 | use WP_User_Query; |
| 17 | |
// Bail out when the file is requested directly instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
| 19 | |
| 20 | /** |
| 21 | * Control Ad Authors. |
| 22 | */ |
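class Authors implements Integration_Interface {

	/**
	 * Hook into WordPress.
	 *
	 * @return void
	 */
	public function hooks(): void {
		// UI: narrow the author dropdown shown on the ad edit screen.
		add_filter( 'wp_dropdown_users_args', [ $this, 'filter_ad_authors' ] );
		// Enforcement: reject author assignments the current user may not make.
		add_action( 'pre_post_update', [ $this, 'sanitize_author_saving' ], 10, 2 );
		// Enforcement: deny editing plain ads owned by users the current user may not impersonate.
		add_filter( 'map_meta_cap', [ $this, 'filter_editable_posts' ], 10, 4 );
	}

	/**
	 * Ensure that users cannot assign ads to users with unfiltered_html if they don't have the capability themselves.
	 *
	 * This is the dropdown (UI) filter: it only acts on the ad edit screen. The server-side
	 * checks in this class deliberately do NOT go through the screen check, because the
	 * current screen is absent outside the classic admin page and may be derived from request
	 * data in AJAX handlers; see restrict_author_query_args().
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	public function filter_ad_authors( $query_args ) {
		// get_current_screen() is only defined once the admin screen API has been loaded.
		$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;

		if ( ! $screen || Constants::POST_TYPE_AD !== $screen->post_type ) {
			return $query_args;
		}

		return $this->restrict_author_query_args( (array) $query_args );
	}

	/**
	 * Apply the author restrictions for the current user to WP_User_Query args.
	 *
	 * Independent of the current admin screen so it can back the enforcement hooks.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function restrict_author_query_args( array $query_args ): array {
		if ( is_multisite() ) {
			return $this->multisite_filter_ad_authors( $query_args );
		}

		$role_names = wp_list_pluck( $this->filtered_user_roles(), 'name' );

		return $this->apply_role_restriction( $query_args, $role_names );
	}

	/**
	 * Restrict a user query to the given role names; an empty list means "no users".
	 *
	 * WP_User_Query treats an empty `role__in` as "no role restriction", which would
	 * silently widen the query to every user — the opposite of what an empty allow-list
	 * means here. `include => [0]` forces an empty result set instead (fail closed).
	 *
	 * @param array    $query_args WP_User_Query args.
	 * @param string[] $role_names Role names the current user may assign ads to.
	 *
	 * @return array
	 */
	private function apply_role_restriction( array $query_args, array $role_names ): array {
		if ( empty( $role_names ) ) {
			$query_args['include'] = [ 0 ];

			return $query_args;
		}

		$query_args['role__in'] = array_values( $role_names );

		return $query_args;
	}

	/**
	 * Ensure that users cannot assign ads to users who have more rights on multisite.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function multisite_filter_ad_authors( array $query_args ): array {
		if ( is_super_admin() ) {
			return $query_args;
		}

		$options       = Advanced_Ads::get_instance()->options();
		$allowed_roles = (array) ( $options['allow-unfiltered-html'] ?? [] );

		// If the current user can use unfiltered_html, return the default args.
		if ( ! empty( array_intersect( wp_get_current_user()->roles, $allowed_roles ) ) ) {
			return $query_args;
		}

		// Otherwise they must not be able to hand the ad to a user who can.
		$roles = array_filter(
			wp_roles()->role_objects,
			static function ( WP_Role $role ) use ( $allowed_roles ) {
				return ! in_array( $role->name, $allowed_roles, true ) && $role->has_cap( 'advanced_ads_edit_ads' );
			}
		);

		$query_args = $this->apply_role_restriction( $query_args, wp_list_pluck( $roles, 'name' ) );

		// Super admins are not a role, so exclude them by ID. A login listed in the
		// site_admins option may no longer map to a user; skip those instead of
		// dereferencing the `false` returned by get_user_by().
		$super_admin_ids = [];
		foreach ( get_super_admins() as $login ) {
			$user = get_user_by( 'login', $login );
			if ( false !== $user ) {
				$super_admin_ids[] = (int) $user->ID;
			}
		}
		$query_args['exclude'] = $super_admin_ids;

		return $query_args;
	}

	/**
	 * IDs of the users the current user is allowed to assign ads to.
	 *
	 * Computed once per request (the result only depends on the current user).
	 *
	 * @return int[]
	 */
	private function allowed_author_ids(): array {
		static $ids = null;

		if ( null === $ids ) {
			$user_query = new WP_User_Query( $this->restrict_author_query_args( [ 'fields' => 'ID' ] ) );
			$ids        = array_map( 'absint', $user_query->get_results() );
		}

		return $ids;
	}

	/**
	 * Prevent users from editing the form data and assign ads to users they're not allowed to.
	 * Wp_die() if tampering detected.
	 *
	 * @param int   $post_id The current post id.
	 * @param array $data    The post data to be saved.
	 *
	 * @return void
	 */
	public function sanitize_author_saving( $post_id, $data ) {
		if ( get_post_type( $post_id ) !== Constants::POST_TYPE_AD || ! isset( $data['post_author'] ) ) {
			return;
		}

		$new_author = (int) $data['post_author'];

		// Assigning to oneself or leaving the author untouched cannot escalate anything.
		if ( get_current_user_id() === $new_author || (int) get_post_field( 'post_author', $post_id ) === $new_author ) {
			return;
		}

		// Deliberately screen-independent: the allow-list must hold for every save path.
		if ( ! in_array( $new_author, $this->allowed_author_ids(), true ) ) {
			wp_die( esc_html__( 'Sorry, you\'re not allowed to assign this user.', 'advanced-ads' ) );
		}
	}

	/**
	 * Prevent users from editing posts of users with more rights than themselves.
	 *
	 * @param array  $caps    Needed capabilities.
	 * @param string $cap     Requested capability.
	 * @param int    $user_id The user_id for the cap check.
	 * @param array  $args    Arguments array for checking primitive capabilities.
	 *
	 * @return array
	 */
	public function filter_editable_posts( $caps, $cap, $user_id, $args ) {
		if ( 'advanced_ads_edit_ads' !== $cap || empty( $args ) ) {
			return $caps;
		}

		$post_id = (int) $args[0];
		if ( empty( $post_id ) ) {
			return $caps;
		}

		// Only "plain" ads are restricted here; other ad types pass through unchanged.
		$ad = wp_advads_get_ad( $post_id );
		if ( $ad && ! $ad->is_type( 'plain' ) ) {
			return $caps;
		}

		$user_id   = (int) $user_id;
		$author_id = (int) get_post_field( 'post_author', $post_id );
		$author    = get_userdata( $author_id );

		// An ad whose author no longer exists is treated as owned by the checked user.
		if ( false === $author ) {
			$author_id = $user_id;
		}

		// Someone else's ad: the author must be able to edit it themselves. This re-enters the
		// filter with $user_id = $author_id, where this branch is skipped, so it cannot recurse.
		if ( $author_id !== $user_id && ! user_can( $author, $cap, $post_id ) ) {
			return [ 'do_not_allow' ];
		}

		// ... and the author must be someone the current user could assign the ad to.
		if ( ! in_array( $author_id, $this->allowed_author_ids(), true ) ) {
			return [ 'do_not_allow' ];
		}

		return $caps;
	}

	/**
	 * Get the user roles that are allowed to edit ads.
	 *
	 * Roles with unfiltered_html are dropped unless the current user has that capability too.
	 *
	 * @return WP_Role[]
	 */
	private function filtered_user_roles(): array {
		$current_user_has_unfiltered_html = current_user_can( 'unfiltered_html' );

		return array_filter(
			wp_roles()->role_objects,
			static function ( WP_Role $role ) use ( $current_user_has_unfiltered_html ) {
				if ( ! $role->has_cap( 'advanced_ads_edit_ads' ) ) {
					return false;
				}

				return $current_user_has_unfiltered_html || ! $role->has_cap( 'unfiltered_html' );
			}
		);
	}
}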