AddViewCapabilitiesToAdminRoles.php
5 months ago
FixGiveAccountantCapabilities.php
5 months ago
FixGiveWorkerCapabilities.php
5 months ago
FixGiveWorkerCapabilities.php
123 lines
| 1 | <?php |
| 2 | |
| 3 | declare(strict_types=1); |
| 4 | |
| 5 | namespace Give\Framework\Permissions\Migrations; |
| 6 | |
| 7 | use Give\Framework\Migrations\Contracts\Migration; |
| 8 | |
| 9 | /** |
| 10 | * Fixes give_worker role capabilities to match documentation. |
| 11 | * |
| 12 | * The give_worker role should only be able to read donations (view_give_payments), |
| 13 | * not edit them. This migration removes the incorrectly assigned edit_give_payments |
| 14 | * capability from the give_worker role. It also adds view_give_forms for consistency. |
| 15 | * |
| 16 | * @since 4.14.0 |
| 17 | */ |
| 18 | class FixGiveWorkerCapabilities extends Migration |
| 19 | { |
| 20 | /** |
| 21 | * @inheritdoc |
| 22 | */ |
| 23 | public static function id(): string |
| 24 | { |
| 25 | return 'fix_give_worker_capabilities'; |
| 26 | } |
| 27 | |
| 28 | /** |
| 29 | * @inheritdoc |
| 30 | */ |
| 31 | public static function title(): string |
| 32 | { |
| 33 | return 'Fix GiveWP Worker role capabilities'; |
| 34 | } |
| 35 | |
| 36 | /** |
| 37 | * @inheritdoc |
| 38 | */ |
| 39 | public static function timestamp(): int |
| 40 | { |
| 41 | return strtotime('2026-01-12'); |
| 42 | } |
| 43 | |
| 44 | /** |
| 45 | * @inheritdoc |
| 46 | */ |
| 47 | public function run(): void |
| 48 | { |
| 49 | $this->fixRoleCapabilities(); |
| 50 | $this->fixUserCapabilities(); |
| 51 | } |
| 52 | |
| 53 | /** |
| 54 | * Fix capabilities at the role level. |
| 55 | * |
| 56 | * @since 4.14.0 |
| 57 | */ |
| 58 | private function fixRoleCapabilities(): void |
| 59 | { |
| 60 | global $wp_roles; |
| 61 | |
| 62 | if (!class_exists('WP_Roles')) { |
| 63 | return; |
| 64 | } |
| 65 | |
| 66 | if (!isset($wp_roles)) { |
| 67 | $wp_roles = new \WP_Roles(); |
| 68 | } |
| 69 | |
| 70 | if (!is_object($wp_roles)) { |
| 71 | return; |
| 72 | } |
| 73 | |
| 74 | // Remove edit_give_payments from give_worker - they should only be able to view payments |
| 75 | $wp_roles->remove_cap('give_worker', 'edit_give_payments'); |
| 76 | |
| 77 | // Ensure give_worker has view_give_payments for reading donations |
| 78 | $wp_roles->add_cap('give_worker', 'view_give_payments'); |
| 79 | |
| 80 | // Ensure give_worker has view_give_forms for consistency |
| 81 | $wp_roles->add_cap('give_worker', 'view_give_forms'); |
| 82 | } |
| 83 | |
| 84 | /** |
| 85 | * Fix capabilities at the user level for all give_worker users. |
| 86 | * |
| 87 | * This handles cases where edit_give_payments was manually granted to individual users. |
| 88 | * |
| 89 | * @since 4.14.0 |
| 90 | */ |
| 91 | private function fixUserCapabilities(): void |
| 92 | { |
| 93 | $giveWorkers = get_users([ |
| 94 | 'role' => 'give_worker', |
| 95 | 'fields' => 'ID', |
| 96 | ]); |
| 97 | |
| 98 | foreach ($giveWorkers as $userId) { |
| 99 | $user = get_userdata($userId); |
| 100 | |
| 101 | if (!$user) { |
| 102 | continue; |
| 103 | } |
| 104 | |
| 105 | // Remove edit_give_payments if it was individually granted |
| 106 | if ($user->has_cap('edit_give_payments')) { |
| 107 | $user->remove_cap('edit_give_payments'); |
| 108 | } |
| 109 | |
| 110 | // Ensure view_give_payments is present |
| 111 | if (!$user->has_cap('view_give_payments')) { |
| 112 | $user->add_cap('view_give_payments'); |
| 113 | } |
| 114 | |
| 115 | // Ensure view_give_forms is present |
| 116 | if (!$user->has_cap('view_give_forms')) { |
| 117 | $user->add_cap('view_give_forms'); |
| 118 | } |
| 119 | } |
| 120 | } |
| 121 | } |
| 122 | |
| 123 |