access-check.php
329 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Determine access to premium content. |
| 4 | * |
| 5 | * @package Automattic\Jetpack\Extensions\Premium_Content |
| 6 | */ |
| 7 | |
| 8 | namespace Automattic\Jetpack\Extensions\Premium_Content; |
| 9 | |
| 10 | use Automattic\Jetpack\Extensions\Premium_Content\Subscription_Service\Abstract_Token_Subscription_Service; |
| 11 | use Automattic\Jetpack\Extensions\Premium_Content\Subscription_Service\WPCOM_Online_Subscription_Service; |
| 12 | |
| 13 | require_once __DIR__ . '/subscription-service/include.php'; |
| 14 | |
| 15 | /** |
| 16 | * Determines if the memberships module is set up. |
| 17 | * |
| 18 | * @return bool Whether the memberships module is set up. |
| 19 | */ |
| 20 | function membership_checks() { |
| 21 | // If Jetpack is not yet configured, don't show anything ... |
| 22 | if ( ! class_exists( '\Jetpack_Memberships' ) ) { |
| 23 | return false; |
| 24 | } |
| 25 | // if stripe not connected don't show anything... |
| 26 | if ( ! \Jetpack_Memberships::has_connected_account() ) { |
| 27 | return false; |
| 28 | } |
| 29 | return true; |
| 30 | } |
| 31 | |
| 32 | /** |
| 33 | * Determines if the site has a plan that supports the |
| 34 | * Premium Content block. |
| 35 | * |
| 36 | * @return bool |
| 37 | */ |
| 38 | function required_plan_checks() { |
| 39 | $availability = \Jetpack_Gutenberg::get_cached_availability(); |
| 40 | $slug = 'premium-content/container'; |
| 41 | return ( isset( $availability[ $slug ] ) && $availability[ $slug ]['available'] ); |
| 42 | } |
| 43 | |
| 44 | /** |
| 45 | * Determines if the block should be rendered. Returns true |
| 46 | * if the block passes all required checks, or if the user is |
| 47 | * an editor. |
| 48 | * |
| 49 | * @return bool Whether the block should be rendered. |
| 50 | */ |
| 51 | function pre_render_checks() { |
| 52 | return ( current_user_can_edit() || membership_checks() ); |
| 53 | } |
| 54 | |
| 55 | /** |
| 56 | * Determines whether the current user can edit. |
| 57 | * |
| 58 | * @return bool Whether the user can edit. |
| 59 | */ |
| 60 | function current_user_can_edit() { |
| 61 | $user = wp_get_current_user(); |
| 62 | |
| 63 | return 0 !== $user->ID && current_user_can( 'edit_post', get_the_ID() ); |
| 64 | } |
| 65 | |
| 66 | /** |
| 67 | * Mint and persist a fresh premium-content session cookie for the current visitor. |
| 68 | * |
| 69 | * When the WPCOM Memberships filter returns authoritative subscriptions for a logged-in |
| 70 | * visitor but no JWT cookie is present (e.g. the previous one expired or was cleared), |
| 71 | * we wrap those subscriptions in a JWT signed with the site's Jetpack blog token and |
| 72 | * persist it as the standard `wp-jp-premium-content-session` cookie. Subsequent requests |
| 73 | * within the cookie TTL take the fast cached path instead of the WPCOM round-trip. |
| 74 | * |
| 75 | * Returns the minted JWT so callers can act on it; returns null when no token should be |
| 76 | * minted because there are no subscriptions, a valid cookie already exists, or the |
| 77 | * signing key is unavailable. The cookie itself is set on a best-effort basis: if headers |
| 78 | * have already been sent, the token is still returned so the caller can decide what to do. |
| 79 | * |
| 80 | * @param object $paywall Subscription service (provides the signing key). |
| 81 | * @param int $user_id User id the subscriptions belong to (WPCOM id when available, otherwise local). |
| 82 | * @param array $abbreviated_subscriptions Subscriptions after `abbreviate_subscriptions()`. |
| 83 | * @return string|null The encoded JWT, or null when no cookie was minted. |
| 84 | */ |
| 85 | function maybe_renew_session_cookie( $paywall, $user_id, $abbreviated_subscriptions ) { |
| 86 | if ( empty( $abbreviated_subscriptions ) ) { |
| 87 | return null; |
| 88 | } |
| 89 | if ( Abstract_Token_Subscription_Service::has_token_from_cookie() ) { |
| 90 | $session_cookie_name = Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME; |
| 91 | $existing_payload = null; |
| 92 | if ( isset( $_COOKIE[ $session_cookie_name ] ) ) { |
| 93 | // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash |
| 94 | $existing_payload = $paywall->decode_token( $_COOKIE[ $session_cookie_name ] ); |
| 95 | } |
| 96 | if ( ! empty( $existing_payload ) ) { |
| 97 | return null; |
| 98 | } |
| 99 | } |
| 100 | |
| 101 | $key = $paywall->get_key(); |
| 102 | if ( ! $key ) { |
| 103 | return null; |
| 104 | } |
| 105 | |
| 106 | $payload_subscriptions = array(); |
| 107 | foreach ( $abbreviated_subscriptions as $pid => $sub ) { |
| 108 | $sub = (array) $sub; |
| 109 | $payload_subscriptions[ $pid ] = array( |
| 110 | 'status' => 'active', |
| 111 | 'end_date' => $sub['end_date'] ?? gmdate( 'Y-m-d H:i:s', time() + MONTH_IN_SECONDS ), |
| 112 | 'product_id' => (int) $pid, |
| 113 | ); |
| 114 | if ( ! empty( $sub['is_comp'] ) ) { |
| 115 | $payload_subscriptions[ $pid ]['is_comp'] = true; |
| 116 | } |
| 117 | } |
| 118 | |
| 119 | $token = JWT::encode( |
| 120 | array( |
| 121 | 'user_id' => $user_id, |
| 122 | 'blog_sub' => 'active', |
| 123 | 'subscriptions' => $payload_subscriptions, |
| 124 | ), |
| 125 | $key |
| 126 | ); |
| 127 | |
| 128 | if ( ! ( defined( 'TESTING_IN_JETPACK' ) && TESTING_IN_JETPACK ) && ! headers_sent() ) { |
| 129 | // phpcs:ignore Jetpack.Functions.SetCookie.FoundNonHTTPOnlyFalse |
| 130 | setcookie( Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME, $token, strtotime( '+1 month' ), '/', '', is_ssl(), false ); |
| 131 | } |
| 132 | |
| 133 | // Reflect the cookie in the current request so the render path (and any later code in |
| 134 | // this request) reads the freshly minted token instead of re-querying the filter. |
| 135 | $_COOKIE[ Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME ] = $token; |
| 136 | |
| 137 | return $token; |
| 138 | } |
| 139 | |
| 140 | /** |
| 141 | * Resolve the current logged-in visitor's subscriptions from the authoritative |
| 142 | * WordPress.com Memberships filter. |
| 143 | * |
| 144 | * Translates the local user id to the WordPress.com user id (via the `wpcom_user_id` |
| 145 | * user_meta populated by Jetpack SSO) and queries the filter with the paywall's |
| 146 | * WordPress.com blog id (not get_current_blog_id(), which is the independent local id |
| 147 | * on Atomic/WoA). Shared by the access decision and the cookie self-heal. |
| 148 | * |
| 149 | * @param object $paywall Subscription service (provides the WordPress.com blog id). |
| 150 | * @return array{0:int,1:array,2:array} [ user_id (WPCOM id when available, otherwise local), raw_subscriptions, abbreviated_subscriptions ]. |
| 151 | */ |
| 152 | function get_subscriptions_for_logged_in_user( $paywall ) { |
| 153 | $local_user_id = wp_get_current_user()->ID; |
| 154 | $wpcom_user_id = (int) get_user_meta( $local_user_id, 'wpcom_user_id', true ); |
| 155 | $user_id = $wpcom_user_id > 0 ? $wpcom_user_id : $local_user_id; |
| 156 | $site_id = $paywall->get_site_id(); |
| 157 | |
| 158 | /** |
| 159 | * Filter the subscriptions attached to a specific user on a given site. |
| 160 | * |
| 161 | * @since 9.4.0 |
| 162 | * |
| 163 | * @param array $subscriptions Array of subscriptions. |
| 164 | * @param int $user_id The user's ID. |
| 165 | * @param int $site_id ID of the current site. |
| 166 | */ |
| 167 | $raw_subscriptions = apply_filters( 'earn_get_user_subscriptions_for_site_id', array(), $user_id, $site_id ); |
| 168 | $abbreviated_subscriptions = WPCOM_Online_Subscription_Service::abbreviate_subscriptions( $raw_subscriptions ); |
| 169 | |
| 170 | return array( $user_id, $raw_subscriptions, $abbreviated_subscriptions ); |
| 171 | } |
| 172 | |
| 173 | /** |
| 174 | * Pre-warm the premium-content session cookie before output starts. |
| 175 | * |
| 176 | * `current_visitor_can_access()` runs during `the_content`, by which point headers are |
| 177 | * already sent and `setcookie()` is a no-op. This `template_redirect` callback runs earlier — |
| 178 | * after the main query resolves but before the template renders — so the self-heal cookie can |
| 179 | * actually persist for subsequent requests. It does work only on front-end page views that |
| 180 | * contain the block, for logged-in visitors who do not already have a valid cookie. |
| 181 | * |
| 182 | * @return void |
| 183 | */ |
| 184 | function prewarm_premium_content_session_cookie() { |
| 185 | if ( ! is_user_logged_in() ) { |
| 186 | return; |
| 187 | } |
| 188 | |
| 189 | // Front-end page views only — skip admin, REST, feeds and cron. |
| 190 | if ( is_admin() || is_feed() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) { |
| 191 | return; |
| 192 | } |
| 193 | |
| 194 | // Only on singular content that actually contains the block, so we never pay the filter |
| 195 | // round-trip on unrelated pages. |
| 196 | $queried = get_queried_object(); |
| 197 | if ( ! ( $queried instanceof \WP_Post ) || ! has_block( 'premium-content/container', $queried ) ) { |
| 198 | return; |
| 199 | } |
| 200 | |
| 201 | // Editors/authors of this post already bypass gating in current_visitor_can_access(), so |
| 202 | // there is no cookie to pre-warm for them — skip the Memberships filter round-trip. |
| 203 | if ( current_user_can( 'edit_post', $queried->ID ) ) { |
| 204 | return; |
| 205 | } |
| 206 | |
| 207 | $paywall = subscription_service(); |
| 208 | |
| 209 | // Already have a valid cached session? Nothing to heal — and don't query the filter. |
| 210 | $existing_payload = $paywall->decode_token( $paywall->get_and_set_token_from_request() ); |
| 211 | if ( ! empty( $existing_payload ) ) { |
| 212 | return; |
| 213 | } |
| 214 | |
| 215 | list( $user_id, , $abbreviated_subscriptions ) = get_subscriptions_for_logged_in_user( $paywall ); |
| 216 | maybe_renew_session_cookie( $paywall, $user_id, $abbreviated_subscriptions ); |
| 217 | } |
| 218 | |
| 219 | /** |
| 220 | * Determines if the current user can view the protected content of the given block. |
| 221 | * |
| 222 | * @param array $attributes Block attributes. |
| 223 | * @param object $block Block to check. |
| 224 | * |
| 225 | * @return bool Whether the use can view the content. |
| 226 | */ |
| 227 | function current_visitor_can_access( $attributes, $block ) { |
| 228 | /** |
| 229 | * If the current WordPress install has as signed in user |
| 230 | * they can see the content. |
| 231 | */ |
| 232 | |
| 233 | if ( current_user_can_edit() ) { |
| 234 | return true; |
| 235 | } |
| 236 | |
| 237 | $selected_plan_ids = array(); |
| 238 | |
| 239 | if ( isset( $attributes['selectedPlanIds'] ) ) { |
| 240 | $selected_plan_ids = $attributes['selectedPlanIds']; |
| 241 | } elseif ( isset( $attributes['selectedPlanId'] ) ) { |
| 242 | $selected_plan_ids = array( $attributes['selectedPlanId'] ); |
| 243 | } |
| 244 | |
| 245 | if ( isset( $block ) && ! empty( $block->context['premium-content/planId'] ) ) { |
| 246 | $selected_plan_ids = array( $block->context['premium-content/planId'] ); |
| 247 | } elseif ( isset( $block ) && ! empty( $block->context['premium-content/planIds'] ) ) { |
| 248 | $selected_plan_ids = $block->context['premium-content/planIds']; |
| 249 | } |
| 250 | |
| 251 | if ( empty( $selected_plan_ids ) ) { |
| 252 | return false; |
| 253 | } |
| 254 | |
| 255 | $can_view = false; |
| 256 | $paywall = subscription_service(); |
| 257 | $access_level = Abstract_Token_Subscription_Service::POST_ACCESS_LEVEL_PAID_SUBSCRIBERS; // Only paid subscribers should be granted access to the premium content |
| 258 | $tier_ids = \Jetpack_Memberships::get_all_newsletter_plan_ids(); |
| 259 | $tier_ids = array_intersect( $tier_ids, $selected_plan_ids ); |
| 260 | if ( ! empty( $tier_ids ) ) { |
| 261 | // If the selected plan is a tier, we want to check directly if user has a higher "tier". |
| 262 | // This is to prevent situation where the user upgrades and lose access to premium-gated content |
| 263 | |
| 264 | $subscriptions = array(); |
| 265 | |
| 266 | // Cookie/token first (fast cached path, no WPCOM round-trip). Also covers anonymous |
| 267 | // visitors arriving via a `?token=` magic link, which takes precedence over the cookie. |
| 268 | $token = $paywall->get_and_set_token_from_request(); |
| 269 | $payload = $paywall->decode_token( $token ); |
| 270 | if ( ! empty( $payload ) ) { |
| 271 | $subscriptions = (array) $payload['subscriptions']; |
| 272 | } |
| 273 | |
| 274 | // No valid cookie yet, but logged in: consult the authoritative WPCOM filter. This is |
| 275 | // the first-visit / expired-cookie path; the template_redirect pre-warm hook mints the |
| 276 | // cookie for subsequent requests. Keeps CM-584 fixed (expired cookie still grants access). |
| 277 | if ( empty( $subscriptions ) && is_user_logged_in() ) { |
| 278 | list( , , $subscriptions ) = get_subscriptions_for_logged_in_user( $paywall ); |
| 279 | } |
| 280 | |
| 281 | foreach ( $tier_ids as $tier_id ) { |
| 282 | $can_view = ! $paywall->maybe_gate_access_for_user_if_tier( $tier_id, $subscriptions ); |
| 283 | if ( $can_view ) { |
| 284 | break; |
| 285 | } |
| 286 | } |
| 287 | |
| 288 | // Refresh-before-deny for the tier path. If the tier check denied access but the |
| 289 | // token already references a subscription whose product_id maps to one of the |
| 290 | // requested tiers, the most likely cause is a stale end_date from a renewal — |
| 291 | // attempt a single refresh against the WordPress.com token-refresh endpoint and |
| 292 | // re-check with the fresh subscriptions. Mirrors the same gate inside |
| 293 | // visitor_can_view_content() for the non-tier path. |
| 294 | if ( |
| 295 | ! $can_view |
| 296 | && method_exists( $paywall, 'token_has_matching_product' ) |
| 297 | && $paywall->token_has_matching_product( $tier_ids, $subscriptions ) |
| 298 | ) { |
| 299 | $fresh_payload = $paywall->refresh_token_payload(); |
| 300 | if ( ! empty( $fresh_payload ) ) { |
| 301 | $subscriptions = isset( $fresh_payload['subscriptions'] ) ? (array) $fresh_payload['subscriptions'] : array(); |
| 302 | foreach ( $tier_ids as $tier_id ) { |
| 303 | $can_view = ! $paywall->maybe_gate_access_for_user_if_tier( $tier_id, $subscriptions ); |
| 304 | if ( $can_view ) { |
| 305 | break; |
| 306 | } |
| 307 | } |
| 308 | } |
| 309 | } |
| 310 | } |
| 311 | |
| 312 | $non_tier_ids = array_diff( $selected_plan_ids, $tier_ids ); |
| 313 | if ( ! $can_view ) { |
| 314 | // For selected plans that are not tiers, we want to check if the user has any of the selected plans. |
| 315 | $can_view = $paywall->visitor_can_view_content( $non_tier_ids, $access_level ); |
| 316 | } |
| 317 | |
| 318 | if ( $can_view ) { |
| 319 | /** |
| 320 | * Fires when a visitor can view protected content on a site. |
| 321 | * |
| 322 | * @since 9.4.0 |
| 323 | */ |
| 324 | do_action( 'jetpack_earn_remove_cache_headers' ); |
| 325 | } |
| 326 | |
| 327 | return $can_view; |
| 328 | } |
| 329 |