PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 1.3.1
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v1.3.1
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / classes / WpMatomo / Capabilities.php
matomo / classes / WpMatomo Last commit date
Admin 5 years ago Commands 6 years ago Db 6 years ago Ecommerce 6 years ago Report 6 years ago Site 5 years ago TrackingCode 5 years ago User 5 years ago views 6 years ago API.php 5 years ago Access.php 6 years ago AjaxTracker.php 5 years ago Annotations.php 6 years ago Bootstrap.php 6 years ago Capabilities.php 6 years ago Compatibility.php 6 years ago Email.php 5 years ago Installer.php 6 years ago Logger.php 5 years ago OptOut.php 5 years ago Paths.php 6 years ago PrivacyBadge.php 6 years ago Referral.php 6 years ago Roles.php 6 years ago ScheduledTasks.php 6 years ago Settings.php 5 years ago Site.php 6 years ago TrackingCode.php 5 years ago Uninstaller.php 6 years ago Updater.php 6 years ago User.php 6 years ago
Capabilities.php
187 lines
1 <?php
2 /**
3 * Matomo - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 * @package matomo
8 */
9
10 namespace WpMatomo;
11
12 use WP_Roles;
13 use WpMatomo\Admin\Menu;
14
15 if ( ! defined( 'ABSPATH' ) ) {
16 exit; // if accessed directly
17 }
18
19 class Capabilities {
20 const KEY_NONE = 'none_matomo';
21
22 /**
23 * @api
24 */
25 const KEY_VIEW = 'view_matomo';
26
27 /**
28 * @api
29 */
30 const KEY_WRITE = 'write_matomo';
31
32 /**
33 * @api
34 */
35 const KEY_ADMIN = 'admin_matomo';
36
37 /**
38 * @api
39 */
40 const KEY_SUPERUSER = 'superuser_matomo';
41 const KEY_STEALTH = 'stealth_matomo';
42
43 /**
44 * @var Settings
45 */
46 private $settings;
47
48 public function __construct( $settings ) {
49 $this->settings = $settings;
50 }
51
52 public function register_hooks() {
53 add_action( 'wp_roles_init', array( $this, 'add_capabilities_to_roles' ) );
54 add_filter( 'user_has_cap', array( $this, 'add_capabilities_to_user' ), 10, 4 );
55 add_filter( 'map_meta_cap', array( $this, 'map_meta_cap' ), 10, 4 );
56 }
57
58 /**
59 * Tests only
60 *
61 * @internal
62 */
63 public function remove_hooks() {
64 remove_action( 'wp_roles_init', array( $this, 'add_capabilities_to_roles' ) );
65 remove_filter( 'user_has_cap', array( $this, 'add_capabilities_to_user' ), 10 );
66 remove_filter( 'map_meta_cap', array( $this, 'map_meta_cap' ), 10 );
67 }
68
69 public function map_meta_cap( $caps, $cap, $user_id, $args ) {
70 if ( self::KEY_STEALTH === $cap ) {
71 // a super admin is usually allowed all actions... unless we add do_not_allow
72 if ( is_multisite() && is_super_admin() ) {
73 $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );
74 if ( ! empty( $stealth['administrator'] ) ) {
75 $caps[] = 'do_not_allow';
76 }
77 }
78 }
79
80 if ( Menu::CAP_NOT_EXISTS === $cap
81 && is_multisite()
82 && is_super_admin() ) {
83 $caps[] = 'do_not_allow'; // prevent matomo-analytics submenu to be shown
84 }
85
86 return $caps;
87 }
88
89 public function add_capabilities_to_user( $allcaps, $caps, $args, $user ) {
90 if ( isset( $caps[0] ) ) {
91 $cap_request = $caps[0];
92 switch ( $cap_request ) {
93 // ensure the Matomo capability inheritcance always works
94 case self::KEY_SUPERUSER:
95 if ( $this->has_super_user_capability( $allcaps ) ) {
96 $allcaps[ $cap_request ] = true;
97 }
98 break;
99
100 case self::KEY_VIEW:
101 case self::KEY_WRITE:
102 case self::KEY_ADMIN:
103 if ( empty( $allcaps[ $cap_request ] ) ) {
104 // when user has the above permission we also make sure to add all capabilites below... eg
105 // when user has write... then we ensure the user also has the view capability
106 if ( $this->has_any_higher_permission( $cap_request, $allcaps )
107 || $this->has_super_user_capability( $allcaps ) ) {
108 $allcaps[ $cap_request ] = true;
109 }
110 }
111
112 break;
113 }
114 }
115
116 return $allcaps;
117 }
118
119 private function has_super_user_capability( $allcaps ) {
120 if ( is_multisite() && $this->settings->is_network_enabled() ) {
121 if ( is_super_admin() ) {
122 // only network manager can be super user in this case
123 return true;
124 }
125 } elseif ( ! empty( $allcaps['administrator'] ) || ( is_multisite() && is_super_admin() ) ) {
126 return true;
127 }
128
129 return false;
130 }
131
132 /**
133 * @param WP_Roles $roles
134 */
135 public function add_capabilities_to_roles( $roles ) {
136 $access = $this->settings->get_global_option( Settings::OPTION_KEY_CAPS_ACCESS );
137 $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );
138
139 if ( ! empty( $access ) && is_array( $access ) ) {
140 foreach ( $access as $role_name => $cap ) {
141 $role = $roles->get_role( $role_name );
142 if ( $role ) {
143 $role->capabilities[ $cap ] = true;
144 }
145 }
146 }
147
148 if ( ! empty( $stealth ) && is_array( $stealth ) ) {
149 foreach ( $stealth as $role_name => $enabled ) {
150 $role = $roles->get_role( $role_name );
151 if ( $role && $enabled ) {
152 $role->capabilities[ self::KEY_STEALTH ] = true;
153 }
154 }
155 }
156 }
157
158 public function get_all_capabilities_sorted_by_highest_permission() {
159 return array(
160 self::KEY_SUPERUSER,
161 self::KEY_ADMIN,
162 self::KEY_WRITE,
163 self::KEY_VIEW,
164 );
165 }
166
167 protected function has_any_higher_permission( $cap_to_find, $allcaps ) {
168 $all_caps = $this->get_all_capabilities_sorted_by_highest_permission();
169 if ( ! in_array( $cap_to_find, $all_caps, true ) ) {
170 return false;
171 }
172
173 foreach ( $all_caps as $cap ) {
174 if ( array_key_exists( $cap, $allcaps ) && ! empty( $allcaps[ $cap ] ) ) {
175 // eg if user has super user... then we return right away...
176 return true;
177 }
178 if ( $cap === $cap_to_find ) {
179 return false;
180 }
181 }
182
183 return false;
184 }
185
186 }
187