Admin
3 years ago
Commands
4 years ago
Db
4 years ago
Ecommerce
3 years ago
Report
4 years ago
Site
3 years ago
TrackingCode
4 years ago
Updater
4 years ago
User
3 years ago
WpStatistics
4 years ago
views
4 years ago
API.php
4 years ago
Access.php
4 years ago
AjaxTracker.php
5 years ago
Annotations.php
4 years ago
Bootstrap.php
4 years ago
Capabilities.php
4 years ago
Compatibility.php
4 years ago
Email.php
4 years ago
Installer.php
4 years ago
Logger.php
4 years ago
OptOut.php
4 years ago
Paths.php
4 years ago
PrivacyBadge.php
4 years ago
RedirectOnActivation.php
4 years ago
Referral.php
4 years ago
Roles.php
4 years ago
ScheduledTasks.php
4 years ago
Settings.php
4 years ago
Site.php
3 years ago
TrackingCode.php
4 years ago
Uninstaller.php
4 years ago
Updater.php
4 years ago
User.php
4 years ago
Capabilities.php
187 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Matomo - free/libre analytics platform |
| 4 | * |
| 5 | * @link https://matomo.org |
| 6 | * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 7 | * @package matomo |
| 8 | */ |
| 9 | |
| 10 | namespace WpMatomo; |
| 11 | |
| 12 | use WP_Roles; |
| 13 | use WpMatomo\Admin\Menu; |
| 14 | |
| 15 | if ( ! defined( 'ABSPATH' ) ) { |
| 16 | exit; // if accessed directly |
| 17 | } |
| 18 | |
| 19 | class Capabilities { |
| 20 | |
| 21 | const KEY_NONE = 'none_matomo'; |
| 22 | |
| 23 | /** |
| 24 | * @api |
| 25 | */ |
| 26 | const KEY_VIEW = 'view_matomo'; |
| 27 | |
| 28 | /** |
| 29 | * @api |
| 30 | */ |
| 31 | const KEY_WRITE = 'write_matomo'; |
| 32 | |
| 33 | /** |
| 34 | * @api |
| 35 | */ |
| 36 | const KEY_ADMIN = 'admin_matomo'; |
| 37 | |
| 38 | /** |
| 39 | * @api |
| 40 | */ |
| 41 | const KEY_SUPERUSER = 'superuser_matomo'; |
| 42 | const KEY_STEALTH = 'stealth_matomo'; |
| 43 | |
| 44 | /** |
| 45 | * @var Settings |
| 46 | */ |
| 47 | private $settings; |
| 48 | |
| 49 | public function __construct( $settings ) { |
| 50 | $this->settings = $settings; |
| 51 | } |
| 52 | |
| 53 | public function register_hooks() { |
| 54 | add_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] ); |
| 55 | add_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10, 4 ); |
| 56 | add_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10, 4 ); |
| 57 | } |
| 58 | |
| 59 | /** |
| 60 | * Tests only |
| 61 | * |
| 62 | * @internal |
| 63 | */ |
| 64 | public function remove_hooks() { |
| 65 | remove_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] ); |
| 66 | remove_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10 ); |
| 67 | remove_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10 ); |
| 68 | } |
| 69 | |
| 70 | public function map_meta_cap( $caps, $cap, $user_id, $args ) { |
| 71 | if ( self::KEY_STEALTH === $cap ) { |
| 72 | // a super admin is usually allowed all actions... unless we add do_not_allow |
| 73 | if ( is_multisite() && is_super_admin() ) { |
| 74 | $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH ); |
| 75 | if ( ! empty( $stealth['administrator'] ) ) { |
| 76 | $caps[] = 'do_not_allow'; |
| 77 | } |
| 78 | } |
| 79 | } |
| 80 | |
| 81 | if ( Menu::CAP_NOT_EXISTS === $cap |
| 82 | && is_multisite() |
| 83 | && is_super_admin() ) { |
| 84 | $caps[] = 'do_not_allow'; // prevent matomo-analytics submenu to be shown |
| 85 | } |
| 86 | |
| 87 | return $caps; |
| 88 | } |
| 89 | |
| 90 | public function add_capabilities_to_user( $allcaps, $caps, $args, $user ) { |
| 91 | if ( isset( $caps[0] ) ) { |
| 92 | $cap_request = $caps[0]; |
| 93 | switch ( $cap_request ) { |
| 94 | // ensure the Matomo capability inheritcance always works |
| 95 | case self::KEY_SUPERUSER: |
| 96 | if ( $this->has_super_user_capability( $allcaps ) ) { |
| 97 | $allcaps[ $cap_request ] = true; |
| 98 | } |
| 99 | break; |
| 100 | |
| 101 | case self::KEY_VIEW: |
| 102 | case self::KEY_WRITE: |
| 103 | case self::KEY_ADMIN: |
| 104 | if ( empty( $allcaps[ $cap_request ] ) ) { |
| 105 | // when user has the above permission we also make sure to add all capabilites below... eg |
| 106 | // when user has write... then we ensure the user also has the view capability |
| 107 | if ( $this->has_any_higher_permission( $cap_request, $allcaps ) |
| 108 | || $this->has_super_user_capability( $allcaps ) ) { |
| 109 | $allcaps[ $cap_request ] = true; |
| 110 | } |
| 111 | } |
| 112 | |
| 113 | break; |
| 114 | } |
| 115 | } |
| 116 | |
| 117 | return $allcaps; |
| 118 | } |
| 119 | |
| 120 | private function has_super_user_capability( $allcaps ) { |
| 121 | if ( is_multisite() && $this->settings->is_network_enabled() ) { |
| 122 | if ( is_super_admin() ) { |
| 123 | // only network manager can be super user in this case |
| 124 | return true; |
| 125 | } |
| 126 | } elseif ( ! empty( $allcaps['administrator'] ) || ( is_multisite() && is_super_admin() ) ) { |
| 127 | return true; |
| 128 | } |
| 129 | |
| 130 | return false; |
| 131 | } |
| 132 | |
| 133 | /** |
| 134 | * @param WP_Roles $roles |
| 135 | */ |
| 136 | public function add_capabilities_to_roles( $roles ) { |
| 137 | $access = $this->settings->get_global_option( Settings::OPTION_KEY_CAPS_ACCESS ); |
| 138 | $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH ); |
| 139 | |
| 140 | if ( ! empty( $access ) && is_array( $access ) ) { |
| 141 | foreach ( $access as $role_name => $cap ) { |
| 142 | $role = $roles->get_role( $role_name ); |
| 143 | if ( $role ) { |
| 144 | $role->capabilities[ $cap ] = true; |
| 145 | } |
| 146 | } |
| 147 | } |
| 148 | |
| 149 | if ( ! empty( $stealth ) && is_array( $stealth ) ) { |
| 150 | foreach ( $stealth as $role_name => $enabled ) { |
| 151 | $role = $roles->get_role( $role_name ); |
| 152 | if ( $role && $enabled ) { |
| 153 | $role->capabilities[ self::KEY_STEALTH ] = true; |
| 154 | } |
| 155 | } |
| 156 | } |
| 157 | } |
| 158 | |
| 159 | public function get_all_capabilities_sorted_by_highest_permission() { |
| 160 | return [ |
| 161 | self::KEY_SUPERUSER, |
| 162 | self::KEY_ADMIN, |
| 163 | self::KEY_WRITE, |
| 164 | self::KEY_VIEW, |
| 165 | ]; |
| 166 | } |
| 167 | |
| 168 | protected function has_any_higher_permission( $cap_to_find, $allcaps ) { |
| 169 | $all_caps = $this->get_all_capabilities_sorted_by_highest_permission(); |
| 170 | if ( ! in_array( $cap_to_find, $all_caps, true ) ) { |
| 171 | return false; |
| 172 | } |
| 173 | |
| 174 | foreach ( $all_caps as $cap ) { |
| 175 | if ( array_key_exists( $cap, $allcaps ) && ! empty( $allcaps[ $cap ] ) ) { |
| 176 | // eg if user has super user... then we return right away... |
| 177 | return true; |
| 178 | } |
| 179 | if ( $cap === $cap_to_find ) { |
| 180 | return false; |
| 181 | } |
| 182 | } |
| 183 | |
| 184 | return false; |
| 185 | } |
| 186 | } |
| 187 |