Matomo Analytics – Powerful, Privacy-First Insights for WordPress v4.14.2
matomo / classes / WpMatomo / Capabilities.php
Capabilities.php
187 lines
1 <?php
2 /**
3 * Matomo - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 * @package matomo
8 */
9
10 namespace WpMatomo;
11
12 use WP_Roles;
13 use WpMatomo\Admin\Menu;
14
// ABSPATH is only defined once WordPress has bootstrapped; stop here when this
// file is requested directly so none of the code below runs outside WordPress.
defined( 'ABSPATH' ) || exit;
18
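/**
 * Wires the Matomo permission levels into WordPress' capability checks.
 *
 * The class adds the configured Matomo capabilities to roles when the roles are
 * initialised, makes a higher Matomo capability imply the lower ones through the
 * `user_has_cap` filter, and uses `map_meta_cap` to deny selected capabilities
 * to multisite super admins.
 */
class Capabilities {

	const KEY_NONE = 'none_matomo';

	/**
	 * @api
	 */
	const KEY_VIEW = 'view_matomo';

	/**
	 * @api
	 */
	const KEY_WRITE = 'write_matomo';

	/**
	 * @api
	 */
	const KEY_ADMIN = 'admin_matomo';

	/**
	 * @api
	 */
	const KEY_SUPERUSER = 'superuser_matomo';
	const KEY_STEALTH   = 'stealth_matomo';

	/**
	 * @var Settings
	 */
	private $settings;

	/**
	 * @param Settings $settings Provides the stored access / stealth options and the network flag.
	 */
	public function __construct( $settings ) {
		$this->settings = $settings;
	}

	/**
	 * Registers the role and capability callbacks with WordPress.
	 */
	public function register_hooks() {
		add_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] );
		add_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10, 4 );
		add_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10, 4 );
	}

	/**
	 * Tests only
	 *
	 * @internal
	 */
	public function remove_hooks() {
		remove_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] );
		remove_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10 );
		remove_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10 );
	}

	/**
	 * `map_meta_cap` filter: appends 'do_not_allow' for capabilities a multisite
	 * super admin must not receive.
	 *
	 * The super admin test is made for `$user_id`, the user the capability is being
	 * mapped for. Calling is_super_admin() without an argument would evaluate the
	 * current user instead, so a check made on behalf of another user would be
	 * answered with the caller's privileges.
	 *
	 * @param string[] $caps    Primitive capabilities required so far.
	 * @param string   $cap     Capability being checked.
	 * @param int      $user_id User the check is made for.
	 * @param array    $args    Extra arguments of the check (unused).
	 *
	 * @return string[]
	 */
	public function map_meta_cap( $caps, $cap, $user_id, $args ) {
		if ( self::KEY_STEALTH === $cap ) {
			// a super admin is usually allowed all actions... unless we add do_not_allow
			if ( is_multisite() && is_super_admin( $user_id ) ) {
				$stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );
				if ( ! empty( $stealth['administrator'] ) ) {
					$caps[] = 'do_not_allow';
				}
			}
		}

		if ( Menu::CAP_NOT_EXISTS === $cap
			&& is_multisite()
			&& is_super_admin( $user_id ) ) {
			$caps[] = 'do_not_allow'; // prevent matomo-analytics submenu to be shown
		}

		return $caps;
	}

	/**
	 * `user_has_cap` filter: grants the requested Matomo capability when the user
	 * already holds a higher one or qualifies as Matomo super user.
	 *
	 * Only the first required capability (`$caps[0]`) is inspected. The comparison
	 * is strict so a non-string value can never match a Matomo key by type juggling.
	 *
	 * @param array    $allcaps Capabilities the user has, keyed by name.
	 * @param string[] $caps    Primitive capabilities required by the check.
	 * @param array    $args    Extra arguments of the check (unused).
	 * @param object   $user    User the check is made for; its `ID` decides the super admin test.
	 *
	 * @return array
	 */
	public function add_capabilities_to_user( $allcaps, $caps, $args, $user ) {
		if ( ! isset( $caps[0] ) ) {
			return $allcaps;
		}

		$cap_request = $caps[0];
		$user_id     = $this->get_checked_user_id( $user );

		// ensure the Matomo capability inheritance always works
		if ( self::KEY_SUPERUSER === $cap_request ) {
			if ( $this->has_super_user_capability( $allcaps, $user_id ) ) {
				$allcaps[ $cap_request ] = true;
			}

			return $allcaps;
		}

		$inheritable = [ self::KEY_VIEW, self::KEY_WRITE, self::KEY_ADMIN ];
		if ( in_array( $cap_request, $inheritable, true ) && empty( $allcaps[ $cap_request ] ) ) {
			// when user has a higher permission we also make sure to add all capabilities below... eg
			// when user has write... then we ensure the user also has the view capability
			if ( $this->has_any_higher_permission( $cap_request, $allcaps )
				|| $this->has_super_user_capability( $allcaps, $user_id ) ) {
				$allcaps[ $cap_request ] = true;
			}
		}

		return $allcaps;
	}

	/**
	 * Extracts the numeric ID of the user a capability check is made for.
	 *
	 * @param mixed $user Value passed by the `user_has_cap` filter.
	 *
	 * @return int|false The user ID, or false when none is available (is_super_admin()
	 *                   then falls back to the current user).
	 */
	private function get_checked_user_id( $user ) {
		if ( is_object( $user ) && ! empty( $user->ID ) ) {
			return (int) $user->ID;
		}

		return false;
	}

	/**
	 * Decides whether a user counts as Matomo super user.
	 *
	 * On multisite with Matomo network-enabled only a super admin qualifies;
	 * otherwise an 'administrator' entry in `$allcaps` or multisite super admin
	 * status is sufficient.
	 *
	 * @param array     $allcaps Capabilities the user has, keyed by name.
	 * @param int|false $user_id User to test; false tests the current user.
	 *
	 * @return bool
	 */
	private function has_super_user_capability( $allcaps, $user_id = false ) {
		if ( is_multisite() && $this->settings->is_network_enabled() ) {
			// only network manager can be super user in this case
			return (bool) is_super_admin( $user_id );
		}

		return ! empty( $allcaps['administrator'] ) || ( is_multisite() && is_super_admin( $user_id ) );
	}

	/**
	 * Adds the configured Matomo capabilities to the matching roles.
	 *
	 * @param WP_Roles $roles
	 */
	public function add_capabilities_to_roles( $roles ) {
		$access  = $this->settings->get_global_option( Settings::OPTION_KEY_CAPS_ACCESS );
		$stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );

		if ( ! empty( $access ) && is_array( $access ) ) {
			foreach ( $access as $role_name => $cap ) {
				$role = $roles->get_role( $role_name );
				if ( $role ) {
					// NOTE(review): $cap comes straight from the stored option and is used as a
					// capability name without being compared to the Matomo keys above. Whether
					// the value is validated when the option is saved is not visible here - confirm.
					$role->capabilities[ $cap ] = true;
				}
			}
		}

		if ( ! empty( $stealth ) && is_array( $stealth ) ) {
			foreach ( $stealth as $role_name => $enabled ) {
				$role = $roles->get_role( $role_name );
				if ( $role && $enabled ) {
					$role->capabilities[ self::KEY_STEALTH ] = true;
				}
			}
		}
	}

	/**
	 * @return string[] The Matomo capabilities, highest permission first.
	 */
	public function get_all_capabilities_sorted_by_highest_permission() {
		return [
			self::KEY_SUPERUSER,
			self::KEY_ADMIN,
			self::KEY_WRITE,
			self::KEY_VIEW,
		];
	}

	/**
	 * Tells whether `$allcaps` holds `$cap_to_find` itself or any Matomo capability
	 * ranked above it.
	 *
	 * @param string $cap_to_find Matomo capability to look for.
	 * @param array  $allcaps     Capabilities the user has, keyed by name.
	 *
	 * @return bool False when `$cap_to_find` is not a Matomo capability.
	 */
	protected function has_any_higher_permission( $cap_to_find, $allcaps ) {
		$all_caps = $this->get_all_capabilities_sorted_by_highest_permission();
		if ( ! in_array( $cap_to_find, $all_caps, true ) ) {
			return false;
		}

		foreach ( $all_caps as $cap ) {
			if ( ! empty( $allcaps[ $cap ] ) ) {
				// eg if user has super user... then we return right away...
				return true;
			}
			if ( $cap === $cap_to_find ) {
				// reached the requested level without a match; lower levels do not count
				return false;
			}
		}

		return false;
	}
}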