PluginProbe ʕ •ᴥ•ʔ
Matomo Analytics – Powerful, Privacy-First Insights for WordPress / 5.8.2
Matomo Analytics – Powerful, Privacy-First Insights for WordPress v5.8.2
5.11.1 5.11.0 5.10.2 5.10.1 trunk 1.0.2 1.0.3 1.0.4 1.0.5 1.0.6 1.1.0 1.1.1 1.1.2 1.1.3 1.2.0 1.3.0 1.3.1 1.3.2 4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1 4.1.2 4.1.3 4.10.0 4.11.0 4.12.0 4.13.0 4.13.2 4.13.3 4.13.4 4.13.5 4.14.0 4.14.1 4.14.2 4.15.0 4.15.1 4.15.2 4.15.3 4.2.0 4.3.0 4.3.1 4.4.1 4.4.2 4.5.0 4.6.0 5.0.1 5.0.2 5.0.3 5.0.4 5.0.5 5.0.6 5.0.7 5.0.8 5.1.0 5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.10.0 5.2.0 5.2.1 5.2.2 5.3.0 5.3.1 5.3.2 5.3.3 5.6.0 5.6.1 5.7.0 5.7.1 5.8.0 5.8.1 5.8.2
matomo / classes / WpMatomo / Capabilities.php
matomo / classes / WpMatomo Last commit date
Admin 2 months ago Commands 2 years ago Db 1 year ago Ecommerce 3 months ago Report 2 months ago Site 2 months ago TrackingCode 4 months ago Updater 4 years ago User 2 months ago Workarounds 2 years ago WpStatistics 5 months ago views 4 years ago AIBotTracking.php 4 months ago API.php 2 months ago Access.php 4 years ago AjaxTracker.php 4 months ago Annotations.php 2 months ago Bootstrap.php 10 months ago Capabilities.php 2 months ago Compatibility.php 2 months ago Email.php 2 years ago ErrorNotice.php 2 months ago Feature.php 2 months ago Installer.php 5 months ago Logger.php 1 year ago OptOut.php 2 months ago Paths.php 5 months ago PluginActionLinks.php 2 months ago PluginAdminOverrides.php 2 months ago PluginInit.php 2 months ago PrivacyBadge.php 4 years ago RedirectOnActivation.php 2 months ago Referral.php 2 months ago Roles.php 2 months ago ScheduledTasks.php 2 months ago Settings.php 4 months ago Site.php 3 years ago TrackingCode.php 2 months ago Uninstaller.php 5 months ago Updater.php 10 months ago User.php 4 years ago
Capabilities.php
187 lines
1 <?php
2 /**
3 * Matomo - free/libre analytics platform
4 *
5 * @link https://matomo.org
6 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
7 * @package matomo
8 */
9
10 namespace WpMatomo;
11
12 use WP_Roles;
13 use WpMatomo\Admin\Menu;
14
15 if ( ! defined( 'ABSPATH' ) ) {
16 exit; // if accessed directly
17 }
18
19 class Capabilities extends Feature {
20
21 const KEY_NONE = 'none_matomo';
22
23 /**
24 * @api
25 */
26 const KEY_VIEW = 'view_matomo';
27
28 /**
29 * @api
30 */
31 const KEY_WRITE = 'write_matomo';
32
33 /**
34 * @api
35 */
36 const KEY_ADMIN = 'admin_matomo';
37
38 /**
39 * @api
40 */
41 const KEY_SUPERUSER = 'superuser_matomo';
42 const KEY_STEALTH = 'stealth_matomo';
43
44 /**
45 * @var Settings
46 */
47 private $settings;
48
49 public function __construct( $settings ) {
50 $this->settings = $settings;
51 }
52
53 public function register_hooks() {
54 add_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] );
55 add_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10, 4 );
56 add_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10, 4 );
57 }
58
59 /**
60 * Tests only
61 *
62 * @internal
63 */
64 public function remove_hooks() {
65 remove_action( 'wp_roles_init', [ $this, 'add_capabilities_to_roles' ] );
66 remove_filter( 'user_has_cap', [ $this, 'add_capabilities_to_user' ], 10 );
67 remove_filter( 'map_meta_cap', [ $this, 'map_meta_cap' ], 10 );
68 }
69
70 public function map_meta_cap( $caps, $cap, $user_id, $args ) {
71 if ( self::KEY_STEALTH === $cap ) {
72 // a super admin is usually allowed all actions... unless we add do_not_allow
73 if ( is_multisite() && is_super_admin() ) {
74 $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );
75 if ( ! empty( $stealth['administrator'] ) ) {
76 $caps[] = 'do_not_allow';
77 }
78 }
79 }
80
81 if ( Menu::CAP_NOT_EXISTS === $cap
82 && is_multisite()
83 && is_super_admin() ) {
84 $caps[] = 'do_not_allow'; // prevent matomo-analytics submenu to be shown
85 }
86
87 return $caps;
88 }
89
90 public function add_capabilities_to_user( $allcaps, $caps, $args, $user ) {
91 if ( isset( $caps[0] ) ) {
92 $cap_request = $caps[0];
93 switch ( $cap_request ) {
94 // ensure the Matomo capability inheritcance always works
95 case self::KEY_SUPERUSER:
96 if ( $this->has_super_user_capability( $allcaps ) ) {
97 $allcaps[ $cap_request ] = true;
98 }
99 break;
100
101 case self::KEY_VIEW:
102 case self::KEY_WRITE:
103 case self::KEY_ADMIN:
104 if ( empty( $allcaps[ $cap_request ] ) ) {
105 // when user has the above permission we also make sure to add all capabilites below... eg
106 // when user has write... then we ensure the user also has the view capability
107 if ( $this->has_any_higher_permission( $cap_request, $allcaps )
108 || $this->has_super_user_capability( $allcaps ) ) {
109 $allcaps[ $cap_request ] = true;
110 }
111 }
112
113 break;
114 }
115 }
116
117 return $allcaps;
118 }
119
120 private function has_super_user_capability( $allcaps ) {
121 if ( is_multisite() && $this->settings->is_network_enabled() ) {
122 if ( is_super_admin() ) {
123 // only network manager can be super user in this case
124 return true;
125 }
126 } elseif ( ! empty( $allcaps['administrator'] ) || ( is_multisite() && is_super_admin() ) ) {
127 return true;
128 }
129
130 return false;
131 }
132
133 /**
134 * @param WP_Roles $roles
135 */
136 public function add_capabilities_to_roles( $roles ) {
137 $access = $this->settings->get_global_option( Settings::OPTION_KEY_CAPS_ACCESS );
138 $stealth = $this->settings->get_global_option( Settings::OPTION_KEY_STEALTH );
139
140 if ( ! empty( $access ) && is_array( $access ) ) {
141 foreach ( $access as $role_name => $cap ) {
142 $role = $roles->get_role( $role_name );
143 if ( $role ) {
144 $role->capabilities[ $cap ] = true;
145 }
146 }
147 }
148
149 if ( ! empty( $stealth ) && is_array( $stealth ) ) {
150 foreach ( $stealth as $role_name => $enabled ) {
151 $role = $roles->get_role( $role_name );
152 if ( $role && $enabled ) {
153 $role->capabilities[ self::KEY_STEALTH ] = true;
154 }
155 }
156 }
157 }
158
159 public function get_all_capabilities_sorted_by_highest_permission() {
160 return [
161 self::KEY_SUPERUSER,
162 self::KEY_ADMIN,
163 self::KEY_WRITE,
164 self::KEY_VIEW,
165 ];
166 }
167
168 protected function has_any_higher_permission( $cap_to_find, $allcaps ) {
169 $all_caps = $this->get_all_capabilities_sorted_by_highest_permission();
170 if ( ! in_array( $cap_to_find, $all_caps, true ) ) {
171 return false;
172 }
173
174 foreach ( $all_caps as $cap ) {
175 if ( array_key_exists( $cap, $allcaps ) && ! empty( $allcaps[ $cap ] ) ) {
176 // eg if user has super user... then we return right away...
177 return true;
178 }
179 if ( $cap === $cap_to_find ) {
180 return false;
181 }
182 }
183
184 return false;
185 }
186 }
187