compatibility
3 months ago
access.php
4 months ago
classes.php
4 months ago
compatibility.php
4 months ago
data.php
4 months ago
forms.php
4 months ago
general.php
1 month ago
media.php
4 months ago
access.php
2387 lines
| 1 | <?php |
| 2 | |
| 3 | // Don't load directly. |
| 4 | if ( ! defined( 'ABSPATH' ) ) { |
| 5 | die( '-1' ); |
| 6 | } |
| 7 | |
| 8 | /** |
| 9 | * @package Pods\Global\Functions\Access |
| 10 | */ |
| 11 | |
| 12 | use Pods\Whatsit\Pod; |
| 13 | |
| 14 | /** |
| 15 | * Normalize Pod information with a Pods object or object info. |
| 16 | * |
| 17 | * @since 3.1.0 |
| 18 | * |
| 19 | * @param array $args { |
| 20 | * The arguments to use. |
| 21 | * |
| 22 | * @type string|null $object_type The object type. |
| 23 | * @type string|null $object_name The object name. |
| 24 | * @type int|string|null $item_id The item ID. |
| 25 | * @type Pods|null $pods The Pods object. |
| 26 | * @type Pod|null $pod The Pod object. |
| 27 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 28 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 29 | * } |
| 30 | * |
| 31 | * @return array { |
| 32 | * The arguments to use. |
| 33 | * |
| 34 | * @type string|null $object_type The object type (if set). |
| 35 | * @type string|null $object_name The object name (if set). |
| 36 | * @type int|string|null $item_id The item ID (if set). |
| 37 | * @type Pods|null $pods The Pods object (if built or provided). |
| 38 | * @type Pod|null $pod The Pod object (if built or provided). |
| 39 | * } |
| 40 | */ |
| 41 | function pods_info_from_args( array $args ): array { |
| 42 | $info = [ |
| 43 | 'object_type' => null, |
| 44 | 'object_name' => null, |
| 45 | 'item_id' => null, |
| 46 | 'pods' => null, |
| 47 | 'pod' => null, |
| 48 | ]; |
| 49 | |
| 50 | $build_pods = false; |
| 51 | $build_pod = false; |
| 52 | |
| 53 | if ( isset( $args['build_pods'] ) ) { |
| 54 | $build_pods = $args['build_pods']; |
| 55 | |
| 56 | unset( $args['build_pods'] ); |
| 57 | } |
| 58 | |
| 59 | if ( isset( $args['build_pod'] ) ) { |
| 60 | $build_pod = $args['build_pod']; |
| 61 | |
| 62 | unset( $args['build_pod'] ); |
| 63 | } |
| 64 | |
| 65 | // Merge in the args with the defaults. |
| 66 | $info = array_merge( $info, $args ); |
| 67 | |
| 68 | $object_type_set = null !== $info['object_type']; |
| 69 | $object_name_set = null !== $info['object_name']; |
| 70 | |
| 71 | // Maybe auto-set the object name from the type if we can. |
| 72 | if ( |
| 73 | $object_type_set |
| 74 | && ! $object_name_set |
| 75 | && in_array( $info['object_type'], [ 'comment', 'media', 'user' ], true ) |
| 76 | ) { |
| 77 | $info['object_name'] = $info['object_type']; |
| 78 | |
| 79 | $object_name_set = true; |
| 80 | } |
| 81 | |
| 82 | // Normalize the Pods info to null if it's not valid. |
| 83 | if ( |
| 84 | $info['pods'] instanceof Pods |
| 85 | && ! $info['pods']->is_valid() |
| 86 | ) { |
| 87 | $info['pods'] = null; |
| 88 | } |
| 89 | |
| 90 | // Maybe build the Pods object from the info. |
| 91 | if ( |
| 92 | $build_pods |
| 93 | && $object_name_set |
| 94 | && ! $info['pods'] instanceof Pods |
| 95 | ) { |
| 96 | $pods = pods_get_instance( $info['object_name'], $info['item_id'], true ); |
| 97 | |
| 98 | if ( |
| 99 | $pods instanceof Pods |
| 100 | && $pods->is_valid() |
| 101 | && ( |
| 102 | empty( $info['object_type'] ) |
| 103 | || $info['object_type'] === $pods->pod_data->get_type() |
| 104 | ) |
| 105 | ) { |
| 106 | $info['pods'] = $pods; |
| 107 | |
| 108 | if ( ! $info['pod'] instanceof Pod ) { |
| 109 | $info['pod'] = clone $pods->pod_data; |
| 110 | } |
| 111 | } |
| 112 | } elseif ( |
| 113 | $info['pods'] instanceof Pods |
| 114 | && $info['pods']->is_valid() |
| 115 | && ! $info['pod'] instanceof Pod |
| 116 | ) { |
| 117 | $info['pod'] = clone $info['pods']->pod_data; |
| 118 | } |
| 119 | |
| 120 | // Maybe build the Pod object from the info. |
| 121 | if ( |
| 122 | $build_pod |
| 123 | && $object_name_set |
| 124 | && ! $info['pod'] instanceof Pod |
| 125 | ) { |
| 126 | try { |
| 127 | $pod = pods_api()->load_pod( [ |
| 128 | 'name' => $info['object_name'], |
| 129 | ] ); |
| 130 | } catch ( Exception $e ) { |
| 131 | $pod = null; |
| 132 | } |
| 133 | |
| 134 | if ( |
| 135 | $pod instanceof Pod |
| 136 | && ( |
| 137 | empty( $info['object_type'] ) |
| 138 | || $info['object_type'] === $pod->get_type() |
| 139 | ) |
| 140 | ) { |
| 141 | $info['pod'] = $pod; |
| 142 | } |
| 143 | } |
| 144 | |
| 145 | if ( $info['pod'] instanceof Pod ) { |
| 146 | $info['object_type'] = $info['pod']->get_type(); |
| 147 | $info['object_name'] = $info['pod']->get_name(); |
| 148 | } |
| 149 | |
| 150 | return $info; |
| 151 | } |
| 152 | |
| 153 | /** |
| 154 | * Determine whether the current user has access to an object. |
| 155 | * |
| 156 | * @since 3.1.0 |
| 157 | * |
| 158 | * @param array $args { |
| 159 | * The arguments to use. |
| 160 | * |
| 161 | * @type string|null $object_type The object type. |
| 162 | * @type string|null $object_name The object name. |
| 163 | * @type int|string|null $item_id The item ID. |
| 164 | * @type Pods|null $pods The Pods object. |
| 165 | * @type Pod|null $pod The Pod object. |
| 166 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 167 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 168 | * } |
| 169 | * @param int|null $user_id The user ID to check against, set to 0 or null for anonymous access check. |
| 170 | * @param string $access_type The type of access to check for (read, add, edit, delete). |
| 171 | * @param string|null $context The unique slug that can be referenced by hooks for context. |
| 172 | * |
| 173 | * @return bool Whether the current user has access to an object. |
| 174 | */ |
| 175 | function pods_user_can_access_object( array $args, ?int $user_id, string $access_type = 'edit', ?string $context = null ): bool { |
| 176 | $info = pods_info_from_args( $args ); |
| 177 | |
| 178 | if ( null === $user_id ) { |
| 179 | $user_id = 0; |
| 180 | } |
| 181 | |
| 182 | // Check if the user exists. |
| 183 | $user = get_userdata( $user_id ); |
| 184 | |
| 185 | if ( ! $user instanceof WP_User ) { |
| 186 | // If the user does not exist and it was not anonymous, do not allow access to an invalid user. |
| 187 | if ( 0 < $user_id ) { |
| 188 | return false; |
| 189 | } |
| 190 | |
| 191 | // If the user was 0 to begin with (anonymous) then set up a user object to work with. |
| 192 | $user = new WP_User(); |
| 193 | } |
| 194 | |
| 195 | // Determine if this is a user in WP that has full access. |
| 196 | if ( $user_id && pods_is_user_admin( $user_id ) ) { |
| 197 | return true; |
| 198 | } |
| 199 | |
| 200 | if ( 'pod' === $info['object_type'] || 'table' === $info['object_type'] ) { |
| 201 | // If no object name is provided, we cannot check access. |
| 202 | if ( empty( $info['object_name'] ) ) { |
| 203 | return false; |
| 204 | } |
| 205 | |
| 206 | // Determine if this user has full content access. |
| 207 | if ( $user->has_cap('pods_content' ) ) { |
| 208 | return true; |
| 209 | } |
| 210 | } |
| 211 | |
| 212 | $capabilities = pods_access_map_capabilities( $info, $user_id ); |
| 213 | |
| 214 | // Unsupported capabilities returned. |
| 215 | if ( null === $capabilities ) { |
| 216 | return false; |
| 217 | } |
| 218 | |
| 219 | /** |
| 220 | * Allow filtering the list of capabilities used for checking access against an object. |
| 221 | * |
| 222 | * @since 3.1.0 |
| 223 | * |
| 224 | * @param array $capabilities The list of capabilities used for checking access against an object. |
| 225 | * @param int $user_id The user ID to check against. |
| 226 | * @param array $info { |
| 227 | * The normalized Pod information referenced. |
| 228 | * |
| 229 | * @type string|null $object_type The object type (if set). |
| 230 | * @type string|null $object_name The object name (if set). |
| 231 | * @type int|string|null $item_id The item ID (if set). |
| 232 | * @type Pods|null $pods The Pods object (if built or provided). |
| 233 | * @type Pod|null $pod The Pod object (if built or provided). |
| 234 | * } |
| 235 | * @param string $access_type The type of access to check for (read, add, edit, delete). |
| 236 | * @param string|null $context The unique slug that can be referenced by hooks for context. |
| 237 | */ |
| 238 | $capabilities = (array) apply_filters( |
| 239 | 'pods_user_can_access_object_get_capabilities', |
| 240 | $capabilities, |
| 241 | $user_id, |
| 242 | $info, |
| 243 | $access_type, |
| 244 | $context |
| 245 | ); |
| 246 | |
| 247 | // No capability mapped, do not allow access. |
| 248 | if ( ! array_key_exists( $access_type, $capabilities ) ) { |
| 249 | return false; |
| 250 | } |
| 251 | |
| 252 | /** |
| 253 | * Allow filtering whether a user has access to an object before the normal capability check runs. |
| 254 | * |
| 255 | * @since 3.1.0 |
| 256 | * |
| 257 | * @param null|bool $can_access Whether a user has access to an object (return null to run normal check). |
| 258 | * @param int $user_id The user ID to check against. |
| 259 | * @param array $info { |
| 260 | * The normalized Pod information referenced. |
| 261 | * |
| 262 | * @type string|null $object_type The object type (if set). |
| 263 | * @type string|null $object_name The object name (if set). |
| 264 | * @type int|string|null $item_id The item ID (if set). |
| 265 | * @type Pods|null $pods The Pods object (if built or provided). |
| 266 | * @type Pod|null $pod The Pod object (if built or provided). |
| 267 | * } |
| 268 | * @param string $access_type The type of access to check for (read, add, edit, delete). |
| 269 | * @param string|null $context The unique slug that can be referenced by hooks for context. |
| 270 | * @param array $capabilities The list of capabilities used for checking access against an object. |
| 271 | */ |
| 272 | $can_access = apply_filters( |
| 273 | 'pods_user_can_access_object_pre_check', |
| 274 | null, |
| 275 | $user_id, |
| 276 | $info, |
| 277 | $access_type, |
| 278 | $context, |
| 279 | $capabilities |
| 280 | ); |
| 281 | |
| 282 | // Check for access override and return that instead. |
| 283 | if ( null !== $can_access ) { |
| 284 | return $can_access; |
| 285 | } |
| 286 | |
| 287 | // If we are allowing all access, null will be set for the capability. |
| 288 | if ( null === $capabilities[ $access_type ] ) { |
| 289 | $can_access = true; |
| 290 | } else { |
| 291 | // Support multiple capability checks ("OR" logic). |
| 292 | $capabilities[ $access_type ] = (array) $capabilities[ $access_type ]; |
| 293 | |
| 294 | $can_access = false; |
| 295 | |
| 296 | foreach ( $capabilities[ $access_type ] as $capability ) { |
| 297 | if ( $info['item_id'] ) { |
| 298 | $can_access = $user->has_cap( $capability, $info['item_id'] ); |
| 299 | } else { |
| 300 | $can_access = $user->has_cap( $capability ); |
| 301 | } |
| 302 | |
| 303 | if ( $can_access ) { |
| 304 | break; |
| 305 | } |
| 306 | } |
| 307 | } |
| 308 | |
| 309 | $is_read_access = 'read' === $access_type; |
| 310 | |
| 311 | // Check for password-protected post. |
| 312 | if ( |
| 313 | $can_access |
| 314 | && 'post_type' === $info['object_type'] |
| 315 | && $info['item_id'] |
| 316 | && ( |
| 317 | ( |
| 318 | $is_read_access |
| 319 | && pods_access_bypass_post_with_password( $info ) |
| 320 | ) |
| 321 | || ( |
| 322 | ! $is_read_access |
| 323 | && post_password_required( $info['item_id'] ) |
| 324 | ) |
| 325 | ) |
| 326 | ) { |
| 327 | $can_access = false; |
| 328 | } |
| 329 | |
| 330 | /** |
| 331 | * Allow filtering whether a user has access to an object after the normal capability check runs. |
| 332 | * |
| 333 | * @since 3.1.0 |
| 334 | * |
| 335 | * @param bool $can_access Whether a user has access to an object. |
| 336 | * @param int $user_id The user ID to check against. |
| 337 | * @param array $info { |
| 338 | * The normalized Pod information referenced. |
| 339 | * |
| 340 | * @type string|null $object_type The object type (if set). |
| 341 | * @type string|null $object_name The object name (if set). |
| 342 | * @type int|string|null $item_id The item ID (if set). |
| 343 | * @type Pods|null $pods The Pods object (if built or provided). |
| 344 | * @type Pod|null $pod The Pod object (if built or provided). |
| 345 | * } |
| 346 | * @param string $access_type The type of access to check for (read, add, edit, delete). |
| 347 | * @param string|null $context The unique slug that can be referenced by hooks for context. |
| 348 | * @param array $capabilities The list of capabilities used for checking access against an object. |
| 349 | */ |
| 350 | return (bool) apply_filters( |
| 351 | 'pods_user_can_access_object', |
| 352 | $can_access, |
| 353 | $user_id, |
| 354 | $info, |
| 355 | $access_type, |
| 356 | $context, |
| 357 | $capabilities |
| 358 | ); |
| 359 | } |
| 360 | |
| 361 | /** |
| 362 | * Determine whether the current user has access to an object. |
| 363 | * |
| 364 | * @since 3.1.0 |
| 365 | * |
| 366 | * @param array $args { |
| 367 | * The arguments to use. |
| 368 | * |
| 369 | * @type string|null $object_type The object type. |
| 370 | * @type string|null $object_name The object name. |
| 371 | * @type int|string|null $item_id The item ID. |
| 372 | * @type Pods|null $pods The Pods object. |
| 373 | * @type Pod|null $pod The Pod object. |
| 374 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 375 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 376 | * } |
| 377 | * @param string $access_type The type of access to check for (read, add, edit, delete). |
| 378 | * @param string|null $context The unique slug that can be referenced by hooks for context. |
| 379 | * |
| 380 | * @return bool Whether the current user has access to an object. |
| 381 | */ |
| 382 | function pods_current_user_can_access_object( array $args, string $access_type = 'edit', ?string $context = null ): bool { |
| 383 | $user_id = null; |
| 384 | |
| 385 | if ( is_user_logged_in() ) { |
| 386 | $user_id = get_current_user_id(); |
| 387 | } |
| 388 | |
| 389 | return pods_user_can_access_object( $args, $user_id, $access_type, $context ); |
| 390 | } |
| 391 | |
| 392 | /** |
| 393 | * Build and map the capabilities that a specific object type/name/ID have in relation to a user ID. |
| 394 | * |
| 395 | * @since 3.1.0 |
| 396 | * |
| 397 | * @param array $args { |
| 398 | * The arguments to use. |
| 399 | * |
| 400 | * @type string|null $object_type The object type. |
| 401 | * @type string|null $object_name The object name. |
| 402 | * @type int|string|null $item_id The item ID. |
| 403 | * @type Pods|null $pods The Pods object. |
| 404 | * @type Pod|null $pod The Pod object. |
| 405 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 406 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 407 | * } |
| 408 | * @param int|null $user_id The user ID accessing the object. |
| 409 | * @param bool $strict Whether to strictly get the capabilities or have the 'read' capability evaluate to null if it's public (defaults to false). |
| 410 | * |
| 411 | * @return array|null The capabilities that a specific object type/name/ID have in relation to a user ID, or null if invalid. |
| 412 | */ |
| 413 | function pods_access_map_capabilities( array $args, ?int $user_id = null, bool $strict = false ): ?array { |
| 414 | $args['build_pods'] = true; |
| 415 | $args['build_pod'] = true; |
| 416 | |
| 417 | $info = pods_info_from_args( $args ); |
| 418 | |
| 419 | // If no object type or name, we cannot check access. |
| 420 | if ( empty( $info['object_type'] ) || empty( $info['object_name'] ) ) { |
| 421 | return null; |
| 422 | } |
| 423 | |
| 424 | $wp_object = null; |
| 425 | |
| 426 | $capabilities = []; |
| 427 | |
| 428 | if ( 'post_type' === $info['object_type'] ) { |
| 429 | $info['item_id'] = (int) $info['item_id']; |
| 430 | |
| 431 | if ( $info['item_id'] ) { |
| 432 | $capabilities['read'] = 'read_post'; |
| 433 | $capabilities['edit'] = 'edit_post'; |
| 434 | $capabilities['delete'] = 'delete_post'; |
| 435 | } else { |
| 436 | $capabilities['read'] = 'read'; |
| 437 | $capabilities['edit'] = 'edit_posts'; |
| 438 | $capabilities['delete'] = 'delete_posts'; |
| 439 | } |
| 440 | |
| 441 | $capabilities['add'] = 'create_posts'; |
| 442 | $capabilities['read_private'] = 'read_private_posts'; |
| 443 | $capabilities['edit_others'] = 'edit_others_posts'; |
| 444 | $capabilities['delete_others'] = 'delete_others_posts'; |
| 445 | $capabilities['delete_published'] = 'delete_published_posts'; |
| 446 | $capabilities['delete_private'] = 'delete_private_posts'; |
| 447 | |
| 448 | // Maybe map capabilities to the post type. |
| 449 | $wp_object = get_post_type_object( $info['object_name'] ); |
| 450 | |
| 451 | if ( $info['item_id'] ) { |
| 452 | $post = get_post( $info['item_id'] ); |
| 453 | |
| 454 | // If the post was found, do fine-grained access checks. |
| 455 | if ( $post instanceof WP_Post ) { |
| 456 | $status_obj = get_post_status_object( $post->post_status ); |
| 457 | |
| 458 | // Check if the person is allowed to read other posts. |
| 459 | if ( |
| 460 | $user_id |
| 461 | && $post->post_author |
| 462 | && (int) $user_id === (int) $post->post_author |
| 463 | ) { |
| 464 | // This is their own post, they can have access. |
| 465 | $capabilities['read'] = 'read'; |
| 466 | } elseif ( |
| 467 | ! $status_obj |
| 468 | || $status_obj->private |
| 469 | ) { |
| 470 | // This is a private post, check private post capability. |
| 471 | $capabilities['read'] = $capabilities['read_private']; |
| 472 | } |
| 473 | } |
| 474 | } |
| 475 | } elseif ( 'taxonomy' === $info['object_type'] ) { |
| 476 | $info['item_id'] = (int) $info['item_id']; |
| 477 | |
| 478 | $capabilities['read'] = 'read'; |
| 479 | $capabilities['add'] = 'manage_terms'; |
| 480 | $capabilities['edit'] = 'edit_terms'; |
| 481 | $capabilities['delete'] = 'delete_terms'; |
| 482 | |
| 483 | // Maybe map capabilities to the post type. |
| 484 | $wp_object = get_taxonomy( $info['object_name'] ); |
| 485 | } elseif ( 'user' === $info['object_type'] ) { |
| 486 | $info['item_id'] = (int) $info['item_id']; |
| 487 | |
| 488 | $capabilities['read'] = 'list_users'; |
| 489 | $capabilities['add'] = 'create_users'; |
| 490 | $capabilities['edit'] = 'edit_users'; |
| 491 | $capabilities['delete'] = 'delete_users'; |
| 492 | |
| 493 | // If an object ID is provided, check for access for that specific user. |
| 494 | if ( ! empty( $info['item_id'] ) ) { |
| 495 | $capabilities['edit'] = 'edit_user'; |
| 496 | $capabilities['delete'] = 'delete_user'; |
| 497 | } |
| 498 | |
| 499 | // Fake the WP object for the logic below. |
| 500 | $wp_object = (object) [ |
| 501 | 'public' => false, |
| 502 | 'cap' => (object) [], |
| 503 | ]; |
| 504 | } elseif ( 'media' === $info['object_type'] ) { |
| 505 | $info['item_id'] = (int) $info['item_id']; |
| 506 | |
| 507 | $capabilities['read'] = 'read'; |
| 508 | $capabilities['add'] = 'upload_files'; |
| 509 | $capabilities['edit'] = 'upload_files'; |
| 510 | $capabilities['delete'] = 'upload_files'; |
| 511 | |
| 512 | // Fake the WP object for the logic below. |
| 513 | $wp_object = (object) [ |
| 514 | 'public' => false, |
| 515 | 'cap' => (object) [], |
| 516 | ]; |
| 517 | } elseif ( 'comment' === $info['object_type'] ) { |
| 518 | $info['item_id'] = (int) $info['item_id']; |
| 519 | |
| 520 | $capabilities['read'] = 'read'; |
| 521 | $capabilities['add'] = 1 === (int) get_option( 'comment_registration' ) ? 'read' : null; |
| 522 | $capabilities['edit'] = 'moderate_comments'; |
| 523 | $capabilities['delete'] = 'moderate_comments'; |
| 524 | |
| 525 | // If an object ID is provided, check for access for that specific user. |
| 526 | if ( ! empty( $info['item_id'] ) ) { |
| 527 | $capabilities['edit'] = 'edit_comment'; |
| 528 | } |
| 529 | |
| 530 | // Fake the WP object for the logic below. |
| 531 | $wp_object = (object) [ |
| 532 | 'public' => true, |
| 533 | 'cap' => (object) [], |
| 534 | ]; |
| 535 | } elseif ( 'settings' === $info['object_type'] ) { |
| 536 | $capabilities['read'] = 'manage_options'; |
| 537 | $capabilities['edit'] = 'pods_edit_' . $info['object_name']; |
| 538 | $capabilities['delete'] = 'manage_options'; |
| 539 | |
| 540 | // Fake the WP object for the logic below. |
| 541 | $wp_object = (object) [ |
| 542 | 'public' => false, |
| 543 | 'cap' => (object) [], |
| 544 | ]; |
| 545 | } elseif ( 'pod' === $info['object_type'] || 'table' === $info['object_type'] ) { |
| 546 | $info['item_id'] = (int) $info['item_id']; |
| 547 | |
| 548 | $capabilities['read'] = 'pods_read_' . $info['object_name']; |
| 549 | $capabilities['add'] = 'pods_add_' . $info['object_name']; |
| 550 | $capabilities['edit'] = 'pods_edit_' . $info['object_name']; |
| 551 | $capabilities['delete'] = 'pods_delete_' . $info['object_name']; |
| 552 | $capabilities['edit_others'] = 'pods_edit_others_' . $info['object_name']; |
| 553 | $capabilities['delete_others'] = 'pods_delete_others_' . $info['object_name']; |
| 554 | |
| 555 | $is_public = false; |
| 556 | |
| 557 | if ( $info['pods'] instanceof Pods && $info['pod'] instanceof Pod ) { |
| 558 | // If an object ID is provided, check for access for that specific item. |
| 559 | if ( $info['item_id'] && $info['pods']->exists() ) { |
| 560 | // Check for author field. |
| 561 | $author_field = $info['pod']->get_field( 'author' ); |
| 562 | |
| 563 | $author_user_id = $author_field ? (int) $info['pods']->field( $author_field->get_name() . '.ID' ) : null; |
| 564 | |
| 565 | // If we have an author field, check if they are the author. |
| 566 | if ( $author_field ) { |
| 567 | if ( $user_id && $author_user_id === $user_id ) { |
| 568 | // This is their own post, they can also have access if have edit access. |
| 569 | $capabilities['read'] = [ |
| 570 | $capabilities['read'], |
| 571 | 'pods_edit_' . $info['object_name'], |
| 572 | ]; |
| 573 | } else { |
| 574 | // This is not their post, check if they have access to others. |
| 575 | $capabilities['edit'] = 'pods_edit_others_' . $info['object_name']; |
| 576 | $capabilities['delete'] = 'pods_delete_others_' . $info['object_name']; |
| 577 | } |
| 578 | } |
| 579 | } |
| 580 | |
| 581 | $is_public = $info['pod']->get_arg( 'public', '0', true ); |
| 582 | $is_public = filter_var( $is_public, FILTER_VALIDATE_BOOLEAN ); |
| 583 | |
| 584 | // Fake the WP object for the logic below. |
| 585 | $wp_object = (object) [ |
| 586 | 'public' => $is_public, |
| 587 | 'cap' => (object) [], |
| 588 | ]; |
| 589 | } |
| 590 | |
| 591 | if ( $is_public ) { |
| 592 | $capabilities['read'] = 'read'; |
| 593 | } |
| 594 | } |
| 595 | |
| 596 | // If no post type object is found, we cannot check access. |
| 597 | if ( ! $wp_object ) { |
| 598 | return null; |
| 599 | } |
| 600 | |
| 601 | // Check if there are any capabilities mapped for this type object. |
| 602 | foreach ( $capabilities as $access_type => $capability ) { |
| 603 | if ( $capability ) { |
| 604 | if ( is_array( $capability ) ) { |
| 605 | foreach ( $capability as $k => $cap ) { |
| 606 | if ( isset( $wp_object->cap->{$cap} ) ) { |
| 607 | $capabilities[ $access_type ][ $k ] = $wp_object->cap->{$cap}; |
| 608 | } |
| 609 | } |
| 610 | } elseif ( isset( $wp_object->cap->{$capability} ) ) { |
| 611 | $capabilities[ $access_type ] = $wp_object->cap->{$capability}; |
| 612 | } |
| 613 | } |
| 614 | } |
| 615 | |
| 616 | // If the object is public, allow read for anyone even logged out. |
| 617 | if ( ! $strict && $wp_object->public && 'read' === $capabilities['read'] && ! $user_id ) { |
| 618 | $capabilities['read'] = null; |
| 619 | } |
| 620 | |
| 621 | /** |
| 622 | * Allow filtering the list of capabilities used for checking access against an object type or singular object. |
| 623 | * |
| 624 | * @since 3.1.0 |
| 625 | * |
| 626 | * @param array $capabilities The list of capabilities used for checking access against an object type or singular object. |
| 627 | * @param int $user_id The user ID to check against. |
| 628 | * @param array $info { |
| 629 | * The normalized Pod information referenced. |
| 630 | * |
| 631 | * @type string|null $object_type The object type (if set). |
| 632 | * @type string|null $object_name The object name (if set). |
| 633 | * @type int|string|null $item_id The item ID (if set). |
| 634 | * @type Pods|null $pods The Pods object (if built or provided). |
| 635 | * @type Pod|null $pod The Pod object (if built or provided). |
| 636 | * } |
| 637 | */ |
| 638 | return (array) apply_filters( |
| 639 | 'pods_access_map_capabilities', |
| 640 | $capabilities, |
| 641 | $user_id, |
| 642 | $info |
| 643 | ); |
| 644 | } |
| 645 | |
| 646 | /** |
| 647 | * Determine whether the object type/name is public. |
| 648 | * |
| 649 | * @since 3.1.0 |
| 650 | * |
| 651 | * @param array $args { |
| 652 | * The arguments to use. |
| 653 | * |
| 654 | * @type string|null $object_type The object type. |
| 655 | * @type string|null $object_name The object name. |
| 656 | * @type int|string|null $item_id The item ID. |
| 657 | * @type Pods|null $pods The Pods object. |
| 658 | * @type Pod|null $pod The Pod object. |
| 659 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 660 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 661 | * } |
| 662 | * @param string $context The context we are checking from (defaults to shortcode). |
| 663 | * |
| 664 | * @return bool Whether the object type/name is public. |
| 665 | */ |
| 666 | function pods_is_type_public( array $args, string $context = 'shortcode' ): bool { |
| 667 | $args['build_pod'] = true; |
| 668 | |
| 669 | $info = pods_info_from_args( $args ); |
| 670 | |
| 671 | $is_public = true; |
| 672 | |
| 673 | $pod_has_public = null; |
| 674 | |
| 675 | $is_post_type = 'post_type' === $info['object_type']; |
| 676 | $is_taxonomy = 'taxonomy' === $info['object_type']; |
| 677 | $is_pod = 'pod' === $info['object_type']; |
| 678 | $is_settings_pod = 'settings' === $info['object_type']; |
| 679 | |
| 680 | $is_shortcode_context = 'shortcode' === $context; |
| 681 | |
| 682 | if ( |
| 683 | $info['pod'] instanceof Pod |
| 684 | && ( |
| 685 | $is_post_type |
| 686 | || $is_taxonomy |
| 687 | || $is_pod |
| 688 | || $is_settings_pod |
| 689 | ) |
| 690 | ) { |
| 691 | $is_extended = $info['pod']->is_extended(); |
| 692 | |
| 693 | if ( ! $is_extended ) { |
| 694 | $is_public = $info['pod']->get_arg( 'public', null, true ); |
| 695 | |
| 696 | if ( null !== $is_public ) { |
| 697 | $pod_has_public = true; |
| 698 | |
| 699 | $is_public = filter_var( $is_public, FILTER_VALIDATE_BOOLEAN ); |
| 700 | |
| 701 | if ( $is_post_type || $is_taxonomy ) { |
| 702 | $is_public = $is_public && 1 === (int) $info['pod']->get_arg( 'publicly_queryable', $is_public, true ); |
| 703 | } |
| 704 | } |
| 705 | } |
| 706 | } |
| 707 | |
| 708 | // Maybe handle looking up the visibility based on the object type. |
| 709 | if ( null === $pod_has_public ) { |
| 710 | if ( $is_post_type ) { |
| 711 | // If no object name is provided, we cannot check if it is public. |
| 712 | if ( empty( $info['object_name'] ) ) { |
| 713 | $is_public = false; |
| 714 | } else { |
| 715 | $post_type_object = get_post_type_object( $info['object_name'] ); |
| 716 | |
| 717 | // Post type not found. |
| 718 | if ( ! $post_type_object ) { |
| 719 | $is_public = false; |
| 720 | } else { |
| 721 | $is_public = $post_type_object->public && $post_type_object->publicly_queryable; |
| 722 | } |
| 723 | } |
| 724 | } elseif ( $is_taxonomy ) { |
| 725 | // If no object name is provided, we cannot check if it is public. |
| 726 | if ( empty( $info['object_name'] ) ) { |
| 727 | $is_public = false; |
| 728 | } else { |
| 729 | $taxonomy_object = get_taxonomy( $info['object_name'] ); |
| 730 | |
| 731 | // Post type not found. |
| 732 | if ( ! $taxonomy_object ) { |
| 733 | $is_public = false; |
| 734 | } else { |
| 735 | $is_public = $taxonomy_object->public && $taxonomy_object->publicly_queryable; |
| 736 | } |
| 737 | } |
| 738 | } elseif ( 'user' === $info['object_type'] ) { |
| 739 | // Users are not public for shortcodes. |
| 740 | if ( $is_shortcode_context ) { |
| 741 | $is_public = false; |
| 742 | } |
| 743 | } elseif ( $is_pod || $is_settings_pod ) { |
| 744 | // Pods need special default handling for shortcodes. |
| 745 | if ( $is_shortcode_context ) { |
| 746 | $first_pods_version = get_option( 'pods_framework_version_first' ); |
| 747 | $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; |
| 748 | |
| 749 | $is_public = version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? true : false; |
| 750 | } |
| 751 | } |
| 752 | } |
| 753 | |
| 754 | /** |
| 755 | * Allow filtering whether the object type/name is public. |
| 756 | * |
| 757 | * @since 3.1.0 |
| 758 | * |
| 759 | * @param bool $is_public Whether the object type/name is public. |
| 760 | * @param array $info { |
| 761 | * The normalized Pod information referenced. |
| 762 | * |
| 763 | * @type string|null $object_type The object type (if set). |
| 764 | * @type string|null $object_name The object name (if set). |
| 765 | * @type int|string|null $item_id The item ID (if set). |
| 766 | * @type Pods|null $pods The Pods object (if built or provided). |
| 767 | * @type Pod|null $pod The Pod object (if built or provided). |
| 768 | * } |
| 769 | * @param string|null $context The context we are checking from (shortcode or null). |
| 770 | */ |
| 771 | return (bool) apply_filters( |
| 772 | 'pods_is_type_public', |
| 773 | $is_public, |
| 774 | $info, |
| 775 | $context |
| 776 | ); |
| 777 | } |
| 778 | |
| 779 | /** |
| 780 | * Determine whether a post should be bypassed because it it has a password. |
| 781 | * |
| 782 | * @since 3.1.0 |
| 783 | * |
| 784 | * @param array $args { |
| 785 | * The arguments to use. |
| 786 | * |
| 787 | * @type string|null $object_type The object type. |
| 788 | * @type string|null $object_name The object name. |
| 789 | * @type int|string|null $item_id The item ID. |
| 790 | * @type Pods|null $pods The Pods object. |
| 791 | * @type Pod|null $pod The Pod object. |
| 792 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 793 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 794 | * } |
| 795 | * |
| 796 | * @return bool Whether a post should be bypassed because it it has a password. |
| 797 | */ |
| 798 | function pods_access_bypass_post_with_password( array $args ): bool { |
| 799 | $info = pods_info_from_args( $args ); |
| 800 | |
| 801 | if ( 'post_type' !== $info['object_type'] || ! $info['item_id'] ) { |
| 802 | return false; |
| 803 | } |
| 804 | |
| 805 | $post = get_post( (int) $info['item_id'] ); |
| 806 | |
| 807 | if ( ! $post instanceof WP_Post ) { |
| 808 | return false; |
| 809 | } |
| 810 | |
| 811 | // Bypass posts that have a password required but not provided. |
| 812 | $bypass_post_with_password = post_password_required( $post ); |
| 813 | |
| 814 | /** |
| 815 | * Allow filtering whether a post should be bypassed because it it has a password. |
| 816 | * |
| 817 | * @since 3.1.0 |
| 818 | * |
| 819 | * @param bool $bypass_post_with_password Whether a post should be bypassed because it it has a password. |
| 820 | * @param array $info { |
| 821 | * The normalized Pod information referenced. |
| 822 | * |
| 823 | * @type string|null $object_type The object type (if set). |
| 824 | * @type string|null $object_name The object name (if set). |
| 825 | * @type int|string|null $item_id The item ID (if set). |
| 826 | * @type Pods|null $pods The Pods object (if built or provided). |
| 827 | * @type Pod|null $pod The Pod object (if built or provided). |
| 828 | * } |
| 829 | */ |
| 830 | return (bool) apply_filters( |
| 831 | 'pods_access_bypass_post_with_password', |
| 832 | $bypass_post_with_password, |
| 833 | $info |
| 834 | ); |
| 835 | } |
| 836 | |
| 837 | /** |
| 838 | * Determine whether a post should be bypassed because it is private and capabilities are not met. |
| 839 | * |
| 840 | * @since 3.1.0 |
| 841 | * |
| 842 | * @param array $args { |
| 843 | * The arguments to use. |
| 844 | * |
| 845 | * @type string|null $object_type The object type. |
| 846 | * @type string|null $object_name The object name. |
| 847 | * @type int|string|null $item_id The item ID. |
| 848 | * @type Pods|null $pods The Pods object. |
| 849 | * @type Pod|null $pod The Pod object. |
| 850 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 851 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 852 | * } |
| 853 | * |
| 854 | * @return bool Whether a post should be bypassed because it is private and capabilities are not met. |
| 855 | */ |
| 856 | function pods_access_bypass_private_post( array $args ): bool { |
| 857 | $info = pods_info_from_args( $args ); |
| 858 | |
| 859 | if ( 'post_type' !== $info['object_type'] || ! $info['item_id'] ) { |
| 860 | return false; |
| 861 | } |
| 862 | |
| 863 | $post = get_post( $info['item_id'] ); |
| 864 | |
| 865 | if ( ! $post instanceof WP_Post ) { |
| 866 | return false; |
| 867 | } |
| 868 | |
| 869 | $bypass_private_post = false; |
| 870 | |
| 871 | if ( ! is_post_publicly_viewable( $post ) ) { |
| 872 | $can_use_unrestricted = false; |
| 873 | |
| 874 | // Check Pod dynamic features if the status is public. |
| 875 | if ( is_post_status_viewable( $post->post_status ) ) { |
| 876 | $can_use_unrestricted = pods_can_use_dynamic_feature_unrestricted( $info, 'display', 'read' ); |
| 877 | } |
| 878 | |
| 879 | if ( $can_use_unrestricted ) { |
| 880 | $bypass_private_post = false; |
| 881 | } else { |
| 882 | $bypass_private_post = ! pods_current_user_can_access_object( $info, 'read' ); |
| 883 | } |
| 884 | } |
| 885 | |
| 886 | /** |
| 887 | * Allow filtering whether a post should be bypassed because it is private. |
| 888 | * |
| 889 | * @since 3.1.0 |
| 890 | * |
| 891 | * @param bool $bypass_private_post Whether a post should be bypassed because it is private. |
| 892 | * @param array $info { |
| 893 | * The normalized Pod information referenced. |
| 894 | * |
| 895 | * @type string|null $object_type The object type (if set). |
| 896 | * @type string|null $object_name The object name (if set). |
| 897 | * @type int|string|null $item_id The item ID (if set). |
| 898 | * @type Pods|null $pods The Pods object (if built or provided). |
| 899 | * @type Pod|null $pod The Pod object (if built or provided). |
| 900 | * } |
| 901 | */ |
| 902 | return (bool) apply_filters( |
| 903 | 'pods_access_bypass_private_post', |
| 904 | $bypass_private_post, |
| 905 | $info |
| 906 | ); |
| 907 | } |
| 908 | |
| 909 | /** |
| 910 | * Determine whether dynamic features can be used. |
| 911 | * |
| 912 | * @since 3.1.0 |
| 913 | * |
| 914 | * @return bool Whether dynamic features can be used. |
| 915 | */ |
| 916 | function pods_can_use_dynamic_features( ?Pod $pod = null ): bool { |
| 917 | // Check if the constant is defined and only override if no $pod is set or dynamic features are totally disabled. |
| 918 | if ( |
| 919 | defined( 'PODS_DYNAMIC_FEATURES_ALLOW' ) |
| 920 | && ( |
| 921 | ! $pod |
| 922 | || ! PODS_DYNAMIC_FEATURES_ALLOW |
| 923 | ) |
| 924 | ) { |
| 925 | return PODS_DYNAMIC_FEATURES_ALLOW; |
| 926 | } |
| 927 | |
| 928 | $can_use_dynamic_features = apply_filters( 'pods_access_can_use_dynamic_features', null, $pod ); |
| 929 | |
| 930 | if ( is_bool( $can_use_dynamic_features ) ) { |
| 931 | return $can_use_dynamic_features; |
| 932 | } |
| 933 | |
| 934 | // Check if all dynamic features are disabled. |
| 935 | $dynamic_features_allow = pods_get_setting( 'dynamic_features_allow', '1' ); |
| 936 | $dynamic_features_allow = filter_var( $dynamic_features_allow, FILTER_VALIDATE_BOOLEAN ); |
| 937 | |
| 938 | if ( $dynamic_features_allow && $pod instanceof Pod ) { |
| 939 | // Check if all dynamic features are disabled for the Pod. |
| 940 | $dynamic_features_allow = $pod->get_arg( 'dynamic_features_allow', 'inherit' ); |
| 941 | |
| 942 | if ( 'inherit' === $dynamic_features_allow ) { |
| 943 | $dynamic_features_allow = pods_is_type_public( |
| 944 | [ |
| 945 | 'pod' => $pod, |
| 946 | ] |
| 947 | ); |
| 948 | } else { |
| 949 | $dynamic_features_allow = filter_var( $dynamic_features_allow, FILTER_VALIDATE_BOOLEAN ); |
| 950 | } |
| 951 | } |
| 952 | |
| 953 | return $dynamic_features_allow; |
| 954 | } |
| 955 | |
| 956 | /** |
| 957 | * Determine whether any or a specific dynamic feature can be used. |
| 958 | * |
| 959 | * @since 3.1.0 |
| 960 | * |
| 961 | * @param string $type The dynamic feature type. |
| 962 | * |
| 963 | * @return bool Whether any or a specific dynamic feature can be used. |
| 964 | */ |
| 965 | function pods_can_use_dynamic_feature( string $type ): bool { |
| 966 | if ( ! pods_can_use_dynamic_features() ) { |
| 967 | return false; |
| 968 | } |
| 969 | |
| 970 | if ( empty( $type ) ) { |
| 971 | return false; |
| 972 | } |
| 973 | |
| 974 | // Handle the constants. |
| 975 | if ( 'view' === $type && defined( 'PODS_SHORTCODE_ALLOW_VIEWS' ) && ! PODS_SHORTCODE_ALLOW_VIEWS ) { |
| 976 | return false; |
| 977 | } |
| 978 | |
| 979 | $can_use_dynamic_feature = apply_filters( 'pods_access_can_use_dynamic_feature', null, $type ); |
| 980 | |
| 981 | if ( is_bool( $can_use_dynamic_feature ) ) { |
| 982 | return $can_use_dynamic_feature; |
| 983 | } |
| 984 | |
| 985 | $dynamic_features_enabled = (array) pods_get_setting( 'dynamic_features_enabled', [ |
| 986 | 'display', |
| 987 | 'form', |
| 988 | ] ); |
| 989 | $dynamic_features_enabled = array_filter( $dynamic_features_enabled ); |
| 990 | |
| 991 | $constant_dynamic_features_enabled = defined( 'PODS_DYNAMIC_FEATURES_ENABLED' ) ? PODS_DYNAMIC_FEATURES_ENABLED : false; |
| 992 | |
| 993 | if ( false !== $constant_dynamic_features_enabled && ! is_array( $constant_dynamic_features_enabled ) ) { |
| 994 | $constant_dynamic_features_enabled = explode( ',', $constant_dynamic_features_enabled ); |
| 995 | $constant_dynamic_features_enabled = array_filter( $constant_dynamic_features_enabled ); |
| 996 | |
| 997 | $dynamic_features_enabled = $constant_dynamic_features_enabled; |
| 998 | } |
| 999 | |
| 1000 | if ( empty( $dynamic_features_enabled ) ) { |
| 1001 | return false; |
| 1002 | } |
| 1003 | |
| 1004 | return in_array( $type, $dynamic_features_enabled, true ); |
| 1005 | } |
| 1006 | |
| 1007 | /** |
| 1008 | * Determine whether specific dynamic feature is unrestricted. |
| 1009 | * |
| 1010 | * @since 3.1.0 |
| 1011 | * |
| 1012 | * @param array $args { |
| 1013 | * The arguments to use. |
| 1014 | * |
| 1015 | * @type string|null $object_type The object type. |
| 1016 | * @type string|null $object_name The object name. |
| 1017 | * @type int|string|null $item_id The item ID. |
| 1018 | * @type Pods|null $pods The Pods object. |
| 1019 | * @type Pod|null $pod The Pod object. |
| 1020 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 1021 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 1022 | * } |
| 1023 | * @param string $type The dynamic feature type. |
| 1024 | * @param string $mode The dynamic feature mode (like "add" or "edit" for the form feature). |
| 1025 | * |
| 1026 | * @return bool Whether specific dynamic feature is unrestricted. |
| 1027 | */ |
| 1028 | function pods_can_use_dynamic_feature_unrestricted( array $args, string $type, ?string $mode = null ): bool { |
| 1029 | if ( ! pods_can_use_dynamic_feature( $type ) ) { |
| 1030 | return false; |
| 1031 | } |
| 1032 | |
| 1033 | if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICT' ) && ! PODS_DYNAMIC_FEATURES_RESTRICT ) { |
| 1034 | return true; |
| 1035 | } |
| 1036 | |
| 1037 | $can_use_dynamic_features_unrestricted = apply_filters( 'pods_access_can_use_dynamic_features_unrestricted', null, $args, $type, $mode ); |
| 1038 | |
| 1039 | if ( is_bool( $can_use_dynamic_features_unrestricted ) ) { |
| 1040 | return $can_use_dynamic_features_unrestricted; |
| 1041 | } |
| 1042 | |
| 1043 | $can_use_unrestricted = false; |
| 1044 | |
| 1045 | $args['build_pod'] = true; |
| 1046 | |
| 1047 | $info = pods_info_from_args( $args ); |
| 1048 | |
| 1049 | if ( ! $info['pod'] ) { |
| 1050 | $can_use_unrestricted = false; |
| 1051 | } else { |
| 1052 | $is_public_content_type = pods_is_type_public( $info ); |
| 1053 | |
| 1054 | $default_restricted_dynamic_features = [ |
| 1055 | 'form', |
| 1056 | ]; |
| 1057 | |
| 1058 | if ( ! $is_public_content_type ) { |
| 1059 | $default_restricted_dynamic_features[] = 'display'; |
| 1060 | } |
| 1061 | |
| 1062 | $default_restricted_dynamic_features_forms = [ |
| 1063 | 'edit', |
| 1064 | ]; |
| 1065 | |
| 1066 | if ( ! $is_public_content_type ) { |
| 1067 | $default_restricted_dynamic_features_forms[] = 'add'; |
| 1068 | } |
| 1069 | |
| 1070 | // Check if all dynamic features are unrestricted. |
| 1071 | $restrict_dynamic_features = $info['pod']->get_arg( 'restrict_dynamic_features', '1' ); |
| 1072 | $restrict_dynamic_features = filter_var( $restrict_dynamic_features, FILTER_VALIDATE_BOOLEAN ); |
| 1073 | |
| 1074 | if ( ! $restrict_dynamic_features ) { |
| 1075 | $can_use_unrestricted = true; |
| 1076 | } elseif ( ! empty( $type ) ) { |
| 1077 | if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICTED' ) && false !== PODS_DYNAMIC_FEATURES_RESTRICTED ) { |
| 1078 | $constant_restricted_dynamic_features = PODS_DYNAMIC_FEATURES_RESTRICTED; |
| 1079 | |
| 1080 | if ( ! is_array( $constant_restricted_dynamic_features ) ) { |
| 1081 | $constant_restricted_dynamic_features = explode( ',', $constant_restricted_dynamic_features ); |
| 1082 | } |
| 1083 | |
| 1084 | $restricted_dynamic_features = $constant_restricted_dynamic_features; |
| 1085 | } else { |
| 1086 | $restricted_dynamic_features = (array) $info['pod']->get_arg( 'restricted_dynamic_features', $default_restricted_dynamic_features ); |
| 1087 | } |
| 1088 | |
| 1089 | $restricted_dynamic_features = array_filter( $restricted_dynamic_features ); |
| 1090 | |
| 1091 | if ( empty( $restricted_dynamic_features ) ) { |
| 1092 | $can_use_unrestricted = true; |
| 1093 | } else { |
| 1094 | $can_use_unrestricted = ! in_array( $type, $restricted_dynamic_features, true ); |
| 1095 | } |
| 1096 | |
| 1097 | if ( ! $can_use_unrestricted && 'form' === $type && $mode ) { |
| 1098 | if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS' ) && false !== PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS ) { |
| 1099 | $constant_restricted_dynamic_features_forms = PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS; |
| 1100 | |
| 1101 | if ( ! is_array( $constant_restricted_dynamic_features_forms ) ) { |
| 1102 | $constant_restricted_dynamic_features_forms = explode( ',', $constant_restricted_dynamic_features_forms ); |
| 1103 | } |
| 1104 | |
| 1105 | $restricted_dynamic_features_forms = $constant_restricted_dynamic_features_forms; |
| 1106 | } else { |
| 1107 | $restricted_dynamic_features_forms = (array) $info['pod']->get_arg( 'restricted_dynamic_features_forms', $default_restricted_dynamic_features_forms ); |
| 1108 | } |
| 1109 | |
| 1110 | $restricted_dynamic_features_forms = array_filter( $restricted_dynamic_features_forms ); |
| 1111 | |
| 1112 | if ( empty( $restricted_dynamic_features_forms ) ) { |
| 1113 | $can_use_unrestricted = true; |
| 1114 | } else { |
| 1115 | $can_use_unrestricted = ! in_array( $mode, $restricted_dynamic_features_forms, true ); |
| 1116 | } |
| 1117 | } |
| 1118 | } |
| 1119 | } |
| 1120 | |
| 1121 | return $can_use_unrestricted; |
| 1122 | } |
| 1123 | |
| 1124 | /** |
| 1125 | * Get the access notice for admin user based on object type and object name. |
| 1126 | * |
| 1127 | * @since 3.1.0 |
| 1128 | * |
| 1129 | * @param array $args { |
| 1130 | * The arguments to use. |
| 1131 | * |
| 1132 | * @type string|null $object_type The object type. |
| 1133 | * @type string|null $object_name The object name. |
| 1134 | * @type int|string|null $item_id The item ID. |
| 1135 | * @type Pods|null $pods The Pods object. |
| 1136 | * @type Pod|null $pod The Pod object. |
| 1137 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 1138 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 1139 | * } |
| 1140 | * @param bool $force_message Whether to force the message to show even if messages are hidden by a setting. |
| 1141 | * |
| 1142 | * @return string The access notice for admin user based on object type and object name. |
| 1143 | */ |
| 1144 | function pods_get_access_admin_notice( array $args, bool $force_message = false ): string { |
| 1145 | $args['build_pod'] = true; |
| 1146 | |
| 1147 | $info = pods_info_from_args( $args ); |
| 1148 | |
| 1149 | $identifier_for_html = esc_html( json_encode( [ |
| 1150 | 'object_type' => $info['object_type'], |
| 1151 | 'object_name' => $info['object_name'], |
| 1152 | 'item_id' => $info['item_id'], |
| 1153 | ] ) ); |
| 1154 | |
| 1155 | // Check if constant is hiding all notices. |
| 1156 | if ( ! $force_message && defined( 'PODS_ACCESS_HIDE_NOTICES' ) && PODS_ACCESS_HIDE_NOTICES ) { |
| 1157 | return '<!-- pods:access-notices/admin/hidden-by-constant ' . $identifier_for_html . ' -->'; |
| 1158 | } |
| 1159 | |
| 1160 | // Check notice setting for the Pod itself. |
| 1161 | if ( $info['pod'] instanceof Pod ) { |
| 1162 | $show_access_admin_notices_for_pod = $info['pod']->get_arg( 'show_access_admin_notices', 'inherit' ); |
| 1163 | |
| 1164 | if ( 'inherit' !== $show_access_admin_notices_for_pod ) { |
| 1165 | $show_access_admin_notices_for_pod = filter_var( $show_access_admin_notices_for_pod, FILTER_VALIDATE_BOOLEAN ); |
| 1166 | |
| 1167 | // Check if all notices have been dismissed for the pod. |
| 1168 | if ( ! $force_message && ! $show_access_admin_notices_for_pod ) { |
| 1169 | return '<!-- pods:access-notices/admin/hidden-by-pod ' . $identifier_for_html . ' -->'; |
| 1170 | } |
| 1171 | } |
| 1172 | } |
| 1173 | |
| 1174 | // Show notice that this content may not be visible to others. |
| 1175 | $show_access_admin_notices = pods_get_setting( 'show_access_admin_notices', true ); |
| 1176 | $show_access_admin_notices = filter_var( $show_access_admin_notices, FILTER_VALIDATE_BOOLEAN ); |
| 1177 | |
| 1178 | // Check if all notices have been dismissed. |
| 1179 | if ( ! $force_message && ! $show_access_admin_notices ) { |
| 1180 | return '<!-- pods:access-notices/admin/hidden-by-setting ' . $identifier_for_html . ' -->'; |
| 1181 | } |
| 1182 | |
| 1183 | $summary = esc_html__( 'Pods Access Rights: Admin-only Notice', 'pods' ); |
| 1184 | |
| 1185 | $content = sprintf( |
| 1186 | ' |
| 1187 | <p> |
| 1188 | %1$s |
| 1189 | <br /> |
| 1190 | <span class="pods-ui-notice-action-links"> |
| 1191 | <a href="%2$s" target="_blank" rel="noopener noreferrer">%3$s</a> |
| 1192 | | <a href="%4$s" target="_blank" rel="noopener noreferrer">%5$s</a> |
| 1193 | </span> |
| 1194 | </p> |
| 1195 | ', |
| 1196 | esc_html__( 'The content type or the content below is not public and may not be available to everyone else.', 'pods' ), |
| 1197 | esc_url( 'https://docs.pods.io/displaying-pods/access-rights-in-pods/' ), |
| 1198 | esc_html__( 'How access rights work with Pods (Documentation)', 'pods' ), |
| 1199 | esc_url( admin_url( 'admin.php?page=pods-settings#heading-security' ) ), |
| 1200 | esc_html__( 'Edit other access right options', 'pods' ) |
| 1201 | ); |
| 1202 | |
| 1203 | return '<!-- pods:access-notices/admin/message ' . $identifier_for_html . ' -->' |
| 1204 | . pods_message( |
| 1205 | sprintf( |
| 1206 | ' |
| 1207 | <details open> |
| 1208 | <summary><strong>%1$s</strong></summary> |
| 1209 | %2$s |
| 1210 | </details> |
| 1211 | ', |
| 1212 | wp_strip_all_tags( ! empty( $info['summary'] ) ? $info['summary'] : $summary ), |
| 1213 | ! empty( $info['content'] ) ? wpautop( $info['content'] ) : $content |
| 1214 | ), |
| 1215 | 'notice', |
| 1216 | true |
| 1217 | ); |
| 1218 | } |
| 1219 | |
| 1220 | /** |
| 1221 | * Get the access notice for non-admin user based on object type and object name. |
| 1222 | * |
| 1223 | * @since 3.1.0 |
| 1224 | * |
| 1225 | * @param array $args { |
| 1226 | * The arguments to use. |
| 1227 | * |
| 1228 | * @type string|null $object_type The object type. |
| 1229 | * @type string|null $object_name The object name. |
| 1230 | * @type int|string|null $item_id The item ID. |
| 1231 | * @type Pods|null $pods The Pods object. |
| 1232 | * @type Pod|null $pod The Pod object. |
| 1233 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 1234 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 1235 | * } |
| 1236 | * @param bool $force_message Whether to force the message to show even if messages are hidden by a setting. |
| 1237 | * @param string|null $message A custom message to use for the notice text. |
| 1238 | * |
| 1239 | * @return string The access notice for non-admin user based on object type and object name. |
| 1240 | */ |
| 1241 | function pods_get_access_user_notice( array $args, bool $force_message = false, ?string $message = null ): string { |
| 1242 | $args['build_pod'] = true; |
| 1243 | |
| 1244 | $info = pods_info_from_args( $args ); |
| 1245 | |
| 1246 | $identifier_for_html = esc_html( json_encode( [ |
| 1247 | 'object_type' => $info['object_type'], |
| 1248 | 'object_name' => $info['object_name'], |
| 1249 | 'item_id' => $info['item_id'], |
| 1250 | ] ) ); |
| 1251 | |
| 1252 | // Check for password-protected post. |
| 1253 | if ( $info['item_id'] && pods_access_bypass_post_with_password( $info ) ) { |
| 1254 | $message = get_the_password_form( $info['item_id'] ); |
| 1255 | |
| 1256 | return '<!-- pods:access-notices/user/protected/message ' . $identifier_for_html . ' -->' |
| 1257 | . pods_message( |
| 1258 | sprintf( |
| 1259 | '<p><strong>%1$s</strong></p> %2$s', |
| 1260 | esc_html__( 'Access Restricted', 'pods' ), |
| 1261 | $message |
| 1262 | ), |
| 1263 | 'error', |
| 1264 | true |
| 1265 | ); |
| 1266 | } |
| 1267 | |
| 1268 | // Check if constant is hiding all notices. |
| 1269 | if ( ! $force_message && defined( 'PODS_ACCESS_HIDE_NOTICES' ) && PODS_ACCESS_HIDE_NOTICES ) { |
| 1270 | return '<!-- pods:access-notices/user/hidden-by-constant ' . $identifier_for_html . ' -->'; |
| 1271 | } |
| 1272 | |
| 1273 | // Check notice setting for the Pod itself. |
| 1274 | if ( $info['pod'] instanceof Pod ) { |
| 1275 | $show_access_restricted_messages_for_pod = $info['pod']->get_arg( 'show_access_restricted_messages', 'inherit' ); |
| 1276 | |
| 1277 | if ( 'inherit' !== $show_access_restricted_messages_for_pod ) { |
| 1278 | $show_access_restricted_messages_for_pod = filter_var( $show_access_restricted_messages_for_pod, FILTER_VALIDATE_BOOLEAN ); |
| 1279 | |
| 1280 | // Check if all notices have been dismissed for the pod. |
| 1281 | if ( ! $force_message && ! $show_access_restricted_messages_for_pod ) { |
| 1282 | return '<!-- pods:access-notices/user/hidden-by-pod ' . $identifier_for_html . ' -->'; |
| 1283 | } |
| 1284 | } |
| 1285 | } |
| 1286 | |
| 1287 | // Show notice that this content may not be visible to others. |
| 1288 | $show_access_restricted_messages = pods_get_setting( 'show_access_restricted_messages', false ); |
| 1289 | $show_access_restricted_messages = filter_var( $show_access_restricted_messages, FILTER_VALIDATE_BOOLEAN ); |
| 1290 | |
| 1291 | // Check if all notices have been dismissed. |
| 1292 | if ( ! $force_message && ! $show_access_restricted_messages ) { |
| 1293 | return '<!-- pods:access-notices/user/hidden-by-setting ' . $identifier_for_html . ' -->'; |
| 1294 | } |
| 1295 | |
| 1296 | $message = $message ?? esc_html__( 'You do not have access to this embedded content.', 'pods' ); |
| 1297 | |
| 1298 | return '<!-- pods:access-notices/user/message ' . $identifier_for_html . ' -->' |
| 1299 | . pods_message( |
| 1300 | sprintf( |
| 1301 | '<p><strong>%1$s:</strong> %2$s</p>', |
| 1302 | esc_html__( 'Access Restricted', 'pods' ), |
| 1303 | $message |
| 1304 | ), |
| 1305 | 'error', |
| 1306 | true |
| 1307 | ); |
| 1308 | } |
| 1309 | |
| 1310 | /** |
| 1311 | * Determine whether SQL clauses can be used with dynamic features. |
| 1312 | * |
| 1313 | * @since 3.1.0 |
| 1314 | * |
| 1315 | * @param null|string $clause_type The clause type to check if allowed, if null used then it checks if any clauses are allowed. |
| 1316 | * |
| 1317 | * @return bool Whether SQL clauses can be used with dynamic features. |
| 1318 | */ |
| 1319 | function pods_can_use_dynamic_feature_sql_clauses( ?string $clause_type = null ): bool { |
| 1320 | // Set default to most simple clause type check (simple). |
| 1321 | $clause_type = $clause_type ?: 'simple'; |
| 1322 | |
| 1323 | if ( defined( 'PODS_DISABLE_SHORTCODE_SQL' ) ) { |
| 1324 | // Negate the check since this is a "disable" constant. |
| 1325 | return ! PODS_DISABLE_SHORTCODE_SQL; |
| 1326 | } |
| 1327 | |
| 1328 | if ( defined( 'PODS_DYNAMIC_FEATURES_ALLOW_SQL_CLAUSES' ) ) { |
| 1329 | $allow_sql_clauses = PODS_DYNAMIC_FEATURES_ALLOW_SQL_CLAUSES; |
| 1330 | } else { |
| 1331 | $cached_allow_sql_clauses = pods_transient_get( 'pods_dynamic_features_allow_sql_clauses' ); |
| 1332 | |
| 1333 | if ( is_string( $cached_allow_sql_clauses ) ) { |
| 1334 | $allow_sql_clauses = $cached_allow_sql_clauses; |
| 1335 | } else { |
| 1336 | $first_pods_version = get_option( 'pods_framework_version_first' ); |
| 1337 | $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; |
| 1338 | |
| 1339 | $allow_sql_clauses = pods_get_setting( 'dynamic_features_allow_sql_clauses', version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? 'simple' : '0' ); |
| 1340 | |
| 1341 | pods_transient_set( 'pods_dynamic_features_allow_sql_clauses', (string) $allow_sql_clauses ); |
| 1342 | } |
| 1343 | } |
| 1344 | |
| 1345 | if ( |
| 1346 | false === $allow_sql_clauses |
| 1347 | || '0' === (string) $allow_sql_clauses |
| 1348 | ) { |
| 1349 | return false; |
| 1350 | } |
| 1351 | |
| 1352 | // The "all" option is inclusive of "simple". |
| 1353 | if ( 'simple' === $clause_type && 'all' === $allow_sql_clauses ) { |
| 1354 | return true; |
| 1355 | } |
| 1356 | |
| 1357 | return $clause_type === $allow_sql_clauses; |
| 1358 | } |
| 1359 | |
| 1360 | /** |
| 1361 | * Determine whether a callback can be used. |
| 1362 | * |
| 1363 | * @since 3.1.0 |
| 1364 | * |
| 1365 | * @param string|callable $callback The callback to check. |
| 1366 | * @param array $params Parameters used by Pods::helper() method. |
| 1367 | * |
| 1368 | * @return bool Whether the callback can be used. |
| 1369 | */ |
| 1370 | function pods_access_callback_allowed( $callback, array $params = [] ): bool { |
| 1371 | // Real callables are allowed because they are done through PHP calls. |
| 1372 | if ( ! is_string( $callback ) ) { |
| 1373 | return true; |
| 1374 | } |
| 1375 | |
| 1376 | if ( ! pods_can_use_dynamic_feature( 'display' ) ) { |
| 1377 | return false; |
| 1378 | } |
| 1379 | |
| 1380 | if ( |
| 1381 | defined( 'PODS_DISPLAY_CALLBACKS' ) |
| 1382 | && ! PODS_DISPLAY_CALLBACKS |
| 1383 | ) { |
| 1384 | return false; |
| 1385 | } |
| 1386 | |
| 1387 | /** |
| 1388 | * Allows changing whether callbacks are allowed to run. |
| 1389 | * |
| 1390 | * @param bool $allow_callbacks Whether callbacks are allowed to run. |
| 1391 | * @param array $params Parameters used by Pods::helper() method. |
| 1392 | * |
| 1393 | * @since 2.8.0 |
| 1394 | */ |
| 1395 | $allow_callbacks = (bool) apply_filters( 'pods_helper_allow_callbacks', true, $params ); |
| 1396 | |
| 1397 | if ( ! $allow_callbacks ) { |
| 1398 | return false; |
| 1399 | } |
| 1400 | |
| 1401 | $disallowed = [ |
| 1402 | // Regex related. |
| 1403 | 'preg_replace', |
| 1404 | 'preg_replace_array', |
| 1405 | 'preg_replace_callback', |
| 1406 | 'preg_replace_callback_array', |
| 1407 | 'preg_match', |
| 1408 | 'preg_match_all', |
| 1409 | // Shell/Eval related. |
| 1410 | 'system', |
| 1411 | 'exec', |
| 1412 | 'passthru', |
| 1413 | 'proc_close', |
| 1414 | 'proc_get_status', |
| 1415 | 'proc_nice', |
| 1416 | 'proc_open', |
| 1417 | 'proc_terminate', |
| 1418 | 'shell_exec', |
| 1419 | 'system', |
| 1420 | 'eval', |
| 1421 | 'create_function', |
| 1422 | // File related. |
| 1423 | 'popen', |
| 1424 | 'include', |
| 1425 | 'include_once', |
| 1426 | 'require', |
| 1427 | 'require_once', |
| 1428 | 'file_get_contents', |
| 1429 | 'file_put_contents', |
| 1430 | 'get_template_part', |
| 1431 | // Nonce related. |
| 1432 | 'wp_nonce_url', |
| 1433 | 'wp_nonce_field', |
| 1434 | 'wp_create_nonce', |
| 1435 | 'check_admin_referer', |
| 1436 | 'check_ajax_referer', |
| 1437 | 'wp_verify_nonce', |
| 1438 | // PHP related. |
| 1439 | 'constant', |
| 1440 | 'defined', |
| 1441 | 'get_current_user', |
| 1442 | 'get_defined_constants', |
| 1443 | 'get_defined_functions', |
| 1444 | 'get_defined_vars', |
| 1445 | 'get_extension_funcs', |
| 1446 | 'get_include_path', |
| 1447 | 'get_included_files', |
| 1448 | 'get_loaded_extensions', |
| 1449 | 'get_required_files', |
| 1450 | 'get_resources', |
| 1451 | 'getenv', |
| 1452 | 'getopt', |
| 1453 | 'ini_alter', |
| 1454 | 'ini_get', |
| 1455 | 'ini_get_all', |
| 1456 | 'ini_restore', |
| 1457 | 'ini_set', |
| 1458 | 'php_ini_loaded_file', |
| 1459 | 'php_ini_scanned_files', |
| 1460 | 'php_sapi_name', |
| 1461 | 'php_uname', |
| 1462 | 'phpinfo', |
| 1463 | 'phpversion', |
| 1464 | 'putenv', |
| 1465 | // WordPress related. |
| 1466 | 'get_userdata', |
| 1467 | 'get_currentuserinfo', |
| 1468 | 'get_post', |
| 1469 | 'get_term', |
| 1470 | 'get_comment', |
| 1471 | ]; |
| 1472 | |
| 1473 | $allowed = []; |
| 1474 | |
| 1475 | if ( defined( 'PODS_DISPLAY_CALLBACKS' ) ) { |
| 1476 | $display_callbacks = PODS_DISPLAY_CALLBACKS; |
| 1477 | } else { |
| 1478 | $first_pods_version = get_option( 'pods_framework_version_first' ); |
| 1479 | $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; |
| 1480 | |
| 1481 | $display_callbacks = pods_get_setting( 'display_callbacks', version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? 'restricted' : 'customized' ); |
| 1482 | } |
| 1483 | |
| 1484 | if ( '0' === $display_callbacks ) { |
| 1485 | return false; |
| 1486 | } |
| 1487 | |
| 1488 | // Maybe specify the list of allowed callbacks. |
| 1489 | if ( 'customized' === $display_callbacks ) { |
| 1490 | if ( defined( 'PODS_DISPLAY_CALLBACKS_ALLOWED' ) ) { |
| 1491 | $display_callbacks_allowed = PODS_DISPLAY_CALLBACKS_ALLOWED; |
| 1492 | } else { |
| 1493 | // Maybe specify the list of allowed callbacks |
| 1494 | $display_callbacks_allowed = pods_get_setting( 'display_callbacks_allowed', 'esc_attr,esc_html' ); |
| 1495 | } |
| 1496 | |
| 1497 | if ( ! is_array( $display_callbacks_allowed ) ) { |
| 1498 | $display_callbacks_allowed = str_replace( "\n", ',', $display_callbacks_allowed ); |
| 1499 | $display_callbacks_allowed = explode( ',', $display_callbacks_allowed ); |
| 1500 | } |
| 1501 | |
| 1502 | $display_callbacks_allowed = array_map( 'trim', $display_callbacks_allowed ); |
| 1503 | $display_callbacks_allowed = array_filter( $display_callbacks_allowed ); |
| 1504 | |
| 1505 | if ( ! empty( $display_callbacks_allowed ) ) { |
| 1506 | $allowed = $display_callbacks_allowed; |
| 1507 | } |
| 1508 | } |
| 1509 | |
| 1510 | /** |
| 1511 | * Allows adjusting the disallowed callbacks as needed. |
| 1512 | * |
| 1513 | * @param array $disallowed List of callbacks not allowed. |
| 1514 | * @param array $params Parameters used by Pods::helper() method. |
| 1515 | * |
| 1516 | * @since 2.7.0 |
| 1517 | */ |
| 1518 | $disallowed = apply_filters( 'pods_helper_disallowed_callbacks', $disallowed, $params ); |
| 1519 | |
| 1520 | /** |
| 1521 | * Allows adjusting the allowed callbacks as needed. |
| 1522 | * |
| 1523 | * @param array $allowed List of callbacks explicitly allowed. |
| 1524 | * @param array $params Parameters used by Pods::helper() method. |
| 1525 | * |
| 1526 | * @since 2.7.0 |
| 1527 | */ |
| 1528 | $allowed = apply_filters( 'pods_helper_allowed_callbacks', $allowed, $params ); |
| 1529 | |
| 1530 | // Clean up helper callback (if string). |
| 1531 | if ( is_string( $callback ) ) { |
| 1532 | $callback = wp_strip_all_tags( str_replace( array( '`', chr( 96 ) ), "'", $callback ) ); |
| 1533 | } |
| 1534 | |
| 1535 | return ( |
| 1536 | ! in_array( $callback, $disallowed, true ) |
| 1537 | && ( |
| 1538 | empty( $allowed ) |
| 1539 | || in_array( $callback, $allowed, true ) |
| 1540 | ) |
| 1541 | ); |
| 1542 | } |
| 1543 | |
| 1544 | /** |
| 1545 | * Get the pod access tab options for a specific pod. |
| 1546 | * |
| 1547 | * @since 3.1.0 |
| 1548 | * |
| 1549 | * @param string $pod_type The pod type. |
| 1550 | * @param string $pod_name The pod name. |
| 1551 | * @param null|Pod $pod The pod object. |
| 1552 | * |
| 1553 | * @return array The pod access tab options for a specific pod. |
| 1554 | */ |
| 1555 | function pods_access_pod_options( string $pod_type, string $pod_name, ?Pod $pod = null ): array { |
| 1556 | $first_pods_version = get_option( 'pods_framework_version_first' ); |
| 1557 | $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; |
| 1558 | |
| 1559 | $options = []; |
| 1560 | |
| 1561 | $options['security_access_rights_info'] = [ |
| 1562 | 'label' => __( 'How access rights work in Pods', 'pods' ), |
| 1563 | 'type' => 'html', |
| 1564 | 'html_content' => sprintf( |
| 1565 | ' |
| 1566 | <p>%1$s</p> |
| 1567 | <p><a href="https://docs.pods.io/displaying-pods/access-rights-in-pods/" target="_blank" rel="noopener noreferrer">%2$s</a> <span class="dashicon dashicons dashicons-external"></span></p> |
| 1568 | ', |
| 1569 | __( 'Pods handles access rights similar to how WordPress itself works.', 'pods' ), |
| 1570 | __( 'Read more about how access rights work in Pods on our Documentation site', 'pods' ) |
| 1571 | ), |
| 1572 | ]; |
| 1573 | |
| 1574 | if ( 'pod' === $pod_type ) { |
| 1575 | $options['public'] = [ |
| 1576 | 'label' => __( 'Public', 'pods' ), |
| 1577 | 'help' => __( 'You can still embed Pods Content and Forms through PHP and make use of other features directly through code.', 'pods' ), |
| 1578 | 'description' => __( 'When a content type is public, it can be viewed by anyone when it is embedded through Dynamic Features. Otherwise, a user will need to have the corresponding "read" capability for the content type.', 'pods' ), |
| 1579 | 'type' => 'boolean', |
| 1580 | 'default' => version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? true : false, |
| 1581 | 'boolean_yes_label' => '', |
| 1582 | ]; |
| 1583 | } |
| 1584 | |
| 1585 | if ( pods_can_use_dynamic_features() ) { |
| 1586 | $options['dynamic_features_allow'] = [ |
| 1587 | 'label' => __( 'Dynamic Features', 'pods' ), |
| 1588 | 'help' => [ |
| 1589 | __( 'Enabling Dynamic Features will also enable the additional access rights checks for user access. This ensures that people viewing embedded content and forms have the required capabilities. Even when Dynamic Features are disabled, you can still embed Pods Content and Forms through PHP and make use of other features directly through code.', 'pods' ), |
| 1590 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1591 | ], |
| 1592 | 'description' => __( 'Dynamic features include Pods Shortcodes, Blocks, and Widgets which let you embed content and forms on your site.', 'pods' ), |
| 1593 | 'type' => 'pick', |
| 1594 | 'default' => 'inherit', |
| 1595 | 'pick_format_type' => 'single', |
| 1596 | 'pick_format_single' => 'radio', |
| 1597 | 'data' => [ |
| 1598 | 'inherit' => __( 'WP Default - If the content type is marked "Public" with WordPress then Dynamic Features will be enabled.', 'pods' ), |
| 1599 | '1' => __( 'Enable Dynamic Features including Pods Shortcodes, Blocks, and Widgets for this content type', 'pods' ), |
| 1600 | '0' => __( 'Disable All Dynamic Features in Pods for this content type', 'pods' ), |
| 1601 | ], |
| 1602 | 'dependency' => true, |
| 1603 | ]; |
| 1604 | |
| 1605 | $is_public_content_type = pods_is_type_public( |
| 1606 | [ |
| 1607 | 'pod' => $pod, |
| 1608 | ] |
| 1609 | ); |
| 1610 | |
| 1611 | $options['restrict_dynamic_features'] = [ |
| 1612 | 'label' => __( 'Restrict Dynamic Features', 'pods' ), |
| 1613 | 'help' => [ |
| 1614 | __( 'This will check access rights for whether someone should have access to specific content before a they can view, modify, or interact with that content.', 'pods' ), |
| 1615 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1616 | ], |
| 1617 | 'description' => sprintf( |
| 1618 | '<strong>%1$s</strong> %2$s', |
| 1619 | esc_html__( 'Warning:', 'pods' ), |
| 1620 | esc_html__( 'If you have authors/contributors on your site then disabling this would give them access to embedding content/forms without access checks for them or whoever views the embeds on the front of your site. Caution is always advised before giving access to other users you may not trust.', 'pods' ) |
| 1621 | ), |
| 1622 | 'type' => 'pick', |
| 1623 | 'default' => '1', |
| 1624 | 'pick_format_type' => 'single', |
| 1625 | 'pick_format_single' => 'radio', |
| 1626 | 'data' => [ |
| 1627 | '0' => __( 'Unrestricted - Do not check for access rights for embedded content (only use this if you trust ALL users who have access to create content)', 'pods' ), |
| 1628 | '1' => __( 'Restricted - Check access rights for embedded content', 'pods' ), |
| 1629 | ], |
| 1630 | 'excludes-on' => [ 'dynamic_features_allow' => '0' ], |
| 1631 | ]; |
| 1632 | |
| 1633 | $default_restricted_dynamic_features = [ |
| 1634 | 'form', |
| 1635 | ]; |
| 1636 | |
| 1637 | if ( ! $is_public_content_type ) { |
| 1638 | $default_restricted_dynamic_features[] = 'display'; |
| 1639 | } |
| 1640 | |
| 1641 | $options['restricted_dynamic_features'] = [ |
| 1642 | 'label' => __( 'Dynamic Features to Restrict', 'pods' ), |
| 1643 | 'help' => [ |
| 1644 | __( 'This will check access rights for the dynamic feature for whether someone should have access to specific content before a they can view, modify, or interact with that content.', 'pods' ), |
| 1645 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1646 | ], |
| 1647 | 'type' => 'pick', |
| 1648 | 'default' => $default_restricted_dynamic_features, |
| 1649 | 'pick_format_type' => 'multi', |
| 1650 | 'pick_format_multi' => 'checkbox', |
| 1651 | 'data' => [ |
| 1652 | 'display' => __( 'Restricted Display - Shortcodes and Blocks that allow querying content from this Pod and displaying any field will check access rights.', 'pods' ), |
| 1653 | 'form' => __( 'Restricted Forms - The Form Shortcode and Block submitting new content or editing existing content will check access rights.', 'pods' ), |
| 1654 | ], |
| 1655 | 'depends-on' => [ 'restrict_dynamic_features' => '1' ], |
| 1656 | 'excludes-on' => [ 'dynamic_features_allow' => '0' ], |
| 1657 | ]; |
| 1658 | |
| 1659 | $default_restricted_dynamic_features_forms = [ |
| 1660 | 'edit', |
| 1661 | ]; |
| 1662 | |
| 1663 | if ( ! $is_public_content_type ) { |
| 1664 | $default_restricted_dynamic_features_forms[] = 'add'; |
| 1665 | } |
| 1666 | |
| 1667 | $options['restricted_dynamic_features_forms'] = [ |
| 1668 | 'label' => __( 'Dynamic Features to Restrict for Forms', 'pods' ), |
| 1669 | 'help' => [ |
| 1670 | __( 'This will check access rights for whether someone should have access to specific content before a they can add or edit content.', 'pods' ), |
| 1671 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1672 | ], |
| 1673 | 'type' => 'pick', |
| 1674 | 'default' => $default_restricted_dynamic_features_forms, |
| 1675 | 'pick_format_type' => 'multi', |
| 1676 | 'pick_format_multi' => 'checkbox', |
| 1677 | 'data' => [ |
| 1678 | 'add' => __( 'Restricted Add New Forms - Embedding the Form Shortcode and Block to allow for adding new content will check access rights.', 'pods' ), |
| 1679 | 'edit' => __( 'Restricted Edit Forms - Embedding the Form Shortcode and Block to allow for editing existing content will check access rights.', 'pods' ), |
| 1680 | ], |
| 1681 | 'depends-on-multi' => [ 'restricted_dynamic_features' => 'form' ], |
| 1682 | 'excludes-on' => [ 'dynamic_features_allow' => '0' ], |
| 1683 | ]; |
| 1684 | |
| 1685 | $options['show_access_restricted_messages'] = [ |
| 1686 | 'label' => __( 'Access-related Restricted Messages', 'pods' ), |
| 1687 | 'help' => [ |
| 1688 | __( 'Access-related Restricted Messages will show to anyone who does not have access to add/edit/read a specific item from a content type.', 'pods' ), |
| 1689 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1690 | ], |
| 1691 | 'type' => 'pick', |
| 1692 | 'default' => 'inherit', |
| 1693 | 'pick_format_type' => 'single', |
| 1694 | 'pick_format_single' => 'radio', |
| 1695 | 'data' => [ |
| 1696 | '1' => __( 'Enable access-related restricted messages for forms/content displayed (instead of the form/content output)', 'pods' ), |
| 1697 | '0' => __( 'Disable access-related restricted messages for forms/content displayed (the form/content output will be blank)', 'pods' ), |
| 1698 | 'inherit' => __( 'Default - Use the global Pods setting for this', 'pods' ), |
| 1699 | ], |
| 1700 | 'depends-on' => [ 'restrict_dynamic_features' => '1' ], |
| 1701 | 'excludes-on' => [ 'dynamic_features_allow' => '0' ], |
| 1702 | ]; |
| 1703 | |
| 1704 | $options['show_access_admin_notices'] = [ |
| 1705 | 'label' => __( 'Access-related Admin Notices', 'pods' ), |
| 1706 | 'help' => [ |
| 1707 | __( 'Access-related Admin Notices will only show to admins and will appear above content/forms that may not be entirely public.', 'pods' ), |
| 1708 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1709 | ], |
| 1710 | 'type' => 'pick', |
| 1711 | 'default' => 'inherit', |
| 1712 | 'pick_format_type' => 'single', |
| 1713 | 'pick_format_single' => 'radio', |
| 1714 | 'data' => [ |
| 1715 | '1' => __( 'Enable access-related admin notices above forms/content displayed', 'pods' ), |
| 1716 | '0' => __( 'Disable access-related admin notices above forms/content displayed', 'pods' ), |
| 1717 | 'inherit' => __( 'Default - Use the global Pods setting for this', 'pods' ), |
| 1718 | ], |
| 1719 | 'depends-on' => [ 'restrict_dynamic_features' => '1' ], |
| 1720 | 'excludes-on' => [ 'dynamic_features_allow' => '0' ], |
| 1721 | ]; |
| 1722 | } |
| 1723 | |
| 1724 | $options['security_access_rights_preview'] = [ |
| 1725 | 'label' => __( 'Capabilities preview', 'pods' ), |
| 1726 | 'type' => 'html', |
| 1727 | 'html_content' => ' |
| 1728 | <p>' . esc_html__( 'Below is a list of capabilities that a user will normally need for this content.', 'pods' ) . '</p> |
| 1729 | ' . pods_access_get_capabilities_preview( $pod_type, $pod_name ), |
| 1730 | ]; |
| 1731 | |
| 1732 | return $options; |
| 1733 | } |
| 1734 | |
| 1735 | /** |
| 1736 | * Get the list of dynamic features allow options. |
| 1737 | * |
| 1738 | * @since 3.1.0 |
| 1739 | * |
| 1740 | * @return array The list of dynamic features allow options. |
| 1741 | */ |
| 1742 | function pods_access_get_dynamic_features_allow_options(): array { |
| 1743 | return [ |
| 1744 | 'inherit' => __( 'WP Default (if content type is Public)', 'pods' ), |
| 1745 | '1' => __( 'Enabled', 'pods' ), |
| 1746 | '0' => '🔒 ' . __( 'Disabled', 'pods' ), |
| 1747 | ]; |
| 1748 | } |
| 1749 | |
| 1750 | /** |
| 1751 | * Get the list of restricted dynamic features options. |
| 1752 | * |
| 1753 | * @since 3.1.0 |
| 1754 | * |
| 1755 | * @return array The list of restricted dynamic features options. |
| 1756 | */ |
| 1757 | function pods_access_get_restricted_dynamic_features_options(): array { |
| 1758 | return [ |
| 1759 | 'display' => '🔒 ' . __( 'Display', 'pods' ), |
| 1760 | 'form' => '🔒 ' . __( 'Form', 'pods' ), |
| 1761 | ]; |
| 1762 | } |
| 1763 | |
| 1764 | /** |
| 1765 | * Get the access rights capabilities preview HTML. |
| 1766 | * |
| 1767 | * @since 3.1.0 |
| 1768 | * |
| 1769 | * @param string $pod_type The pod type. |
| 1770 | * @param string $pod_name The pod name. |
| 1771 | * |
| 1772 | * @return string The access rights capabilities preview HTML. |
| 1773 | */ |
| 1774 | function pods_access_get_capabilities_preview( string $pod_type, string $pod_name ): string { |
| 1775 | $capabilities = pods_access_map_capabilities( |
| 1776 | [ |
| 1777 | 'object_type' => $pod_type, |
| 1778 | 'object_name' => $pod_name, |
| 1779 | ], |
| 1780 | null, |
| 1781 | true |
| 1782 | ); |
| 1783 | |
| 1784 | if ( null === $capabilities ) { |
| 1785 | $capabilities = [ |
| 1786 | 'read' => null, |
| 1787 | 'add' => null, |
| 1788 | 'edit' => null, |
| 1789 | 'delete' => null, |
| 1790 | ]; |
| 1791 | } |
| 1792 | |
| 1793 | $capabilities_preview = [ |
| 1794 | 'read' => esc_html__( 'Read capability', 'pods' ), |
| 1795 | 'add' => esc_html__( 'Add New capability', 'pods' ), |
| 1796 | 'edit' => esc_html__( 'Edit capability', 'pods' ), |
| 1797 | 'delete' => esc_html__( 'Delete capability', 'pods' ), |
| 1798 | 'read_private' => esc_html__( 'Read Private capability', 'pods' ), |
| 1799 | 'edit_others' => esc_html__( 'Edit Others capability', 'pods' ), |
| 1800 | 'delete_others' => esc_html__( 'Delete Others capability', 'pods' ), |
| 1801 | 'delete_published' => esc_html__( 'Delete Published capability', 'pods' ), |
| 1802 | 'delete_private' => esc_html__( 'Delete Private capability', 'pods' ), |
| 1803 | ]; |
| 1804 | |
| 1805 | $capabilities_preview_list = [ |
| 1806 | '<strong>' . $capabilities_preview['read'] . ':</strong> ' . ( $capabilities['read'] ?: __( 'Not restricted', 'pods' ) ), |
| 1807 | ]; |
| 1808 | |
| 1809 | if ( 'settings' !== $pod_type ) { |
| 1810 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['add'] . ':</strong> ' . ( $capabilities['add'] ?: __( 'Not restricted', 'pods' ) ); |
| 1811 | } |
| 1812 | |
| 1813 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['edit'] . ':</strong> ' . ( $capabilities['edit'] ?: __( 'Not restricted', 'pods' ) ); |
| 1814 | |
| 1815 | if ( 'settings' !== $pod_type ) { |
| 1816 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['delete'] . ':</strong> ' . ( $capabilities['delete'] ?: __( 'Not restricted', 'pods' ) ); |
| 1817 | } |
| 1818 | |
| 1819 | if ( $capabilities && array_key_exists( 'read_private', $capabilities ) ) { |
| 1820 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['read_private'] . ':</strong> ' . ( $capabilities['read_private'] ?: __( 'Not restricted', 'pods' ) ); |
| 1821 | } |
| 1822 | |
| 1823 | if ( $capabilities && array_key_exists( 'edit_others', $capabilities ) ) { |
| 1824 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['edit_others'] . ':</strong> ' . ( $capabilities['edit_others'] ?: __( 'Not restricted', 'pods' ) ); |
| 1825 | } |
| 1826 | |
| 1827 | if ( $capabilities && array_key_exists( 'delete_others', $capabilities ) ) { |
| 1828 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['delete_others'] . ':</strong> ' . ( $capabilities['delete_others'] ?: __( 'Not restricted', 'pods' ) ); |
| 1829 | } |
| 1830 | |
| 1831 | if ( $capabilities && array_key_exists( 'delete_published', $capabilities ) ) { |
| 1832 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['delete_published'] . ':</strong> ' . ( $capabilities['delete_published'] ?: __( 'Not restricted', 'pods' ) ); |
| 1833 | } |
| 1834 | |
| 1835 | if ( $capabilities && array_key_exists( 'delete_private', $capabilities ) ) { |
| 1836 | $capabilities_preview_list[] = '<strong>' . $capabilities_preview['delete_private'] . ':</strong> ' . ( $capabilities['delete_private'] ?: __( 'Not restricted', 'pods' ) ); |
| 1837 | } |
| 1838 | |
| 1839 | return ' |
| 1840 | <ul> |
| 1841 | <li>' . implode( '</li><li>', $capabilities_preview_list ) . '</li> |
| 1842 | </ul> |
| 1843 | '; |
| 1844 | } |
| 1845 | |
| 1846 | /** |
| 1847 | * Get the pod settings config for access-related settings. |
| 1848 | * |
| 1849 | * @since 3.1.0 |
| 1850 | * |
| 1851 | * @return array The pod settings config for access-related settings. |
| 1852 | */ |
| 1853 | function pods_access_settings_config(): array { |
| 1854 | // Only use translation functions after `init` to prevent a WP core notice. |
| 1855 | $did_init = doing_action( 'init' ) || did_action( 'init' ); |
| 1856 | |
| 1857 | $first_pods_version = get_option( 'pods_framework_version_first' ); |
| 1858 | $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; |
| 1859 | |
| 1860 | $fields = []; |
| 1861 | |
| 1862 | $fields['dynamic_features_allow'] = [ |
| 1863 | 'name' => 'dynamic_features_allow', |
| 1864 | 'label' => $did_init ? __( 'Dynamic Features', 'pods' ) : '', |
| 1865 | 'help' => [ |
| 1866 | $did_init ? __( 'Enabling Dynamic Features will also enable the additional access rights checks for user access. This ensures that people viewing embedded content and forms have the required capabilities. Even when Dynamic Features are disabled, you can still embed Pods Content and Forms through PHP and make use of other features directly through code.', 'pods' ) : '', |
| 1867 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1868 | ], |
| 1869 | 'description' => $did_init ? __( 'Dynamic features include Pods Shortcodes, Blocks, and Widgets which let you embed content and forms on your site.', 'pods' ) : '', |
| 1870 | 'type' => 'pick', |
| 1871 | 'default' => '1', |
| 1872 | 'pick_format_type' => 'single', |
| 1873 | 'pick_format_single' => 'radio', |
| 1874 | 'data' => [ |
| 1875 | '1' => $did_init ? __( 'Enable Dynamic Features including Pods Shortcodes, Blocks, and Widgets', 'pods' ) : '', |
| 1876 | '0' => $did_init ? __( 'Disable All Dynamic Features in Pods', 'pods' ) : '', |
| 1877 | ], |
| 1878 | 'site_health_data' => [ |
| 1879 | '1' => $did_init ? __( 'Enable', 'pods' ) : '', |
| 1880 | '0' => $did_init ? __( 'Disable', 'pods' ) : '', |
| 1881 | ], |
| 1882 | 'site_health_include_in_info' => true, |
| 1883 | ]; |
| 1884 | |
| 1885 | $fields['security_access_rights_info'] = [ |
| 1886 | 'name' => 'security_access_rights_info', |
| 1887 | 'label' => $did_init ? __( 'How access rights work in Pods', 'pods' ) : '', |
| 1888 | 'type' => 'html', |
| 1889 | 'html_content' => sprintf( |
| 1890 | ' |
| 1891 | <p>%1$s</p> |
| 1892 | <p><a href="https://docs.pods.io/displaying-pods/access-rights-in-pods/" target="_blank" rel="noopener noreferrer">%2$s</a> <span class="dashicon dashicons dashicons-external"></span></p> |
| 1893 | ', |
| 1894 | $did_init ? __( 'Pods handles access rights similar to how WordPress itself works.', 'pods' ) : '', |
| 1895 | $did_init ? __( 'Read more about how access rights work in Pods on our Documentation site', 'pods' ) : '' |
| 1896 | ), |
| 1897 | 'depends-on' => [ 'dynamic_features_allow' => '1' ], |
| 1898 | ]; |
| 1899 | |
| 1900 | $fields['dynamic_features_enabled'] = [ |
| 1901 | 'name' => 'dynamic_features_enabled', |
| 1902 | 'label' => $did_init ? __( 'Dynamic Features to Enable', 'pods' ) : '', |
| 1903 | 'help' => [ |
| 1904 | $did_init ? __( 'You can choose one or more dynamic features to enable. By default, only Display and Form are enabled.', 'pods' ) : '', |
| 1905 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1906 | ], |
| 1907 | 'type' => 'pick', |
| 1908 | 'default' => [ |
| 1909 | 'display', |
| 1910 | 'form', |
| 1911 | ], |
| 1912 | 'pick_format_type' => 'multi', |
| 1913 | 'pick_format_multi' => 'checkbox', |
| 1914 | 'data' => [ |
| 1915 | 'display' => $did_init ? __( 'Display - Shortcodes and Blocks that allow querying content from *any* Pod and displaying any field (WordPress access rights are still checked).', 'pods' ) : '', |
| 1916 | 'form' => $did_init ? __( 'Form - The Form Shortcode and Block that allows submitting new content or editing existing content from *any* Pod (WordPress access rights are still checked).', 'pods' ) : '', |
| 1917 | 'view' => $did_init ? __( 'View - The View Shortcode and Block that allows embedding *any* theme file on a page.', 'pods' ) : '', |
| 1918 | ], |
| 1919 | 'site_health_data' => [ |
| 1920 | 'display' => $did_init ? __( 'Display', 'pods' ) : '', |
| 1921 | 'form' => $did_init ? __( 'Form', 'pods' ) : '', |
| 1922 | 'view' => $did_init ? __( 'View', 'pods' ) : '', |
| 1923 | ], |
| 1924 | 'depends-on' => [ 'dynamic_features_allow' => '1' ], |
| 1925 | 'site_health_include_in_info' => true, |
| 1926 | ]; |
| 1927 | |
| 1928 | $fields['show_access_restricted_messages'] = [ |
| 1929 | 'name' => 'show_access_restricted_messages', |
| 1930 | 'label' => $did_init ? __( 'Access-related Restricted Messages', 'pods' ) : '', |
| 1931 | 'help' => [ |
| 1932 | $did_init ? __( 'Access-related Restricted Messages will show to anyone who does not have access to add/edit/read a specific item from a content type.', 'pods' ) : '', |
| 1933 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1934 | ], |
| 1935 | 'type' => 'pick', |
| 1936 | 'default' => '0', |
| 1937 | 'pick_format_type' => 'single', |
| 1938 | 'pick_format_single' => 'radio', |
| 1939 | 'data' => [ |
| 1940 | '1' => $did_init ? __( 'Enable access-related restricted messages for forms/content displayed (instead of the form/content output)', 'pods' ) : '', |
| 1941 | '0' => $did_init ? __( 'Disable access-related restricted messages for forms/content displayed (the form/content output will be blank)', 'pods' ) : '', |
| 1942 | ], |
| 1943 | 'site_health_data' => [ |
| 1944 | '1' => $did_init ? __( 'Enable', 'pods' ) : '', |
| 1945 | '0' => $did_init ? __( 'Disable', 'pods' ) : '', |
| 1946 | ], |
| 1947 | 'site_health_include_in_info' => true, |
| 1948 | 'depends-on' => [ 'dynamic_features_allow' => '1' ], |
| 1949 | ]; |
| 1950 | |
| 1951 | $fields['show_access_admin_notices'] = [ |
| 1952 | 'name' => 'show_access_admin_notices', |
| 1953 | 'label' => $did_init ? __( 'Access-related Admin Notices', 'pods' ) : '', |
| 1954 | 'help' => [ |
| 1955 | $did_init ? __( 'Access-related Admin Notices will only show to admins and will appear above content/forms that may not be entirely public.', 'pods' ) : '', |
| 1956 | 'https://docs.pods.io/displaying-pods/access-rights-in-pods/', |
| 1957 | ], |
| 1958 | 'type' => 'pick', |
| 1959 | 'default' => '1', |
| 1960 | 'pick_format_type' => 'single', |
| 1961 | 'pick_format_single' => 'radio', |
| 1962 | 'data' => [ |
| 1963 | '1' => $did_init ? __( 'Enable access-related admin notices above forms/content displayed', 'pods' ) : '', |
| 1964 | '0' => $did_init ? __( 'Disable access-related admin notices above forms/content displayed', 'pods' ) : '', |
| 1965 | ], |
| 1966 | 'site_health_data' => [ |
| 1967 | '1' => $did_init ? __( 'Enable', 'pods' ) : '', |
| 1968 | '0' => $did_init ? __( 'Disable', 'pods' ) : '', |
| 1969 | ], |
| 1970 | 'site_health_include_in_info' => true, |
| 1971 | 'depends-on' => [ 'dynamic_features_allow' => '1' ], |
| 1972 | ]; |
| 1973 | |
| 1974 | $fields['dynamic_features_allow_sql_clauses'] = [ |
| 1975 | 'name' => 'dynamic_features_allow_sql_clauses', |
| 1976 | 'label' => $did_init ? __( 'Allow SQL clauses to be used in Dynamic Features', 'pods' ) : '', |
| 1977 | 'description' => $did_init ? __( 'SQL clauses in general should only be enabled for sites with trusted users. Since WordPress allows anyone to enter any shortcode or block in the editor, any person with the Contributor role or higher could have access to use this.', 'pods' ) : '', |
| 1978 | 'type' => 'pick', |
| 1979 | 'default' => version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? 'simple' : '0', |
| 1980 | 'pick_format_type' => 'single', |
| 1981 | 'pick_format_single' => 'radio', |
| 1982 | 'data' => [ |
| 1983 | 'all' => $did_init ? __( 'Unrestricted - Enable ALL SQL clause usage through dynamic features (only use this if you trust ALL users who have access to create content)', 'pods' ) : '', |
| 1984 | 'simple' => $did_init ? __( 'Restricted - Enable Simple SQL clause usage (only SELECT, WHERE, and ORDER BY) through dynamic features (only use this if you trust ALL users who have access to create content)', 'pods' ) : '', |
| 1985 | '0' => $did_init ? __( 'Disable SQL clause usage through dynamic features', 'pods' ) : '', |
| 1986 | ], |
| 1987 | 'site_health_data' => [ |
| 1988 | 'all' => $did_init ? __( 'Unrestricted', 'pods' ) : '', |
| 1989 | 'simple' => $did_init ? __( 'Restricted', 'pods' ) : '', |
| 1990 | '0' => $did_init ? __( 'Disable', 'pods' ) : '', |
| 1991 | ], |
| 1992 | 'depends-on' => [ |
| 1993 | 'dynamic_features_allow' => '1', |
| 1994 | ], |
| 1995 | 'depends-on-multi' => [ |
| 1996 | 'dynamic_features_enabled' => 'display', |
| 1997 | ], |
| 1998 | 'site_health_include_in_info' => true, |
| 1999 | ]; |
| 2000 | |
| 2001 | $fields['display_callbacks'] = [ |
| 2002 | 'name' => 'display_callbacks', |
| 2003 | 'label' => $did_init ? __( 'Display callbacks', 'pods' ) : '', |
| 2004 | 'description' => $did_init ? __( 'Callbacks can be used when using Pods Templating syntax like {@my_field,my_callback} in your magic tags.', 'pods' ) : '', |
| 2005 | 'type' => 'pick', |
| 2006 | 'default' => version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? 'restricted' : 'customized', |
| 2007 | 'pick_format_type' => 'single', |
| 2008 | 'pick_format_single' => 'radio', |
| 2009 | 'data' => [ |
| 2010 | 'restricted' => $did_init ? __( 'Restricted - Certain system PHP functions are disallowed from being used for security reasons.', 'pods' ) : '', |
| 2011 | 'customized' => $did_init ? __( 'Customized - Only allow a list of specific PHP function callbacks.', 'pods' ) : '', |
| 2012 | '0' => $did_init ? __( 'Disable display callbacks', 'pods' ) : '', |
| 2013 | ], |
| 2014 | 'site_health_data' => [ |
| 2015 | 'restricted' => $did_init ? __( 'Restricted', 'pods' ) : '', |
| 2016 | 'customized' => $did_init ? __( 'Customized', 'pods' ) : '', |
| 2017 | '0' => $did_init ? __( 'Disable', 'pods' ) : '', |
| 2018 | ], |
| 2019 | 'depends-on' => [ |
| 2020 | 'dynamic_features_allow' => '1', |
| 2021 | ], |
| 2022 | 'depends-on-multi' => [ |
| 2023 | 'dynamic_features_enabled' => 'display', |
| 2024 | ], |
| 2025 | 'site_health_include_in_info' => true, |
| 2026 | ]; |
| 2027 | |
| 2028 | $fields['display_callbacks_allowed'] = [ |
| 2029 | 'name' => 'display_callbacks_allowed', |
| 2030 | 'label' => $did_init ? __( 'Display callbacks allowed', 'pods' ) : '', |
| 2031 | 'description' => $did_init ? __( 'Please provide a comma-separated list of PHP function names to allow in callbacks.', 'pods' ) : '', |
| 2032 | 'type' => 'text', |
| 2033 | 'default' => 'esc_attr,esc_html', |
| 2034 | 'depends-on' => [ |
| 2035 | 'dynamic_features_allow' => '1', |
| 2036 | 'display_callbacks' => 'customized', |
| 2037 | ], |
| 2038 | 'depends-on-multi' => [ |
| 2039 | 'dynamic_features_enabled' => 'display', |
| 2040 | ], |
| 2041 | 'site_health_include_in_info' => true, |
| 2042 | ]; |
| 2043 | |
| 2044 | return $fields; |
| 2045 | } |
| 2046 | |
| 2047 | /** |
| 2048 | * Get the bleep placeholder text. |
| 2049 | * |
| 2050 | * @since 3.1.0 |
| 2051 | * |
| 2052 | * @return string The bleep placeholder text. |
| 2053 | */ |
| 2054 | function pods_access_bleep_placeholder(): string { |
| 2055 | return '****************'; |
| 2056 | } |
| 2057 | |
| 2058 | /** |
| 2059 | * Process the value and bleep it if it needs to be. |
| 2060 | * |
| 2061 | * @since 3.1.0 |
| 2062 | * |
| 2063 | * @param string|mixed $value The value to be bleeped. |
| 2064 | * |
| 2065 | * @return string|mixed The bleeped text if not empty, otherwise the value as it was. |
| 2066 | */ |
| 2067 | function pods_access_bleep_text( $value ) { |
| 2068 | $bleep_text = pods_access_bleep_placeholder(); |
| 2069 | |
| 2070 | if ( 0 < strlen( (string) $value ) ) { |
| 2071 | $value = $bleep_text; |
| 2072 | } |
| 2073 | |
| 2074 | return $value; |
| 2075 | } |
| 2076 | |
| 2077 | /** |
| 2078 | * Process the data and bleep anything that needs to be. |
| 2079 | * |
| 2080 | * @since 3.1.0 |
| 2081 | * |
| 2082 | * @param array|object $data The data to be bleeped. |
| 2083 | * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. |
| 2084 | * |
| 2085 | * @return array|object The bleeped data. |
| 2086 | */ |
| 2087 | function pods_access_bleep_data( $data, array $additional_bleep_properties = [] ) { |
| 2088 | $bleep_properties = [ |
| 2089 | 'user_pass', |
| 2090 | 'user_activation_key', |
| 2091 | 'post_password', |
| 2092 | ]; |
| 2093 | |
| 2094 | /** |
| 2095 | * Allow filtering the additional properties to be bleeped from objects and arrays. |
| 2096 | * |
| 2097 | * @since 3.1.0 |
| 2098 | * |
| 2099 | * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. |
| 2100 | * @param array|object $data The data to be bleeped. |
| 2101 | */ |
| 2102 | $additional_bleep_properties = apply_filters( 'pods_access_bleep_properties', $additional_bleep_properties, $data ); |
| 2103 | |
| 2104 | $bleep_properties = array_merge( $bleep_properties, $additional_bleep_properties ); |
| 2105 | |
| 2106 | $bleep_text = pods_access_bleep_placeholder(); |
| 2107 | |
| 2108 | if ( is_object( $data ) ) { |
| 2109 | foreach ( $bleep_properties as $bleep_property ) { |
| 2110 | if ( isset( $data->{$bleep_property} ) ) { |
| 2111 | $data->{$bleep_property} = 0 < strlen( (string) $data->{$bleep_property} ) ? $bleep_text : ''; |
| 2112 | } |
| 2113 | } |
| 2114 | } elseif ( is_array( $data ) ) { |
| 2115 | foreach ( $bleep_properties as $bleep_property ) { |
| 2116 | if ( isset( $data[ $bleep_property ] ) ) { |
| 2117 | $data[ $bleep_property ] = 0 < strlen( (string) $data[ $bleep_property ] ) ? $bleep_text : ''; |
| 2118 | } |
| 2119 | } |
| 2120 | } |
| 2121 | |
| 2122 | return $data; |
| 2123 | } |
| 2124 | |
| 2125 | /** |
| 2126 | * Process the data and bleep anything that needs to be. |
| 2127 | * |
| 2128 | * @since 3.1.0 |
| 2129 | * |
| 2130 | * @param array $items The items to be bleeped. |
| 2131 | * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. |
| 2132 | * |
| 2133 | * @return array|object The bleeped data. |
| 2134 | */ |
| 2135 | function pods_access_bleep_items( array $items, array $additional_bleep_properties = [] ) { |
| 2136 | // Call the pods_access_bleep_data() function for all items in the $items array. |
| 2137 | return array_map( |
| 2138 | static function ( $item ) use ( $additional_bleep_properties ) { |
| 2139 | return pods_access_bleep_data( $item, $additional_bleep_properties ); |
| 2140 | }, |
| 2141 | $items |
| 2142 | ); |
| 2143 | } |
| 2144 | |
| 2145 | /** |
| 2146 | * Determine whether the SQL fragment is allowed to be used. |
| 2147 | * |
| 2148 | * @since 3.1.0 |
| 2149 | * |
| 2150 | * @param string $sql The SQL fragment to check. |
| 2151 | * @param string $context The SQL fragment context. |
| 2152 | * @param array $args { |
| 2153 | * The arguments to use. |
| 2154 | * |
| 2155 | * @type string|null $object_type The object type. |
| 2156 | * @type string|null $object_name The object name. |
| 2157 | * @type int|string|null $item_id The item ID. |
| 2158 | * @type Pods|null $pods The Pods object. |
| 2159 | * @type Pod|null $pod The Pod object. |
| 2160 | * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). |
| 2161 | * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). |
| 2162 | * } |
| 2163 | * |
| 2164 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2165 | */ |
| 2166 | function pods_access_sql_fragment_is_allowed( string $sql, string $context, array $args = [] ): bool { |
| 2167 | $context = strtoupper( $context ); |
| 2168 | |
| 2169 | $info = pods_info_from_args( $args ); |
| 2170 | |
| 2171 | /** |
| 2172 | * Allows filtering whether the SQL fragment is allowed to be used. |
| 2173 | * |
| 2174 | * @since 3.1.0 |
| 2175 | * |
| 2176 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2177 | * @param string $sql The SQL fragment to check. |
| 2178 | * @param string $context The SQL fragment context. |
| 2179 | * @param array $info Pod information. |
| 2180 | */ |
| 2181 | return (bool) apply_filters( 'pods_access_sql_fragment_is_allowed', true, $sql, $context, $info ); |
| 2182 | } |
| 2183 | |
| 2184 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_mismatch_parenthesis', 10, 2 ); |
| 2185 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_unsafe_functions', 10, 2 ); |
| 2186 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_unsafe_tables', 10, 2 ); |
| 2187 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_double_hyphens', 10, 2 ); |
| 2188 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_subqueries', 10, 2 ); |
| 2189 | add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_post_status', 10, 4 ); |
| 2190 | |
| 2191 | /** |
| 2192 | * Disallow mismatched parenthesis from being used in SQL fragments. |
| 2193 | * |
| 2194 | * @since 3.1.0 |
| 2195 | * |
| 2196 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2197 | * @param string $sql The SQL fragment to check. |
| 2198 | * |
| 2199 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2200 | */ |
| 2201 | function pods_access_sql_fragment_disallow_mismatch_parenthesis( bool $allowed, string $sql ): bool { |
| 2202 | return ( |
| 2203 | $allowed |
| 2204 | && substr_count( $sql, '(' ) === substr_count( $sql, ')' ) |
| 2205 | ); |
| 2206 | } |
| 2207 | |
| 2208 | /** |
| 2209 | * Disallow unsafe functions from being used in SQL fragments. |
| 2210 | * |
| 2211 | * @since 3.1.0 |
| 2212 | * |
| 2213 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2214 | * @param string $sql The SQL fragment to check. |
| 2215 | * |
| 2216 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2217 | */ |
| 2218 | function pods_access_sql_fragment_disallow_unsafe_functions( bool $allowed, string $sql ): bool { |
| 2219 | if ( ! $allowed ) { |
| 2220 | return $allowed; |
| 2221 | } |
| 2222 | |
| 2223 | $unsafe_functions = [ |
| 2224 | 'USER', |
| 2225 | 'DATABASE', |
| 2226 | 'VERSION', |
| 2227 | 'FROM_BASE64', |
| 2228 | 'TO_BASE64', |
| 2229 | 'SLEEP', |
| 2230 | 'WAIT_FOR_EXECUTED_GTID_SET', |
| 2231 | 'WAIT_UNTIL_SQL_THREAD_AFTER_GTIDS', |
| 2232 | 'MASTER_POS_WAIT', |
| 2233 | 'SOURCE_POS_WAIT', |
| 2234 | 'LOAD_FILE', |
| 2235 | ]; |
| 2236 | |
| 2237 | /** |
| 2238 | * Allow filtering the list of unsafe functions to disallow. |
| 2239 | * |
| 2240 | * @since 3.1.0 |
| 2241 | * |
| 2242 | * @param array $unsafe_functions The list of unsafe functions to disallow. |
| 2243 | * @param string $sql The SQL fragment to check. |
| 2244 | */ |
| 2245 | $unsafe_functions = (array) apply_filters( 'pods_access_sql_fragment_disallow_unsafe_functions', $unsafe_functions, $sql ); |
| 2246 | |
| 2247 | $unsafe_functions = array_filter( $unsafe_functions ); |
| 2248 | |
| 2249 | foreach ( $unsafe_functions as $unsafe_function ) { |
| 2250 | if ( 1 === (int) preg_match( '/\s*' . preg_quote( $unsafe_function, '/' ) . '\s*\(/i', $sql ) ) { |
| 2251 | return false; |
| 2252 | } |
| 2253 | } |
| 2254 | |
| 2255 | return $allowed; |
| 2256 | } |
| 2257 | |
| 2258 | /** |
| 2259 | * Disallow unsafe tables from being used in SQL fragments. |
| 2260 | * |
| 2261 | * @since 3.1.0 |
| 2262 | * |
| 2263 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2264 | * @param string $sql The SQL fragment to check. |
| 2265 | * |
| 2266 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2267 | */ |
| 2268 | function pods_access_sql_fragment_disallow_unsafe_tables( bool $allowed, string $sql ): bool { |
| 2269 | if ( ! $allowed ) { |
| 2270 | return $allowed; |
| 2271 | } |
| 2272 | |
| 2273 | $unsafe_tables = [ |
| 2274 | 'mysql.', |
| 2275 | 'information_schema.', |
| 2276 | 'performance_schema.', |
| 2277 | 'sys.', |
| 2278 | ]; |
| 2279 | |
| 2280 | /** |
| 2281 | * Allow filtering the list of unsafe tables to disallow. |
| 2282 | * |
| 2283 | * @since 3.1.0 |
| 2284 | * |
| 2285 | * @param array $unsafe_tables The list of unsafe tables to disallow. |
| 2286 | * @param string $sql The SQL fragment to check. |
| 2287 | */ |
| 2288 | $unsafe_tables = (array) apply_filters( 'pods_access_sql_fragment_disallow_unsafe_tables', $unsafe_tables, $sql ); |
| 2289 | |
| 2290 | $unsafe_tables = array_filter( $unsafe_tables ); |
| 2291 | |
| 2292 | foreach ( $unsafe_tables as $unsafe_table ) { |
| 2293 | if ( 1 === (int) preg_match( '/\s*' . preg_quote( $unsafe_table, '/' ) . '/i', $sql ) ) { |
| 2294 | return false; |
| 2295 | } |
| 2296 | } |
| 2297 | |
| 2298 | return $allowed; |
| 2299 | } |
| 2300 | |
| 2301 | /** |
| 2302 | * Disallow double hyphens from being used in SQL fragments. |
| 2303 | * |
| 2304 | * @since 3.1.0 |
| 2305 | * |
| 2306 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2307 | * @param string $sql The SQL fragment to check. |
| 2308 | * |
| 2309 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2310 | */ |
| 2311 | function pods_access_sql_fragment_disallow_double_hyphens( bool $allowed, string $sql ): bool { |
| 2312 | return ( |
| 2313 | $allowed |
| 2314 | && false === strpos( $sql, '--' ) |
| 2315 | ); |
| 2316 | } |
| 2317 | |
| 2318 | /** |
| 2319 | * Disallow subqueries from being used in SQL fragments. |
| 2320 | * |
| 2321 | * @since 3.1.0 |
| 2322 | * |
| 2323 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2324 | * @param string $sql The SQL fragment to check. |
| 2325 | * |
| 2326 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2327 | */ |
| 2328 | function pods_access_sql_fragment_disallow_subqueries( bool $allowed, string $sql ): bool { |
| 2329 | return ( |
| 2330 | $allowed |
| 2331 | && 0 === (int) preg_match( '/\s*SELECT(\s|\()+/i', $sql ) |
| 2332 | ); |
| 2333 | } |
| 2334 | |
| 2335 | /** |
| 2336 | * Disallow post_status from being used in the WHERE/HAVING SQL fragment unless they have admin access. |
| 2337 | * |
| 2338 | * @since 3.1.0 |
| 2339 | * |
| 2340 | * @param bool $allowed Whether the SQL fragment is allowed to be used. |
| 2341 | * @param string $sql The SQL fragment to check. |
| 2342 | * @param string $context The SQL fragment context. |
| 2343 | * @param array $info Pod information. |
| 2344 | * |
| 2345 | * @return bool Whether the SQL fragment is allowed to be used. |
| 2346 | */ |
| 2347 | function pods_access_sql_fragment_disallow_post_status( bool $allowed, string $sql, string $context, array $info ): bool { |
| 2348 | if ( 'WHERE' !== $context && 'HAVING' !== $context ) { |
| 2349 | return $allowed; |
| 2350 | } |
| 2351 | |
| 2352 | return ( |
| 2353 | $allowed |
| 2354 | && ( |
| 2355 | false === stripos( $sql, 'post_status' ) |
| 2356 | || pods_is_admin( 'edit_posts' ) |
| 2357 | ) |
| 2358 | ); |
| 2359 | } |
| 2360 | |
| 2361 | /** |
| 2362 | * Safely unserialize data if it's PHP serialized. |
| 2363 | * |
| 2364 | * @since 3.1.0 |
| 2365 | * |
| 2366 | * @param string|mixed $data The data to unserialize. |
| 2367 | * |
| 2368 | * @return array|string|mixed The unserialized data if it was PHP serialized, otherwise the data as it was. |
| 2369 | */ |
| 2370 | function pods_maybe_safely_unserialize( $data ) { |
| 2371 | // The $options parameter of unserialize() requires PHP 7.0+. |
| 2372 | if ( version_compare( PHP_VERSION, '7.0', '<' ) ) { |
| 2373 | // Fall back to normal WP function. |
| 2374 | return maybe_unserialize( $data ); |
| 2375 | } |
| 2376 | |
| 2377 | // Check if the data is serialized. |
| 2378 | if ( is_serialized( $data ) ) { |
| 2379 | $data = trim( $data ); |
| 2380 | |
| 2381 | // Unserialize the data but exclude classes. |
| 2382 | return @unserialize( $data, [ 'allowed_classes' => false ] ); |
| 2383 | } |
| 2384 | |
| 2385 | return $data; |
| 2386 | } |
| 2387 |