| 1 | <?php |
| 2 | /** |
| 3 | * WooCommerce Admin API Keys Class |
| 4 | * |
| 5 | * @package WooCommerce\Admin |
| 6 | * @version 2.4.0 |
| 7 | */ |
| 8 | |
// Abort when loaded outside WordPress: ABSPATH is only defined by the WP bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
| 10 | |
| 11 | /** |
| 12 | * WC_Admin_API_Keys. |
| 13 | */ |
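class WC_Admin_API_Keys {

	/**
	 * Initialize the API Keys admin actions.
	 *
	 * Hooks the revoke/bulk handlers into `admin_init`, the per-page screen
	 * option into the settings page init, and the save-settings filter for the
	 * Advanced > REST API section.
	 */
	public function __construct() {
		add_action( 'admin_init', array( $this, 'actions' ) );
		add_action( 'woocommerce_settings_page_init', array( $this, 'screen_option' ) );
		add_filter( 'woocommerce_save_settings_advanced_keys', array( $this, 'allow_save_settings' ) );
	}

	/**
	 * Check if should allow save settings.
	 * This prevents "Your settings have been saved." notices on the table list.
	 *
	 * NOTE(review): isset() with two arguments is true only when BOTH query
	 * parameters are present, so as written this returns false on the create
	 * and edit screens as well. The description above suggests the intent was
	 * "neither parameter is set"; behaviour is intentionally left unchanged
	 * here — confirm against the settings save flow before altering it.
	 *
	 * @param bool $allow If allow save settings.
	 * @return bool
	 */
	public function allow_save_settings( $allow ) {
		if ( ! isset( $_GET['create-key'], $_GET['edit-key'] ) ) { // WPCS: input var okay, CSRF ok.
			return false;
		}

		return $allow;
	}

	/**
	 * Check if is API Keys settings page.
	 *
	 * Only strict comparisons against fixed literals are made; the raw query
	 * values are neither echoed nor stored.
	 *
	 * @return bool
	 */
	private function is_api_keys_settings_page() {
		return isset( $_GET['page'], $_GET['tab'], $_GET['section'] ) && 'wc-settings' === $_GET['page'] && 'advanced' === $_GET['tab'] && 'keys' === $_GET['section']; // WPCS: input var okay, CSRF ok.
	}

	/**
	 * Page output.
	 *
	 * Renders either the create/edit form (when `create-key` or `edit-key` is
	 * in the query string) or the keys table list.
	 */
	public static function page_output() {
		// Hide the settings save button on both the edit screen and the table list.
		$GLOBALS['hide_save_button'] = true;

		if ( isset( $_GET['create-key'] ) || isset( $_GET['edit-key'] ) ) { // WPCS: input var okay, CSRF ok.
			$key_id   = isset( $_GET['edit-key'] ) ? absint( $_GET['edit-key'] ) : 0; // WPCS: input var okay, CSRF ok.
			$key_data = self::get_key_data( $key_id );
			$user_id  = (int) $key_data['user_id'];

			// Editing an existing key requires `edit_user` on its owner, unless the
			// current user owns the key. An unknown key id yields empty data
			// (user_id 0), so the check is skipped and the form renders blank.
			if ( $key_id && $user_id && ! current_user_can( 'edit_user', $user_id ) && get_current_user_id() !== $user_id ) {
				wp_die( esc_html__( 'You do not have permission to edit this API Key', 'woocommerce' ) );
			}

			// Fixed path relative to this file; nothing user-controlled is included.
			include dirname( __FILE__ ) . '/settings/views/html-keys-edit.php';
		} else {
			self::table_list_output();
		}
	}

	/**
	 * Add screen option.
	 *
	 * Instantiates the list table and registers the per-page option, but only
	 * on the table list view (not on the create/edit screen).
	 */
	public function screen_option() {
		global $keys_table_list;

		if ( ! isset( $_GET['create-key'] ) && ! isset( $_GET['edit-key'] ) && $this->is_api_keys_settings_page() ) { // WPCS: input var okay, CSRF ok.
			$keys_table_list = new WC_Admin_API_Keys_Table_List();

			// Add screen option.
			add_screen_option(
				'per_page',
				array(
					'default' => 10,
					'option'  => 'woocommerce_keys_per_page',
				)
			);
		}
	}

	/**
	 * Table list output.
	 *
	 * Prints the section header with an "Add key" link, then either the list
	 * table (when at least one key exists) or a blank-state call to action.
	 */
	private static function table_list_output() {
		global $wpdb, $keys_table_list;

		$create_key_url = admin_url( 'admin.php?page=wc-settings&tab=advanced&section=keys&create-key=1' );

		echo '<h2 class="wc-table-list-header">' . esc_html__( 'REST API', 'woocommerce' ) . ' <a href="' . esc_url( $create_key_url ) . '" class="page-title-action">' . esc_html__( 'Add key', 'woocommerce' ) . '</a></h2>';

		// Get the API keys count. The table name comes from the trusted $wpdb prefix; no user input is interpolated.
		$count = absint( $wpdb->get_var( "SELECT COUNT(key_id) FROM {$wpdb->prefix}woocommerce_api_keys" ) );

		if ( $count > 0 ) {
			$keys_table_list->prepare_items();

			// Keep the list table's search/filter form on this settings section.
			echo '<input type="hidden" name="page" value="wc-settings" />';
			echo '<input type="hidden" name="tab" value="advanced" />';
			echo '<input type="hidden" name="section" value="keys" />';

			$keys_table_list->views();
			$keys_table_list->search_box( __( 'Search key', 'woocommerce' ), 'key' );
			$keys_table_list->display();
		} else {
			echo '<div class="woocommerce-BlankState woocommerce-BlankState--api">';
			?>
			<h2 class="woocommerce-BlankState-message"><?php esc_html_e( 'The WooCommerce REST API allows external apps to view and manage store data. Access is granted only to those with valid API keys.', 'woocommerce' ); ?></h2>
			<a class="woocommerce-BlankState-cta button-primary button" href="<?php echo esc_url( $create_key_url ); ?>"><?php esc_html_e( 'Create an API key', 'woocommerce' ); ?></a>
			<style type="text/css">#posts-filter .wp-list-table, #posts-filter .tablenav.top, .tablenav.bottom .actions { display: none; }</style>
			<?php
		}
	}

	/**
	 * Get key data.
	 *
	 * @param int $key_id API Key ID. Zero means "new key".
	 * @return array Row with key_id, user_id, description, permissions,
	 *               truncated_key and last_access; an empty-value row when
	 *               $key_id is 0 or no matching key exists.
	 */
	private static function get_key_data( $key_id ) {
		global $wpdb;

		$empty = array(
			'key_id'        => 0,
			'user_id'       => '',
			'description'   => '',
			'permissions'   => '',
			'truncated_key' => '',
			'last_access'   => '',
		);

		if ( 0 === $key_id ) {
			return $empty;
		}

		// Parameterised via $wpdb->prepare(); the id is bound as an integer.
		$key = $wpdb->get_row(
			$wpdb->prepare(
				"SELECT key_id, user_id, description, permissions, truncated_key, last_access
				FROM {$wpdb->prefix}woocommerce_api_keys
				WHERE key_id = %d",
				$key_id
			),
			ARRAY_A
		);

		if ( null === $key ) {
			return $empty;
		}

		return $key;
	}

	/**
	 * API Keys admin actions.
	 *
	 * Runs on `admin_init`; dispatches single-key revocation and bulk actions
	 * when the request targets the API Keys settings section.
	 */
	public function actions() {
		if ( $this->is_api_keys_settings_page() ) {
			// Revoke key.
			if ( isset( $_REQUEST['revoke-key'] ) ) { // WPCS: input var okay, CSRF ok.
				$this->revoke_key();
			}

			// Bulk actions.
			if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['key'] ) ) { // WPCS: input var okay, CSRF ok.
				$this->bulk_actions();
			}
		}
	}

	/**
	 * Notices.
	 *
	 * Shows the "N API keys permanently revoked" message after a redirect
	 * that carries the `revoked` count.
	 */
	public static function notices() {
		if ( isset( $_GET['revoked'] ) ) { // WPCS: input var okay, CSRF ok.
			$revoked = absint( $_GET['revoked'] ); // WPCS: input var okay, CSRF ok.

			/* translators: %d: count */
			WC_Admin_Settings::add_message( sprintf( _n( '%d API key permanently revoked.', '%d API keys permanently revoked.', $revoked, 'woocommerce' ), $revoked ) );
		}
	}

	/**
	 * Revoke key.
	 *
	 * Verifies the `revoke` nonce, requires `manage_woocommerce` (matching
	 * bulk_actions()), and then deletes the key when the current user either
	 * owns it or may edit its owner. Always ends in a redirect.
	 */
	private function revoke_key() {
		global $wpdb;

		check_admin_referer( 'revoke' );

		// Same capability gate as bulk_actions(): this handler runs on admin_init,
		// so it must not rely on the page-level menu capability check.
		if ( ! current_user_can( 'manage_woocommerce' ) ) {
			wp_die( esc_html__( 'You do not have permission to revoke this API Key', 'woocommerce' ) );
		}

		if ( isset( $_REQUEST['revoke-key'] ) ) { // WPCS: input var okay, CSRF ok.
			$key_id  = absint( $_REQUEST['revoke-key'] ); // WPCS: input var okay, CSRF ok.
			$user_id = (int) $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM {$wpdb->prefix}woocommerce_api_keys WHERE key_id = %d", $key_id ) );

			// The owner may revoke their own key; anyone else needs edit_user on the owner.
			if ( $key_id && $user_id && ( current_user_can( 'edit_user', $user_id ) || get_current_user_id() === $user_id ) ) {
				$this->remove_key( $key_id );
			} else {
				wp_die( esc_html__( 'You do not have permission to revoke this API Key', 'woocommerce' ) );
			}
		}

		wp_safe_redirect( esc_url_raw( add_query_arg( array( 'revoked' => 1 ), admin_url( 'admin.php?page=wc-settings&tab=advanced&section=keys' ) ) ) );
		exit();
	}

	/**
	 * Bulk actions.
	 *
	 * Verifies the settings nonce and `manage_woocommerce`, then dispatches
	 * the requested bulk action over the submitted key ids.
	 */
	private function bulk_actions() {
		check_admin_referer( 'woocommerce-settings' );

		if ( ! current_user_can( 'manage_woocommerce' ) ) {
			wp_die( esc_html__( 'You do not have permission to edit API Keys', 'woocommerce' ) );
		}

		if ( isset( $_REQUEST['action'] ) ) { // WPCS: input var okay, CSRF ok.
			$action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) ); // WPCS: input var okay, CSRF ok.
			// Every submitted id is coerced to a non-negative integer before use.
			$keys = isset( $_REQUEST['key'] ) ? array_map( 'absint', (array) $_REQUEST['key'] ) : array(); // WPCS: input var okay, CSRF ok.

			if ( 'revoke' === $action ) {
				$this->bulk_revoke_key( $keys );
			}
		}
	}

	/**
	 * Bulk revoke key.
	 *
	 * Requires `remove_users`; deletes each key and redirects with the number
	 * of rows actually removed.
	 *
	 * @param array $keys API Keys.
	 */
	private function bulk_revoke_key( $keys ) {
		if ( ! current_user_can( 'remove_users' ) ) {
			wp_die( esc_html__( 'You do not have permission to revoke API Keys', 'woocommerce' ) );
		}

		$qty = 0;
		foreach ( $keys as $key_id ) {
			// Only count keys that were actually deleted (unknown ids delete nothing).
			if ( $this->remove_key( $key_id ) ) {
				$qty++;
			}
		}

		// Redirect to the API keys list with the revoked count for notices().
		wp_safe_redirect( esc_url_raw( add_query_arg( array( 'revoked' => $qty ), admin_url( 'admin.php?page=wc-settings&tab=advanced&section=keys' ) ) ) );
		exit();
	}

	/**
	 * Remove key.
	 *
	 * @param int $key_id API Key ID.
	 * @return bool True when a row was deleted; false on no match or DB error.
	 */
	private function remove_key( $key_id ) {
		global $wpdb;

		// $wpdb->delete() returns the affected row count or false; normalise to bool
		// so the return matches the documented contract.
		$delete = $wpdb->delete( $wpdb->prefix . 'woocommerce_api_keys', array( 'key_id' => $key_id ), array( '%d' ) );

		return (bool) $delete;
	}
}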
| 273 | |
// Instantiate on load so the constructor registers its admin hooks; the instance is not kept.
new WC_Admin_API_Keys();