<?php
use AdvancedAds\Entities;
/**
* Control Ad Authors.
*/
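class Advanced_Ads_Ad_Authors {
	/**
	 * Singleton instance of this class.
	 *
	 * @var Advanced_Ads_Ad_Authors
	 */
	private static $instance;

	/**
	 * Attach callbacks to hooks and filters.
	 */
	private function __construct() {
		add_filter( 'wp_dropdown_users_args', [ $this, 'filter_ad_authors' ] );
		add_action( 'pre_post_update', [ $this, 'sanitize_author_saving' ], 10, 2 );
		add_filter( 'map_meta_cap', [ $this, 'filter_editable_posts' ], 10, 4 );
	}

	/**
	 * Singleton.
	 *
	 * @return Advanced_Ads_Ad_Authors
	 */
	public static function get_instance() {
		if ( self::$instance === null ) {
			self::$instance = new self();
		}

		return self::$instance;
	}

	/**
	 * Ensure that users cannot assign ads to users with unfiltered_html if they don't have the capability themselves.
	 *
	 * Hooked to `wp_dropdown_users_args`. The restriction is only applied on the ad edit screen; any other screen,
	 * and any context without a current screen, gets the arguments back unchanged. The authorization checks in
	 * this class therefore do not go through this method but call restrict_author_query_args() directly, so that
	 * the screen being shown (or not) can never widen the set of allowed authors.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	public function filter_ad_authors( $query_args ) {
		// get_current_screen() is only defined inside wp-admin and may return null there before a screen is set.
		$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
		if ( $screen === null || $screen->post_type !== Entities::POST_TYPE_AD ) {
			return $query_args;
		}

		return $this->restrict_author_query_args( $query_args );
	}

	/**
	 * Restrict WP_User_Query args to the users the *current* user may assign an ad to.
	 *
	 * Independent of the admin screen, so it serves as the single source of truth for the dropdown,
	 * the save-time check and the capability filter.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function restrict_author_query_args( $query_args ) {
		if ( is_multisite() ) {
			return $this->multisite_filter_ad_authors( $query_args );
		}

		$current_user_has_unfiltered_html = current_user_can( 'unfiltered_html' );
		$user_roles_to_display            = array_filter(
			wp_roles()->role_objects,
			static function ( WP_Role $role ) use ( $current_user_has_unfiltered_html ) {
				if ( ! $role->has_cap( 'advanced_ads_edit_ads' ) ) {
					return false;
				}

				// A user without unfiltered_html must not hand the ad to a role that has it.
				return $current_user_has_unfiltered_html || ! $role->has_cap( 'unfiltered_html' );
			}
		);

		// NOTE(review): if no role qualifies this becomes an empty role__in, which WP_User_Query appears to
		// treat as "no role restriction" — confirm, as that would widen the query instead of emptying it.
		$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );

		return $query_args;
	}

	/**
	 * Ensure that users cannot assign ads to users who have more rights on multisite.
	 *
	 * @param array $query_args WP_User_Query args.
	 *
	 * @return array
	 */
	private function multisite_filter_ad_authors( $query_args ) {
		if ( is_super_admin() ) {
			return $query_args;
		}

		$options       = Advanced_Ads::get_instance()->options();
		$allowed_roles = isset( $options['allow-unfiltered-html'] ) ? (array) $options['allow-unfiltered-html'] : [];

		// If the current user's role may use unfiltered_html, return the default args.
		if ( ! empty( array_intersect( wp_get_current_user()->roles, $allowed_roles ) ) ) {
			return $query_args;
		}

		// If the current user can't use unfiltered_html, they must not be able to assign the ad to a user who can.
		$user_roles_to_display = array_filter(
			wp_roles()->role_objects,
			static function ( WP_Role $role ) use ( $allowed_roles ) {
				return ! in_array( $role->name, $allowed_roles, true ) && $role->has_cap( 'advanced_ads_edit_ads' );
			}
		);

		$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );

		// Exclude super admins from the author dropdown. get_user_by() returns false for a login without
		// a user account, so those entries are skipped instead of producing a null ID.
		$exclude = [];
		foreach ( get_super_admins() as $login ) {
			$user = get_user_by( 'login', $login );
			if ( $user instanceof WP_User ) {
				$exclude[] = (int) $user->ID;
			}
		}
		$query_args['exclude'] = $exclude;

		return $query_args;
	}

	/**
	 * IDs of the users the current user is allowed to assign an ad to.
	 *
	 * Runs a WP_User_Query with the restricted args; used by the save-time check and the capability filter.
	 *
	 * @return int[]
	 */
	private function get_allowed_author_ids() {
		$user_query = new WP_User_Query( $this->restrict_author_query_args( [ 'fields' => 'ID' ] ) );

		return array_map(
			static function ( $value ) {
				return (int) $value;
			},
			$user_query->get_results()
		);
	}

	/**
	 * Prevent users from editing the form data and assigning ads to users they're not allowed to.
	 * wp_die() if tampering is detected.
	 *
	 * Hooked to `pre_post_update`. The check is skipped when the post is not an ad, when the submitted author
	 * is the current user, or when the author is unchanged.
	 *
	 * @param int   $post_id The current post id.
	 * @param array $data    The post data to be saved; `post_author` is read from it.
	 *
	 * @return void
	 */
	public function sanitize_author_saving( $post_id, $data ) {
		$new_author = isset( $data['post_author'] ) ? (int) $data['post_author'] : 0;

		if (
			get_post_type( $post_id ) !== Entities::POST_TYPE_AD
			|| $new_author === get_current_user_id()
			|| $new_author === (int) get_post_field( 'post_author', $post_id )
		) {
			return;
		}

		// Deliberately not routed through the screen-dependent dropdown filter.
		if ( ! in_array( $new_author, $this->get_allowed_author_ids(), true ) ) {
			wp_die( esc_html__( 'Sorry, you\'re not allowed to assign this user.', 'advanced-ads' ) );
		}
	}

	/**
	 * Prevent users from editing posts of users with more rights than themselves.
	 *
	 * Hooked to `map_meta_cap`. Only `advanced_ads_edit_ads` checks that carry a post id are handled, and only
	 * for ads of type 'plain' (presumably the type that can contain unfiltered markup — confirm).
	 * Note that the allowed-author list is computed for the *current* user, not for `$user_id`.
	 *
	 * @param array  $caps    Needed capabilities.
	 * @param string $cap     Requested capability.
	 * @param int    $user_id The user_id for the cap check.
	 * @param array  $args    Arguments array for checking primitive capabilities; `$args[0]` is the post id.
	 *
	 * @return array
	 */
	public function filter_editable_posts( $caps, $cap, $user_id, $args ) {
		if ( $cap !== 'advanced_ads_edit_ads' || empty( $args ) ) {
			return $caps;
		}

		$post_id = (int) $args[0];
		if ( $post_id === 0 ) {
			return $caps;
		}

		$ad = \Advanced_Ads\Ad_Repository::get( $post_id );
		if ( ! $ad || $ad->type !== 'plain' ) {
			return $caps;
		}

		// Cast so the strict comparison below cannot fail on a numeric-string id.
		$user_id   = (int) $user_id;
		$author_id = (int) get_post_field( 'post_author', $post_id );
		$author    = get_userdata( $author_id );

		// A missing author, or one who may not edit this ad themselves, is treated as the checked user.
		// user_can() re-enters this filter for the author; that call takes the `$author_id === $user_id` path.
		if ( $author === false || ( $author_id !== $user_id && ! user_can( $author, $cap, $post_id ) ) ) {
			$author_id = $user_id;
		}

		// Cached for the request: the allowed list depends only on the current user, not on $user_id.
		static $allowed_author_ids;
		if ( $allowed_author_ids === null ) {
			$allowed_author_ids = $this->get_allowed_author_ids();
		}

		if ( ! in_array( $author_id, $allowed_author_ids, true ) ) {
			$caps[] = 'do_not_allow';
		}

		return $caps;
	}
}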