senaduka/old-experiments
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add hierarhical managment

Browse Source
This commit is contained in:
Almira Krdzic
2018-07-09 12:34:06 +02:00
parent 06982f22e5
commit 77cb549a3f
9320 changed files with 436076 additions and 4793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

677
backend/wordpress/wp-content/plugins/groups/legacy/access/class-groups-access-meta-boxes-legacy.php Normal file
View File

@@ -0,0 +1,677 @@
<?php
/**
* class-groups-access-meta-boxes-legacy.php
*
* Copyright (c) "kento" Karim Rahimpur www.itthinx.com
*
* This code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*
* This code is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This header and all notices must be kept intact.
*
* @author Karim Rahimpur
* @package groups
* @since groups 2.0.0
*/
if ( !defined( 'ABSPATH' ) ) {
exit;
}
require_once( GROUPS_LEGACY_LIB . '/access/class-groups-post-access-legacy.php' );
/**
* Adds meta boxes to edit screens.
*
* @link http://codex.wordpress.org/Function_Reference/add_meta_box
*/
class Groups_Access_Meta_Boxes_Legacy {
const NONCE = 'groups-meta-box-nonce-legacy';
const SET_CAPABILITY = 'set-capability';
const READ_ACCESS = 'read-access';
const CAPABILITY = 'capability';
const SHOW_GROUPS = 'access-meta-box-show-groups';
/**
* Sets up an init hook where actions and filters are added.
*/
public static function init() {
add_action( 'init', array( __CLASS__, 'wp_init' ) );
add_action( 'admin_init', array( __CLASS__,'admin_init' ) );
}
/**
* Hooks for capabilities meta box and saving options.
*/
public static function wp_init() {
if ( current_user_can( GROUPS_ACCESS_GROUPS ) ) {
require_once GROUPS_VIEWS_LIB . '/class-groups-uie.php';
add_action( 'add_meta_boxes', array( __CLASS__, 'add_meta_boxes' ), 10, 2 );
add_action( 'save_post', array( __CLASS__, 'save_post' ), 10, 2 );
add_filter( 'wp_insert_post_empty_content', array( __CLASS__, 'wp_insert_post_empty_content' ), 10, 2 );
add_filter( 'attachment_fields_to_edit', array( __CLASS__, 'attachment_fields_to_edit' ), 10, 2 );
add_filter( 'attachment_fields_to_save', array( __CLASS__, 'attachment_fields_to_save' ), 10, 2 );
}
}
/**
* Hooked on admin_init to register our action on admin_enqueue_scripts.
*/
public static function admin_init() {
add_action( 'admin_enqueue_scripts', array( __CLASS__, 'admin_enqueue_scripts' ) );
}
/**
* Hooked on admin_enqueue_scripts to timely enqueue resources required
* on the media upload / attachment popup.
*/
public static function admin_enqueue_scripts() {
global $pagenow;
if ( $pagenow == 'upload.php' ) {
Groups_UIE::enqueue( 'select' );
}
}
/**
* Triggered by init() to add capability meta box.
*/
public static function add_meta_boxes( $post_type, $post = null ) {
global $wp_version;
$post_type_object = get_post_type_object( $post_type );
if ( $post_type_object && $post_type != 'attachment' ) {
$post_types_option = Groups_Options::get_option( Groups_Post_Access_Legacy::POST_TYPES, array() );
if ( !isset( $post_types_option[$post_type]['add_meta_box'] ) || $post_types_option[$post_type]['add_meta_box'] ) {
if ( $wp_version < 3.3 ) {
$post_types = get_post_types();
foreach ( $post_types as $post_type ) {
add_meta_box(
'groups-access',
__( "Access restrictions", 'groups' ),
array( __CLASS__, 'capability' ),
$post_type,
'side',
'high'
);
}
} else {
add_meta_box(
'groups-access',
__( 'Access restrictions', 'groups' ),
array( __CLASS__, 'capability' ),
null,
'side',
'high'
);
}
Groups_UIE::enqueue( 'select' );
if ( current_user_can( GROUPS_ADMINISTER_GROUPS ) ) {
if ( $screen = get_current_screen() ) {
$screen->add_help_tab( array(
'id' => 'groups-access',
'title' => __( 'Access restrictions', 'groups' ),
'content' =>
'<p>' .
'<strong>' . __( 'Access restrictions', 'groups' ) . '</strong>' .
'</p>' .
'<p>' .
__( 'Use the <em>Access restrictions</em> box to limit the visibility of posts, pages and other post types.', 'groups' ) .
'</p>' .
'<p>' .
__( 'You can select one or more capabilities that are enabled for access restriction.', 'groups' ) .
' ' .
__( 'Note that you must be a member of a group that has such a capability assigned.', 'groups' ) .
'</p>' .
'<p>' .
'<strong>' . __( 'Example:', 'groups' ) . '</strong>' .
'</p>' .
__( 'Let\'s assume that you want to limit the visibility of a post to members of the <em>Premium</em> group.', 'groups' ) .
'<p>' .
'<strong>' . __( 'The quick way:', 'groups' ) . '</strong>' .
' ' .
__( 'Using the quick-create field', 'groups' ) .
'</p>' .
__( 'Enter <em>Premium</em> in the quick-create field located in the Access restrictions panel and save or update the post (or hit Enter).', 'groups' ) .
'<p>' .
'<p>' .
__( 'Using the quick-create field, you can create a new group and capability. The capability will be assigned to the group and enabled to enforce read access. Group names are case-sensitive, the name of the capability is the lower-case version of the name of the group. If the group already exists, a new capability is created and assigned to the existing group. If the capability already exists, it will be assigned to the group. If both already exist, the capability is enabled to enforce read access. In order to be able to use the capability, your user account will be assigned to the group.', 'groups' ) .
'</p>' .
'<em>' . __( 'The manual way:', 'groups' ) . '</em>' .
' ' .
__( 'Adding the group and capability manually and enabling it for access restriction', 'groups' ) .
'</p>' .
'<p>' .
__( 'Try the quick-create field first. Unless you need a more complex setup, there is no reason to go this way instead.', 'groups' ) .
'</p>' .
'<ol>' .
'<li>' . __( 'Go to <strong>Groups > Groups</strong> and add the <em>Premium</em> group.', 'groups' ) . '</li>' .
'<li>' . __( 'Go to <strong>Groups > Capabilities</strong> and add the <em>premium</em> capability.', 'groups' ) . '</li>' .
'<li>' . __( 'Go to <strong>Groups > Groups</strong> and assign the <em>premium</em> capability to the <em>Premium</em> group.', 'groups' ) . '</li>' .
'<li>' . __( 'Go to <strong>Groups > Options</strong> and enable the <em>premium</em> capability to restrict access.', 'groups' ) . '</li>' .
'<li>' . __( 'Become a member of the <em>Premium</em> group - this is required so you can choose the <em>premium</em> capability to restrict access to a post.', 'groups' ) . '</li>' .
'<li>' . __( 'Edit the post for which you want to restrict access and choose<sup>*</sup> the <em>premium</em> capability.', 'groups' ) . '</li>' .
'</ol>' .
'<p>' .
__( '<sup>*</sup> For each capability, the groups that have the capability assigned are shown within parenthesis. You can choose a capability by typing part of the group\'s or the capability\'s name.', 'groups' ) .
'</p>'
) );
}
}
}
}
}
/**
* Render meta box for capabilities.
*
* @see do_meta_boxes()
*
* @param Object $object
* @param Object $box
*/
public static function capability( $object = null, $box = null ) {
$output = '';
$show_groups = Groups_Options::get_user_option( self::SHOW_GROUPS, true );
$post_id = isset( $object->ID ) ? $object->ID : null;
$post_type = isset( $object->post_type ) ? $object->post_type : null;
$post_singular_name = __( 'Post', 'groups' );
if ( $post_type !== null ) {
$post_type_object = get_post_type_object( $post_type );
$labels = isset( $post_type_object->labels ) ? $post_type_object->labels : null;
if ( $labels !== null ) {
if ( isset( $labels->singular_name ) ) {
$post_singular_name = __( $labels->singular_name );
}
}
}
$output .= wp_nonce_field( self::SET_CAPABILITY, self::NONCE, true, false );
if ( self::user_can_restrict() ) {
$user = new Groups_User( get_current_user_id() );
$output .= __( 'Enforce read access', 'groups' );
$read_caps = get_post_meta( $post_id, Groups_Post_Access_Legacy::POSTMETA_PREFIX . Groups_Post_Access_Legacy::READ_POST_CAPABILITY );
$valid_read_caps = Groups_Options::get_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, array( Groups_Post_Access_Legacy::READ_POST_CAPABILITY ) );
$output .= '<div class="select-capability-container">';
$output .= sprintf(
'<select class="select capability" name="%s" multiple="multiple" placeholder="%s" data-placeholder="%s" title="%s">',
self::CAPABILITY . '[]',
__( 'Type and choose &hellip;', 'groups'),
__( 'Type and choose &hellip;', 'groups'),
__( 'Choose one or more capabilities to restrict access. Groups that grant access through the capabilities are shown in parenthesis. If no capabilities are available yet, you can use the quick-create box to create a group and capability enabled for access restriction on the fly.', 'groups' )
);
$output .= '<option value=""></option>';
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( $user->can( $capability->capability ) ) {
$c = new Groups_Capability( $capability->capability_id );
$groups = $c->groups;
$group_names = array();
if ( !empty( $groups ) ) {
foreach( $groups as $group ) {
$group_names[] = $group->name;
}
}
if ( count( $group_names ) > 0 ) {
$label_title = sprintf(
_n(
'Members of the %1$s group can access this %2$s through this capability.',
'Members of the %1$s groups can access this %2$s through this capability.',
count( $group_names ),
'groups'
),
wp_filter_nohtml_kses( implode( ',', $group_names ) ),
$post_singular_name
);
} else {
$label_title = __( 'No groups grant access through this capability. To grant access to group members using this capability, you should assign it to a group and enable the capability for access restriction.', 'groups' );
}
$selected = apply_filters(
'groups_access_restrictions_capability_selected',
in_array( $capability->capability, $read_caps ),
$capability->capability,
$capability->capability_id,
$read_caps,
$post_id,
$post_type
);
$output .= sprintf( '<option value="%s" %s>', esc_attr( $capability->capability_id ), $selected ? ' selected="selected" ': '' );
$output .= wp_filter_nohtml_kses( $capability->capability );
if ( $show_groups ) {
if ( count( $group_names ) > 0 ) {
$output .= ' ';
$output .= '(' . wp_filter_nohtml_kses( implode( ', ', $group_names ) ) . ')';
}
}
$output .= '</option>';
}
}
}
$output .= '</select>';
$output .= Groups_UIE::render_select( '.select.capability' );
$output .= '</div>';
$output .= '<p class="description">';
$output .= sprintf( __( "Only groups or users that have one of the selected capabilities are allowed to read this %s.", 'groups' ), $post_singular_name );
$output .= '</p>';
$output .= '<p class="description">';
$output .= sprintf( '<label title="%s">', __( 'Click to toggle the display of groups that grant the capabilities.', 'groups' ) );
$output .= sprintf( '<input id="access-show-groups" type="checkbox" name="%s" %s />', esc_attr( self::SHOW_GROUPS ), $show_groups ? ' checked="checked" ' : '' );
$output .= ' ';
$output .= __( 'Show groups', 'groups' );
$output .= '</label>';
$output .= '</p>';
$output .= '<script type="text/javascript">';
$output .= 'if (typeof jQuery !== "undefined"){';
$output .= !$show_groups ? 'jQuery("span.groups.description").hide();' : '';
$output .= 'jQuery("#access-show-groups").click(function(){';
$output .= 'jQuery("span.groups.description").toggle();';
$output .= '});';
$output .= '}';
$output .= '</script>';
} else {
$output .= '<p class="description">';
$output .= sprintf( __( 'You cannot set any access restrictions.', 'groups' ), $post_singular_name );
$style = 'cursor:help;vertical-align:middle;';
if ( current_user_can( GROUPS_ADMINISTER_OPTIONS ) ) {
$style = 'cursor:pointer;vertical-align:middle;';
$output .= sprintf( '<a href="%s">', esc_url( admin_url( 'admin.php?page=groups-admin-options' ) ) );
}
$output .= sprintf( '<img style="%s" alt="?" title="%s" src="%s" />', $style, esc_attr( __( 'You must be in a group that has at least one capability enabled to enforce read access.', 'groups' ) ), esc_attr( GROUPS_PLUGIN_URL . 'images/help.png' ) );
if ( current_user_can( GROUPS_ADMINISTER_OPTIONS ) ) {
$output .= '</a>';
}
$output .= '</p>';
}
// quick-create
if ( current_user_can( GROUPS_ADMINISTER_GROUPS ) ) {
$style = 'cursor:help;vertical-align:middle;';
$output .= '<div class="quick-create-group-capability" style="margin:4px 0">';
$output .= '<label>';
$output .= sprintf( '<input style="width:100%%;margin-right:-20px;" id="quick-group-capability" name="quick-group-capability" class="quick-group-capability" type="text" value="" placeholder="%s"/>', __( 'Quick-create group &amp; capability', 'groups' ) );
$output .= sprintf(
'<img id="quick-create-help-icon" style="%s" alt="?" title="%s" src="%s" />',
$style,
esc_attr( __( 'You can create a new group and capability here. The capability will be assigned to the group and enabled to enforce read access. Group names are case-sensitive, the name of the capability is the lower-case version of the name of the group. If the group already exists, a new capability is created and assigned to the existing group. If the capability already exists, it will be assigned to the group. If both already exist, the capability is enabled to enforce read access. In order to be able to use the capability, your user account will be assigned to the group.', 'groups' ) ),
esc_attr( GROUPS_PLUGIN_URL . 'images/help.png' )
);
$output .= '</label>';
$output .= '</div>';
$output .= '<script type="text/javascript">';
$output .= 'if (typeof jQuery !== "undefined"){';
$output .= 'jQuery("#quick-create-help-icon").click(function(){';
$output .= 'jQuery("#contextual-help-link").click();';
$output .= '});';
$output .= '}';
$output .= '</script>';
}
echo $output;
}
/**
* Invokes our save_post() if the post content is considered empty.
* This is required because even on an empty post, we want to allow to
* quick-create group and category as well as assign capabilities.
* At WordPress 3.6.1, this is the only way we can achieve that, because
* the save_post action is not invoked if the post content is considered
* empty.
*
* @param boolean $maybe_empty
* @param array $postarr
* @return boolean
*/
public static function wp_insert_post_empty_content( $maybe_empty, $postarr ) {
// Only consider invoking save_post() here, if the post content is
// considered to be empty at this stage. This is so we don't end up
// having save_post() invoked twice when the post is not empty.
if ( $maybe_empty ) {
$post_id = !empty( $postarr['ID'] ) ? $postarr['ID'] : !empty( $postarr['post_ID'] ) ? $postarr['post_ID'] : null;
if ( $post_id ) {
self::save_post( $post_id );
}
}
return $maybe_empty;
}
/**
* Save capability options.
*
* @param int $post_id
* @param mixed $post post data (not used here)
*/
public static function save_post( $post_id = null, $post = null ) {
if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) ) {
} else {
$post_type = get_post_type( $post_id );
$post_type_object = get_post_type_object( $post_type );
if ( $post_type_object && $post_type != 'attachment' ) {
$post_types_option = Groups_Options::get_option( Groups_Post_Access_Legacy::POST_TYPES, array() );
if ( !isset( $post_types_option[$post_type]['add_meta_box'] ) || $post_types_option[$post_type]['add_meta_box'] ) {
if ( isset( $_POST[self::NONCE] ) && wp_verify_nonce( $_POST[self::NONCE], self::SET_CAPABILITY ) ) {
$post_type = isset( $_POST['post_type'] ) ? $_POST['post_type'] : null;
if ( $post_type !== null ) {
// See http://codex.wordpress.org/Function_Reference/current_user_can 20130119 WP 3.5
// "... Some capability checks (like 'edit_post' or 'delete_page') require this [the post ID] be provided."
// If the post ID is not provided, it will throw:
// PHP Notice: Undefined offset: 0 in /var/www/groups-forums/wp-includes/capabilities.php on line 1067
$edit_post_type = 'edit_' . $post_type;
if ( $post_type_object = get_post_type_object( $post_type ) ) {
if ( !isset( $post_type_object->capabilities ) ) {
// get_post_type_capabilities() (WP 3.8) will throw a warning
// when trying to merge the missing property otherwise. It's either a
// bug or the function's documentation should make it clear that you
// have to provide that.
$post_type_object->capabilities = array();
}
$caps_object = get_post_type_capabilities( $post_type_object );
if ( isset( $caps_object->edit_post ) ) {
$edit_post_type = $caps_object->edit_post;
}
}
if ( current_user_can( $edit_post_type, $post_id ) ) {
// quick-create ?
if ( current_user_can( GROUPS_ADMINISTER_GROUPS ) ) {
if ( !empty( $_POST['quick-group-capability'] ) ) {
$creator_id = get_current_user_id();
$datetime = date( 'Y-m-d H:i:s', time() );
$name = ucfirst( strtolower( trim( $_POST['quick-group-capability'] ) ) );
if ( strlen( $name ) > 0 ) {
// create or obtain the group
if ( $group = Groups_Group::read_by_name( $name ) ) {
} else {
if ( $group_id = Groups_Group::create( compact( 'creator_id', 'datetime', 'name' ) ) ) {
$group = Groups_Group::read( $group_id );
}
}
// create or obtain the capability
$name = strtolower( $name );
if ( $capability = Groups_Capability::read_by_capability( $name ) ) {
} else {
if ( $capability_id = Groups_Capability::create( array( 'capability' => $name ) ) ) {
$capability = Groups_Capability::read( $capability_id );
}
}
if ( $group && $capability ) {
// add the capability to the group
if ( !Groups_Group_Capability::read( $group->group_id, $capability->capability_id ) ) {
Groups_Group_Capability::create(
array(
'group_id' => $group->group_id,
'capability_id' => $capability->capability_id
)
);
}
// enable the capability for access restriction
$valid_read_caps = Groups_Options::get_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, array( Groups_Post_Access_Legacy::READ_POST_CAPABILITY ) );
if ( !in_array( $capability->capability, $valid_read_caps ) ) {
$valid_read_caps[] = $capability->capability;
}
Groups_Options::update_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, $valid_read_caps );
// add the current user to the group
Groups_User_Group::create(
array(
'user_id' => get_current_user_id(),
'group_id' => $group->group_id
)
);
// put the capability ID in $_POST[self::CAPABILITY] so it is treated below
if ( empty( $_POST[self::CAPABILITY] ) ) {
$_POST[self::CAPABILITY] = array();
}
if ( !in_array( $capability->capability_id, $_POST[self::CAPABILITY] ) ) {
$_POST[self::CAPABILITY][] = $capability->capability_id;
}
}
}
}
}
// set
if ( self::user_can_restrict() ) {
$valid_read_caps = self::get_valid_read_caps_for_user();
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( !empty( $_POST[self::CAPABILITY] ) && is_array( $_POST[self::CAPABILITY] ) && in_array( $capability->capability_id, $_POST[self::CAPABILITY] ) ) {
Groups_Post_Access_Legacy::create( array(
'post_id' => $post_id,
'capability' => $capability->capability
) );
} else {
Groups_Post_Access_Legacy::delete( $post_id, $capability->capability );
}
}
}
}
// show groups
Groups_Options::update_user_option( self::SHOW_GROUPS, !empty( $_POST[self::SHOW_GROUPS] ) );
}
}
}
}
}
}
}
/**
* Enqueue scripts and styles.
*/
private static function enqueue() {
global $groups_version;
if ( !wp_script_is( 'selectize' ) ) {
wp_enqueue_script( 'selectize', GROUPS_PLUGIN_URL . 'js/selectize/selectize.min.js', array( 'jquery' ), $groups_version, false );
}
if ( !wp_style_is( 'selectize' ) ) {
wp_enqueue_style( 'selectize', GROUPS_PLUGIN_URL . 'css/selectize/selectize.bootstrap2.css', array(), $groups_version );
}
}
/**
* Render capabilities box for attachment post type (Media).
* @param array $form_fields
* @param object $post
* @return array
*/
public static function attachment_fields_to_edit( $form_fields, $post ) {
Groups_UIE::enqueue( 'select' );
$post_types_option = Groups_Options::get_option( Groups_Post_Access_Legacy::POST_TYPES, array() );
if ( !isset( $post_types_option['attachment']['add_meta_box'] ) || $post_types_option['attachment']['add_meta_box'] ) {
if ( self::user_can_restrict() ) {
$user = new Groups_User( get_current_user_id() );
$output = "";
$post_singular_name = __( 'Media', 'groups' );
$output .= __( "Enforce read access", 'groups' );
$read_caps = get_post_meta( $post->ID, Groups_Post_Access_Legacy::POSTMETA_PREFIX . Groups_Post_Access_Legacy::READ_POST_CAPABILITY );
$valid_read_caps = self::get_valid_read_caps_for_user();
// On attachments edited within the 'Insert Media' popup, the update is triggered too soon and we end up with only the last capability selected.
// This occurs when using normal checkboxes as well as the select below (Chosen and Selectize tested).
// With checkboxes it's even more confusing, it's actually better to have it using a select as below,
// because the visual feedback corresponds with what is assigned.
// See http://wordpress.org/support/topic/multiple-access-restrictions-for-media-items-are-not-saved-in-grid-view
// and https://core.trac.wordpress.org/ticket/28053 - this is an issue with multiple value fields and should
// be fixed within WordPress.
// $output .= '<div style="padding:0 1em;margin:1em 0;border:1px solid #ccc;border-radius:4px;">';
// $output .= '<ul>';
// foreach( $valid_read_caps as $valid_read_cap ) {
// if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
// $checked = in_array( $capability->capability, $read_caps ) ? ' checked="checked" ' : '';
// $output .= '<li>';
// $output .= '<label>';
// $output .= '<input name="attachments[' . $post->ID . '][' . self::CAPABILITY . '][]" ' . $checked . ' type="checkbox" value="' . esc_attr( $capability->capability_id ) . '" />';
// $output .= wp_filter_nohtml_kses( $capability->capability );
// $output .= '</label>';
// $output .= '</li>';
// }
// }
// $output .= '</ul>';
// $output .= '</div>';
$show_groups = Groups_Options::get_user_option( self::SHOW_GROUPS, true );
$output .= '<div class="select-capability-container">';
$select_id = 'attachments-' . $post->ID . '-' . self::CAPABILITY;
$output .= sprintf(
'<select id="%s" class="select capability" name="%s" multiple="multiple" data-placeholder="%s" title="%s">',
$select_id,
'attachments[' . $post->ID . '][' . self::CAPABILITY . '][]',
__( 'Type and choose &hellip;', 'groups'),
__( 'Choose one or more capabilities to restrict access. Groups that grant access through the capabilities are shown in parenthesis. If no capabilities are available yet, you can use the quick-create box to create a group and capability enabled for access restriction on the fly.', 'groups' )
);
$output .= '<option value=""></option>';
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( $user->can( $capability->capability ) ) {
$c = new Groups_Capability( $capability->capability_id );
$groups = $c->groups;
$group_names = array();
if ( !empty( $groups ) ) {
foreach( $groups as $group ) {
$group_names[] = $group->name;
}
}
if ( count( $group_names ) > 0 ) {
$label_title = sprintf(
_n(
'Members of the %1$s group can access this %2$s through this capability.',
'Members of the %1$s groups can access this %2$s through this capability.',
count( $group_names ),
'groups'
),
wp_filter_nohtml_kses( implode( ',', $group_names ) ),
$post_singular_name
);
} else {
$label_title = __( 'No groups grant access through this capability. To grant access to group members using this capability, you should assign it to a group and enable the capability for access restriction.', 'groups' );
}
$output .= sprintf( '<option value="%s" %s>', esc_attr( $capability->capability_id ), in_array( $capability->capability, $read_caps ) ? ' selected="selected" ' : '' );
$output .= wp_filter_nohtml_kses( $capability->capability );
if ( $show_groups ) {
if ( count( $group_names ) > 0 ) {
$output .= ' ';
$output .= '(' . wp_filter_nohtml_kses( implode( ', ', $group_names ) ) . ')';
}
}
$output .= '</option>';
}
}
}
$output .= '</select>';
$output .= Groups_UIE::render_select( '#'.$select_id );
$output .= '</div>';
$output .= '<p class="description">';
$output .= sprintf( __( "Only groups or users that have one of the selected capabilities are allowed to read this %s.", 'groups' ), $post_singular_name );
$output .= '</p>';
$form_fields['groups_access'] = array(
'label' => __( 'Access restrictions', 'groups' ),
'input' => 'html',
'html' => $output
);
}
}
return $form_fields;
}
/**
* Save capabilities for attachment post type (Media).
* When multiple attachments are saved, this is called once for each.
* @param array $post post data
* @param array $attachment attachment field data
* @return array
*/
public static function attachment_fields_to_save( $post, $attachment ) {
$post_types_option = Groups_Options::get_option( Groups_Post_Access_Legacy::POST_TYPES, array() );
if ( !isset( $post_types_option['attachment']['add_meta_box'] ) || $post_types_option['attachment']['add_meta_box'] ) {
// if we're here, we assume the user is allowed to edit attachments,
// but we still need to check if the user can restrict access
if ( self::user_can_restrict() ) {
$post_id = null;
if ( isset( $post['ID'] ) ) {
$post_id = $post['ID'];
} else if ( isset( $post['post_ID'] ) ) {
$post_id = $post['post_ID'];
}
if ( $post_id !== null ) {
$valid_read_caps = self::get_valid_read_caps_for_user();
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( !empty( $attachment[self::CAPABILITY] ) && is_array( $attachment[self::CAPABILITY] ) && in_array( $capability->capability_id, $attachment[self::CAPABILITY] ) ) {
Groups_Post_Access_Legacy::create( array(
'post_id' => $post_id,
'capability' => $capability->capability
) );
} else {
Groups_Post_Access_Legacy::delete( $post_id, $capability->capability );
}
}
}
}
}
}
return $post;
}
/**
* Returns true if the current user has at least one of the capabilities
* that can be used to restrict access to posts.
* @return boolean
*/
public static function user_can_restrict() {
$has_read_cap = false;
$user = new Groups_User( get_current_user_id() );
$valid_read_caps = Groups_Options::get_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, array( Groups_Post_Access_Legacy::READ_POST_CAPABILITY ) );
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( $user->can( $capability->capability_id ) ) {
$has_read_cap = true;
break;
}
}
}
return $has_read_cap;
}
/**
* @return array of valid read capabilities for the current or given user
*/
public static function get_valid_read_caps_for_user( $user_id = null ) {
$result = array();
$user = new Groups_User( $user_id === null ? get_current_user_id() : $user_id );
$valid_read_caps = Groups_Options::get_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, array( Groups_Post_Access_Legacy::READ_POST_CAPABILITY ) );
foreach( $valid_read_caps as $valid_read_cap ) {
if ( $capability = Groups_Capability::read_by_capability( $valid_read_cap ) ) {
if ( $user->can( $capability->capability ) ) {
$result[] = $valid_read_cap;
}
}
}
return $result;
}
}
Groups_Access_Meta_Boxes_Legacy::init();

424
backend/wordpress/wp-content/plugins/groups/legacy/access/class-groups-post-access-legacy.php Normal file
View File

@@ -0,0 +1,424 @@
<?php
/**
* class-groups-post-access-legacy.php
*
* Copyright (c) "kento" Karim Rahimpur www.itthinx.com
*
* This code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*
* This code is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This header and all notices must be kept intact.
*
* @author Karim Rahimpur
* @package groups
* @since groups 2.0.0
*/
if ( !defined( 'ABSPATH' ) ) {
exit;
}
/**
* Post access restrictions.
*/
class Groups_Post_Access_Legacy {
const POSTMETA_PREFIX = 'groups-';
const CACHE_GROUP = 'groups';
const CAN_READ_POST = 'legacy_can_read_post';
const READ_POST_CAPABILITY = 'groups_read_post';
const READ_POST_CAPABILITY_NAME = 'Read Post';
const READ_POST_CAPABILITIES = 'read_post_capabilities';
const POST_TYPES = 'post_types';
/**
* Create needed capabilities on plugin activation.
* Must be called explicitly or hooked into activation.
*/
public static function activate() {
if ( !Groups_Capability::read_by_capability( self::READ_POST_CAPABILITY ) ) {
Groups_Capability::create( array( 'capability' => self::READ_POST_CAPABILITY ) );
// default read caps
Groups_Options::update_option( Groups_Post_Access_Legacy::READ_POST_CAPABILITIES, array( Groups_Post_Access_Legacy::READ_POST_CAPABILITY ) );
// for translation
// @see self::READ_POST_CAPABILITY_NAME
__( 'Read Post', 'groups' );
}
}
/**
* Sets up filters to restrict access.
*/
public static function init() {
// Before Groups 2.0.0 this was called through Groups_Controller::activate() but
// now we only need to create the capabilities if legacy is enabled.
self::activate();
// post access
add_filter( 'posts_where', array( __CLASS__, 'posts_where' ), 10, 2 );
add_filter( 'get_pages', array( __CLASS__, 'get_pages' ), 1 );
if ( apply_filters( 'groups_filter_the_posts', false ) ) {
add_filter( 'the_posts', array( __CLASS__, 'the_posts' ), 1, 2 );
}
add_filter( 'wp_get_nav_menu_items', array( __CLASS__, 'wp_get_nav_menu_items' ), 1, 3 );
// content access
add_filter( 'get_the_excerpt', array( __CLASS__, 'get_the_excerpt' ), 1 );
add_filter( 'the_content', array( __CLASS__, 'the_content' ), 1 );
// edit & delete post
add_filter( 'map_meta_cap', array( __CLASS__, 'map_meta_cap' ), 10, 4 );
add_action( 'groups_deleted_capability_capability', array( __CLASS__, 'groups_deleted_capability_capability' ) );
}
/**
* Restrict access to edit or delete posts based on the post's access restrictions.
*
* @param array $caps
* @param string $cap
* @param int $user_id
* @param array $args
* @return array
*/
public static function map_meta_cap( $caps, $cap, $user_id, $args ) {
if ( isset( $args[0] ) ) {
if ( strpos( $cap, 'edit_' ) === 0 || strpos( $cap, 'delete_' ) === 0 ) {
if ( $post_type = get_post_type( $args[0] ) ) {
$edit_post_type = 'edit_' . $post_type;
$delete_post_type = 'delete_' . $post_type;
if ( $post_type_object = get_post_type_object( $post_type ) ) {
if ( !isset( $post_type_object->capabilities ) ) {
$post_type_object->capabilities = array();
}
$caps_object = get_post_type_capabilities( $post_type_object );
if ( isset( $caps_object->edit_post ) ) {
$edit_post_type = $caps_object->edit_post;
}
if ( isset( $caps_object->delete_post ) ) {
$delete_post_type = $caps_object->delete_post;
}
}
if ( $cap === $edit_post_type || $cap === $delete_post_type ) {
$post_id = null;
if ( is_numeric( $args[0] ) ) {
$post_id = $args[0];
} else if ( $args[0] instanceof WP_Post ) {
$post_id = $post->ID;
}
if ( $post_id ) {
if ( !self::user_can_read_post( $post_id, $user_id ) ) {
$caps[] = 'do_not_allow';
}
}
}
}
}
}
return $caps;
}
/**
* Filters out posts that the user should not be able to access.
*
* @param string $where current where conditions
* @param WP_Query $query current query
* @return string modified $where
*/
public static function posts_where( $where, $query ) {
global $wpdb;
$user_id = get_current_user_id();
// if administrators can override access, don't filter
if ( _groups_admin_override() ) {
return $where;
}
// 1. Get all the capabilities that the user has, including those that are inherited:
$caps = array();
if ( $user = new Groups_User( $user_id ) ) {
$capabilities = $user->capabilities_deep;
if ( is_array( $capabilities ) ) {
foreach ( $capabilities as $capability ) {
$caps[] = "'". $capability . "'";
}
}
}
if ( count( $caps ) > 0 ) {
$caps = implode( ',', $caps );
} else {
$caps = '\'\'';
}
// 2. Filter the posts that require a capability that the user doesn't
// have, or in other words: exclude posts that the user must NOT access:
// The following is not correct in that it requires the user to have ALL capabilities:
// $where .= sprintf(
// " AND {$wpdb->posts}.ID NOT IN (SELECT DISTINCT ID FROM $wpdb->posts LEFT JOIN $wpdb->postmeta on {$wpdb->posts}.ID = {$wpdb->postmeta}.post_id WHERE {$wpdb->postmeta}.meta_key = '%s' AND {$wpdb->postmeta}.meta_value NOT IN (%s) ) ",
// self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY,
// $caps
// );
// This allows the user to access posts where the posts are not restricted or where
// the user has ANY of the capabilities:
$where .= sprintf(
" AND {$wpdb->posts}.ID IN " .
" ( " .
" SELECT ID FROM $wpdb->posts WHERE ID NOT IN ( SELECT post_id FROM $wpdb->postmeta WHERE {$wpdb->postmeta}.meta_key = '%s' ) " . // posts without access restriction
" UNION ALL " . // we don't care about duplicates here, just make it quick
" SELECT post_id AS ID FROM $wpdb->postmeta WHERE {$wpdb->postmeta}.meta_key = '%s' AND {$wpdb->postmeta}.meta_value IN (%s) " . // posts that require any capability the user has
" ) ",
self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY,
self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY,
$caps
);
return $where;
}
/**
* Filter pages by access capability.
*
* @param array $pages
*/
public static function get_pages( $pages ) {
$result = array();
$user_id = get_current_user_id();
foreach ( $pages as $page ) {
if ( self::user_can_read_post( $page->ID, $user_id ) ) {
$result[] = $page;
}
}
return $result;
}
/**
* Filter posts by access capability.
*
* @param array $posts list of posts
* @param WP_Query $query
*/
public static function the_posts( $posts, &$query ) {
$result = array();
$user_id = get_current_user_id();
foreach ( $posts as $post ) {
if ( self::user_can_read_post( $post->ID, $user_id ) ) {
$result[] = $post;
}
}
return $result;
}
/**
* Filter menu items by access capability.
*
* @param array $items
* @param mixed $menu
* @param array $args
*/
public static function wp_get_nav_menu_items( $items = null, $menu = null, $args = null ) {
$result = array();
$user_id = get_current_user_id();
foreach ( $items as $item ) {
if ( self::user_can_read_post( $item->object_id, $user_id ) ) {
$result[] = $item;
}
}
return $result;
}
/**
* Filter excerpt by access capability.
*
* @param string $output
* @return $output if access granted, otherwise ''
*/
public static function get_the_excerpt( $output ) {
global $post;
$result = '';
if ( isset( $post->ID ) ) {
if ( self::user_can_read_post( $post->ID ) ) {
$result = $output;
}
} else {
// not a post, don't interfere
$result = $output;
}
return $result;
}
/**
* Filter content by access capability.
*
* @param string $output
* @return $output if access granted, otherwise ''
*/
public static function the_content( $output ) {
global $post;
$result = '';
if ( isset( $post->ID ) ) {
if ( self::user_can_read_post( $post->ID ) ) {
$result = $output;
}
} else {
// not a post, don't interfere
$result = $output;
}
return $result;
}
/**
* Adds an access capability requirement.
*
* $map must contain 'post_id' (*)
*
* For now this only should be used to add the READ_POST_CAPABILITY which
* it does automatically. Nothing else is checked for granting access.
*
* (*) Revisions : As of Groups 1.3.13 and at WordPress 3.6.1, as
* add_post_meta stores postmeta for the revision's parent, we retrieve
* the parent's post ID if it applies and check against that to see if
* that capability is already present. This is to avoid duplicating
* the already existing postmeta entry (which ocurred in previous
* versions).
*
* @param array $map
* @return true if the capability could be added to the post, otherwis false
*/
public static function create( $map ) {
extract( $map );
$result = false;
if ( !isset( $capability ) ) {
$capability = self::READ_POST_CAPABILITY;
}
if ( !empty( $post_id ) && !empty( $capability) ) {
if ( Groups_Capability::read_by_capability( $capability ) ) {
if ( $revision_parent_id = wp_is_post_revision( $post_id ) ) {
$post_id = $revision_parent_id;
}
if ( !in_array( $capability, get_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY ) ) ) {
$result = add_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY, $capability );
}
}
}
return $result;
}
/**
* Returns true if the post requires the given capability to grant access.
*
* Currently only READ_POST_CAPABILITY should be used, this is also taken
* as the default.
*
* @param int $post_id
* @param string $capability capability label
* @return true if the capability is required, otherwise false
*/
public static function read( $post_id, $capability = self::READ_POST_CAPABILITY ) {
$result = false;
$caps = get_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY );
if ( $caps ) {
$result = in_array( $capability, $caps );
}
return $result;
}
/**
* Currently does nothing, always returns false.
*
* @param array $map
* @return false
*/
public static function update( $map ) {
return false;
}
/**
* Removes a capability requirement from a post.
*
* @param int $post_id
* @param string $capability defaults to groups_read_post, removes all if null is given
* @return true on success, otherwise false
*/
public static function delete( $post_id, $capability = self::READ_POST_CAPABILITY ) {
$result = false;
if ( !empty( $post_id ) ) {
if ( !empty( $capability ) ) {
$result = delete_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY, $capability );
} else {
$result = delete_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY );
}
}
return $result;
}
/**
* Returns a list of capabilities that grant access to the post.
*
* @param int $post_id
* @return array of string, capabilities
*/
public static function get_read_post_capabilities( $post_id ) {
return get_post_meta( $post_id, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY );
}
/**
* Returns true if the user has any of the capabilities that grant access to the post.
*
* @param int $post_id post id
* @param int $user_id user id or null for current user
* @return boolean true if user can read the post
*/
public static function user_can_read_post( $post_id, $user_id = null ) {
$result = false;
if ( !empty( $post_id ) ) {
if ( $user_id === null ) {
$user_id = get_current_user_id();
}
$cached = Groups_Cache::get( self::CAN_READ_POST . '_' . $user_id . '_' . $post_id, self::CACHE_GROUP );
if ( $cached !== null ) {
$result = $cached->value;
unset( $cached ) ;
} else {
$groups_user = new Groups_User( $user_id );
$read_caps = self::get_read_post_capabilities( $post_id );
if ( !empty( $read_caps ) ) {
foreach( $read_caps as $read_cap ) {
if ( $groups_user->can( $read_cap ) ) {
$result = true;
break;
}
}
} else {
$result = true;
}
$result = apply_filters( 'groups_post_access_user_can_read_post', $result, $post_id, $user_id );
Groups_Cache::set( self::CAN_READ_POST . '_' . $user_id . '_' . $post_id, $result, self::CACHE_GROUP );
}
}
return $result;
}
/**
* Hooks into groups_deleted_capability_capability to remove existing access
* restrictions based on the deleted capability.
*
* @param string $name of the deleted capability
*/
public static function groups_deleted_capability_capability( $capability ) {
delete_metadata( 'post', null, self::POSTMETA_PREFIX . self::READ_POST_CAPABILITY, $capability, true );
}
}
Groups_Post_Access_Legacy::init();