Commit inicial - WordPress Análisis de Precios Unitarios

- WordPress core y plugins
- Tema Twenty Twenty-Four configurado
- Plugin allow-unfiltered-html.php simplificado
- .gitignore configurado para excluir wp-config.php y uploads

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

wp-content/plugins/advanced-ads/includes/admin/class-authors.php

@@ -0,0 +1,195 @@
+<?php
+/**
+ * The class manages the ad authors.
+ *
+ * @package AdvancedAds
+ * @author  Advanced Ads <info@wpadvancedads.com>
+ * @since   1.47.0
+ */
+
+namespace AdvancedAds\Admin;
+
+use Advanced_Ads;
+use AdvancedAds\Constants;
+use AdvancedAds\Framework\Interfaces\Integration_Interface;
+use WP_Role;
+use WP_User_Query;
+
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * Control Ad Authors.
+ */
+class Authors implements Integration_Interface {
+
+	/**
+	 * Hook into WordPress.
+	 *
+	 * @return void
+	 */
+	public function hooks(): void {
+		add_filter( 'wp_dropdown_users_args', [ $this, 'filter_ad_authors' ] );
+		add_action( 'pre_post_update', [ $this, 'sanitize_author_saving' ], 10, 2 );
+		add_filter( 'map_meta_cap', [ $this, 'filter_editable_posts' ], 10, 4 );
+	}
+
+	/**
+	 * Ensure that users cannot assign ads to users with unfiltered_html if they don't have the capability themselves.
+	 *
+	 * @param array $query_args WP_User_Query args.
+	 *
+	 * @return array
+	 */
+	public function filter_ad_authors( $query_args ) {
+		$screen = get_current_screen();
+
+		if ( ! $screen || Constants::POST_TYPE_AD !== $screen->post_type ) {
+			return $query_args;
+		}
+
+		if ( is_multisite() ) {
+			return $this->multisite_filter_ad_authors( $query_args );
+		}
+
+		$user_roles_to_display  = $this->filtered_user_roles();
+		$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );
+
+		return $query_args;
+	}
+
+	/**
+	 * Ensure that users cannot assign ads to users who have more rights on multisite.
+	 *
+	 * @param array $query_args WP_User_Query args.
+	 *
+	 * @return array
+	 */
+	private function multisite_filter_ad_authors( $query_args ) {
+		if ( is_super_admin() ) {
+			return $query_args;
+		}
+
+		$options       = Advanced_Ads::get_instance()->options();
+		$allowed_roles = $options['allow-unfiltered-html'] ?? [];
+
+		// if the current user can unfiltered_html, return the default args.
+		if ( ! empty( array_intersect( wp_get_current_user()->roles, $allowed_roles ) ) ) {
+			return $query_args;
+		}
+
+		// if the current user can't use unfiltered_html, they should not be able to assign the ad to a user that can.
+		$user_roles_to_display = array_filter(
+			wp_roles()->role_objects,
+			function ( WP_Role $role ) use ( $allowed_roles ) {
+				return ! in_array( $role->name, $allowed_roles, true ) && $role->has_cap( 'advanced_ads_edit_ads' );
+			}
+		);
+
+		$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );
+
+		// Exclude super-admins from the author dropdown.
+		$query_args['exclude'] = array_map(
+			function ( $login ) {
+				return get_user_by( 'login', $login )->ID;
+			},
+			get_super_admins()
+		);
+
+		return $query_args;
+	}
+
+	/**
+	 * Prevent users from editing the form data and assign ads to users they're not allowed to.
+	 * Wp_die() if tampering detected.
+	 *
+	 * @param int   $post_id The current post id.
+	 * @param array $data    The post data to be saved.
+	 *
+	 * @return void
+	 */
+	public function sanitize_author_saving( $post_id, $data ) {
+		if (
+			get_post_type( $post_id ) !== Constants::POST_TYPE_AD ||
+			get_current_user_id() === (int) $data['post_author'] ||
+			(int) get_post_field( 'post_author', $post_id ) === (int) $data['post_author']
+		) {
+			return;
+		}
+
+		$user_query = new WP_User_Query( $this->filter_ad_authors( [ 'fields' => 'ID' ] ) );
+		$user_query = array_map( 'absint', $user_query->get_results() );
+
+		if ( ! in_array( (int) $data['post_author'], $user_query, true ) ) {
+			wp_die( esc_html__( 'Sorry, you\'re not allowed to assign this user.', 'advanced-ads' ) );
+		}
+	}
+
+	/**
+	 * Prevent users from editing posts of users with more rights than themselves.
+	 *
+	 * @param array  $caps    Needed capabilities.
+	 * @param string $cap     Requested capability.
+	 * @param int    $user_id The user_id for the cap check.
+	 * @param array  $args    Arguments array for checking primitive capabilities.
+	 *
+	 * @return array
+	 */
+	public function filter_editable_posts( $caps, $cap, $user_id, $args ) {
+		if ( 'advanced_ads_edit_ads' !== $cap || empty( $args ) ) {
+			return $caps;
+		}
+
+		$post_id = (int) $args[0];
+		if ( empty( $post_id ) ) {
+			return $caps;
+		}
+
+		$ad = wp_advads_get_ad( $post_id );
+		if ( $ad && ! $ad->is_type( 'plain' ) ) {
+			return $caps;
+		}
+
+		$author_id = (int) get_post_field( 'post_author', $post_id );
+		$author    = get_userdata( $author_id );
+
+		if ( false === $author ) {
+			$author_id = $user_id;
+		}
+
+		if ( $author_id !== $user_id && ! user_can( $author, $cap, $post_id ) ) {
+			return [ 'do_not_allow' ];
+		}
+
+		static $users;
+
+		if ( null === $users ) {
+			$user_query = new WP_User_Query( $this->filter_ad_authors( [ 'fields' => 'ID' ] ) );
+			$users      = array_map( 'absint', $user_query->get_results() );
+		}
+
+		if ( ! in_array( $author_id, $users, true ) ) {
+			return [ 'do_not_allow' ];
+		}
+
+		return $caps;
+	}
+
+	/**
+	 * Get the user roles that are allowed to edit ads.
+	 *
+	 * @return array
+	 */
+	private function filtered_user_roles(): array {
+		$current_user_has_unfiltered_html = current_user_can( 'unfiltered_html' );
+		return array_filter(
+			wp_roles()->role_objects,
+			function ( \WP_Role $role ) use ( $current_user_has_unfiltered_html ) {
+				if ( $current_user_has_unfiltered_html ) {
+					return $role->has_cap( 'advanced_ads_edit_ads' );
+				}
+
+				return ! $role->has_cap( 'unfiltered_html' ) && $role->has_cap( 'advanced_ads_edit_ads' );
+			}
+		);
+	}
+}