git.admin/roi-theme
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7ba9080f57f4e1e146af9c3b9cbc09c082b483b1
roi-theme/wp-content/plugins/advanced-ads/includes/admin/class-authors.php
root a22573bf0b Commit inicial - WordPress Análisis de Precios Unitarios 
- WordPress core y plugins
- Tema Twenty Twenty-Four configurado
- Plugin allow-unfiltered-html.php simplificado
- .gitignore configurado para excluir wp-config.php y uploads

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 21:04:30 -06:00

196 lines
5.2 KiB
PHP
Executable File
Raw Blame History

<?php
/**
* The class manages the ad authors.
*
* @package AdvancedAds
* @author Advanced Ads <info@wpadvancedads.com>
* @since 1.47.0
*/
namespace AdvancedAds\Admin;
use Advanced_Ads;
use AdvancedAds\Constants;
use AdvancedAds\Framework\Interfaces\Integration_Interface;
use WP_Role;
use WP_User_Query;
defined( 'ABSPATH' ) || exit;
/**
* Control Ad Authors.
*/
class Authors implements Integration_Interface {
/**
* Hook into WordPress.
*
* @return void
*/
public function hooks(): void {
add_filter( 'wp_dropdown_users_args', [ $this, 'filter_ad_authors' ] );
add_action( 'pre_post_update', [ $this, 'sanitize_author_saving' ], 10, 2 );
add_filter( 'map_meta_cap', [ $this, 'filter_editable_posts' ], 10, 4 );
}
/**
* Ensure that users cannot assign ads to users with unfiltered_html if they don't have the capability themselves.
*
* @param array $query_args WP_User_Query args.
*
* @return array
*/
public function filter_ad_authors( $query_args ) {
$screen = get_current_screen();
if ( ! $screen || Constants::POST_TYPE_AD !== $screen->post_type ) {
return $query_args;
}
if ( is_multisite() ) {
return $this->multisite_filter_ad_authors( $query_args );
}
$user_roles_to_display = $this->filtered_user_roles();
$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );
return $query_args;
}
/**
* Ensure that users cannot assign ads to users who have more rights on multisite.
*
* @param array $query_args WP_User_Query args.
*
* @return array
*/
private function multisite_filter_ad_authors( $query_args ) {
if ( is_super_admin() ) {
return $query_args;
}
$options = Advanced_Ads::get_instance()->options();
$allowed_roles = $options['allow-unfiltered-html'] ?? [];
// if the current user can unfiltered_html, return the default args.
if ( ! empty( array_intersect( wp_get_current_user()->roles, $allowed_roles ) ) ) {
return $query_args;
}
// if the current user can't use unfiltered_html, they should not be able to assign the ad to a user that can.
$user_roles_to_display = array_filter(
wp_roles()->role_objects,
function ( WP_Role $role ) use ( $allowed_roles ) {
return ! in_array( $role->name, $allowed_roles, true ) && $role->has_cap( 'advanced_ads_edit_ads' );
}
);
$query_args['role__in'] = wp_list_pluck( $user_roles_to_display, 'name' );
// Exclude super-admins from the author dropdown.
$query_args['exclude'] = array_map(
function ( $login ) {
return get_user_by( 'login', $login )->ID;
},
get_super_admins()
);
return $query_args;
}
/**
* Prevent users from editing the form data and assign ads to users they're not allowed to.
* Wp_die() if tampering detected.
*
* @param int $post_id The current post id.
* @param array $data The post data to be saved.
*
* @return void
*/
public function sanitize_author_saving( $post_id, $data ) {
if (
get_post_type( $post_id ) !== Constants::POST_TYPE_AD ||
get_current_user_id() === (int) $data['post_author'] ||
(int) get_post_field( 'post_author', $post_id ) === (int) $data['post_author']
) {
return;
}
$user_query = new WP_User_Query( $this->filter_ad_authors( [ 'fields' => 'ID' ] ) );
$user_query = array_map( 'absint', $user_query->get_results() );
if ( ! in_array( (int) $data['post_author'], $user_query, true ) ) {
wp_die( esc_html__( 'Sorry, you\'re not allowed to assign this user.', 'advanced-ads' ) );
}
}
/**
* Prevent users from editing posts of users with more rights than themselves.
*
* @param array $caps Needed capabilities.
* @param string $cap Requested capability.
* @param int $user_id The user_id for the cap check.
* @param array $args Arguments array for checking primitive capabilities.
*
* @return array
*/
public function filter_editable_posts( $caps, $cap, $user_id, $args ) {
if ( 'advanced_ads_edit_ads' !== $cap || empty( $args ) ) {
return $caps;
}
$post_id = (int) $args[0];
if ( empty( $post_id ) ) {
return $caps;
}
$ad = wp_advads_get_ad( $post_id );
if ( $ad && ! $ad->is_type( 'plain' ) ) {
return $caps;
}
$author_id = (int) get_post_field( 'post_author', $post_id );
$author = get_userdata( $author_id );
if ( false === $author ) {
$author_id = $user_id;
}
if ( $author_id !== $user_id && ! user_can( $author, $cap, $post_id ) ) {
return [ 'do_not_allow' ];
}
static $users;
if ( null === $users ) {
$user_query = new WP_User_Query( $this->filter_ad_authors( [ 'fields' => 'ID' ] ) );
$users = array_map( 'absint', $user_query->get_results() );
}
if ( ! in_array( $author_id, $users, true ) ) {
return [ 'do_not_allow' ];
}
return $caps;
}
/**
* Get the user roles that are allowed to edit ads.
*
* @return array
*/
private function filtered_user_roles(): array {
$current_user_has_unfiltered_html = current_user_can( 'unfiltered_html' );
return array_filter(
wp_roles()->role_objects,
function ( \WP_Role $role ) use ( $current_user_has_unfiltered_html ) {
if ( $current_user_has_unfiltered_html ) {
return $role->has_cap( 'advanced_ads_edit_ads' );
}
return ! $role->has_cap( 'unfiltered_html' ) && $role->has_cap( 'advanced_ads_edit_ads' );
}
);
}
}
Reference in New Issue View Git Blame Copy Permalink