| 1 |  |  | <?php | 
            
                                                                                                            
                            
            
                                    
            
            
                | 2 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 3 |  |  | /** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 4 |  |  |  * Allows viewing posts on the frontend when the user is not logged in. | 
            
                                                                                                            
                            
            
                                    
            
            
                | 5 |  |  |  */ | 
            
                                                                                                            
                            
            
                                    
            
            
                | 6 |  |  | class Jetpack_Frame_Nonce_Preview { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 7 |  |  | 	static $instance = null; | 
                            
                    |  |  |  | 
                                                                                        
                                                                                     | 
            
                                                                                                            
                            
            
                                    
            
            
                | 8 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 9 |  |  | 	/** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 10 |  |  | 	 * Returns the single instance of the Jetpack_Frame_Nonce_Preview object | 
            
                                                                                                            
                            
            
                                    
            
            
                | 11 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 12 |  |  | 	 * @since 4.3.0 | 
            
                                                                                                            
                            
            
                                    
            
            
                | 13 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 14 |  |  | 	 * @return Jetpack_Frame_Nonce_Preview | 
            
                                                                                                            
                                                                
            
                                    
            
            
                | 15 |  |  | 	 **/ | 
            
                                                                        
                            
            
                                    
            
            
                | 16 |  |  | 	public static function get_instance() { | 
            
                                                                        
                            
            
                                    
            
            
                | 17 |  |  | 		if ( ! is_null( self::$instance ) ) { | 
            
                                                                        
                            
            
                                    
            
            
                | 18 |  |  | 			return self::$instance; | 
            
                                                                        
                            
            
                                    
            
            
                | 19 |  |  | 		} | 
            
                                                                        
                            
            
                                    
            
            
                | 20 |  |  |  | 
            
                                                                        
                            
            
                                    
            
            
                | 21 |  |  | 		return self::$instance = new Jetpack_Frame_Nonce_Preview(); | 
            
                                                                        
                            
            
                                    
            
            
                | 22 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 23 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 24 |  |  | 	function __construct() { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 25 |  |  | 		if ( isset( $_GET['frame-nonce'] ) && ! is_admin() ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 26 |  |  | 			add_filter( 'pre_get_posts', array( $this, 'maybe_display_post' ) ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 27 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 28 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 29 |  |  | 		// autosave previews are validated differently | 
            
                                                                                                            
                            
            
                                    
            
            
                | 30 |  |  | 		if ( isset( $_GET[ 'frame-nonce' ] ) && isset( $_GET[ 'preview_id' ] ) && isset( $_GET[ 'preview_nonce' ] ) ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 31 |  |  | 			remove_action( 'init', '_show_post_preview' ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 32 |  |  | 			add_action( 'init', array( $this, 'handle_autosave_nonce_validation' ) ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 33 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 34 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 35 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 36 |  |  | 	/** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 37 |  |  | 	 * Verify that frame nonce exists, and if so, validate the nonce by calling WP.com. | 
            
                                                                                                            
                            
            
                                    
            
            
                | 38 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 39 |  |  | 	 * @since 4.3.0 | 
            
                                                                                                            
                            
            
                                    
            
            
                | 40 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 41 |  |  | 	 * @return bool | 
            
                                                                                                            
                            
            
                                    
            
            
                | 42 |  |  | 	 */ | 
            
                                                                                                            
                            
            
                                    
            
            
                | 43 |  |  | 	public function is_frame_nonce_valid() { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 44 |  |  | 		if ( empty( $_GET[ 'frame-nonce' ] ) ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 45 |  |  | 			return false; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 46 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 47 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 48 |  |  | 		Jetpack::load_xml_rpc_client(); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 49 |  |  | 		$xml = new Jetpack_IXR_Client(); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 50 |  |  | 		$xml->query( 'jetpack.verifyFrameNonce', sanitize_key( $_GET['frame-nonce'] ) ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 51 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 52 |  |  | 		if ( $xml->isError() ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 53 |  |  | 			return false; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 54 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 55 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 56 |  |  | 		return (bool) $xml->getResponse(); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 57 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 58 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 59 |  |  | 	/** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 60 |  |  | 	 * Conditionally add a hook on posts_results if this is the main query, a preview, and singular. | 
            
                                                                                                            
                            
            
                                    
            
            
                | 61 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 62 |  |  | 	 * @since 4.3.0 | 
            
                                                                                                            
                            
            
                                    
            
            
                | 63 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 64 |  |  | 	 * @param WP_Query $query | 
            
                                                                                                            
                            
            
                                    
            
            
                | 65 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 66 |  |  | 	 * @return WP_Query | 
            
                                                                                                            
                            
            
                                    
            
            
                | 67 |  |  | 	 */ | 
            
                                                                                                            
                            
            
                                    
            
            
                | 68 |  |  | 	public function maybe_display_post( $query ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 69 |  |  | 		if ( | 
            
                                                                                                            
                            
            
                                    
            
            
                | 70 |  |  | 			$query->is_main_query() && | 
            
                                                                                                            
                            
            
                                    
            
            
                | 71 |  |  | 			$query->is_preview() && | 
            
                                                                                                            
                            
            
                                    
            
            
                | 72 |  |  | 			$query->is_singular() | 
            
                                                                                                            
                            
            
                                    
            
            
                | 73 |  |  | 		) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 74 |  |  | 			add_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 75 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 76 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 77 |  |  | 		return $query; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 78 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 79 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 80 |  |  | 	/** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 81 |  |  | 	 * Conditionally set the first post to 'publish' if the frame nonce is valid and there is a post. | 
            
                                                                                                            
                            
            
                                    
            
            
                | 82 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 83 |  |  | 	 * @since 4.3.0 | 
            
                                                                                                            
                            
            
                                    
            
            
                | 84 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 85 |  |  | 	 * @param array $posts | 
            
                                                                                                            
                            
            
                                    
            
            
                | 86 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 87 |  |  | 	 * @return array | 
            
                                                                                                            
                            
            
                                    
            
            
                | 88 |  |  | 	 */ | 
            
                                                                                                            
                            
            
                                    
            
            
                | 89 |  |  | 	public function set_post_to_publish( $posts ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 90 |  |  | 		remove_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 91 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 92 |  |  | 		if ( empty( $posts ) || is_user_logged_in() || ! $this->is_frame_nonce_valid() ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 93 |  |  | 			return $posts; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 94 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 95 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 96 |  |  | 		$posts[0]->post_status = 'publish'; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 97 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 98 |  |  | 		// Disable comments and pings for this post. | 
            
                                                                                                            
                            
            
                                    
            
            
                | 99 |  |  | 		add_filter( 'comments_open', '__return_false' ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 100 |  |  | 		add_filter( 'pings_open', '__return_false' ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 101 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 102 |  |  | 		return $posts; | 
            
                                                                                                            
                            
            
                                    
            
            
                | 103 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 104 |  |  |  | 
            
                                                                                                            
                            
            
                                    
            
            
                | 105 |  |  | 	/** | 
            
                                                                                                            
                            
            
                                    
            
            
                | 106 |  |  | 	 * Handle validation for autosave preview request | 
            
                                                                                                            
                            
            
                                    
            
            
                | 107 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 108 |  |  | 	 * @since 4.7.0 | 
            
                                                                                                            
                            
            
                                    
            
            
                | 109 |  |  | 	 * | 
            
                                                                                                            
                            
            
                                    
            
            
                | 110 |  |  | 	 */ | 
            
                                                                                                            
                            
            
                                    
            
            
                | 111 |  |  | 	public function handle_autosave_nonce_validation() { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 112 |  |  | 		if ( ! $this->is_frame_nonce_valid() ) { | 
            
                                                                                                            
                            
            
                                    
            
            
                | 113 |  |  | 			wp_die( __( 'Sorry, you are not allowed to preview drafts.', 'jetpack' ) ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 114 |  |  | 		} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 115 |  |  | 		add_filter( 'the_preview', '_set_preview' ); | 
            
                                                                                                            
                            
            
                                    
            
            
                | 116 |  |  | 	} | 
            
                                                                                                            
                            
            
                                    
            
            
                | 117 |  |  | } | 
            
                                                                                                            
                            
            
                                    
            
            
                | 118 |  |  |  | 
            
                                                                                                            
                                                                
            
                                    
            
            
                | 119 |  |  | Jetpack_Frame_Nonce_Preview::get_instance(); | 
            
                                                        
            
                                    
            
            
                | 120 |  |  |  | 
            
                        
The PSR-2 coding standard requires that all properties in a class have their visibility explicitly declared. If you declare a property using
the property is implicitly global.
To learn more about the PSR-2, please see the PHP-FIG site on the PSR-2.