Issues in class.frame-nonce-preview.php - All Issues - Inspection of "Allow passing headers to `Jetpack_Client::wpcom_js..." - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — add/headers-to-json-request-as... ( a6c961 )

unknown

created 2017-04-25 16:29 UTC

class.frame-nonce-preview.php (1 issue)

Labels

Coding Style 1

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Allows viewing posts on the frontend when the user is not logged in.
 */
class Jetpack_Frame_Nonce_Preview {
	static $instance = null;
class A {
    var $property;
}

	/**
	 * Returns the single instance of the Jetpack_Frame_Nonce_Preview object
	 *
	 * @since 4.3.0
	 *
	 * @return Jetpack_Frame_Nonce_Preview
	 **/
	public static function get_instance() {
		if ( ! is_null( self::$instance ) ) {
			return self::$instance;
		}

		return self::$instance = new Jetpack_Frame_Nonce_Preview();
	}

	function __construct() {
		if ( isset( $_GET['frame-nonce'] ) && ! is_admin() ) {
			add_filter( 'pre_get_posts', array( $this, 'maybe_display_post' ) );
		}

		// autosave previews are validated differently
		if ( isset( $_GET[ 'frame-nonce' ] ) && isset( $_GET[ 'preview_id' ] ) && isset( $_GET[ 'preview_nonce' ] ) ) {
			remove_action( 'init', '_show_post_preview' );
			add_action( 'init', array( $this, 'handle_autosave_nonce_validation' ) );
		}
	}

	/**
	 * Verify that frame nonce exists, and if so, validate the nonce by calling WP.com.
	 *
	 * @since 4.3.0
	 *
	 * @return bool
	 */
	public function is_frame_nonce_valid() {
		if ( empty( $_GET[ 'frame-nonce' ] ) ) {
			return false;
		}

		Jetpack::load_xml_rpc_client();
		$xml = new Jetpack_IXR_Client();
		$xml->query( 'jetpack.verifyFrameNonce', sanitize_key( $_GET['frame-nonce'] ) );

		if ( $xml->isError() ) {
			return false;
		}

		return (bool) $xml->getResponse();
	}

	/**
	 * Conditionally add a hook on posts_results if this is the main query, a preview, and singular.
	 *
	 * @since 4.3.0
	 *
	 * @param WP_Query $query
	 *
	 * @return WP_Query
	 */
	public function maybe_display_post( $query ) {
		if (
			$query->is_main_query() &&
			$query->is_preview() &&
			$query->is_singular()
		) {
			add_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 );
		}

		return $query;
	}

	/**
	 * Conditionally set the first post to 'publish' if the frame nonce is valid and there is a post.
	 *
	 * @since 4.3.0
	 *
	 * @param array $posts
	 *
	 * @return array
	 */
	public function set_post_to_publish( $posts ) {
		remove_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 );

		if ( empty( $posts ) || is_user_logged_in() || ! $this->is_frame_nonce_valid() ) {
			return $posts;
		}

		$posts[0]->post_status = 'publish';

		// Disable comments and pings for this post.
		add_filter( 'comments_open', '__return_false' );
		add_filter( 'pings_open', '__return_false' );

		return $posts;
	}

	/**
	 * Handle validation for autosave preview request
	 *
	 * @since 4.7.0
	 *
	 */
	public function handle_autosave_nonce_validation() {
		if ( ! $this->is_frame_nonce_valid() ) {
			wp_die( __( 'Sorry, you are not allowed to preview drafts.', 'jetpack' ) );
		}
		add_filter( 'the_preview', '_set_preview' );
	}
}

Jetpack_Frame_Nonce_Preview::get_instance();


1			<?php
2
3			/**
4			* Allows viewing posts on the frontend when the user is not logged in.
5			*/
6			class Jetpack_Frame_Nonce_Preview {
7			static $instance = null;
			0 ignored issues – show Coding Style introduced 2016-08-10 05:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this The visibility should be declared for property `$instance`. The PSR-2 coding standard requires that all properties in a class have their visibility explicitly declared. If you declare a property using class A { var $property; } the property is implicitly global. To learn more about the PSR-2, please see the PHP-FIG site on the PSR-2. Loading history...
8
9			/**
10			* Returns the single instance of the Jetpack_Frame_Nonce_Preview object
11			*
12			* @since 4.3.0
13			*
14			* @return Jetpack_Frame_Nonce_Preview
15			**/
16			public static function get_instance() {
17			if ( ! is_null( self::$instance ) ) {
18			return self::$instance;
19			}
20
21			return self::$instance = new Jetpack_Frame_Nonce_Preview();
22			}
23
24			function __construct() {
25			if ( isset( $_GET['frame-nonce'] ) && ! is_admin() ) {
26			add_filter( 'pre_get_posts', array( $this, 'maybe_display_post' ) );
27			}
28
29			// autosave previews are validated differently
30			if ( isset( $_GET[ 'frame-nonce' ] ) && isset( $_GET[ 'preview_id' ] ) && isset( $_GET[ 'preview_nonce' ] ) ) {
31			remove_action( 'init', '_show_post_preview' );
32			add_action( 'init', array( $this, 'handle_autosave_nonce_validation' ) );
33			}
34			}
35
36			/**
37			* Verify that frame nonce exists, and if so, validate the nonce by calling WP.com.
38			*
39			* @since 4.3.0
40			*
41			* @return bool
42			*/
43			public function is_frame_nonce_valid() {
44			if ( empty( $_GET[ 'frame-nonce' ] ) ) {
45			return false;
46			}
47
48			Jetpack::load_xml_rpc_client();
49			$xml = new Jetpack_IXR_Client();
50			$xml->query( 'jetpack.verifyFrameNonce', sanitize_key( $_GET['frame-nonce'] ) );
51
52			if ( $xml->isError() ) {
53			return false;
54			}
55
56			return (bool) $xml->getResponse();
57			}
58
59			/**
60			* Conditionally add a hook on posts_results if this is the main query, a preview, and singular.
61			*
62			* @since 4.3.0
63			*
64			* @param WP_Query $query
65			*
66			* @return WP_Query
67			*/
68			public function maybe_display_post( $query ) {
69			if (
70			$query->is_main_query() &&
71			$query->is_preview() &&
72			$query->is_singular()
73			) {
74			add_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 );
75			}
76
77			return $query;
78			}
79
80			/**
81			* Conditionally set the first post to 'publish' if the frame nonce is valid and there is a post.
82			*
83			* @since 4.3.0
84			*
85			* @param array $posts
86			*
87			* @return array
88			*/
89			public function set_post_to_publish( $posts ) {
90			remove_filter( 'posts_results', array( $this, 'set_post_to_publish' ), 10, 2 );
91
92			if ( empty( $posts ) \|\| is_user_logged_in() \|\| ! $this->is_frame_nonce_valid() ) {
93			return $posts;
94			}
95
96			$posts[0]->post_status = 'publish';
97
98			// Disable comments and pings for this post.
99			add_filter( 'comments_open', '__return_false' );
100			add_filter( 'pings_open', '__return_false' );
101
102			return $posts;
103			}
104
105			/**
106			* Handle validation for autosave preview request
107			*
108			* @since 4.7.0
109			*
110			*/
111			public function handle_autosave_nonce_validation() {
112			if ( ! $this->is_frame_nonce_valid() ) {
113			wp_die( __( 'Sorry, you are not allowed to preview drafts.', 'jetpack' ) );
114			}
115			add_filter( 'the_preview', '_set_preview' );
116			}
117			}
118
119			Jetpack_Frame_Nonce_Preview::get_instance();
120

Automattic / jetpack

Push — add/headers-to-json-request-as... ( a6c961 )

class.frame-nonce-preview.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like