Issues in subway-metabox.php (master) - Issues in master - codehaiku/subway-2.0 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (14)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

classes/subway-metabox.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * This file is part of the Subway WordPress Plugin Package.
 * This file contains the class which handles the metabox of the plugin.
 *
 * (c) Joseph G <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 *
 * Props: Jasper Jardin
 *
 * PHP Version 5.4
 *
 * @category Subway\Metabox
 * @package  Subway
 * @author   Joseph G. <[email protected]>
 * @license  http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version  GIT:github.com/codehaiku/subway
 * @link     github.com/codehaiku/subway The Plugin Repository
 */

namespace Subway;

if ( ! defined( 'ABSPATH' ) ) {
	return;
}

/**
 * Subway Metabox methods.
 *
 * @category Subway\Metabox
 * @package  Subway
 * @author   Jasper J. <[email protected]>
 * @license  http://opensource.org/licenses/gpl-license.php GNU Public License
 * @link     github.com/codehaiku/subway The Plugin Repository
 * @since    2.0.9
 */
final class Metabox {


	/**
	 * Subway visibility meta value,
	 *
	 * @since 2.0.9
	 * @const string VISIBILITY_METAKEY
	 */
	const VISIBILITY_METAKEY = 'subway_visibility_meta_key';

	/**
	 * Registers and update metabox with its intended method below.
	 *
	 * @since  2.0.9
	 * @return void
	 */
	public function __construct() {

		add_action( 'add_meta_boxes', array( $this, 'addMetabox' ) );
		add_action( 'save_post', array( $this, 'saveMetaboxValues' ) );
		add_filter( 'the_content', array( $this, 'showContentToAllowedRoles' ) );

		return $this;

	}

	/**
	 * Initialize metabox
	 *
	 * @since  2.0.9
	 * @access public
	 * @return void
	 */
	public static function initMetabox() {

		new Metabox();
	}

	/**
	 * Initialize metabox
	 *
	 * @since  2.0.9
	 * @access public
	 * @return void
	 */
	public function addMetabox() {

		$post_types = $this->getPostTypes();
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
$object = $a->getObject();

		foreach ( $post_types as $post_type => $value ) {

			add_meta_box(
				'subway_visibility_metabox',
				esc_html__( 'Subway: Visibility Option', 'subway' ),
				array( $this, 'visibilityMetabox' ),
				$post_type,
				'side',
				'high'
			);
		}
	}

	/**
	 * This method displays the Subway Visibility checkbox.
	 *
	 * @param object $post Contains data from the current post.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return void
	 */
	public function visibilityMetabox( $post ) {

		$howto = __(
			'Choose the accessibility of this page from the options above.',
			'subway'
		);

		$private_setting_label = __( 'Members Only', 'subway' );

		$is_post_private         = self::isPostPrivate( $post->ID );

		// Make sure the form request comes from WordPress
		wp_nonce_field( basename( __FILE__ ),  'subway_post_visibility_nonce' );

		// Disable the options (radio) when site is selected as public
		?>
		<input type="hidden" name="subway-visibility-form-submitted" value="1" />

		<?php if ( ! Options::isPublicSite() ) :  ?>
		<?php // Site is private. Give them some Beer! ?>
			<p>
				<label class="subway-visibility-settings-checkbox-label" for="subway-visibility-public">
					<input type="radio" class="subway-visibility-settings-radio" id="subway-visibility-public" name="subway-visibility-settings" value="public" <?php echo checked( false, $is_post_private, false ); ?>>
					<?php esc_html_e( 'Public', 'subway' ) ?>
				</label>
			</p>
			<p>
				<label class="subway-visibility-settings-checkbox-label" for="subway-visibility-private">
					<input type="radio" class="subway-visibility-settings-radio" id="subway-visibility-private" name="subway-visibility-settings"
					value="private" <?php echo checked( true, $is_post_private, false ); ?>>
					<?php esc_html_e( 'Members Only', 'subway' ) ?>
				 </label>
			</p>
			<div id="subway-roles-access-visibility-fields" class="hidden">
				<dl>
					<?php $post_allowed_user_roles = self::getAllowedUserRoles( $post->ID ); ?>
					<?php $editable_roles = get_editable_roles(); ?>
					<?php // Remove administrator for editable roles. ?>
					<?php unset( $editable_roles['administrator'] ); ?>
					<?php foreach ( $editable_roles as $role_name => $role_info ) { ?>
						<dt>
							<?php $id = 'subway-visibility-settings-user-role-' . esc_html( $role_name ); ?>
							<label for="<?php echo esc_attr( $id ); ?>">
							<?php if ( is_array( $post_allowed_user_roles ) && in_array( $role_name, $post_allowed_user_roles ) ) { ?>
								<?php $checked = 'checked'; ?>
							<?php } else { ?>
								<?php if ( false === $post_allowed_user_roles ) { ?>
									<?php $checked = 'checked'; ?>
								<?php } else { ?>
										<?php $checked = ''; ?>
								<?php } ?>
							<?php } ?>
							<input <?php echo esc_attr( $checked ); ?> id="<?php echo esc_attr( $id ); ?>" type="checkbox" 
							name="subway-visibility-settings-user-role[]" class="subway-visibility-settings-role-access" value="<?php echo esc_attr( $role_name ); ?>" />
								<?php echo esc_html( $role_info['name'] ); ?>
							</label>
						</dt>
					<?php } ?>
					<p class="howto"><?php echo esc_html_e( 'Uncheck the user roles that you do not want to have access to this content','subway' ); ?></p>
				</dl>
			</div>
			<script>
				jQuery(document).ready(function($){
					'use strict';
					if ( $('#subway-visibility-private').is(':checked') ) {
						$('#subway-roles-access-visibility-fields').css('display', 'block');
					}
					$('.subway-visibility-settings-radio').click(function(){
						$('#subway-roles-access-visibility-fields').css('display', 'none');
						if ( $('#subway-visibility-private').is(':checked') ) {
							$('#subway-roles-access-visibility-fields').css('display', 'block');
						}
					});
				});
			</script>
			<p class="howto"><?php echo esc_html( $howto ); ?></p>
		<?php else : ?>
			<?php // Site is public! Explain to them ?>
			<p><em>
				<?php esc_html_e( 'You have chosen to make your site public inside Settings > Subway.  Subway visibility options will be turned off.', 'subway' ); ?>
			</em>
			</p>
		<?php endif; ?>
		<?php
	}

	/**
	 * This method verify if nonce is valid then updates a post_meta.
	 *
	 * @param integer $post_id Contains ID of the current post.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return boolean false Returns false if nonce is not valid.
	 */
	public function saveVisibilityMetabox( $post_id = '' ) {

		if ( wp_is_post_autosave( $post_id ) ) {
			return;
		}

		$is_form_submitted = filter_input( INPUT_POST, 'subway-visibility-form-submitted', FILTER_DEFAULT );

		if ( ! $is_form_submitted ) {
			return;
		}

		$public_posts     = Options::getPublicPostsIdentifiers();

		$posts_implode    = '';

		$visibility_field = 'subway-visibility-settings';

		$visibility_nonce = filter_input(
			INPUT_POST, 'subway_post_visibility_nonce',
			FILTER_SANITIZE_STRING
		);

		$post_visibility = filter_input( INPUT_POST,  $visibility_field, FILTER_SANITIZE_STRING );

		$is_valid_visibility_nonce = self::isNonceValid( $visibility_nonce );

		$allowed_roles = filter_input( INPUT_POST, 'subway-visibility-settings-user-role', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY );

		// verify taxonomies meta box nonce
		if ( false === $is_valid_visibility_nonce ) {
			return;
		}
		if ( empty( $allowed_roles ) ) {
			$allowed_roles = array();
		}

		// Update user roles.
		update_post_meta( $post_id, 'subway-visibility-settings-allowed-user-roles', $allowed_roles );

		if ( ! empty( $post_visibility ) ) {
			if ( ! empty( $post_id ) ) {
				if ( 'public' === $post_visibility ) {
					if ( ! in_array( $post_id, $public_posts ) ) {
						array_push( $public_posts, $post_id );
					}
				}
				if ( 'private' === $post_visibility ) {
					if ( in_array( $post_id, $public_posts ) ) {
						unset( $public_posts[ array_search( $post_id, $public_posts ) ] );
					}
				}
			}
		}

		if ( ! empty( $post_id ) ) {
			$posts_implode = implode( ', ', $public_posts );

			if ( 'inherit' !== get_post_status( $post_id ) ) {

				if ( true === $is_valid_visibility_nonce ) {
					update_option( 'subway_public_post', $posts_implode );
					update_post_meta(
						$post_id,
						self::VISIBILITY_METAKEY,
						$post_visibility
					);
				}
			}
		}
	}

	/**
	 * This method runs the methods that handles the update for a post_meta.
	 *
	 * @param integer $post_id Contains ID of the current post.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return boolean false Returns false if nonce is not valid.
	 */
	public function saveMetaboxValues( $post_id ) {

		$this->saveVisibilityMetabox( $post_id );
		return;
	}

	/**
	 * Initialize metabox arguments.
	 *
	 * @param array  $args   The arguments for the get_post_types().
	 * @param string $output Your desired output for the data.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return void
	 */
	public static function getPostTypes( $args = '', $output = '' ) {

		if ( empty( $args ) ) {
			$args = array(
			'public'   => true,
			);
			$output = 'names';
		}

		$post_types = get_post_types( $args, $output );

		return $post_types;
	}

	/**
	 * This method verify if nonce is valid.
	 *
	 * @param mixed $nonce the name of a metabox nonce.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return boolean true Returns true if nonce is valid.
	 */
	public function isNonceValid( $nonce ) {

		if ( ! isset( $nonce ) || ! wp_verify_nonce( $nonce, basename( __FILE__ ) ) ) {
			return;
		}

		return true;
	}

	/**
	 * Checks if a post is set to private.
	 *
	 * @param integer $post_id Contains ID of the current post.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return boolean true Returns true if post is private. Otherwise false.
	 */
	public static function isPostPrivate( $post_id ) {

		$meta_value = '';

		if ( ! empty( $post_id ) ) {
			$meta_value = get_post_meta( $post_id, self::VISIBILITY_METAKEY, true );

			// New page or old pages that don't have Subway'\ Visibility Options
			if ( empty( $meta_value ) ) {
				// Get the value from the general settings (Settings > Subway)
				$is_site_public = Options::isPublicSite();
				if ( ! $is_site_public ) {
					// It's private.
					return true;
				}
			}
			if ( 'private' === $meta_value ) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Checks if a post is set to public.
	 *
	 * @param integer $post_id Contains ID of the current post.
	 *
	 * @since  2.0.9
	 * @access public
	 * @return boolean true Returns true if post is public. Otherwise false.
	 */
	public static function isPostPublic( $post_id ) {

		$public_post = Options::getPublicPostsIdentifiers();

		if ( ! empty( $post_id ) ) {
			if ( ! in_array( $post_id, $public_post, true ) ) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Get the allowed users roles
	 *
	 * @param  integer $post_id The post ID.
	 * @return mixed Boolean false if metadata does not exists. Otherwise, return the array value of meta.
	 */
	public static function getAllowedUserRoles( $post_id = 0 ) {

		$allowed_roles = array();

		if ( ! empty( $post_id ) ) {

			// Check if metadata exists for the following post.
			if ( metadata_exists( 'post', $post_id, 'subway-visibility-settings-allowed-user-roles' ) ) {

				$allowed_roles = get_post_meta( $post_id, 'subway-visibility-settings-allowed-user-roles', true );
				if ( ! is_null( $allowed_roles ) ) {
					return $allowed_roles;
				}
				return false;
				
			} else {
				return false;
			}

		} else {
			return false;
		}

		return $allowed_roles;
	}

	/**
	 * Check if the current user has role for the current content.
	 *
	 * @param  string $content The content of the post.
	 * @return string The content of the post.
	 */
	public function showContentToAllowedRoles( $content ) {

		$post_id = get_the_ID();
		$allowed_user_roles = self::getAllowedUserRoles( $post_id );

		if ( ! is_singular() && is_main_query() ) {
			return $content;
		}

		if ( is_user_logged_in() ) {

			$no_privilege = '<div class="subway-role-not-allowed"><p>' . apply_filters( 'subway-content-restricted-to-role', esc_html__( 'You do not have the right privilege or role to view this page.', 'subway' ) ) . '</p></div>';

			// Restrict access to non admins only.
			if ( ! current_user_can( 'manage_options' ) ) {
				if ( ! self::currentUserCanViewPage( $post_id ) ) {
					return $no_privilege;
				}	
			}

			// Return the content if the post is not yet saved.
			if ( false === $allowed_user_roles ) {
				return $content;
			}
		}

		return $content;

	}

	/**
	 * Check to see if current user has a specific roles to view the page
	 * 
	 * @return boolean True on success. Otherwise, false.
	 */
	public function currentUserCanViewPage( $post_id = 0 ) {

		$allowed_roles = self::getAllowedUserRoles( $post_id );
		
		// if $allowed_roles is not set, it means meta data is not yet available.
		// Post roles are checked but are not yet save. So allow viewing.
		if ( ! $allowed_roles ) {
			return true;
		}

		// Only check for logged-in users.
		if ( is_user_logged_in() ) {
			
			$can_view = false;

			$user = wp_get_current_user();

			if ( ! is_array( $user->roles ) ) {
				$user->roles = (array) $user->roles;
			}

			if ( ! empty( $user->roles ) && is_array( $user->roles ) ) {
				foreach( $user->roles as $current_user_role ) {
					if ( in_array( $current_user_role, $allowed_roles ) ) {
						$can_view = true;
					}
				}
			}

			return $can_view;
		
		}

		return false;
	}

}


1			<?php
2			/**
3			* This file is part of the Subway WordPress Plugin Package.
4			* This file contains the class which handles the metabox of the plugin.
5			*
6			* (c) Joseph G <[email protected]>
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*
11			* Props: Jasper Jardin
12			*
13			* PHP Version 5.4
14			*
15			* @category Subway\Metabox
16			* @package Subway
17			* @author Joseph G. <[email protected]>
18			* @license http://opensource.org/licenses/gpl-license.php GNU Public License
19			* @version GIT:github.com/codehaiku/subway
20			* @link github.com/codehaiku/subway The Plugin Repository
21			*/
22
23			namespace Subway;
24
25			if ( ! defined( 'ABSPATH' ) ) {
26			return;
27			}
28
29			/**
30			* Subway Metabox methods.
31			*
32			* @category Subway\Metabox
33			* @package Subway
34			* @author Jasper J. <[email protected]>
35			* @license http://opensource.org/licenses/gpl-license.php GNU Public License
36			* @link github.com/codehaiku/subway The Plugin Repository
37			* @since 2.0.9
38			*/
39			final class Metabox {
40
41
42			/**
43			* Subway visibility meta value,
44			*
45			* @since 2.0.9
46			* @const string VISIBILITY_METAKEY
47			*/
48			const VISIBILITY_METAKEY = 'subway_visibility_meta_key';
49
50			/**
51			* Registers and update metabox with its intended method below.
52			*
53			* @since 2.0.9
54			* @return void
55			*/
56			public function __construct() {
57
58			add_action( 'add_meta_boxes', array( $this, 'addMetabox' ) );
59			add_action( 'save_post', array( $this, 'saveMetaboxValues' ) );
60			add_filter( 'the_content', array( $this, 'showContentToAllowedRoles' ) );
61
62			return $this;
			0 ignored issues – show Bug introduced 2018-06-28 10:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this Constructors do not have meaningful return values, anything that is returned from here is discarded. Are you sure this is correct? Loading history...
63			}
64
65			/**
66			* Initialize metabox
67			*
68			* @since 2.0.9
69			* @access public
70			* @return void
71			*/
72			public static function initMetabox() {
73
74			new Metabox();
75			}
76
77			/**
78			* Initialize metabox
79			*
80			* @since 2.0.9
81			* @access public
82			* @return void
83			*/
84			public function addMetabox() {
85
86			$post_types = $this->getPostTypes();
			0 ignored issues – show Bug introduced 2018-06-20 06:37 UTC by Report Bug Copy Issue Report Show Similar Issues like this Are you sure the assignment to `$post_types` is correct as `$this->getPostTypes()` (which targets `Subway\Metabox::getPostTypes()`) seems to always return null. This check looks for function or method calls that always return null and whose return value is assigned to a variable. class A { function getObject() { return null; } } $a = new A(); $object = $a->getObject(); The method `getObject()` can return nothing but null, so it makes no sense to assign that value to a variable. The reason is most likely that a function or method is imcomplete or has been reduced for debug purposes. Loading history...
87
88			foreach ( $post_types as $post_type => $value ) {
			0 ignored issues – show Bug introduced 2018-06-20 06:37 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$post_types` of type `null` is not traversable. Loading history...
89			add_meta_box(
90			'subway_visibility_metabox',
91			esc_html__( 'Subway: Visibility Option', 'subway' ),
92			array( $this, 'visibilityMetabox' ),
93			$post_type,
94			'side',
95			'high'
96			);
97			}
98			}
99
100			/**
101			* This method displays the Subway Visibility checkbox.
102			*
103			* @param object $post Contains data from the current post.
104			*
105			* @since 2.0.9
106			* @access public
107			* @return void
108			*/
109			public function visibilityMetabox( $post ) {
110
111			$howto = __(
112			'Choose the accessibility of this page from the options above.',
113			'subway'
114			);
115
116			$private_setting_label = __( 'Members Only', 'subway' );
117
118			$is_post_private = self::isPostPrivate( $post->ID );
119
120			// Make sure the form request comes from WordPress
121			wp_nonce_field( basename( __FILE__ ), 'subway_post_visibility_nonce' );
122
123			// Disable the options (radio) when site is selected as public
124			?>
125			<input type="hidden" name="subway-visibility-form-submitted" value="1" />
126
127			<?php if ( ! Options::isPublicSite() ) : ?>
128			<?php // Site is private. Give them some Beer! ?>
129			<p>
130			<label class="subway-visibility-settings-checkbox-label" for="subway-visibility-public">
131			<input type="radio" class="subway-visibility-settings-radio" id="subway-visibility-public" name="subway-visibility-settings" value="public" <?php echo checked( false, $is_post_private, false ); ?>>
132			<?php esc_html_e( 'Public', 'subway' ) ?>
133			</label>
134			</p>
135			<p>
136			<label class="subway-visibility-settings-checkbox-label" for="subway-visibility-private">
137			<input type="radio" class="subway-visibility-settings-radio" id="subway-visibility-private" name="subway-visibility-settings"
138			value="private" <?php echo checked( true, $is_post_private, false ); ?>>
139			<?php esc_html_e( 'Members Only', 'subway' ) ?>
140			</label>
141			</p>
142			<div id="subway-roles-access-visibility-fields" class="hidden">
143			<dl>
144			<?php $post_allowed_user_roles = self::getAllowedUserRoles( $post->ID ); ?>
145			<?php $editable_roles = get_editable_roles(); ?>
146			<?php // Remove administrator for editable roles. ?>
147			<?php unset( $editable_roles['administrator'] ); ?>
148			<?php foreach ( $editable_roles as $role_name => $role_info ) { ?>
149			<dt>
150			<?php $id = 'subway-visibility-settings-user-role-' . esc_html( $role_name ); ?>
151			<label for="<?php echo esc_attr( $id ); ?>">
152			<?php if ( is_array( $post_allowed_user_roles ) && in_array( $role_name, $post_allowed_user_roles ) ) { ?>
153			<?php $checked = 'checked'; ?>
154			<?php } else { ?>
155			<?php if ( false === $post_allowed_user_roles ) { ?>
156			<?php $checked = 'checked'; ?>
157			<?php } else { ?>
158			<?php $checked = ''; ?>
159			<?php } ?>
160			<?php } ?>
161			<input <?php echo esc_attr( $checked ); ?> id="<?php echo esc_attr( $id ); ?>" type="checkbox"
162			name="subway-visibility-settings-user-role[]" class="subway-visibility-settings-role-access" value="<?php echo esc_attr( $role_name ); ?>" />
163			<?php echo esc_html( $role_info['name'] ); ?>
164			</label>
165			</dt>
166			<?php } ?>
167			<p class="howto"><?php echo esc_html_e( 'Uncheck the user roles that you do not want to have access to this content','subway' ); ?></p>
168			</dl>
169			</div>
170			<script>
171			jQuery(document).ready(function($){
172			'use strict';
173			if ( $('#subway-visibility-private').is(':checked') ) {
174			$('#subway-roles-access-visibility-fields').css('display', 'block');
175			}
176			$('.subway-visibility-settings-radio').click(function(){
177			$('#subway-roles-access-visibility-fields').css('display', 'none');
178			if ( $('#subway-visibility-private').is(':checked') ) {
179			$('#subway-roles-access-visibility-fields').css('display', 'block');
180			}
181			});
182			});
183			</script>
184			<p class="howto"><?php echo esc_html( $howto ); ?></p>
185			<?php else : ?>
186			<?php // Site is public! Explain to them ?>
187			<p><em>
188			<?php esc_html_e( 'You have chosen to make your site public inside Settings > Subway. Subway visibility options will be turned off.', 'subway' ); ?>
189			</em>
190			</p>
191			<?php endif; ?>
192			<?php
193			}
194
195			/**
196			* This method verify if nonce is valid then updates a post_meta.
197			*
198			* @param integer $post_id Contains ID of the current post.
199			*
200			* @since 2.0.9
201			* @access public
202			* @return boolean false Returns false if nonce is not valid.
203			*/
204			public function saveVisibilityMetabox( $post_id = '' ) {
205
206			if ( wp_is_post_autosave( $post_id ) ) {
207			return;
208			}
209
210			$is_form_submitted = filter_input( INPUT_POST, 'subway-visibility-form-submitted', FILTER_DEFAULT );
211
212			if ( ! $is_form_submitted ) {
213			return;
214			}
215
216			$public_posts = Options::getPublicPostsIdentifiers();
217
218			$posts_implode = '';
219
220			$visibility_field = 'subway-visibility-settings';
221
222			$visibility_nonce = filter_input(
223			INPUT_POST, 'subway_post_visibility_nonce',
224			FILTER_SANITIZE_STRING
225			);
226
227			$post_visibility = filter_input( INPUT_POST, $visibility_field, FILTER_SANITIZE_STRING );
228
229			$is_valid_visibility_nonce = self::isNonceValid( $visibility_nonce );
230
231			$allowed_roles = filter_input( INPUT_POST, 'subway-visibility-settings-user-role', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY );
232
233			// verify taxonomies meta box nonce
234			if ( false === $is_valid_visibility_nonce ) {
235			return;
236			}
237			if ( empty( $allowed_roles ) ) {
238			$allowed_roles = array();
239			}
240
241			// Update user roles.
242			update_post_meta( $post_id, 'subway-visibility-settings-allowed-user-roles', $allowed_roles );
243
244			if ( ! empty( $post_visibility ) ) {
245			if ( ! empty( $post_id ) ) {
246			if ( 'public' === $post_visibility ) {
247			if ( ! in_array( $post_id, $public_posts ) ) {
248			array_push( $public_posts, $post_id );
249			}
250			}
251			if ( 'private' === $post_visibility ) {
252			if ( in_array( $post_id, $public_posts ) ) {
253			unset( $public_posts[ array_search( $post_id, $public_posts ) ] );
254			}
255			}
256			}
257			}
258
259			if ( ! empty( $post_id ) ) {
260			$posts_implode = implode( ', ', $public_posts );
261
262			if ( 'inherit' !== get_post_status( $post_id ) ) {
263
264			if ( true === $is_valid_visibility_nonce ) {
265			update_option( 'subway_public_post', $posts_implode );
266			update_post_meta(
267			$post_id,
268			self::VISIBILITY_METAKEY,
269			$post_visibility
270			);
271			}
272			}
273			}
274			}
275
276			/**
277			* This method runs the methods that handles the update for a post_meta.
278			*
279			* @param integer $post_id Contains ID of the current post.
280			*
281			* @since 2.0.9
282			* @access public
283			* @return boolean false Returns false if nonce is not valid.
284			*/
285			public function saveMetaboxValues( $post_id ) {
286
287			$this->saveVisibilityMetabox( $post_id );
288			return;
289			}
290
291			/**
292			* Initialize metabox arguments.
293			*
294			* @param array $args The arguments for the get_post_types().
295			* @param string $output Your desired output for the data.
296			*
297			* @since 2.0.9
298			* @access public
299			* @return void
300			*/
301			public static function getPostTypes( $args = '', $output = '' ) {
302
303			if ( empty( $args ) ) {
304			$args = array(
305			'public' => true,
306			);
307			$output = 'names';
308			}
309
310			$post_types = get_post_types( $args, $output );
311
312			return $post_types;
313			}
314
315			/**
316			* This method verify if nonce is valid.
317			*
318			* @param mixed $nonce the name of a metabox nonce.
319			*
320			* @since 2.0.9
321			* @access public
322			* @return boolean true Returns true if nonce is valid.
323			*/
324			public function isNonceValid( $nonce ) {
325
326			if ( ! isset( $nonce ) \|\| ! wp_verify_nonce( $nonce, basename( __FILE__ ) ) ) {
327			return;
328			}
329
330			return true;
331			}
332
333			/**
334			* Checks if a post is set to private.
335			*
336			* @param integer $post_id Contains ID of the current post.
337			*
338			* @since 2.0.9
339			* @access public
340			* @return boolean true Returns true if post is private. Otherwise false.
341			*/
342			public static function isPostPrivate( $post_id ) {
343
344			$meta_value = '';
345
346			if ( ! empty( $post_id ) ) {
347			$meta_value = get_post_meta( $post_id, self::VISIBILITY_METAKEY, true );
348
349			// New page or old pages that don't have Subway'\ Visibility Options
350			if ( empty( $meta_value ) ) {
351			// Get the value from the general settings (Settings > Subway)
352			$is_site_public = Options::isPublicSite();
353			if ( ! $is_site_public ) {
354			// It's private.
355			return true;
356			}
357			}
358			if ( 'private' === $meta_value ) {
359			return true;
360			}
361			}
362
363			return false;
364			}
365
366			/**
367			* Checks if a post is set to public.
368			*
369			* @param integer $post_id Contains ID of the current post.
370			*
371			* @since 2.0.9
372			* @access public
373			* @return boolean true Returns true if post is public. Otherwise false.
374			*/
375			public static function isPostPublic( $post_id ) {
376
377			$public_post = Options::getPublicPostsIdentifiers();
378
379			if ( ! empty( $post_id ) ) {
380			if ( ! in_array( $post_id, $public_post, true ) ) {
381			return true;
382			}
383			}
384
385			return false;
386			}
387
388			/**
389			* Get the allowed users roles
390			*
391			* @param integer $post_id The post ID.
392			* @return mixed Boolean false if metadata does not exists. Otherwise, return the array value of meta.
393			*/
394			public static function getAllowedUserRoles( $post_id = 0 ) {
395
396			$allowed_roles = array();
397
398			if ( ! empty( $post_id ) ) {
399
400			// Check if metadata exists for the following post.
401			if ( metadata_exists( 'post', $post_id, 'subway-visibility-settings-allowed-user-roles' ) ) {
402
403			$allowed_roles = get_post_meta( $post_id, 'subway-visibility-settings-allowed-user-roles', true );
404			if ( ! is_null( $allowed_roles ) ) {
405			return $allowed_roles;
406			}
407			return false;
408
409			} else {
410			return false;
411			}
412
413			} else {
414			return false;
415			}
416
417			return $allowed_roles;
418			}
419
420			/**
421			* Check if the current user has role for the current content.
422			*
423			* @param string $content The content of the post.
424			* @return string The content of the post.
425			*/
426			public function showContentToAllowedRoles( $content ) {
427
428			$post_id = get_the_ID();
429			$allowed_user_roles = self::getAllowedUserRoles( $post_id );
430
431			if ( ! is_singular() && is_main_query() ) {
432			return $content;
433			}
434
435			if ( is_user_logged_in() ) {
436
437			$no_privilege = '<div class="subway-role-not-allowed"><p>' . apply_filters( 'subway-content-restricted-to-role', esc_html__( 'You do not have the right privilege or role to view this page.', 'subway' ) ) . '</p></div>';
438
439			// Restrict access to non admins only.
440			if ( ! current_user_can( 'manage_options' ) ) {
441			if ( ! self::currentUserCanViewPage( $post_id ) ) {
442			return $no_privilege;
443			}
444			}
445
446			// Return the content if the post is not yet saved.
447			if ( false === $allowed_user_roles ) {
448			return $content;
449			}
450			}
451
452			return $content;
453
454			}
455
456			/**
457			* Check to see if current user has a specific roles to view the page
458			*
459			* @return boolean True on success. Otherwise, false.
460			*/
461			public function currentUserCanViewPage( $post_id = 0 ) {
462
463			$allowed_roles = self::getAllowedUserRoles( $post_id );
464
465			// if $allowed_roles is not set, it means meta data is not yet available.
466			// Post roles are checked but are not yet save. So allow viewing.
467			if ( ! $allowed_roles ) {
468			return true;
469			}
470
471			// Only check for logged-in users.
472			if ( is_user_logged_in() ) {
473
474			$can_view = false;
475
476			$user = wp_get_current_user();
477
478			if ( ! is_array( $user->roles ) ) {
479			$user->roles = (array) $user->roles;
480			}
481
482			if ( ! empty( $user->roles ) && is_array( $user->roles ) ) {
483			foreach( $user->roles as $current_user_role ) {
484			if ( in_array( $current_user_role, $allowed_roles ) ) {
485			$can_view = true;
486			}
487			}
488			}
489
490			return $can_view;
491
492			}
493
494			return false;
495			}
496
497			}
498

codehaiku / subway-2.0

Issues (14)

Security Analysis no request data

classes/subway-metabox.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like