PageRenderTime 65ms CodeModel.GetById 24ms RepoModel.GetById 0ms app.codeStats 1ms

/wp-content/plugins/role-scoper/role-scoper_main.php

https://bitbucket.org/broderboy/nycendurance-wordpress
PHP | 1101 lines | 734 code | 258 blank | 109 comment | 252 complexity | 0d0e775a77942124a4499293da41e154 MD5 | raw file
Possible License(s): AGPL-1.0, GPL-3.0, Apache-2.0, GPL-2.0, LGPL-2.1 
    

  1. <?php

    2. 

  2. if( basename(__FILE__) == basename($_SERVER['SCRIPT_FILENAME']) )

    3. 

  3. 	die( 'This page cannot be called directly.' );

    4. 

  4. 	

    5. 

  5. /**

    6. 

  6.  * Scoper PHP class for the WordPress plugin Role Scoper

    7. 

  7.  * role-scoper_main.php

    8. 

  8.  * 

    9. 

  9.  * @author 		Kevin Behrens

    10. 

  10.  * @copyright 	Copyright 2012

    11. 

  11.  * 

    12. 

  12.  */

    13. 

  13. class Scoper

    14. 

  14. {

    15. 

  15. 	var $definitions;

    16. 

  16. 	var $access_types;

    17. 

  17. 	var $data_sources;

    18. 

  18. 	var $taxonomies;

    19. 

  19. 	var $cap_defs;

    20. 

  20. 	var $role_defs;

    21. 

  21. 	

    22. 

  22. 	var $cap_interceptor;		// legacy API

    23. 

  23. 	

    24. 

  24. 	// === Temporary status variables ===

    25. 

  25. 	var $direct_file_access;

    26. 

  26. 	var $listed_ids = array();  // $listed_ids[src_name][object_id] = true : general purpose memory cache for non-post data sources; primary use is with has_cap filter to avoid a separate db query for each listed item 

    27. 

  27. 

    28. 

  28. 	var $default_restrictions = array();

    29. 

  29. 

    30. 

  30. 	// minimal config retrieval to support pre-init usage by WP_Scoped_User before text domain is loaded

    31. 

  31. 	function Scoper() {

    32. 

  32. 		$this->definitions = array( 'data_sources' => 'Data_Sources', 'taxonomies' => 'Taxonomies', 'cap_defs' => 'Capabilities', 'role_defs' => 'Roles' );	

    33. 

  33. 		require_once( dirname(__FILE__).'/definitions_cr.php' );

    34. 

  34. 		

    35. 

  35. 		if ( defined( 'RVY_VERSION' ) )

    36. 

  36. 			$this->cap_interceptor = (object) array();	// legacy support for Revisionary < 1.1 which set flags on this object property

    37. 

  37. 	}

    38. 

  38. 	

    39. 

  39. 	function load_config() {

    40. 

  40. 		require_once( dirname(__FILE__).'/lib/agapetry_config_items.php');

    41. 

  41. 		$this->access_types = new AGP_Config_Items();

    42. 

  42. 		$this->access_types->init( cr_access_types() );  // 'front' and 'admin' are the hardcoded access types

    43. 

  43. 		

    44. 

  44. 		// establish access type for this http request

    45. 

  45. 		$access_name = ( is_admin() || defined('XMLRPC_REQUEST') ) ? 'admin' : 'front';

    46. 

  46. 		$access_name = apply_filters( 'scoper_access_name', $access_name );		// others plugins can apply additional criteria for treating a particular URL with wp-admin or front-end filtering

    47. 

  47. 		if ( ! defined('CURRENT_ACCESS_NAME_RS') )

    48. 

  48. 			define('CURRENT_ACCESS_NAME_RS', $access_name);

    49. 

  49. 

    50. 

  50. 		// disable RS filtering of access type(s) if specified in realm options 

    51. 

  51. 		if ( ! is_admin() || ! defined('SCOPER_REALM_ADMIN_RS') ) {		// don't remove items if the option is being editied

    52. 

  52. 			if ( $disabled_access_types = scoper_get_option('disabled_access_types') )

    53. 

  53. 				$this->access_types->remove_members_by_key($disabled_access_types, true);

    54. 

  54. 				

    55. 

  55. 			// If the detected access type (admin, front or custom) was "disabled", it is still detected, but we note that query filters should not be applied

    56. 

  56. 			if ( ! $this->access_types->is_member($access_name) )

    57. 

  57. 				define('DISABLE_QUERYFILTERS_RS', true);

    58. 

  58. 		}

    59. 

  59. 		

    60. 

  60. 		// populate data_sources, taxonomies, cap_defs, role_defs arrays

    61. 

  61. 		foreach( array_keys($this->definitions) as $topic )

    62. 

  62. 			$this->load_definition( $topic );	

    63. 

  63. 			

    64. 

  64. 		foreach( array_keys($this->definitions) as $topic )

    65. 

  65. 			$this->$topic->lock();

    66. 

  66. 

    67. 

  67. 		// clean up after 3rd party plugins (such as Role Scoping for NGG) which don't set object type and src_name properties for roles

    68. 

  68. 		if ( has_filter( 'define_roles_rs' ) ) {

    69. 

  69. 			require_once( dirname(__FILE__).'/extension-helper_rs.php' );

    70. 

  70. 			scoper_adjust_legacy_extension_cfg( $this->role_defs, $this->cap_defs );

    71. 

  71. 		}

    72. 

  72. 

    73. 

  73. 		add_action( 'set_current_user', array( &$this, 'credit_blogroles' ) );

    74. 

  74. 		

    75. 

  75. 		$this->credit_blogroles();

    76. 

  76. 			

    77. 

  77. 		do_action('config_loaded_rs');

    78. 

  78. 	}

    79. 

  79. 	

    80. 

  80. 	function credit_blogroles() {

    81. 

  81. 		// credit non-logged and "no role" users for any anonymous roles

    82. 

  82. 		global $current_rs_user;

    83. 

  83. 		

    84. 

  84. 		if ( $current_rs_user ) {

    85. 

  85. 			if ( empty($current_rs_user->assigned_blog_roles) ) {

    86. 

  86. 				foreach ( $this->role_defs->filter_keys( -1, array( 'anon_user_blogrole' => true ) ) as $role_handle) {

    87. 

  87. 					$current_rs_user->assigned_blog_roles[ANY_CONTENT_DATE_RS][$role_handle] = true;

    88. 

  88. 					$current_rs_user->blog_roles[ANY_CONTENT_DATE_RS][$role_handle] = true;

    89. 

  89. 				}

    90. 

  90. 			}

    91. 

  91. 	

    92. 

  92. 			if ( isset($current_rs_user->assigned_blog_roles) )

    93. 

  93. 				$this->refresh_blogroles();

    94. 

  94. 		}

    95. 

  95. 	}

    96. 

  96. 	

    97. 

  97. 	function refresh_blogroles() {

    98. 

  98. 		global $current_rs_user;

    99. 

  99. 		

    100. 

  100. 		if ( empty($current_rs_user) )

    101. 

  101. 			return;

    102. 

  102. 		

    103. 

  103. 		$current_rs_user->merge_scoped_blogcaps();

    104. 

  104. 		$GLOBALS['current_user']->allcaps = $current_rs_user->allcaps;

    105. 

  105. 		

    106. 

  106. 		foreach( array( 'groups', 'blog_roles', 'assigned_blog_roles' ) as $var ) {

    107. 

  107. 			$GLOBALS['current_user']->$var = $current_rs_user->$var;

    108. 

  108. 		}

    109. 

  109. 

    110. 

  110. 		if ( $current_rs_user->ID ) {

    111. 

  111. 			foreach ( array_keys($current_rs_user->assigned_blog_roles) as $date_key )

    112. 

  112. 				$current_rs_user->blog_roles[$date_key] = $this->role_defs->add_contained_roles( $current_rs_user->assigned_blog_roles[$date_key] );

    113. 

  113. 		}

    114. 

  114. 	}

    115. 

  115. 	

    116. 

  116. 	function load_definition( $topic ) {

    117. 

  117. 		$class_name = "CR_" . $this->definitions[$topic];

    118. 

  118. 		require_once( strtolower($this->definitions[$topic]) . '_rs.php' );

    119. 

  119. 

    120. 

  120. 		$filter_name = "define_" . strtolower($this->definitions[$topic]) . "_rs";

    121. 

  121. 		$this->$topic = apply_filters( $filter_name, new $class_name( call_user_func("cr_{$topic}") ) );

    122. 

  122. 

    123. 

  123. 		if ( 'role_defs' == $topic ) {

    124. 

  124. 			$this->role_defs->role_caps = apply_filters('define_role_caps_rs', cr_role_caps() );

    125. 

  125. 			

    126. 

  126. 			if ( $user_role_caps = scoper_get_option( 'user_role_caps' ) )

    127. 

  127. 				$this->role_defs->add_role_caps( $user_role_caps );

    128. 

  128. 

    129. 

  129. 			$this->log_cap_usage( $this->role_defs, $this->cap_defs );  // add any otype associations from new user_role_caps, but don't remove an otype association due to disabled_role_caps

    130. 

  130. 

    131. 

  131. 			if ( $disabled_role_caps = scoper_get_option( 'disabled_role_caps' ) )

    132. 

  132. 				$this->role_defs->remove_role_caps( $disabled_role_caps );

    133. 

  133. 

    134. 

  134. 			$this->role_defs->remove_invalid(); // currently don't allow additional custom-defined post, page or link roles

    135. 

  135. 

    136. 

  136. 			$this->customize_role_objscope();

    137. 

  137. 			

    138. 

  138. 			// To support merging in of WP role assignments, always note actual WP-defined roles 

    139. 

  139. 			// regardless of which role type we are scoping with.

    140. 

  140. 			$this->log_wp_roles( $this->role_defs );

    141. 

  141. 		}

    142. 

  142. 	}

    143. 

  143. 	

    144. 

  144. 	function log_cap_usage( &$role_defs, &$cap_defs ) {

    145. 

  145. 		foreach( $role_defs->members as $role_handle => $role_def ) {

    146. 

  146. 			

    147. 

  147. 			foreach( array_keys( $role_defs->role_caps[$role_handle] ) as $cap_name ) {

    148. 

  148. 				if ( empty( $cap_defs->members[$cap_name]->object_types ) || ! in_array( $role_def->object_type, $cap_defs->members[$cap_name]->object_types ) ) {

    149. 

  149. 					if ( 'post' == $role_def->src_name )

    150. 

  150. 						$cap_defs->members[$cap_name]->object_types[] = $role_def->object_type;

    151. 

  151. 						

    152. 

  152. 					elseif ( in_array( $role_def->src_name, array( 'link', 'group' ) ) )	// TODO: other data sources?

    153. 

  153. 						$cap_defs->members[$cap_name]->object_types[] = $role_def->src_name;

    154. 

  154. 				}

    155. 

  155. 			}

    156. 

  156. 		}

    157. 

  157. 	}

    158. 

  158. 	

    159. 

  159. 	function customize_role_objscope() {

    160. 

  160. 		foreach ( $this->role_defs->get_all_keys() as $role_handle ) {

    161. 

  161. 			if ( ! empty($this->role_defs->members[$role_handle]->objscope_equivalents) ) {

    162. 

  162. 				foreach( $this->role_defs->members[$role_handle]->objscope_equivalents as $equiv_key => $equiv_role_handle ) {

    163. 

  163. 					

    164. 

  164. 					if ( scoper_get_option( "{$equiv_role_handle}_role_objscope" ) ) {	// If "Additional Object Role" option is set for this role, treat it as a regular direct-assigned Object Role

    165. 

  165. 

    166. 

  166. 						if ( isset($this->role_defs->members[$equiv_role_handle]->valid_scopes) )

    167. 

  167. 							$this->role_defs->members[$equiv_role_handle]->valid_scopes = array('blog' => 1, 'term' => 1, 'object' => 1);

    168. 

  168. 

    169. 

  169. 						unset( $this->role_defs->members[$role_handle]->objscope_equivalents[$equiv_key] );

    170. 

  170. 				

    171. 

  171. 						if ( ! defined( 'DISABLE_OBJSCOPE_EQUIV_' . $role_handle ) )

    172. 

  172. 							define( 'DISABLE_OBJSCOPE_EQUIV_' . $role_handle, true );	// prevent Role Caption / Abbrev from being substituted from equivalent role

    173. 

  173. 					}

    174. 

  174. 				}

    175. 

  175. 			}

    176. 

  176. 		}	

    177. 

  177. 	}

    178. 

  178. 	

    179. 

  179. 	function log_wp_roles( &$role_defs ) {

    180. 

  180. 		global $wp_roles;

    181. 

  181. 		if ( ! isset($wp_roles) )

    182. 

  182. 			$wp_roles = new WP_Roles();

    183. 

  183. 			

    184. 

  184. 		// populate WP roles least-role-first to match RS roles

    185. 

  185. 		$keys = array_keys($wp_roles->role_objects);

    186. 

  186. 		$keys = array_reverse($keys);

    187. 

  187. 

    188. 

  188. 		$cr_cap_names = $this->cap_defs->get_all_keys();

    189. 

  189. 		

    190. 

  190. 		$last_lock = $role_defs->locked;

    191. 

  191. 		$role_defs->locked = false;

    192. 

  192. 

    193. 

  193. 		foreach ( $keys as $role_name ) {

    194. 

  194. 			if ( ! empty( $wp_roles->role_objects[$role_name]->capabilities ) ) {

    195. 

  195. 				// remove any WP caps which are in array, but have value = false

    196. 

  196. 				if ( $caps = array_intersect( $wp_roles->role_objects[$role_name]->capabilities, array(true) ) )

    197. 

  197. 					$caps = array_intersect_key( $caps, array_flip($cr_cap_names) );  // we only care about WP caps that are RS-defined

    198. 

  198. 			} else

    199. 

  199. 				$caps = array();

    200. 

  200. 

    201. 

  201. 			$role_defs->add( $role_name, 'wordpress', '', '', 'wp' );

    202. 

  202. 

    203. 

  203. 			// temp hardcode for site-wide Nav Menu cap

    204. 

  204. 			if ( ! empty( $caps['edit_theme_options'] ) )

    205. 

  205. 				$caps['manage_nav_menus'] = true;

    206. 

  206. 

    207. 

  207. 			$role_defs->role_caps['wp_' . $role_name] = $caps;

    208. 

  208. 		}

    209. 

  209. 		

    210. 

  210. 		$role_defs->locked = $last_lock;

    211. 

  211. 	}

    212. 

  212. 	

    213. 

  213. 	

    214. 

  214. 	function init() {

    215. 

  215. 		scoper_version_check();

    216. 

  216. 		

    217. 

  217. 		if ( ! isset($this->data_sources) )

    218. 

  218. 			$this->load_config();

    219. 

  219. 		

    220. 

  220. 		$is_administrator = is_content_administrator_rs();

    221. 

  221. 		

    222. 

  222. 		if ( $doing_cron = defined('DOING_CRON') )

    223. 

  223. 			if ( ! defined('DISABLE_QUERYFILTERS_RS') )

    224. 

  224. 				define('DISABLE_QUERYFILTERS_RS', true);

    225. 

  225. 

    226. 

  226. 		if ( ! $this->direct_file_access = strpos($_SERVER['QUERY_STRING'], 'rs_rewrite') )

    227. 

  227. 			$this->add_main_filters();

    228. 

  228. 			

    229. 

  229. 		// ===== Special early exit if this is a plugin install script

    230. 

  230. 		if ( is_admin() ) {

    231. 

  231. 			if ( in_array( $GLOBALS['pagenow'], array( 'plugin-install.php', 'plugin-editor.php' ) ) ) {

    232. 

  232. 				// flush RS cache on activation of any plugin, in case we cached results based on its presence / absence

    233. 

  233. 				if ( ( ! empty($_POST) ) || ( ! empty($_REQUEST['action']) ) ) {

    234. 

  234. 					if ( ! empty($_POST['networkwide']) || ( 'plugin-editor.php' == $GLOBALS['pagenow'] ) )

    235. 

  235. 						wpp_cache_flush_all_sites();

    236. 

  236. 					else

    237. 

  237. 						wpp_cache_flush();

    238. 

  238. 				}

    239. 

  239. 

    240. 

  240. 				do_action( 'scoper_init' );

    241. 

  241. 				return; // no further filtering on WP plugin maintenance scripts

    242. 

  242. 			}

    243. 

  243. 		}

    244. 

  244. 		// =====

    245. 

  245. 

    246. 

  246. 		require_once( dirname(__FILE__).'/attachment-interceptor_rs.php');

    247. 

  247. 		$GLOBALS['attachment_interceptor'] = new AttachmentInterceptor_RS(); // .htaccess file is always there, so we always need to handle its rewrites

    248. 

  248. 				

    249. 

  249. 		// ===== Content Filters to limit/enable the current user

    250. 

  250. 		$disable_queryfilters = defined('DISABLE_QUERYFILTERS_RS');

    251. 

  251. 		

    252. 

  252. 		if ( $disable_queryfilters ) {

    253. 

  253. 			// Some wp-admin pages need to list pages or categories based on front-end access.  Classic example is Subscribe2 categories checklist, included in Subscriber profile

    254. 

  254. 			// In that case, filtering will be applied even if wp-admin filtering is disabled.  API hook enables other plugins to defined their own "always filter" URIs.

    255. 

  255. 			$always_filter_uris = apply_filters( 'scoper_always_filter_uris', array( 'p-admin/profile.php' ) );

    256. 

  256. 

    257. 

  257. 			if ( in_array( $GLOBALS['pagenow'], $always_filter_uris ) || in_array( $GLOBALS['plugin_page_cr'], $always_filter_uris ) ) {

    258. 

  258. 				$disable_queryfilters = false;

    259. 

  259. 				break;

    260. 

  260. 			}

    261. 

  261. 		}

    262. 

  262. 		

    263. 

  263. 		// register a map_meta_cap filter to handle the type-specific meta caps we are forcing

    264. 

  264. 		require_once( dirname(__FILE__).'/meta_caps_rs.php' );	

    265. 

  265. 

    266. 

  266. 		if ( ! $disable_queryfilters ) {

    267. 

  267. 			 if ( ! $is_administrator ) {

    268. 

  268. 				if ( $this->direct_file_access ) {

    269. 

  269. 					require_once( dirname(__FILE__).'/cap-interceptor-basic_rs.php');  // only need to support basic read_post / read_page check for direct file access

    270. 

  270. 					$GLOBALS['cap_interceptor_basic'] = new CapInterceptorBasic_RS();

    271. 

  271. 				} else {

    272. 

  272. 					require_once( dirname(__FILE__).'/cap-interceptor_rs.php');

    273. 

  273. 					$GLOBALS['cap_interceptor'] = new CapInterceptor_RS();

    274. 

  274. 				}

    275. 

  275. 			}

    276. 

  276. 

    277. 

  277. 			// (also use content filters on front end to FILTER IN private content which WP inappropriately hides from administrators)

    278. 

  278. 			if ( ( ! $is_administrator ) || $this->is_front() ) {

    279. 

  279. 				require_once( dirname(__FILE__).'/query-interceptor_rs.php');

    280. 

  280. 				$GLOBALS['query_interceptor'] = new QueryInterceptor_RS();

    281. 

  281. 			}

    282. 

  282. 

    283. 

  283. 			if ( ( ! $this->direct_file_access ) && ( ! $is_administrator || ! defined('XMLRPC_REQUEST') ) ) { // don't tempt trouble by adding hardway filters on XMLRPC for logged administrator

    284. 

  284. 				$this->add_hardway_filters();

    285. 

  285. 				

    286. 

  286. 				if ( $this->is_front() || ! $is_administrator ) {

    287. 

  287. 					require_once( dirname(__FILE__).'/terms-query-lib_rs.php');

    288. 

  288. 				

    289. 

  289. 					if ( awp_ver( '3.1' ) && ! defined( 'SCOPER_LEGACY_TERMS_FILTER' ) ) {

    290. 

  290. 						require_once( dirname(__FILE__).'/terms-interceptor_rs.php');

    291. 

  291. 						$GLOBALS['terms_interceptor'] = new TermsInterceptor_RS();

    292. 

  292. 					} else

    293. 

  293. 						require_once( dirname(__FILE__).'/hardway/hardway-taxonomy-legacy_rs.php');

    294. 

  294. 				}

    295. 

  295. 			}

    296. 

  296. 

    297. 

  297. 		} // endif query filtering not disabled for this access type

    298. 

  298. 

    299. 

  299. 		if ( $is_administrator ) {

    300. 

  300. 			if ( $this->is_front() )

    301. 

  301. 				require_once( 'comments-int-administrator_rs.php' );

    302. 

  302. 		} else

    303. 

  303. 			require_once( 'comments-interceptor_rs.php' );

    304. 

  304. 		

    305. 

  305. 		if ( is_admin() )

    306. 

  306. 			$this->add_admin_ui_filters( $is_administrator );

    307. 

  307. 		

    308. 

  308. 		do_action( 'scoper_init' );

    309. 

  309. 		

    310. 

  310. 		// ===== end Content Filters

    311. 

  311. 		

    312. 

  312. 	} // end function init

    313. 

  313. 	

    314. 

  314. 	

    315. 

  315. 	// filters which are only needed for the wp-admin UI

    316. 

  316. 	function add_admin_ui_filters( $is_administrator ) {

    317. 

  317. 		global $pagenow;

    318. 

  318. 		

    319. 

  319. 		// ===== Admin filters (menu and other basics) which are (almost) always loaded 

    320. 

  320. 		require_once( dirname(__FILE__).'/admin/admin_rs.php');

    321. 

  321. 		$GLOBALS['scoper_admin'] = new ScoperAdmin();

    322. 

  322. 		

    323. 

  323. 		if ( 'async-upload.php' != $pagenow ) {

    324. 

  324. 			if ( ! defined('DISABLE_QUERYFILTERS_RS') || $is_administrator ) {

    325. 

  325. 				require_once( dirname(__FILE__).'/admin/filters-admin-ui_rs.php' );

    326. 

  326. 				$GLOBALS['scoper_admin_filters_ui'] = new ScoperAdminFiltersUI();

    327. 

  327. 			}

    328. 

  328. 		}

    329. 

  329. 		// =====

    330. 

  330. 

    331. 

  331. 		// ===== Script-specific Admin filters 

    332. 

  332. 		if ( 'users.php' == $pagenow ) {

    333. 

  333. 			require_once( dirname(__FILE__).'/admin/filters-admin-users_rs.php' );

    334. 

  334. 			

    335. 

  335. 		} elseif ( 'edit.php' == $pagenow ) {

    336. 

  336. 			if ( ! defined('DISABLE_QUERYFILTERS_RS') || $is_administrator )

    337. 

  337. 				require_once( dirname(__FILE__).'/admin/filters-admin-ui-listing_rs.php' );

    338. 

  338. 

    339. 

  339. 		} elseif ( in_array( $pagenow, array( 'edit-tags.php', 'edit-link-categories.php' ) ) ) {

    340. 

  340. 			if ( ! defined('DISABLE_QUERYFILTERS_RS') )

    341. 

  341. 				require_once( dirname(__FILE__).'/admin/filters-admin-terms_rs.php' );

    342. 

  342. 		}

    343. 

  343. 		// =====

    344. 

  344. 		

    345. 

  345. 		if ( scoper_get_option( 'group_ajax' ) && ( isset( $_GET['rs_user_search'] ) || isset( $_GET['rs_group_search'] ) ) ) {

    346. 

  346. 			require_once( dirname(__FILE__).'/admin/user_query_rs.php' );

    347. 

  347. 			exit;	

    348. 

  348. 		} 

    349. 

  349. 	}

    350. 

  350. 	

    351. 

  351. 	

    352. 

  352. 	function add_hardway_filters() {

    353. 

  353. 		// port or low-level query filters to work around limitations in WP core API

    354. 

  354. 		require_once( dirname(__FILE__).'/hardway/hardway_rs.php'); // need get_pages() filtering to include private pages for some 3rd party plugin config UI (Simple Section Nav)

    355. 

  355. 		

    356. 

  356. 		// buffering of taxonomy children is disabled with non-admin user logged in

    357. 

  357. 		// But that non-admin user may add cats.  Don't allow unfiltered admin to rely on an old copy of children

    358. 

  358. 		global $wp_taxonomies;

    359. 

  359. 		if ( ! empty($wp_taxonomies) ) {

    360. 

  360. 			foreach ( array_keys($wp_taxonomies) as $taxonomy )

    361. 

  361. 				add_filter ( "option_{$taxonomy}_children", create_function( '$option_value', "return rs_get_terms_children('$taxonomy', " . '$option_value );') );

    362. 

  362. 				//add_filter("option_{$taxonomy}_children", create_function( '', "return rs_get_terms_children('$taxonomy');") );

    363. 

  363. 		}

    364. 

  364. 

    365. 

  365. 		if ( is_admin() || defined('XMLRPC_REQUEST') ) {

    366. 

  366.             global $pagenow;

    367. 

  367. 			

    368. 

  368. 			if ( ! in_array( $pagenow, array( 'plugin-editor.php', 'plugins.php' ) ) ) {

    369. 

  369. 	            global $plugin_page_cr;

    370. 

  370. 

    371. 

  371. 				// low-level filtering for miscellaneous admin operations which are not well supported by the WP API

    372. 

  372. 				$hardway_uris = array(

    373. 

  373. 				'index.php',		'revision.php',			'admin.php?page=rvy-revisions',

    374. 

  374. 				'post.php', 		'post-new.php', 		'edit.php', 

    375. 

  375. 				'upload.php', 		'edit-comments.php', 	'edit-tags.php',

    376. 

  376. 				'profile.php',		'admin-ajax.php',

    377. 

  377. 				'link-manager.php', 'link-add.php',			'link.php',		 

    378. 

  378. 				'edit-link-category.php', 	'edit-link-categories.php',

    379. 

  379. 				'media-upload.php',	'nav-menus.php'  

    380. 

  380. 				);

    381. 

  381. 

    382. 

  382. 				$hardway_uris = apply_filters( 'scoper_admin_hardway_uris', $hardway_uris );

    383. 

  383. 																															// support for rs-config-ngg <= 1.0

    384. 

  384. 				if ( defined('XMLRPC_REQUEST') || in_array( $pagenow, $hardway_uris ) || in_array( $plugin_page_cr, $hardway_uris ) || in_array( "p-admin/admin.php?page=$plugin_page_cr", $hardway_uris ) )

    385. 

  385. 					require_once( dirname(__FILE__).'/hardway/hardway-admin_rs.php' );

    386. 

  386.         	}

    387. 

  387. 		} // endif is_admin or xmlrpc

    388. 

  388. 	}

    389. 

  389. 	

    390. 

  390. 	

    391. 

  391. 	// add filters which were skipped due to direct file access, but are now needed for the error page display

    392. 

  392. 	function add_main_filters() {

    393. 

  393. 		$is_admin = is_admin();

    394. 

  394. 		$is_administrator = is_content_administrator_rs();

    395. 

  395. 		$disable_queryfilters = defined('DISABLE_QUERYFILTERS_RS');

    396. 

  396. 		$frontend_admin = false;

    397. 

  397. 		

    398. 

  398. 		if ( ! defined('DOING_CRON') ) {

    399. 

  399. 			if ( $this->is_front() ) {

    400. 

  400. 				if ( ! $disable_queryfilters )

    401. 

  401. 					require_once( dirname(__FILE__).'/query-interceptor-front_rs.php');

    402. 

  402. 	

    403. 

  403. 				if ( ! $is_administrator ) {

    404. 

  404. 					require_once( dirname(__FILE__).'/qry-front_non-administrator_rs.php');

    405. 

  405. 					$GLOBALS['feed_interceptor'] = new FeedInterceptor_RS(); // file already required in role-scoper.php

    406. 

  406. 				}

    407. 

  407. 	

    408. 

  408. 				require_once( dirname(__FILE__).'/template-interceptor_rs.php');

    409. 

  409. 				$GLOBALS['template_interceptor'] = new TemplateInterceptor_RS();

    410. 

  410. 	

    411. 

  411. 				$frontend_admin = ! scoper_get_option('no_frontend_admin'); // potential performance enhancement	

    412. 

  412. 

    413. 

  413. 				if ( ! empty($_REQUEST['s']) && function_exists('relevanssi_query') ) {

    414. 

  414. 					require_once( dirname(__FILE__).'/relevanssi-helper-front_rs.php' );

    415. 

  415. 					$rel_helper_rs = new Relevanssi_Search_Filter_RS();

    416. 

  416. 				}

    417. 

  417. 			}

    418. 

  418. 

    419. 

  419. 			// ===== Filters which are always loaded (except on plugin scripts), for any access type

    420. 

  420. 			include_once( dirname(__FILE__).'/hardway/wp-patches_agp.php' ); // simple patches for WP

    421. 

  421. 			

    422. 

  422. 			if ( $this->is_front() || ( 'edit.php' == $GLOBALS['pagenow'] ) ) {

    423. 

  423. 				require_once( dirname(__FILE__).'/query-interceptor-base_rs.php');

    424. 

  424. 				$GLOBALS['query_interceptor_base'] = new QueryInterceptorBase_RS();  // listing filter used for role status indication in edit posts/pages and on front end by template functions

    425. 

  425. 			}

    426. 

  426. 		}

    427. 

  427. 		

    428. 

  428. 		// ===== Filters which support automated role maintenance following content creation/update

    429. 

  429. 		// Require an explicitly set option to skip these for front end access, just in case other plugins modify content from the front end.

    430. 

  430. 		if ( ( $is_admin || defined('XMLRPC_REQUEST') || $frontend_admin || defined('DOING_CRON') ) ) {

    431. 

  431. 			require_once( dirname(__FILE__).'/admin/cache_flush_rs.php' );

    432. 

  432. 			require_once( dirname(__FILE__).'/admin/filters-admin_rs.php' );

    433. 

  433. 			$GLOBALS['scoper_admin_filters'] = new ScoperAdminFilters();

    434. 

  434. 			

    435. 

  435. 			if ( defined( 'RVY_VERSION' ) ) // Support Revisionary references to $scoper->filters_admin (TODO: eventually phase this out)

    436. 

  436. 				$this->filters_admin =& $GLOBALS['scoper_admin_filters'];

    437. 

  437. 		}

    438. 

  438. 		// =====

    439. 

  439. 	}

    440. 

  440. 	

    441. 

  441. 

    442. 

  442. 	function init_users_interceptor() {

    443. 

  443. 		if ( ! isset($GLOBALS['users_interceptor']) ) {

    444. 

  444. 			require_once( dirname(__FILE__).'/users-interceptor_rs.php');

    445. 

  445. 			$GLOBALS['users_interceptor'] = new UsersInterceptor_RS();

    446. 

  446. 

    447. 

  447. 			//log_mem_usage_rs( 'init Users Interceptor' );

    448. 

  448. 		}

    449. 

  449. 		

    450. 

  450. 		return $GLOBALS['users_interceptor'];

    451. 

  451. 	}

    452. 

  452. 	

    453. 

  453. 	

    454. 

  454. 	// Primarily for internal use. Drops some features of WP core get_terms while adding the following versatility:

    455. 

  455. 	// - supports any RS-defined taxonomy, with or without WP taxonomy schema

    456. 

  456. 	// - optionally return term_id OR term_taxonomy_id as single column

    457. 

  457. 	// - specify filtered or unfiltered via argument

    458. 

  458. 	// - optionally get terms for a specific object

    459. 

  459. 	// - option to order by term hierarchy (but structure as flat array)

    460. 

  460. 	function get_terms($taxonomy, $filtering = true, $cols = COLS_ALL_RS, $object_id = 0, $args = array()) {

    461. 

  461. 		if ( ! $tx = $this->taxonomies->get($taxonomy) )

    462. 

  462. 			return array();

    463. 

  463. 

    464. 

  464. 		global $wpdb;

    465. 

  465. 

    466. 

  466. 		$defaults = array( 'order_by' => '', 'use_object_roles' => false, 'operation' => '' ); // IMPORTANT to default operation to nullstring

    467. 

  467. 		$args = array_merge( $defaults, (array) $args );

    468. 

  468. 		extract($args);

    469. 

  469. 

    470. 

  470. 		if (  is_administrator_rs( $this->taxonomies->member_property( $taxonomy, 'object_source' ) ) )

    471. 

  471. 			$filtering = false;

    472. 

  472. 

    473. 

  473. 		// try to pull it out of wpcache

    474. 

  474. 		$ckey = md5( $taxonomy . $cols . $object_id . serialize($args) . $order_by );

    475. 

  475. 		

    476. 

  476. 		if ( $filtering ) {

    477. 

  477. 			$src_name = $this->taxonomies->member_property($taxonomy, 'object_source', 'name');

    478. 

  478. 

    479. 

  479. 			$args['reqd_caps_by_otype'] = $this->get_terms_reqd_caps( $taxonomy, $operation, ADMIN_TERMS_FILTER_RS === $filtering );

    480. 

  480. 

    481. 

  481. 			$ckey = md5( $ckey . serialize($args['reqd_caps_by_otype']) ); ; // can vary based on request URI

    482. 

  482. 		

    483. 

  483. 			global $current_rs_user;

    484. 

  484. 			$cache_flag = 'rs_scoper_get_terms';

    485. 

  485. 			$cache = $current_rs_user->cache_get($cache_flag);

    486. 

  486. 		} else {			

    487. 

  487. 			$cache_flag = "all_terms";

    488. 

  488. 			$cache_id = 'all';

    489. 

  489. 			$cache = wpp_cache_get( $cache_id, $cache_flag );

    490. 

  490. 		}

    491. 

  491. 

    492. 

  492. 		if ( isset( $cache[ $ckey ] ) ) {

    493. 

  493. 			return $cache[ $ckey ];

    494. 

  494. 		}

    495. 

  495. 			

    496. 

  496. 		// call base class method to build query

    497. 

  497. 		$terms_only = ( ! $filtering || empty($use_object_roles) );

    498. 

  498. 	

    499. 

  499. 		$query_base = $this->taxonomies->get_terms_query($taxonomy, $cols, $object_id, $terms_only );

    500. 

  500. 

    501. 

  501. 		if ( ! $query_base )

    502. 

  502. 			return array();

    503. 

  503. 

    504. 

  504. 		$query = ( $filtering ) ? apply_filters('terms_request_rs', $query_base, $taxonomy, $args) : $query_base;

    505. 

  505. 

    506. 

  506. 		// avoid sending alarms to SQL purists if this query was not modified by RS filter

    507. 

  507. 		if ( $query_base == $query )

    508. 

  508. 			$query = str_replace( 'WHERE 1=1 AND', 'WHERE', $query );

    509. 

  509. 		

    510. 

  510. 		if ( COL_ID_RS == $cols )

    511. 

  511. 			$results = scoper_get_col($query);

    512. 

  512. 		elseif ( COL_COUNT_RS == $cols )

    513. 

  513. 			$results = intval( scoper_get_var($query) );

    514. 

  514. 		else {

    515. 

  515. 			// TODO: why is this still causing an extra (and costly) scoped query?

    516. 

  516. 			/*

    517. 

  517. 			// for COLS_ALL query, need to call core get_terms call in case another plugin is translating term names

    518. 

  518. 			if ( has_filter( 'get_terms', array('ScoperHardwayTaxonomy', 'flt_get_terms') ) ) {

    519. 

  519. 				remove_filter( 'get_terms', array('ScoperHardwayTaxonomy', 'flt_get_terms'), 1, 3 );

    520. 

  520. 				$all_terms = get_terms($taxonomy);

    521. 

  521. 				add_filter( 'get_terms', array('ScoperHardwayTaxonomy', 'flt_get_terms'), 1, 3 );

    522. 

  522. 

    523. 

  523. 				$term_names = scoper_get_property_array( $all_terms, 'term_id', 'name' );

    524. 

  524. 			}

    525. 

  525. 			*/

    526. 

  526. 			

    527. 

  527. 			$results = scoper_get_results($query);

    528. 

  528. 

    529. 

  529. 			//scoper_restore_property_array( $results, $term_names, 'term_id', 'name' );

    530. 

  530. 				

    531. 

  531. 			if ( ORDERBY_HIERARCHY_RS == $order_by ) {

    532. 

  532. 				require_once( dirname(__FILE__).'/admin/admin_lib_rs.php');

    533. 

  533. 				

    534. 

  534. 				if ( $src = $this->data_sources->get( $tx->source ) ) {

    535. 

  535. 					if ( ! empty($src->cols->id) && ! empty($src->cols->parent) ) {

    536. 

  536. 						require_once( dirname(__FILE__).'/admin/admin_lib-bulk-parent_rs.php');

    537. 

  537. 						$results = ScoperAdminBulkParent::order_by_hierarchy($results, $src->cols->id, $src->cols->parent);

    538. 

  538. 					}

    539. 

  539. 				}

    540. 

  540. 			}

    541. 

  541. 		}

    542. 

  542. 		

    543. 

  543. 		$cache[ $ckey ] = $results;

    544. 

  544. 

    545. 

  545. 		if ( $results || empty( $_POST ) ) { // todo: why do we get an empty array for unfiltered request for object terms early in POST processing? (on submission of a new post by a contributor)

    546. 

  546. 			if ( $filtering )

    547. 

  547. 				$current_rs_user->cache_force_set( $cache, $cache_flag );

    548. 

  548. 			else

    549. 

  549. 				wpp_cache_force_set( $cache_id, $cache, $cache_flag );	

    550. 

  550. 		}

    551. 

  551. 		

    552. 

  552. 		return $results;

    553. 

  553. 	}

    554. 

  554. 	

    555. 

  555. 	function get_default_restrictions($scope, $args = array()) {

    556. 

  556. 		$defaults = array( 'force_refresh' => false );

    557. 

  557. 		$args = array_merge( $defaults, (array) $args );

    558. 

  558. 		extract($args);

    559. 

  559. 	

    560. 

  560. 		if ( isset($this->default_restrictions[$scope]) && ! $force_refresh )

    561. 

  561. 			return $this->default_restrictions[$scope];

    562. 

  562. 		

    563. 

  563. 		if ( empty($force_refresh) ) {

    564. 

  564. 			$cache_flag = "rs_{$scope}_def_restrictions";

    565. 

  565. 			$cache_id = md5('');	// maintain default id generation from previous versions

    566. 

  566. 

    567. 

  567. 			$default_strict = wpp_cache_get($cache_id, $cache_flag);

    568. 

  568. 		}

    569. 

  569. 		

    570. 

  570. 		if ( $force_refresh || ! is_array($default_strict) ) {

    571. 

  571. 			global $wpdb;

    572. 

  572. 			

    573. 

  573. 			$qry = "SELECT src_or_tx_name, role_name FROM $wpdb->role_scope_rs WHERE role_type = 'rs' AND topic = '$scope' AND max_scope = '$scope' AND obj_or_term_id = '0'";

    574. 

  574. 

    575. 

  575. 			$default_strict = array();

    576. 

  576. 			if ( $results = scoper_get_results($qry) ) {

    577. 

  577. 				foreach ( $results as $row ) {

    578. 

  578. 					$role_handle = scoper_get_role_handle($row->role_name, 'rs');

    579. 

  579. 					$default_strict[$row->src_or_tx_name][$role_handle] = true;

    580. 

  580. 					

    581. 

  581. 					if (OBJECT_SCOPE_RS == $scope) {

    582. 

  582. 						if ( $objscope_equivalents = $this->role_defs->member_property($role_handle, 'objscope_equivalents') )

    583. 

  583. 							foreach ( $objscope_equivalents as $equiv_role_handle )

    584. 

  584. 								$default_strict[$row->src_or_tx_name][$equiv_role_handle] = true;

    585. 

  585. 					}

    586. 

  586. 					

    587. 

  587. 				}

    588. 

  588. 			}

    589. 

  589. 		}

    590. 

  590. 		

    591. 

  591. 		$this->default_restrictions[$scope] = $default_strict;

    592. 

  592. 

    593. 

  593. 		wpp_cache_set($cache_id, $default_strict, $cache_flag);

    594. 

  594. 		

    595. 

  595. 		return $default_strict;

    596. 

  596. 	}

    597. 

  597. 	

    598. 

  598. 	// for any given role requirement, a strict term is one which won't blend in blog role assignments

    599. 

  599. 	// (i.e. a term which requires the specified role to be assigned as a term role or object role)

    600. 

  600. 	//

    601. 

  601. 	// returns $arr['restrictions'][role_handle][obj_or_term_id] = array( 'assign_for' => $row->assign_for, 'inherited_from' => $row->inherited_from ),

    602. 

  602. 	//				['unrestrictions'][role_handle][obj_or_term_id] = array( 'assign_for' => $row->assign_for, 'inherited_from' => $row->inherited_from )

    603. 

  603. 	function get_restrictions($scope, $src_or_tx_name, $args = array()) {

    604. 

  604. 		$def_cols = COL_ID_RS;

    605. 

  605. 

    606. 

  606. 		// Note: propogating child restrictions are always directly assigned to the child term(s).

    607. 

  607. 		// Use include_child_restrictions to force inclusion of restrictions that are set for child items only,

    608. 

  608. 		// for direct admin of these restrictions and for propagation on term/object creation.

    609. 

  609. 		$defaults = array( 	'id' => 0,					'include_child_restrictions' => false,

    610. 

  610. 						 	'force_refresh' => false, 

    611. 

  611. 						 	'cols' => $def_cols,		'return_array' => false );

    612. 

  612. 		$args = array_merge( $defaults, (array) $args );

    613. 

  613. 		extract($args);

    614. 

  614. 		

    615. 

  615. 		$cache_flag = "rs_{$scope}_restrictions_{$src_or_tx_name}";

    616. 

  616. 		$cache_id = md5($src_or_tx_name . $cols . strval($return_array) . strval($include_child_restrictions) );

    617. 

  617. 

    618. 

  618. 		if ( ! $force_refresh ) {

    619. 

  619. 			$items = wpp_cache_get($cache_id, $cache_flag);

    620. 

  620. 

    621. 

  621. 			if ( is_array($items) ) {

    622. 

  622. 				if ( $id ) {

    623. 

  623. 					foreach ( $items as $setting_type => $roles )

    624. 

  624. 						foreach ( array_keys($roles) as $role_handle )

    625. 

  625. 							$items[$setting_type][$role_handle] = array_intersect_key( $items[$setting_type][$role_handle], array( $id => true ) );

    626. 

  626. 				}

    627. 

  627. 

    628. 

  628. 				return $items;

    629. 

  629. 			}

    630. 

  630. 		}

    631. 

  631. 		

    632. 

  632. 		if ( ! isset($this->default_restrictions[$scope]) )

    633. 

  633. 			$this->default_restrictions[$scope] = $this->get_default_restrictions($scope);

    634. 

  634. 

    635. 

  635. 		global $wpdb;

    636. 

  636. 

    637. 

  637. 		if ( ! empty($this->default_restrictions[$scope][$src_or_tx_name]) ) {

    638. 

  638. 			if ( $strict_roles = array_keys($this->default_restrictions[$scope][$src_or_tx_name]) ) {

    639. 

  639. 				if ( OBJECT_SCOPE_RS == $scope ) {

    640. 

  640. 					// apply default_strict handling to objscope equivalents of each strict role

    641. 

  641. 					foreach ( $strict_roles as $role_handle )

    642. 

  642. 						if ( $objscope_equivalents = $this->role_defs->member_property($role_handle, 'objscope_equivalents') )

    643. 

  643. 							$strict_roles = array_merge($strict_roles, $objscope_equivalents);

    644. 

  644. 							

    645. 

  645. 					$strict_roles = array_unique($strict_roles);

    646. 

  646. 				}

    647. 

  647. 			}

    648. 

  648. 			

    649. 

  649. 			$strict_role_in = "'" . implode("', '", scoper_role_handles_to_names($strict_roles) ) . "'";

    650. 

  650. 		} else

    651. 

  651. 			$strict_role_in = '';

    652. 

  652. 		

    653. 

  653. 		$items = array();				

    654. 

  654. 		if ( ! empty($strict_roles) ) {

    655. 

  655. 			foreach ( $strict_roles as $role_handle )

    656. 

  656. 				$items['unrestrictions'][$role_handle] = array();  // calling code will use this as an indication that the role is default strict

    657. 

  657. 		}

    658. 

  658. 		

    659. 

  659. 		$default_strict_modes = array( false );

    660. 

  660. 		

    661. 

  661. 		if ( $strict_role_in )

    662. 

  662. 			$default_strict_modes []= true;

    663. 

  663. 

    664. 

  664. 		foreach ( $default_strict_modes as $default_strict ) {

    665. 

  665. 			$setting_type = ( $default_strict ) ? 'unrestrictions' : 'restrictions';

    666. 

  666. 

    667. 

  667. 			if ( TERM_SCOPE_RS == $scope )

    668. 

  668. 				$max_scope = ( $default_strict ) ? 'blog' : 'term';  // note: max_scope='object' entries are treated as separate, overriding requirements

    669. 

  669. 			else

    670. 

  670. 				$max_scope = ( $default_strict ) ? 'blog' : 'object'; // Storage of 'blog' max_scope as object restriction does not eliminate any term restrictions.  It merely indicates, for data sources that are default strict, that this object does not restrict roles

    671. 

  671. 				

    672. 

  672. 			if ( $default_strict )

    673. 

  673. 				$role_clause = "AND role_name IN ($strict_role_in)";

    674. 

  674. 			elseif ($strict_role_in)

    675. 

  675. 				$role_clause = "AND role_name NOT IN ($strict_role_in)";

    676. 

  676. 			else

    677. 

  677. 				$role_clause = '';

    678. 

  678. 

    679. 

  679. 			$for_clause = ( $include_child_restrictions ) ? '' : "AND require_for IN ('entity', 'both')";

    680. 

  680. 			

    681. 

  681. 			$qry_base = "FROM $wpdb->role_scope_rs WHERE role_type = 'rs' AND topic = '$scope' AND max_scope = '$max_scope' AND src_or_tx_name = '$src_or_tx_name' $for_clause $role_clause";

    682. 

  682. 			

    683. 

  683. 			if ( COL_COUNT_RS == $cols )

    684. 

  684. 				$qry = "SELECT role_name, count(obj_or_term_id) AS item_count, require_for $qry_base GROUP BY role_name";

    685. 

  685. 			else

    686. 

  686. 				$qry = "SELECT role_name, obj_or_term_id, require_for AS assign_for, inherited_from $qry_base";

    687. 

  687. 

    688. 

  688. 			if ( $results = scoper_get_results($qry) ) {

    689. 

  689. 				foreach( $results as $row) {

    690. 

  690. 					$role_handle = scoper_get_role_handle($row->role_name, 'rs');

    691. 

  691. 					

    692. 

  692. 					if ( COL_COUNT_RS == $cols )

    693. 

  693. 						$items[$setting_type][$role_handle] = $row->item_count;

    694. 

  694. 					elseif ( $return_array )

    695. 

  695. 						$items[$setting_type][$role_handle][$row->obj_or_term_id] = array( 'assign_for' => $row->assign_for, 'inherited_from' => $row->inherited_from );

    696. 

  696. 					else

    697. 

  697. 						$items[$setting_type][$role_handle][$row->obj_or_term_id] = $row->assign_for;

    698. 

  698. 				}

    699. 

  699. 			}

    700. 

  700. 			

    701. 

  701. 		} // end foreach default_strict_mode

    702. 

  702. 

    703. 

  703. 		wpp_cache_force_set($cache_id, $items, $cache_flag);

    704. 

  704. 

    705. 

  705. 		if ( $id ) {

    706. 

  706. 			foreach ( $items as $setting_type => $roles )

    707. 

  707. 				foreach ( array_keys($roles) as $role_handle )

    708. 

  708. 					$items[$setting_type][$role_handle] = array_intersect_key( $items[$setting_type][$role_handle], array( $id => true ) );

    709. 

  709. 		}

    710. 

  710. 

    711. 

  711. 		return $items;

    712. 

  712. 	}

    713. 

  713. 	

    714. 

  714. 	

    715. 

  715. 	// wrapper for back-compat with calling code expecting array without date limit dimension

    716. 

  716. 	function qualify_terms($reqd_caps, $taxonomy = 'category', $qualifying_roles = '', $args = array()) {

    717. 

  717. 		$terms = $this->qualify_terms_daterange( $reqd_caps, $taxonomy, $qualifying_roles, $args );

    718. 

  718. 		

    719. 

  719. 		if ( isset($terms['']) && is_array($terms['']) )

    720. 

  720. 			return $terms[''];

    721. 

  721. 		else

    722. 

  722. 			return array();

    723. 

  723. 	}

    724. 

  724. 

    725. 

  725. 	// $qualifying_roles = array[role_handle] = 1 : qualifying roles

    726. 

  726. 	// returns array of term_ids (terms which have at least one of the qualifying roles assigned)

    727. 

  727. 	function qualify_terms_daterange($reqd_caps, $taxonomy = 'category', $qualifying_roles = '', $args = array()) {

    728. 

  728. 		$defaults = array( 'user' => '', 'return_id_type' => COL_ID_RS, 'use_blog_roles' => true, 'ignore_restrictions' => false );

    729. 

  729. 

    730. 

  730. 		if ( isset($args['qualifying_roles']) )

    731. 

  731. 			unset($args['qualifying_roles']);

    732. 

  732. 			

    733. 

  733. 		if ( isset($args['reqd_caps']) )

    734. 

  734. 			unset($args['reqd_caps']);

    735. 

  735. 

    736. 

  736. 		$args = array_merge( $defaults, (array) $args );

    737. 

  737. 		extract($args);

    738. 

  738. 

    739. 

  739. 		if ( ! $qualifying_roles )  // calling function might save a little work or limit to a subset of qualifying roles

    740. 

  740. 			$qualifying_roles = $this->role_defs->qualify_roles( $reqd_caps );

    741. 

  741. 

    742. 

  742. 		if ( ! $this->taxonomies->is_member($taxonomy) )

    743. 

  743. 			return array( '' => array() );

    744. 

  744. 		

    745. 

  745. 		if ( ! is_object($user) ) {

    746. 

  746. 			$user = $GLOBALS['current_rs_user'];

    747. 

  747. 		}

    748. 

  748. 		

    749. 

  749. 		// If the taxonomy does not require objects to have at least one term, there are no strict terms.

    750. 

  750. 		if ( ! $this->taxonomies->member_property($taxonomy, 'requires_term') )

    751. 

  751. 			$ignore_restrictions = true;

    752. 

  752. 			

    753. 

  753. 		if ( ! is_array($qualifying_roles) )

    754. 

  754. 			$qualifying_roles = array($qualifying_roles => 1);	

    755. 

  755. 

    756. 

  756. 		// no need to serialize and md5 the whole user object

    757. 

  757. 		if ( ! empty($user) )

    758. 

  758. 			$args['user'] = $user->ID;

    759. 

  759. 

    760. 

  760. 		// try to pull previous result out of memcache

    761. 

  761. 		ksort($qualifying_roles);

    762. 

  762. 		$rolereq_key = md5( serialize($reqd_caps) . serialize( array_keys($qualifying_roles) ) . serialize($args) );

    763. 

  763. 		

    764. 

  764. 		if ( isset($user->qualified_terms[$taxonomy][$rolereq_key]) )

    765. 

  765. 			return $user->qualified_terms[$taxonomy][$rolereq_key];

    766. 

  766. 			

    767. 

  767. 		if ( ! $qualifying_roles )

    768. 

  768. 			return array( '' => array() );

    769. 

  769. 

    770. 

  770. 		$all_terms = $this->get_terms($taxonomy, UNFILTERED_RS, COL_ID_RS); // returns term_id, even for WP > 2.3

    771. 

  771. 

    772. 

  772. 		if ( ! isset($user->term_roles[$taxonomy]) )

    773. 

  773. 			$user->get_term_roles_daterange($taxonomy);  // returns term_id for categories

    774. 

  774. 

    775. 

  775. 		$good_terms = array( '' => array() );

    776. 

  776. 		

    777. 

  777. 		if ( $user->term_roles[$taxonomy] ) {

    778. 

  778. 			foreach ( array_keys($user->term_roles[$taxonomy]) as $date_key ) {

    779. 

  779. 				//narrow down to roles which satisfy this call AND are owned by current user

    780. 

  780. 				if ( $good_terms[$date_key] = array_intersect_key( $user->term_roles[$taxonomy][$date_key], $qualifying_roles ) )

    781. 

  781. 					// flatten from term_roles_terms[role_handle] = array of term_ids

    782. 

  782. 					// to term_roles_terms = array of term_ids

    783. 

  783. 					$good_terms[$date_key] = agp_array_flatten( $good_terms[$date_key] );

    784. 

  784. 			}

    785. 

  785. 		}

    786. 

  786. 

    787. 

  787. 		if ( $use_blog_roles ) {

    788. 

  788. 			foreach ( array_keys($user->blog_roles) as $date_key ) {	

    789. 

  789. 				$user_blog_roles = array_intersect_key( $user->blog_roles[$date_key], $qualifying_roles );

    790. 

  790. 

    791. 

  791. 				// Also include user's WP blogrole(s) which correspond to the qualifying RS role(s)

    792. 

  792. 				if ( $wp_qualifying_roles = $this->role_defs->qualify_roles($reqd_caps, 'wp') ) {

    793. 

  793. 					

    794. 

  794. 					if ( $user_blog_roles_wp = array_intersect_key( $user->blog_roles[$date_key], $wp_qualifying_roles ) ) {

    795. 

  795. 					

    796. 

  796. 						// Credit user's qualifying WP blogrole via equivalent RS role(s)

    797. 

  797. 						// so we can also enforce "term restrictions", which are based on RS roles

    798. 

  798. 						$user_blog_roles_via_wp = $this->role_defs->get_contained_roles( array_keys($user_blog_roles_wp), false, 'rs' );

    799. 

  799. 						$user_blog_roles_via_wp = array_intersect_key( $user_blog_roles_via_wp, $qualifying_roles );

    800. 

  800. 						$user_blog_roles = array_merge( $user_blog_roles, $user_blog_roles_via_wp );

    801. 

  801. 					}

    802. 

  802. 				}

    803. 

  803. 				

    804. 

  804. 				if ( $user_blog_roles ) {

    805. 

  805. 					if ( empty($ignore_restrictions) ) {

    806. 

  806. 						// array of term_ids that require the specified role to be assigned via taxonomy or object role (user blog caps ignored)

    807. 

  807. 						$strict_terms = $this->get_restrictions(TERM_SCOPE_RS, $taxonomy);

    808. 

  808. 					} else

    809. 

  809. 						$strict_terms = array();

    810. 

  810. 

    811. 

  811. 					foreach ( array_keys($user_blog_roles) as $role_handle ) {

    812. 

  812. 						if ( isset($strict_terms['restrictions'][$role_handle]) && is_array($strict_terms['restrictions'][$role_handle]) )

    813. 

  813. 							$terms_via_this_role = array_diff( $all_terms, array_keys($strict_terms['restrictions'][$role_handle]) );

    814. 

  814. 						

    815. 

  815. 						elseif ( isset($strict_terms['unrestrictions'][$role_handle]) && is_array($strict_terms['unrestrictions'][$role_handle]) )

    816. 

  816. 							$terms_via_this_role = array_intersect( $all_terms, array_keys( $strict_terms['unrestrictions'][$role_handle] ) );

    817. 

  817. 						

    818. 

  818. 						else

    819. 

  819. 							$terms_via_this_role = $all_terms;

    820. 

  820. 	

    821. 

  821. 						if( $good_terms[$date_key] )

    822. 

  822. 							$good_terms[$date_key] = array_merge( $good_terms[$date_key], $terms_via_this_role );

    823. 

  823. 						else

    824. 

  824. 							$good_terms[$date_key] = $terms_via_this_role;

    825. 

  825. 					}

    826. 

  826. 				}

    827. 

  827. 			}

    828. 

  828. 		}

    829. 

  829. 

    830. 

  830. 		foreach ( array_keys($good_terms) as $date_key ) {

    831. 

  831. 			if ( $good_terms[$date_key] = array_intersect( $good_terms[$date_key], $all_terms ) )  // prevent orphaned category roles from skewing access

    832. 

  832. 				$good_terms[$date_key] = array_unique( $good_terms[$date_key] );

    833. 

  833. 		

    834. 

  834. 			// if COL_TAXONOMY_ID_RS, return a term_taxonomy_id instead of term_id

    835. 

  835. 			if ( $good_terms[$date_key] && (COL_TAXONOMY_ID_RS == $return_id_type) && taxonomy_exists($taxonomy) ) {

    836. 

  836. 				$all_terms_cols = $this->get_terms( $taxonomy, UNFILTERED_RS );

    837. 

  837. 				$good_tt_ids = array();

    838. 

  838. 				foreach ( $good_terms[$date_key] as $term_id )

    839. 

  839. 					foreach ( array_keys($all_terms_cols) as $termkey )

    840. 

  840. 						if ( $all_terms_cols[$termkey]->term_id == $term_id ) {

    841. 

  841. 							$good_tt_ids []= $all_terms_cols[$termkey]->term_taxonomy_id;

    842. 

  842. 							break;

    843. 

  843. 						}

    844. 

  844. 						

    845. 

  845. 				$good_terms[$date_key] = $good_tt_ids;

    846. 

  846. 			}

    847. 

  847. 		}

    848. 

  848. 		

    849. 

  849. 		$user->qualified_terms[$taxonomy][$rolereq_key] = $good_terms;

    850. 

  850. 

    851. 

  851. 		return $good_terms;

    852. 

  852. 	}

    853. 

  853. 	

    854. 

  854. 	// account for different contexts of get_terms calls 

    855. 

  855. 	// (Scoped roles can dictate different results for front end, edit page/post, manage categories)

    856. 

  856. 	function get_terms_reqd_caps( $taxonomy, $operation = '', $is_term_admin = false ) {

    857. 

  857. 		global $pagenow;

    858. 

  858. 

    859. 

  859. 		if ( ! $src_name = $this->taxonomies->member_property( $taxonomy, 'object_source' ) ) {

    860. 

  860. 			if ( taxonomy_exists( $taxonomy ) )

    861. 

  861. 				$src_name = 'post';

    862. 

  862. 		}

    863. 

  863. 

    864. 

  864. 		$return_caps = array();

    865. 

  865. 

    866. 

  866. 		$is_term_admin = $is_term_admin 

    867. 

  867. 		|| in_array( $pagenow, array( 'edit-tags.php' ) ) 

    868. 

  868. 		|| ( 'nav_menu' == $taxonomy && ( 'nav-menus.php' == $pagenow ) 

    869. 

  869. 		|| ( ( 'admin-ajax.php' == $pagenow ) && ( ! empty($_REQUEST['action']) && in_array( $_REQUEST['action'], array( 'add-menu-item', 'menu-locations-save' ) ) ) )

    870. 

  870. 		);	// possible TODO: abstract for non-WP taxonomies

    871. 

  871. 

    872. 

  872. 		if ( $is_term_admin ) {

    873. 

  873. 			// query pertains to the management of terms

    874. 

  874. 			if ( 'post' == $src_name ) {

    875. 

  875. 				$taxonomy_obj = get_taxonomy( $taxonomy );

    876. 

  876. 				$return_caps[$taxonomy] = array( $taxonomy_obj->cap->manage_terms );

    877. 

  877. 			} elseif ( 'link_category' == $taxonomy ) { 

    878. 

  878. 				$return_caps[$taxonomy] = array( 'manage_categories' );

    879. 

  879. 			} else {

    880. 

  880. 				global $scoper;

    881. 

  881. 				$cap_defs = $scoper->cap_defs->get_matching( $src_name, $taxonomy, OP_ADMIN_RS );

    882. 

  882. 				$return_caps[$taxonomy] = $cap_defs ? array_keys( $cap_defs ) : array();

    883. 

  883. 			}

    884. 

  884. 

    885. 

  885. 		} else {

    886. 

  886. 			// query pertains to reading or editing content within certain terms, or adding terms to content

    887. 

  887. 			

    888. 

  888. 			$base_caps_only = true;

    889. 

  889. 			

    890. 

  890. 			if ( 'post' == $src_name ) {

    891. 

  891. 				if ( ! $operation )

    892. 

  892. 					$operation = ( $this->is_front() || ( 'profile.php' == $pagenow ) || ( is_admin() && ( 's2' == $GLOBALS['plugin_page'] ) ) ) ? 'read' : 'edit';  // hack to support subscribe2 categories checklist

    893. 

  893. 

    894. 

  894. 				$status = ( 'read' == $operation ) ? 'publish' : 'draft';

    895. 

  895. 				

    896. 

  896. 				// terms query should be limited to a single object type for post.php, post-new.php, so only return caps for that object type (TODO: do this in wp-admin regardless of URI ?)

    897. 

  897. 				if ( in_array( $pagenow, array( 'post.php', 'post-new.php' ) ) )

    898. 

  898. 					$object_type = cr_find_post_type();

    899. 

  899. 			} else {

    900. 

  900. 				if ( ! $operation )

    901. 

  901. 					$operation = ( $this->is_front() ) ? 'read' : 'edit';

    902. 

  902. 

    903. 

  903. 				$status = '';

    904. 

  904. 			}

    905. 

  905. 				

    906. 

  906. 			// The return array will indicate term role enable / disable, as well as associated capabilities

    907. 

  907. 			if ( ! empty($object_type) )

    908. 

  908. 				$check_object_types = array( $object_type );

    909. 

  909. 			else {

    910. 

  910. 				if ( $check_object_types = (array) $this->data_sources->member_property( $src_name, 'object_types' ) )

    911. 

  911. 					$check_object_types = array_keys( $check_object_types );

    912. 

  912. 			}

    913. 

  913. 				

    914. 

  914. 			if ( 'post' == $src_name )

    915. 

  915. 				$use_post_types = scoper_get_option( 'use_post_types' );	

    916. 

  916. 			

    917. 

  917. 			$enabled_object_types = array();

    918. 

  918. 			foreach ( $check_object_types as $_object_type ) {

    919. 

  919. 				if ( $use_term_roles = scoper_get_otype_option( 'use_term_roles', $src_name, $_object_type ) )

    920. 

  920. 					if ( ! empty( $use_term_roles[$taxonomy] ) ) {

    921. 

  921. 						if ( ( 'post' != $src_name ) || ! empty( $use_post_types[$_object_type] ) )

    922. 

  922. 							$enabled_object_types []= $_object_type;

    923. 

  923. 					}

    924. 

  924. 			}

    925. 

  925. 

    926. 

  926. 			foreach( $enabled_object_types as $object_type )

    927. 

  927. 				$return_caps[$object_type] = cr_get_reqd_caps( $src_name, $operation, $object_type, $status, $base_caps_only );	

    928. 

  928. 		}

    929. 

  929. 		

    930. 

  930. 		return $return_caps;

    931. 

  931. 	}

    932. 

  932. 	

    933. 

  933. 	function users_who_can($reqd_caps, $cols = COLS_ALL_RS, $object_src_name = '', $object_id = 0, $args = array() ) {

    934. 

  934. 		// if there are not capability requirements, no need to load Users_Interceptor filtering class

    935. 

  935. 		if ( ! $reqd_caps ) {

    936. 

  936. 			if ( COL_ID_RS == $cols )

    937. 

  937. 				$qcols = 'ID';

    938. 

  938. 			elseif ( COLS_ID_NAME_RS == $cols )

    939. 

  939. 				$qcols = "ID, user_login AS display_name";	// calling code assumes display_name property for user or group object

    940. 

  940. 			elseif ( COLS_ID_DISPLAYNAME_RS == $cols )

    941. 

  941. 				$qcols = "ID, display_name";

    942. 

  942. 			elseif ( COLS_ALL_RS == $cols )

    943. 

  943. 				$qcols = "*";

    944. 

  944. 			else

    945. 

  945. 				$qcols = $cols;

    946. 

  946. 				

    947. 

  947. 			global $wpdb;

    948. 

  948. 				

    949. 

  949. 			$orderby = ( $cols == COL_ID_RS ) ? '' : 'ORDER BY display_name';

    950. 

  950. 

    951. 

  951. 			if ( IS_MU_RS && ! scoper_get_option( 'mu_sitewide_groups' ) && ! defined( 'FORCE_ALL_SITE_USERS_RS' ) )

    952. 

  952. 				$qry = "SELECT $qcols FROM $wpdb->users INNER JOIN $wpdb->usermeta AS um ON $wpdb->users.ID = um.user_id AND um.meta_key = '{$wpdb->prefix}capabilities' $orderby";

    953. 

  953. 			else

    954. 

  954. 				$qry = "SELECT $qcols FROM $wpdb->users $orderby";

    955. 

  955. 

    956. 

  956. 			if ( COL_ID_RS == $cols )

    957. 

  957. 				return scoper_get_col( $qry );

    958. 

  958. 			else

    959. 

  959. 				return scoper_get_results( $qry );	

    960. 

  960. 			

    961. 

  961. 		} else {

    962. 

  962. 			$defaults = array( 'where' => '', 'orderby' => '', 'disable_memcache' => false, 'group_ids' => '', 'force_refresh' => false, 'force_all_users' => false );

    963. 

  963. 			$args = array_merge( $defaults, (array) $args );

    964. 

  964. 			extract($args);

    965. 

  965. 	

    966. 

  966. 			$cache_flag = "rs_users_who_can";

    967. 

  967. 			$cache_id = md5(serialize($reqd_caps) . $cols . 'src' . $object_src_name . 'id' . $object_id . serialize($args) );

    968. 

  968. 		

    969. 

  969. 			if ( ! $force_refresh ) {

    970. 

  970. 				// if we already have the results cached, no need to load Users_Interceptor filtering class

    971. 

  971. 				$users = wpp_cache_get($cache_id, $cache_flag);

    972. 

  972. 	

    973. 

  973. 				if ( is_array($users) )

    974. 

  974. 					return $users;

    975. 

  975. 			}

    976. 

  976. 			

    977. 

  977. 			$this->init_users_interceptor();

    978. 

  978. 			$users = $GLOBALS['users_interceptor']->users_who_can($reqd_caps, $cols, $object_src_name, $object_id, $args );

    979. 

  979. 

    980. 

  980. 			wpp_cache_set($cache_id, $users, $cache_flag);

    981. 

  981. 			return $users;

    982. 

  982. 		}

    983. 

  983. 	}

    984. 

  984. 	

    985. 

  985. 	function groups_who_can($reqd_caps, $cols = COLS_ALL_RS, $object_src_name = '', $object_id = 0, $args = array() ) {

    986. 

  986. 		$this->init_users_interceptor();

    987. 

  987. 		return $GLOBALS['users_interceptor']->groups_who_can($reqd_caps, $cols, $object_src_name, $object_id, $args );

    988. 

  988. 	}

    989. 

  989. 	

    990. 

  990. 	function is_front() {

    991. 

  991. 		return ( defined('CURRENT_ACCESS_NAME_RS') && ( 'front' == CURRENT_ACCESS_NAME_RS ) );

    992. 

  992. 	}

    993. 

  993. 	

    994. 

  994. 	

    995. 

  995. 	// returns array of role names which have the required caps (or their basecap equivalent)

    996. 

  996. 	// AND have been applied to at least one object, for any user or group

    997. 

  997. 	function qualify_object_roles( $reqd_caps, $object_type = '', $user = '', $base_caps_only = false ) {

    998. 

  998. 		$roles = array();

    999. 

  999. 

    1000. 

  1000. 		if ( $base_caps_only )

    1001. 

  1001. 			$reqd_caps = $this->cap_defs->get_base_caps($reqd_caps);

    1002. 

  1002. 

    1003. 

  1003. 		$roles = $this->role_defs->qualify_roles($reqd_caps, 'rs', $object_type);

    1004. 

  1004. 

    1005. 

  1005. 		return $this->confirm_object_scope( $roles, $user );

    1006. 

  1006. 	}

    1007. 

  1007. 

    1008. 

  1008. 	// $roles[$role_handle] = array

    1009. 

  1009. 	// returns arr[$role_handle] 

    1010. 

  1010. 	function confirm_object_scope( $roles, $user = '' ) {

    1011. 

  1011. 		foreach ( array_keys($roles) as $role_handle ) {

    1012. 

  1012. 			if ( empty( $this->role_defs->members[$role_handle]->valid_scopes['object'] ) )

    1013. 

  1013. 				unset( $roles[$role_handle] );

    1014. 

  1014. 		}

    1015. 

  1015. 

    1016. 

  1016. 		if ( ! $roles )

    1017. 

  1017. 			return array();

    1018. 

  1018. 		

    1019. 

  1019. 		if ( is_object($user) )

    1020. 

  1020. 			$applied_obj_roles = $this->get_applied_object_roles( $user );

    1021. 

  1021. 		elseif ( empty($user) ) {

    1022. 

  1022. 			$applied_obj_roles = $this->get_applied_object_roles( $GLOBALS['current_rs_user'] );

    1023. 

  1023. 		} else // -1 value passed to indicate check for all users

    1024. 

  1024. 			$applied_obj_roles = $this->get_applied_object_roles();

    1025. 

  1025. 			

    1026. 

  1026. 		return array_intersect_key( $roles, $applied_obj_roles );	

    1027. 

  1027. 	}

    1028. 

  1028. 	

    1029. 

  1029. 	

    1030. 

  1030. 	// returns array of role_handles which have been applied to any object

    1031. 

  1031. 	// if $user arg is supplied, returns only roles applied for that user (or that user's groups) 

    1032. 

  1032. 	function get_applied_object_roles( $user = '' ) {

    1033. 

  1033. 		if ( is_object( $user ) ) {

    1034. 

  1034. 			$cache_flag = 'rs_object-roles';			// v 1.1: changed cache key from "object_roles" to "object-roles" to match new key format for blog, term roles

    1035. 

  1035. 			$cache = $user->cache_get($cache_flag);

    1036. 

  1036. 			

    1037. 

  1037. 			$limit = '';

    1038. 

  1038. 			$u_g_clause = $user->get_user_clause('');

    1039. 

  1039. 		} else {

    1040. 

  1040. 			$cache_flag = 'rs_applied_object-roles';	// v 1.1: changed cache key from "object_roles" to "object-roles" to match new key format for blog, term roles

    1041. 

  1041. 			$cache_id = 'all';

    1042. 

  1042. 			$cache = wpp_cache_get($cache_id, $cache_flag);

    1043. 

  1043. 			

    1044. 

  1044. 			$u_g_clause = '';

    1045. 

  1045. 		}

    1046. 

  1046. 		

    1047. 

  1047. 		if ( is_array($cache) )

    1048. 

  1048. 			return $cache;

    1049. 

  1049. 		

    1050. 

  1050. 		$role_handles = array();

    1051. 

  1051. 			

    1052. 

  1052. 		global $wpdb;

    1053. 

  1053. 		

    1054. 

  1054. 		// object roles support date limits, but content date limits (would be redundant and a needless performance hit)

    1055. 

  1055. 		$duration_clause = scoper_get_duration_clause( '', $wpdb->user2role2object_rs );

    1056. 

  1056. 

    1057. 

  1057. 		if ( $role_names = scoper_get_col("SELECT DISTINCT role_name FROM $wpdb->user2role2object_rs WHERE role_type='rs' AND scope='object' $duration_clause $u_g_clause") )

    1058. 

  1058. 			$role_handles = scoper_role_names_to_handles($role_names, 'rs', true); //arg: return role keys as array key

    1059. 

  1059. 		

    1060. 

  1060. 		if ( is_object($user) ) {

    1061. 

  1061. 			$user->cache_force_set($role_handles, $cache_flag);

    1062. 

  1062. 		} else

    1063. 

  1063. 			wpp_cache_force_set($cache_id, $role_handles, $cache_flag);

    1064. 

  1064. 		

    1065. 

  1065. 		return $role_handles;

    1066. 

  1066. 	}

    1067. 

  1067. 	

    1068. 

  1068. 	function user_can_edit_blogwide( $src_name = '', $object_type = '', $args = '' ) {

    1069. 

  1069. 		if ( is_administrator_rs($src_name) )

    1070. 

  1070. 			return true;

    1071. 

  1071. 	

    1072. 

  1072. 		require_once( dirname(__FILE__).'/admin/permission_lib_rs.php' );

    1073. 

  1073. 		return user_can_edit_blogwide_rs($src_name, $object_type, $args);

    1074. 

  1074. 	}

    1075. 

  1075. 	

    1076. 

  1076. } // end Scoper class

    1077. 

  1077. 

    1078. 

  1078. 

    1079. 

  1079. // (needed to stop using shared core library function with Revisionary due to changes in meta_flag handling)

    1080. 

  1080. if ( ! function_exists('awp_user_can') ) {

    1081. 

  1081. function awp_user_can( $reqd_caps, $object_id = 0, $user_id = 0, $meta_flags = array() ) {	

    1082. 

  1082. 	return cr_user_can( $reqd_caps, $object_id, $user_id, $meta_flags );

    1083. 

  1083. }

    1084. 

  1084. }

    1085. 

  1085. 

    1086. 

  1086. // equivalent to current_user_can, 

    1087. 

  1087. // except it supports array of reqd_caps, supports non-current user, and does not support numeric reqd_caps

    1088. 

  1088. function cr_user_can( $reqd_caps, $object_id = 0, $user_id = 0, $meta_flags = array() ) {	

    1089. 

  1089. 	if ( ! $user_id ) {

    1090. 

  1090. 		if ( function_exists('is_super_admin') && is_super_admin() ) 

    1091. 

  1091. 			return true;

    1092. 

  1092. 			

    1093. 

  1093. 		if ( is_content_administrator_rs() || ! function_exists( '_cr_user_can' ) )

    1094. 

  1094. 			return current_user_can( $reqd_caps );

    1095. 

  1095. 	}

    1096. 

  1096. 

    1097. 

  1097. 	if ( function_exists( '_cr_user_can' ) )

    1098. 

  1098. 		return _cr_user_can( $reqd_caps, $object_id, $user_id, $meta_flags );

    1099. 

  1099. }

    1100. 

  1100. 

    1101. 

  1101. ?>
    1102.