solepixel · December 16, 2015 08:39
diff --git a/app_components.php b/app_components.php
 <?php

 // ...

 /* Line 418 */
 public static function render_sidebar_attached_groups($security=null,$cur_page_id=null){

  if(is_numeric($security) || is_string($security)){
      //Get array with security requirements for this page
      $security = CTXPS_Security::get_post_protection( $security, false );
  }

  //Default vars
  $return = '';
  $termGroups = array();

  //If $cur_page_id isn't set, try to get the value from the querystring
  if(empty($cur_page_id)){
      if (!empty($_REQUEST['post_id'])){
          $cur_page_id = $_REQUEST['post_id'];
      }
      else if(!empty($_REQUEST['post'])){
          $cur_page_id = $_REQUEST['post'];
      }
      else if (!empty($_REQUEST['postid'])){
          $cur_page_id = $_REQUEST['postid'];
      }
  }

  //Fetch term groups, if we have a page id
  if(!empty($cur_page_id))
      $termGroups = CTXPS_Queries::get_groups_by_post_terms($cur_page_id,true);

  //Count the number of term groups
  $groupcount = count($termGroups);

  //Count the number of groups directly attached to this page (including inherited groups)
  if(!empty($security)){
      foreach($security as $securityGroups){
          $groupcount += count($securityGroups);
      }
  }

  //Show groups that are already added to this page
  if($groupcount===0){
      //Display this if we have no groups (inherited or otherwise)
      $return .= '<div><em>'.__('No groups have been added yet.','contexture-page-security').'</em></div>';
  }else{
      if(!empty($security)){
          foreach($security as $pageid => $grouparray){
              //If this is the current page (and not an ancestor)
              if($pageid == $cur_page_id){
                  foreach($grouparray as $currentGroup_id => $currentGroup_name){
                      $return .= '<div class="ctx-ps-sidebar-group">&bull; <span class="ctx-ps-sidebar-group-title">'.$currentGroup_name.'</span> <a style="text-decoration:none;" href="'
                              .admin_url('/users.php?page=ps_groups_edit&groupid='.$currentGroup_id).'">&raquo;</a><span class="removegrp" onclick="CTXPS_Ajax.removeGroupFromPage('.$currentGroup_id.',jQuery(this))" title="'
                              .__('Click to remove group access.','contexture-page-security').'" >'
                              .__('remove','contexture-page-security').'</span></div>';
                  }
              }else{
                  foreach($grouparray as $currentGroup_id => $currentGroup_name){
                      $return .= '<div class="ctx-ps-sidebar-group inherited">&bull; <span class="ctx-ps-sidebar-group-title">'
                          .$currentGroup_name.'</span> <a style="text-decoration:none;" href="'
                          .admin_url('/users.php?page=ps_groups_edit&groupid='
                          .$currentGroup_id).'">&raquo;</a><a class="viewgrp" target="_blank" href="'
                          .admin_url('post.php?post='.$pageid.'&action=edit').'" title="'
                          .__('Protection has been inherited from an ancestor. Click to view ancestor.','contexture-page-security').'">'
                          .__('ancestor','contexture-page-security')
                          .'</a></div>';
                  }//foreach
              }//else
          }//foreach
      }//if

      //Show terms that are already added to this list
      foreach($termGroups as $tgroup){

          //Get the term archive URL. If one doesnt exist, dont link
          $term_archive_link = admin_url(sprintf('/edit-tags.php?action=edit&taxonomy=%s&tag_ID=%s',$tgroup['taxonomy'],$tgroup['term_id']));

          //Build the link HTML for terms
          $return .= '<div class="ctx-ps-sidebar-group inherited">&bull; <span class="ctx-ps-sidebar-group-title">'
              .$tgroup['group_title']
              .'</span> <a style="text-decoration:none;" href="'.$term_archive_link.'">&raquo;</a><a class="viewgrp" target="_blank" href="'.$term_archive_link.'" title="'.__('Protection has been inherited from a term. Click to view term.','contexture-page-security').'">'
              .__('term','contexture-page-security')
              .'</a></div>';
      }
  }
  return $return;
 }

 // ...
diff --git a/CTXPS_Security.php b/CTXPS_Security.php
 <?php

 // ...

 /* Line 91 */
 public static function filter_loops($content){
    global $current_user;

    //Get plugin options
    $dbOpts = get_option('contexture_ps_options');

    if(is_feed() && $dbOpts['ad_msg_usefilter_rss']=='false'){
        //If this is a feed and it's filtering is explicitly disabled, do no filtering. Otherwise... filter as normal (below)
        return $content;
    }else{
        //Do this only if user is not an admin, or if this is the blog page, category page, tag page, or feed (and isnt an admin page)
        if( !current_user_can('edit_others_posts') && ( is_home() || is_category() || is_tag() || is_tax() || is_feed() || is_author() || is_search() || is_archive() )  && !is_admin()) {
            foreach($content as $key => $value){

                /**Groups that this user is a member of*/
                $useraccess = CTXPS_Queries::get_user_groups($current_user->ID);
                /**Groups required to access this post*/
                $pagereqs = self::get_post_protection($value->ID);
                /**Term groups required to access this post - default is false (no protection) */
                $termreqs = false;

 //                    //First, check if the post has any protected terms
 //                    if(CTXPS_Queries::check_post_term_protection($value->ID)){
 //                        //If the term-branch is protected, get an array of groups
 //                        $termreqs = CTXPS_Queries::get_groups_by_post_terms($value->ID);
 //                    }

                //If necessary, validate group membership for page
                if($pagereqs !== false && is_array($pagereqs)){
                    $secureallowed = self::check_access($useraccess,$pagereqs);
                    //NOT ALLOWED TO ACCESS!!
                    if(!$secureallowed){
                        //If we're NOT allowed to access this page
                        unset($content[$key]);
                    }
                }

 //                    //If necessary, validate group membership for page's terms
 //                    if($termreqs !== false && is_array($termreqs)){
 //
 //                        //Determine if user can access this content
 //                        $termallowed = CTXPS_Security::check_access($useraccess,$termreqs);
 //
 //                        //NOT ALLOWED TO ACCESS!
 //                        if(!$termallowed){
 //                            unset($content[$key]);
 //                        }
 //                    }//End if
                
                
            }//End foreach
        }//End appropriate section check
    }

    //Adjust top-level array key numbers to be concurrent (since a gap between numbers can cause wp to freak out)
    $content = array_merge($content,array());

    return $content;
 }

 // ...

 /* line 160 */
 public static function filter_auto_menus($content){
    global $current_user;

    $dbOpts = get_option('contexture_ps_options');//ad_msg_usefilter_menus

    //Do this filtering only if the user isn't an admin (and isn't in admin section)... and provided the user hasn't explicitly set menu filtering to false
    if( !current_user_can('edit_others_posts')  && !is_admin() && $dbOpts['ad_msg_usefilter_menus']!='false') {

        //NO MENU!!! If site protect is on, menu filtering is on, and user is anon, remove EVERYTHING
        if($dbOpts['ad_opt_protect_site']==='true' &&
           (!is_user_logged_in() || $current_user->ID==0)){
            return array();
        }

        //Loop through the content array
        foreach($content as $key => $value){

            //Get groups that this user is a member of
            $useraccess = CTXPS_Queries::get_user_groups($current_user->ID);
            //Get groups required to access this page
            $pagereqs = self::get_post_protection($value->ID);

            //So long as $pagereqs is anything but false
            if(!!$pagereqs){

                //Determine user access
                $secureallowed = self::check_access($useraccess,$pagereqs);

                if($secureallowed){
                    //If we're allowed to access this page
                }else{
                    //If we're NOT allowed to access this page
                    unset($content[$key]); //Remove content from array
                }
            }

            //If this is an AD page, strip it too
            if($dbOpts['ad_msg_usepages']==='true'){
                if($value->ID==$dbOpts['ad_page_auth_id'] || $value->ID==$dbOpts['ad_page_anon_id']){
                    unset($content[$key]);
                }
            }
        }
    }

    return $content;
 }

 // ...

 /* line 217 */
 public static function filter_custom_menus($content,$menu=null){
    global $current_user;

    
    //wp_die(sprintf('<pre>%s</pre>',print_r($content,true)));
    
    $dbOpts = get_option('contexture_ps_options');//ad_msg_usefilter_menus


    //Do this filtering only if user isn't an admin, in admin section... and provided the user hasn't explicitly set menu filtering to false
    if( !current_user_can('edit_others_posts') && !is_admin() && $dbOpts['ad_msg_usefilter_menus']!='false' ) {

        //NO MENU!!! If site protect is on, menu filtering is on, and user is anon, remove EVERYTHING
        if($dbOpts['ad_opt_protect_site']==='true' &&
           (!is_user_logged_in() || $current_user->ID==0)){
            return array();
        }

        //Redundant: Get options (in case we need to strip access denied pages)
        //$dbOpts = get_option('contexture_ps_options');

        foreach($content as $key => $value){

            //Get groups that this user is a member of
            $useraccess = CTXPS_Queries::get_user_groups($current_user->ID);
            
            
            //Determine menu item type to be filtered (post or term)
            if ( 'taxonomy' === $value->type ) {
                //Get groups required to access this term archive
                $pagereqs = self::get_term_protection($value->object_id, $value->object);
            }
            else {
                //Get groups required to access this page (assume post)
                $pagereqs = self::get_post_protection($value->object_id);
            }
            

            //So long as $pagereqs is anything but false
            if(!!$pagereqs){

                //Determine user access
                $secureallowed = self::check_access($useraccess,$pagereqs);

                if($secureallowed){
                    //If we're allowed to access this page
                }else{
                    //If we're NOT allowed to access this page
                    unset($content[$key]);
                }
            }
            //If this is an AD page, strip it too
            if($dbOpts['ad_msg_usepages']==='true'){
                if($value->object_id == $dbOpts['ad_page_auth_id'] || $value->object_id==$dbOpts['ad_page_anon_id']){
                    unset($content[$key]);
                }
            }
        }
    }

    return $content;
 }

 // ...

 /* Line 289 */
 public static function check_access($UserGroupsArray,$PageSecurityArray){

    //Testing...
    //wp_die('<h2>User Groups</h2><pre>'.print_r($UserGroupsArray,true).'</pre><h2>Required Groups (by Page/Content)</h2><pre>'.print_r($PageSecurityArray,true).'</pre>');

    //If our page-security array is empty, automatically return false (no groups have been granted access)
    if( empty($PageSecurityArray) )
        return false;

    //If our user array is empty, automatically return false (user does not belong to any groups)
    if( empty($UserGroupsArray) )
        return false;

    //Used to count each page that has at least one group
    $loopswithgroups = 0;

    //Loop through each page's permissions, starting with current page and travelling UP the heirarchy...
    foreach($PageSecurityArray as $security_page => $security_secarray){

        //Ensure secarray is an array - if not, make it one (needed for some term checks)
        if(!is_array($security_secarray))
            $security_secarray = array($security_secarray);

        //If the current page has group settings attached...
        if(count($security_secarray) != 0){
            //Increment our group tracking var
            $loopswithgroups += 1;
            //If any of this user's groups do not match any of this page's groups...
            if( count(array_intersect($UserGroupsArray,$security_secarray)) == 0 ){
                //We return false as the user does not have access
                return false;
            }
            //No expiration check necessary here. Expired memberships arent returned from db.
        }
    }

    //If no pages have groups, then no-one can access the page
    if($loopswithgroups === 0){return false;}

    //If we haven't triggered a false return already, return true
    return true;

 }

 // ...
	<?php

	// ...

	/* Line 418 */
	public static function render_sidebar_attached_groups($security=null,$cur_page_id=null){

	if(is_numeric($security) \|\| is_string($security)){
	//Get array with security requirements for this page
	$security = CTXPS_Security::get_post_protection( $security, false );
	}

	//Default vars
	$return = '';
	$termGroups = array();

	//If $cur_page_id isn't set, try to get the value from the querystring
	if(empty($cur_page_id)){
	if (!empty($_REQUEST['post_id'])){
	$cur_page_id = $_REQUEST['post_id'];
	}
	else if(!empty($_REQUEST['post'])){
	$cur_page_id = $_REQUEST['post'];
	}
	else if (!empty($_REQUEST['postid'])){
	$cur_page_id = $_REQUEST['postid'];
	}
	}

	//Fetch term groups, if we have a page id
	if(!empty($cur_page_id))
	$termGroups = CTXPS_Queries::get_groups_by_post_terms($cur_page_id,true);

	//Count the number of term groups
	$groupcount = count($termGroups);

	//Count the number of groups directly attached to this page (including inherited groups)
	if(!empty($security)){
	foreach($security as $securityGroups){
	$groupcount += count($securityGroups);
	}
	}

	//Show groups that are already added to this page
	if($groupcount===0){
	//Display this if we have no groups (inherited or otherwise)
	$return .= '<div><em>'.__('No groups have been added yet.','contexture-page-security').'</em></div>';
	}else{
	if(!empty($security)){
	foreach($security as $pageid => $grouparray){
	//If this is the current page (and not an ancestor)
	if($pageid == $cur_page_id){
	foreach($grouparray as $currentGroup_id => $currentGroup_name){
	$return .= '<div class="ctx-ps-sidebar-group">• <span class="ctx-ps-sidebar-group-title">'.$currentGroup_name.'</span> <a style="text-decoration:none;" href="'
	.admin_url('/users.php?page=ps_groups_edit&groupid='.$currentGroup_id).'">»</a><span class="removegrp" onclick="CTXPS_Ajax.removeGroupFromPage('.$currentGroup_id.',jQuery(this))" title="'
	.__('Click to remove group access.','contexture-page-security').'" >'
	.__('remove','contexture-page-security').'</span></div>';
	}
	}else{
	foreach($grouparray as $currentGroup_id => $currentGroup_name){
	$return .= '<div class="ctx-ps-sidebar-group inherited">• <span class="ctx-ps-sidebar-group-title">'
	.$currentGroup_name.'</span> <a style="text-decoration:none;" href="'
	.admin_url('/users.php?page=ps_groups_edit&groupid='
	.$currentGroup_id).'">»</a><a class="viewgrp" target="_blank" href="'
	.admin_url('post.php?post='.$pageid.'&action=edit').'" title="'
	.__('Protection has been inherited from an ancestor. Click to view ancestor.','contexture-page-security').'">'
	.__('ancestor','contexture-page-security')
	.'</a></div>';
	}//foreach
	}//else
	}//foreach
	}//if

	//Show terms that are already added to this list
	foreach($termGroups as $tgroup){

	//Get the term archive URL. If one doesnt exist, dont link
	$term_archive_link = admin_url(sprintf('/edit-tags.php?action=edit&taxonomy=%s&tag_ID=%s',$tgroup['taxonomy'],$tgroup['term_id']));

	//Build the link HTML for terms
	$return .= '<div class="ctx-ps-sidebar-group inherited">• <span class="ctx-ps-sidebar-group-title">'
	.$tgroup['group_title']
	.'</span> <a style="text-decoration:none;" href="'.$term_archive_link.'">»</a><a class="viewgrp" target="_blank" href="'.$term_archive_link.'" title="'.__('Protection has been inherited from a term. Click to view term.','contexture-page-security').'">'
	.__('term','contexture-page-security')
	.'</a></div>';
	}
	}
	return $return;
	}

	// ...
	<?php

	// ...

	/* Line 91 */
	public static function filter_loops($content){
	global $current_user;

	//Get plugin options
	$dbOpts = get_option('contexture_ps_options');

	if(is_feed() && $dbOpts['ad_msg_usefilter_rss']=='false'){
	//If this is a feed and it's filtering is explicitly disabled, do no filtering. Otherwise... filter as normal (below)
	return $content;
	}else{
	//Do this only if user is not an admin, or if this is the blog page, category page, tag page, or feed (and isnt an admin page)
	if( !current_user_can('edit_others_posts') && ( is_home() \|\| is_category() \|\| is_tag() \|\| is_tax() \|\| is_feed() \|\| is_author() \|\| is_search() \|\| is_archive() ) && !is_admin()) {
	foreach($content as $key => $value){

	/*Groups that this user is a member of/
	$useraccess = CTXPS_Queries::get_user_groups($current_user->ID);
	/*Groups required to access this post/
	$pagereqs = self::get_post_protection($value->ID);
	/*Term groups required to access this post - default is false (no protection) /
	$termreqs = false;

	// //First, check if the post has any protected terms
	// if(CTXPS_Queries::check_post_term_protection($value->ID)){
	// //If the term-branch is protected, get an array of groups
	// $termreqs = CTXPS_Queries::get_groups_by_post_terms($value->ID);
	// }

	//If necessary, validate group membership for page
	if($pagereqs !== false && is_array($pagereqs)){
	$secureallowed = self::check_access($useraccess,$pagereqs);
	//NOT ALLOWED TO ACCESS!!
	if(!$secureallowed){
	//If we're NOT allowed to access this page
	unset($content[$key]);
	}
	}

	// //If necessary, validate group membership for page's terms
	// if($termreqs !== false && is_array($termreqs)){
	//
	// //Determine if user can access this content
	// $termallowed = CTXPS_Security::check_access($useraccess,$termreqs);
	//
	// //NOT ALLOWED TO ACCESS!
	// if(!$termallowed){
	// unset($content[$key]);
	// }
	// }//End if


	}//End foreach
	}//End appropriate section check
	}

	//Adjust top-level array key numbers to be concurrent (since a gap between numbers can cause wp to freak out)
	$content = array_merge($content,array());

	return $content;
	}

	// ...

	/* line 160 */
	public static function filter_auto_menus($content){
	global $current_user;

	$dbOpts = get_option('contexture_ps_options');//ad_msg_usefilter_menus

	//Do this filtering only if the user isn't an admin (and isn't in admin section)... and provided the user hasn't explicitly set menu filtering to false
	if( !current_user_can('edit_others_posts') && !is_admin() && $dbOpts['ad_msg_usefilter_menus']!='false') {

	//NO MENU!!! If site protect is on, menu filtering is on, and user is anon, remove EVERYTHING
	if($dbOpts['ad_opt_protect_site']==='true' &&
	(!is_user_logged_in() \|\| $current_user->ID==0)){
	return array();
	}

	//Loop through the content array
	foreach($content as $key => $value){

	//Get groups that this user is a member of
	$useraccess = CTXPS_Queries::get_user_groups($current_user->ID);
	//Get groups required to access this page
	$pagereqs = self::get_post_protection($value->ID);

	//So long as $pagereqs is anything but false
	if(!!$pagereqs){

	//Determine user access
	$secureallowed = self::check_access($useraccess,$pagereqs);

	if($secureallowed){
	//If we're allowed to access this page
	}else{
	//If we're NOT allowed to access this page
	unset($content[$key]); //Remove content from array
	}
	}

	//If this is an AD page, strip it too
	if($dbOpts['ad_msg_usepages']==='true'){
	if($value->ID==$dbOpts['ad_page_auth_id'] \|\| $value->ID==$dbOpts['ad_page_anon_id']){
	unset($content[$key]);
	}
	}
	}
	}

	return $content;
	}

	// ...

	/* line 217 */
	public static function filter_custom_menus($content,$menu=null){
	global $current_user;


	//wp_die(sprintf('<pre>%s</pre>',print_r($content,true)));

	$dbOpts = get_option('contexture_ps_options');//ad_msg_usefilter_menus


	//Do this filtering only if user isn't an admin, in admin section... and provided the user hasn't explicitly set menu filtering to false
	if( !current_user_can('edit_others_posts') && !is_admin() && $dbOpts['ad_msg_usefilter_menus']!='false' ) {

	//NO MENU!!! If site protect is on, menu filtering is on, and user is anon, remove EVERYTHING
	if($dbOpts['ad_opt_protect_site']==='true' &&
	(!is_user_logged_in() \|\| $current_user->ID==0)){
	return array();
	}

	//Redundant: Get options (in case we need to strip access denied pages)
	//$dbOpts = get_option('contexture_ps_options');

	foreach($content as $key => $value){

	//Get groups that this user is a member of
	$useraccess = CTXPS_Queries::get_user_groups($current_user->ID);


	//Determine menu item type to be filtered (post or term)
	if ( 'taxonomy' === $value->type ) {
	//Get groups required to access this term archive
	$pagereqs = self::get_term_protection($value->object_id, $value->object);
	}
	else {
	//Get groups required to access this page (assume post)
	$pagereqs = self::get_post_protection($value->object_id);
	}


	//So long as $pagereqs is anything but false
	if(!!$pagereqs){

	//Determine user access
	$secureallowed = self::check_access($useraccess,$pagereqs);

	if($secureallowed){
	//If we're allowed to access this page
	}else{
	//If we're NOT allowed to access this page
	unset($content[$key]);
	}
	}
	//If this is an AD page, strip it too
	if($dbOpts['ad_msg_usepages']==='true'){
	if($value->object_id == $dbOpts['ad_page_auth_id'] \|\| $value->object_id==$dbOpts['ad_page_anon_id']){
	unset($content[$key]);
	}
	}
	}
	}

	return $content;
	}

	// ...

	/* Line 289 */
	public static function check_access($UserGroupsArray,$PageSecurityArray){

	//Testing...
	//wp_die('<h2>User Groups</h2><pre>'.print_r($UserGroupsArray,true).'</pre><h2>Required Groups (by Page/Content)</h2><pre>'.print_r($PageSecurityArray,true).'</pre>');

	//If our page-security array is empty, automatically return false (no groups have been granted access)
	if( empty($PageSecurityArray) )
	return false;

	//If our user array is empty, automatically return false (user does not belong to any groups)
	if( empty($UserGroupsArray) )
	return false;

	//Used to count each page that has at least one group
	$loopswithgroups = 0;

	//Loop through each page's permissions, starting with current page and travelling UP the heirarchy...
	foreach($PageSecurityArray as $security_page => $security_secarray){

	//Ensure secarray is an array - if not, make it one (needed for some term checks)
	if(!is_array($security_secarray))
	$security_secarray = array($security_secarray);

	//If the current page has group settings attached...
	if(count($security_secarray) != 0){
	//Increment our group tracking var
	$loopswithgroups += 1;
	//If any of this user's groups do not match any of this page's groups...
	if( count(array_intersect($UserGroupsArray,$security_secarray)) == 0 ){
	//We return false as the user does not have access
	return false;
	}
	//No expiration check necessary here. Expired memberships arent returned from db.
	}
	}

	//If no pages have groups, then no-one can access the page
	if($loopswithgroups === 0){return false;}

	//If we haven't triggered a false return already, return true
	return true;

	}

	// ...