Skip to content

Commit

Permalink
Revised permission checks + Updated genmap to follow new checks
Browse files Browse the repository at this point in the history
  • Loading branch information
kodinkat committed Aug 22, 2024
1 parent 9fd2f94 commit 1cacd6f
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 56 deletions.
10 changes: 0 additions & 10 deletions dt-metrics/charts-base.php
Original file line number Diff line number Diff line change
Expand Up @@ -97,16 +97,6 @@ public function has_permission(){
return $pass;
}

public function has_permission_for( $permissions ): bool {
$pass = count( $permissions ) === 0;
foreach ( $permissions as $permission ){
if ( current_user_can( $permission ) ){
$pass = true;
}
}
return $pass;
}

public function my_list() {
$list = Disciple_Tools_Posts::search_viewable_post( 'contacts', [ 'assigned_to' => [ 'shared', 'me' ] ] );
if ( is_wp_error( $list ) ) {
Expand Down
4 changes: 2 additions & 2 deletions dt-metrics/records/dynamic-records-map.php
Original file line number Diff line number Diff line change
Expand Up @@ -190,10 +190,10 @@ public function post_type_geojson( WP_REST_Request $request ){

// Ensure user has required permissions, based on specified slug request.
$has_permission = false;
if ( ( $slug === 'personal' ) && $this->has_permission_for( [ 'view_project_metrics' ] ) ) {
if ( ( $slug === 'personal' ) && current_user_can( 'access_contacts' ) ) {
$has_permission = true;
}
if ( ( $slug === 'records' ) && $this->has_permission_for( [ 'dt_all_access_contacts', 'view_project_metrics' ] ) ) {
if ( ( $slug === 'records' ) && ( current_user_can( 'dt_all_access_contacts' ) || current_user_can( 'view_project_metrics' ) ) ) {
$has_permission = true;
}

Expand Down
97 changes: 53 additions & 44 deletions dt-metrics/records/genmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,10 @@ class DT_Metrics_Groups_Genmap extends DT_Metrics_Chart_Base
public $base_title;
public $title;
public $js_object_name = 'wp_js_object'; // This object will be loaded into the metrics.js file by the wp_localize_script.
public $permissions = [ 'dt_all_access_contacts', 'view_project_metrics', 'multiplier' ];
public $permissions = [];
public $namespace = null;

public function __construct( $base_slug, $base_title ) {
if ( !$this->has_permission() ){
return;
}

$this->base_slug = $base_slug;
$this->base_title = $base_title;

Expand Down Expand Up @@ -52,53 +48,66 @@ public function add_api_routes() {
}

public function tree( WP_REST_Request $request ) {
if ( !$this->has_permission() ){
return new WP_Error( __METHOD__, 'Missing Permissions', [ 'status' => 400 ] );
}
$params = dt_recursive_sanitize_array( $request->get_params() );
if ( ! isset( $params['p2p_type'], $params['p2p_direction'], $params['post_type'] ) ) {
return new WP_Error( __METHOD__, 'Missing parameters! [Required: p2p_type, p2p_direction, post_type ]', [ 'status' => 400 ] );
if ( ! isset( $params['p2p_type'], $params['p2p_direction'], $params['post_type'], $params['slug'] ) ) {
return new WP_Error( __METHOD__, 'Missing parameters! [Required: p2p_type, p2p_direction, post_type, slug ]', [ 'status' => 400 ] );
}

$user = wp_get_current_user();
$post_type = $params['post_type'];
$post_settings = DT_Posts::get_post_settings( $post_type );

// Determine scope of query focus, based on specified slug.
$slug = $params['slug'] ?? 'personal';
$focus_id = $params['focus_id'] ?? 0;
if ( ( $post_type === 'contacts' ) && ( $slug === 'personal' ) ) {
$user_contact_id = Disciple_Tools_Users::get_contact_for_user( $user->ID );
if ( intval( $user_contact_id ) ){
$focus_id = $user_contact_id;
}
$slug = $params['slug'];

// Ensure user has required permissions, based on specified slug request.
$has_permission = false;
if ( ( $slug === 'personal' ) && current_user_can( 'access_contacts' ) ) {
$has_permission = true;
}
if ( ( $slug === 'records' ) && ( current_user_can( 'dt_all_access_contacts' ) || current_user_can( 'view_project_metrics' ) ) ) {
$has_permission = true;
}

$filters = [
'slug' => $slug,
'post_type' => $post_type,
'show_archived' => $params['show_archived'] ?? false,
'status_key' => $post_settings['status_field']['status_key'] ?? '',
'archived_key' => $post_settings['status_field']['archived_key'] ?? ''
];
$query = $this->get_query( $post_type, $params['p2p_type'], $params['p2p_direction'], $filters );
if ( $has_permission ) {
$user = wp_get_current_user();
$post_type = $params['post_type'];
$post_settings = DT_Posts::get_post_settings( $post_type );

$can_list_all = current_user_can( 'list_all_' . $post_type );
if ( $post_type === 'contacts' && current_user_can( 'dt_all_access_contacts' ) ){
$can_list_all = true;
}
$generated_genmap = $this->get_genmap( $query, $params['gen_depth_limit'] ?? 100, $focus_id, $filters, $can_list_all );
// Determine scope of query focus, based on specified slug.
$focus_id = $params['focus_id'] ?? 0;
if ( ( $post_type === 'contacts' ) && ( $slug === 'personal' ) ) {
$focus_id = Disciple_Tools_Users::get_contact_for_user( $user->ID );
}

// Ensure empty hits on personal based slugs, still ensure user node is accessible.
if ( ( $focus_id !== 0 ) && empty( $generated_genmap['children'] ) ) {
$generated_genmap['shared'] = 1;
$generated_genmap['name'] = $user->display_name;
}
// Ensure sourced focus_id is not a wp exception.
if ( is_wp_error( $focus_id ) ) {
return new WP_Error( __METHOD__, 'Missing Permissions', [ 'status' => 400 ] );
}

return [
'data_layers' => $this->package_data_layer_post_fields( $query, $post_type, $post_settings, $params['data_layers'] ?? [] ),
'genmap' => $generated_genmap
];
$filters = [
'slug' => $slug,
'post_type' => $post_type,
'show_archived' => $params['show_archived'] ?? false,
'status_key' => $post_settings['status_field']['status_key'] ?? '',
'archived_key' => $post_settings['status_field']['archived_key'] ?? ''
];
$query = $this->get_query( $post_type, $params['p2p_type'], $params['p2p_direction'], $filters );

$can_list_all = current_user_can( 'list_all_' . $post_type );
if ( $post_type === 'contacts' && current_user_can( 'dt_all_access_contacts' ) ){
$can_list_all = true;
}
$generated_genmap = $this->get_genmap( $query, $params['gen_depth_limit'] ?? 100, $focus_id, $filters, $can_list_all );

// Ensure empty hits on personal based slugs, still ensure user node is accessible.
if ( ( $focus_id !== 0 ) && empty( $generated_genmap['children'] ) ) {
$generated_genmap['shared'] = 1;
$generated_genmap['name'] = $user->display_name;
}

return [
'data_layers' => $this->package_data_layer_post_fields( $query, $post_type, $post_settings, $params['data_layers'] ?? [] ),
'genmap' => $generated_genmap
];
} else {
return new WP_Error( __METHOD__, 'Missing Permissions', [ 'status' => 400 ] );
}
}

public function scripts() {
Expand Down

0 comments on commit 1cacd6f

Please sign in to comment.