Moved permissions check to endpoint
kodinkat committed Aug 21, 2024
1 parent be8905f commit 9fd2f94
Showing 2 changed files with 31 additions and 12 deletions.
10 changes: 10 additions & 0 deletions dt-metrics/charts-base.php
Expand Up @@ -97,6 +97,16 @@ public function has_permission(){
return $pass;
}

public function has_permission_for( $permissions ): bool {
$pass = count( $permissions ) === 0;
foreach ( $permissions as $permission ){
if ( current_user_can( $permission ) ){
$pass = true;
}
}
return $pass;
}

public function my_list() {
$list = Disciple_Tools_Posts::search_viewable_post( 'contacts', [ 'assigned_to' => [ 'shared', 'me' ] ] );
if ( is_wp_error( $list ) ) {
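Review bot: `has_permission_for` is fail-open on an empty list: `$pass = count( $permissions ) === 0;` grants access when no capabilities are supplied, so a caller that passes `[]` by mistake passes the check for every user. The base `has_permission()` just above appears to share this shape (only its `return $pass;` is visible), which is presumably why `dynamic-records-map.php` can clear `$permissions` in this same commit without breaking registration. If "empty means unrestricted" is intended, state it in a docblock above the method, e.g. `/** True when the current user holds ANY of $permissions; an empty list means no restriction. */`; otherwise start from `$pass = false;`. The parameter should also be typed, `public function has_permission_for( array $permissions ): bool`, and the loop can `return true;` on the first match rather than continuing through the remaining capabilities.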
33 changes: 21 additions & 12 deletions dt-metrics/records/dynamic-records-map.php
Expand Up @@ -18,15 +18,11 @@ class DT_Metrics_Dynamic_Records_Map extends DT_Metrics_Chart_Base
public $slug = 'dynamic_records_map'; // lowercase
public $js_object_name = 'wp_js_object'; // This object will be loaded into the metrics.js file by the wp_localize_script.
public $js_file_name = '/dt-metrics/records/dynamic-records-map.js'; // should be full file name plus extension
public $permissions = [ 'dt_all_access_contacts', 'view_project_metrics' ];
public $permissions = [];
public $namespace = 'dt-metrics/records';
public $base_filter = [];

public function __construct( $base_slug, $base_title ) {
if ( ( $base_slug === 'records' ) && !$this->has_permission() ) {
return;
}

$this->base_slug = $base_slug;
$this->base_title = $base_title;

Expand Down Expand Up @@ -181,6 +177,7 @@ public function post_type_geojson( WP_REST_Request $request ){

// Ensure to prevent any backdoor entries for non-slug related requests.
if ( !empty( $params['post_type'] ) && !empty( $params['slug'] ) ) {
$slug = $params['slug'];

// Ensure params shape is altered accordingly, for system based post types.
switch ( $params['post_type'] ){
Expand All @@ -191,16 +188,28 @@ public function post_type_geojson( WP_REST_Request $request ){
break;
}

// Determine type of query to be executed, based on incoming slug.
if ( $params['slug'] === 'personal' ) {
$params['user_id'] = get_current_user_id();
// Ensure user has required permissions, based on specified slug request.
$has_permission = false;
if ( ( $slug === 'personal' ) && $this->has_permission_for( [ 'view_project_metrics' ] ) ) {
$has_permission = true;
}
if ( ( $slug === 'records' ) && $this->has_permission_for( [ 'dt_all_access_contacts', 'view_project_metrics' ] ) ) {
$has_permission = true;
}

// Execute request query.
$response = Disciple_Tools_Mapping_Queries::post_type_geojson( $params['post_type'], $params, $offset, $limit );
if ( $has_permission ) {

// Ensure to unset user_id for security reasons.
unset( $params['user_id'] );
// Determine type of query to be executed, based on incoming slug.
if ( $slug === 'personal' ) {
$params['user_id'] = get_current_user_id();
}

// Execute request query.
$response = Disciple_Tools_Mapping_Queries::post_type_geojson( $params['post_type'], $params, $offset, $limit );

// Ensure to unset user_id for security reasons.
unset( $params['user_id'] );
}
}

return [
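Review bot: When `$has_permission` is false the new block skips the query but falls through to the `return [` on the last line without signalling anything to the caller, so an unauthorised request presumably receives a success-shaped payload with `$response` never assigned (the return array and the rest of `post_type_geojson` are outside the hunk, as is the start of the method). Since the permission check was moved here from the constructor, the denial should be explicit on the endpoint: add an `else` branch with `return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );` (or initialise `$response` before the check and set the status from it). Slugs other than `personal` and `records` are also left unpermitted by the two `if` blocks, which is the right default but worth documenting on the `$has_permission = false;` line, e.g. `// Unknown slugs are denied by default.`.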