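/**
 * Enforce read access on a single-attachment page request.
 *
 * Works on the global $post, looking it up from the 'attachment_id' /
 * 'attachment' query vars when WordPress has not populated it yet. When the
 * attachment's parent post is not readable by the current user, the post is
 * either replaced by a teaser (if the teaser option is on for the parent's
 * object type) or the global $post is cleared so WordPress falls through to
 * its 404 handling. Unattached uploads are cleared when
 * SCOPER_BLOCK_UNATTACHED_UPLOADS is defined and true.
 *
 * Side effects: may assign or clear $GLOBALS['post'].
 **/
function attachment_access() {
    global $post, $wpdb;

    if (empty($post)) {
        global $wp_query;

        // Query vars are request-derived: bind them instead of splicing them into SQL.
        if (!empty($wp_query->query_vars['attachment_id'])) {
            $post = scoper_get_row($wpdb->prepare(
                "SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND ID = %d",
                $wp_query->query_vars['attachment_id']
            ));
        } elseif (!empty($wp_query->query_vars['attachment'])) {
            $post = scoper_get_row($wpdb->prepare(
                "SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND post_name = %s",
                $wp_query->query_vars['attachment']
            ));
        }
    }

    if (empty($post)) {
        return;
    }

    if ($post->post_parent) {
        // Parent lookup only matters for attached uploads, so it is done inside this branch.
        $object_type = scoper_get_var($wpdb->prepare(
            "SELECT post_type FROM {$wpdb->posts} WHERE ID = %d",
            $post->post_parent
        ));

        // default to 'post' object type if retrieval failed for some reason
        if (empty($object_type)) {
            $object_type = 'post';
        }

        if (!current_user_can("read_{$object_type}", $post->post_parent)) {
            $use_teaser_type = false;
            if (scoper_get_otype_option('do_teaser', 'post')) {
                $use_teaser_type = scoper_get_otype_option('use_teaser', 'post', $object_type);
            }

            if ($use_teaser_type) {
                AttachmentTemplate_RS::impose_post_teaser($post, $object_type, $use_teaser_type);
            } else {
                // WordPress generates 404 if teaser is not enabled.
                // Bug fix: this used unset($post). unset() on a variable imported with
                // `global` only drops the local binding and leaves $GLOBALS['post'] intact,
                // so the attachment was still served. Assigning null writes through the
                // reference and actually clears the global.
                // NOTE(review): if the template loader also reads $wp_query->post, that may
                // need clearing too — confirm against the caller.
                $post = null;
            }
        }
    } elseif (defined('SCOPER_BLOCK_UNATTACHED_UPLOADS') && SCOPER_BLOCK_UNATTACHED_UPLOADS) {
        // Same fix as above: clear the global rather than the local binding.
        $post = null;
    }
}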
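/**
 * List attachments (or, with $attachments false, rows selected without a
 * post_type clause) whose parent post is protected.
 *
 * A parent is treated as protected when it is private, is assigned to a
 * category that is restricted for a reader role, or is itself object-restricted
 * for a reader role. "Reader roles" are the roles whose capabilities are all
 * 'read' operations. Unattached uploads (post_parent < 1) are included when
 * SCOPER_BLOCK_UNATTACHED_UPLOADS is defined and $attachments is true.
 *
 * @param int|int[] $attachment_id One ID (LIMIT 1; a single row/value is returned),
 *                                 a list of IDs, or 0 for no ID filter.
 * @param bool      $attachments   True to select attachment rows (adds post_type = 'attachment').
 * @param string    $cols          COLS_ALL_RS, COL_ID_RS, COLS_ID_DISPLAYNAME_RS or ''
 *                                 ('' selects ID, plus guid when $attachments is true).
 * @param array     $args          use_object_restrictions, use_term_restrictions,
 *                                 use_private_status (all default true); guid (match one
 *                                 attachment by its guid when $attachment_id is 0).
 * @return mixed Row or scalar for a scalar $attachment_id, otherwise an array of rows or
 *               IDs — whatever the scoper_get_* wrapper returns.
 **/
function identify_protected_posts($attachment_id = 0, $attachments = false, $cols = '', $args = array()) {
    $defaults = array(
        'use_object_restrictions' => true,
        'use_term_restrictions'   => true,
        'use_private_status'      => true,
        'guid'                    => '',
    );
    $args = array_merge($defaults, (array) $args);

    // Read the known option keys explicitly instead of extract()ing whatever the caller passed.
    $use_object_restrictions = $args['use_object_restrictions'];
    $use_term_restrictions   = $args['use_term_restrictions'];
    $use_private_status      = $args['use_private_status'];
    $guid                    = $args['guid'];

    global $wpdb, $scoper;

    if (!isset($scoper)) {
        scoper_get_init_options();
        scoper_init();
    }

    if (empty($scoper->taxonomies)) {
        $scoper->load_config();
    }

    $restricted_roles = array();
    $unrestricted_roles = array();

    // TODO: also protect uploads based on restriction of other taxonomies
    $restricted_terms = array();
    $restricted_objects = array();

    // Every clause spliced into the final query starts empty so no path reads an undefined variable.
    $term_restriction_clause = '';
    $object_restriction_clause = '';
    $status_query = '';
    $attachment_type_clause = '';
    $attachment_query = '';
    $limit_clause = '';
    $unattached_clause = '';

    // Reader roles: roles whose capabilities reduce to the single 'read' operation.
    $reader_roles = array();
    foreach ($scoper->role_defs->role_caps as $role_handle => $role_caps) {
        $caps_by_op = $scoper->cap_defs->organize_caps_by_op(array_keys($role_caps));
        if (count($caps_by_op) == 1 && 'read' == key($caps_by_op)) {
            $reader_roles[] = $role_handle;
        }
    }
    $role_clause = "AND rs.role_name IN ('" . implode("','", scoper_role_handles_to_names($reader_roles)) . "')";

    if ($use_term_restrictions) {
        $term_restriction_query = "SELECT rs.obj_or_term_id AS term_id, rs.role_name, rs.max_scope FROM {$wpdb->role_scope_rs} AS rs "
            . "INNER JOIN {$wpdb->term_taxonomy} AS tt ON tt.taxonomy = rs.src_or_tx_name AND tt.taxonomy = 'category' AND tt.term_taxonomy_id = rs.obj_or_term_id "
            . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('entity', 'both') AND rs.topic = 'term' {$role_clause}";

        $term_default_restriction_query = "SELECT rs.role_name FROM {$wpdb->role_scope_rs} AS rs "
            . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('children', 'both') AND rs.topic = 'term' AND rs.max_scope = 'term' AND rs.src_or_tx_name = 'category' AND rs.obj_or_term_id = '0' {$role_clause}";

        $all_terms = array();
        $all_terms['category'] = $scoper->get_terms('category', false, COL_ID_RS);

        if ($results = scoper_get_results($term_restriction_query)) {
            foreach ($results as $row) {
                if ('blog' == $row->max_scope) {
                    $unrestricted_roles['category'][$row->role_name][] = $row->term_id;
                } else {
                    $restricted_roles['category'][$row->role_name][] = $row->term_id;
                }
            }
        }

        // if a role is default-restricted, mark all terms as restricted (may be unrestricted later)
        if ($results = scoper_get_col($term_default_restriction_query)) {
            foreach ($results as $role_name) {
                if (isset($unrestricted_roles['category'][$role_name])) {
                    $default_restricted = array_diff($all_terms['category'], $unrestricted_roles['category'][$role_name]);
                } else {
                    $default_restricted = $all_terms['category'];
                }

                if (isset($restricted_roles['category'][$role_name])) {
                    $restricted_roles['category'][$role_name] = array_unique(array_merge($restricted_roles['category'][$role_name], $default_restricted));
                } else {
                    $restricted_roles['category'][$role_name] = $default_restricted;
                }
            }
        }

        $restricted_terms['category'] = isset($restricted_roles['category']) ? agp_array_flatten($restricted_roles['category']) : array();

        if ($restricted_terms['category']) {
            // Term taxonomy IDs come from the DB but are cast anyway so the IN list can only hold integers.
            $term_restriction_clause = "OR post_parent IN ( SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} "
                . "INNER JOIN {$wpdb->term_relationships} AS tr ON tr.object_id = {$wpdb->posts}.ID "
                . "WHERE tr.term_taxonomy_id IN ('" . implode("','", array_map('intval', $restricted_terms['category'])) . "') )";
        }
    }

    if ($attachment_id) {
        if (is_array($attachment_id)) {
            $id_clause = "AND ID IN ('" . implode("','", array_map('intval', $attachment_id)) . "')";
        } else {
            $id_clause = $wpdb->prepare("AND ID = %d", $attachment_id);
            $limit_clause = 'LIMIT 1';
        }
    } elseif ($guid) {
        // Bug fix: this interpolated the undefined $file_path, so a guid lookup always
        // compared against ''. Bind the caller's guid instead.
        $id_clause = $wpdb->prepare("AND guid = %s", $guid);
    } else {
        $id_clause = '';
    }

    if (defined('SCOPER_NO_THUMBNAIL_FILTER')) {
        if ($thumbnail_ids = scoper_get_col("SELECT DISTINCT meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_thumbnail_id'")) {
            $id_clause .= " AND ID NOT IN ('" . implode("','", array_map('intval', $thumbnail_ids)) . "')";
        }
    }

    if ($attachments) {
        // to reduce pool of objects, we only care about those that have an attachment
        $attachment_query = "SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} WHERE {$wpdb->posts}.ID IN ( SELECT post_parent FROM {$wpdb->posts} WHERE post_type = 'attachment' {$id_clause} ) ";
    }

    if ($use_object_restrictions) {
        // NOTE(review): when $attachments is false, $attachment_query is empty and the
        // "IN ( )" below is a SQL syntax error, exactly as in the original; the intended
        // object pool for that path is not visible here, so it is left as-is.
        $object_restriction_query = "SELECT rs.obj_or_term_id AS obj_id, rs.role_name, rs.max_scope FROM {$wpdb->role_scope_rs} AS rs "
            . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('entity', 'both') AND rs.topic = 'object' AND rs.src_or_tx_name = 'post' {$role_clause} AND rs.obj_or_term_id IN ( {$attachment_query} )";

        $object_default_restriction_query = "SELECT rs.role_name FROM {$wpdb->role_scope_rs} AS rs "
            . "WHERE rs.require_for IN ('children', 'both') AND rs.topic = 'object' AND rs.max_scope = 'object' AND rs.src_or_tx_name = 'post' AND rs.obj_or_term_id = '0' {$role_clause}";

        $all_objects = array();
        $all_objects['post'] = (array) scoper_get_col($attachment_query);

        // The term-level maps are no longer needed; reuse the variables for object scope.
        $restricted_roles = array();
        $unrestricted_roles = array();

        if ($results = scoper_get_results($object_restriction_query)) {
            foreach ($results as $row) {
                if ('blog' == $row->max_scope) {
                    $unrestricted_roles['post'][$row->role_name][] = $row->obj_id;
                } else {
                    $restricted_roles['post'][$row->role_name][] = $row->obj_id;
                }
            }
        }

        // if a role is default-restricted, mark all objects as restricted (may be unrestricted later)
        if ($results = scoper_get_col($object_default_restriction_query)) {
            foreach ($results as $role_name) {
                // Bug fix: this branch tested $unrestricted_roles['category'] and diffed the
                // undefined $all_terms['post'] (copy/paste from the term block), so blog-scope
                // exceptions were never applied to object restrictions.
                if (isset($unrestricted_roles['post'][$role_name])) {
                    $default_restricted = array_diff($all_objects['post'], $unrestricted_roles['post'][$role_name]);
                } else {
                    $default_restricted = $all_objects['post'];
                }

                if (isset($restricted_roles['post'][$role_name])) {
                    $restricted_roles['post'][$role_name] = array_unique(array_merge($restricted_roles['post'][$role_name], $default_restricted));
                } else {
                    $restricted_roles['post'][$role_name] = $default_restricted;
                }
            }
        }

        if (!empty($restricted_roles['post'])) {
            $restricted_objects['post'] = array_unique(agp_array_flatten($restricted_roles['post']));

            if ($restricted_objects['post']) {
                $object_restriction_clause = "OR post_parent IN ( SELECT ID FROM {$wpdb->posts} WHERE ID IN ('" . implode("','", array_map('intval', $restricted_objects['post'])) . "') )";
            }
        }
    }

    if ($use_private_status) {
        $status_query = "AND post_parent IN ( SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} WHERE {$wpdb->posts}.post_status = 'private' )";
    }

    if ($attachments) {
        $attachment_type_clause = "post_type = 'attachment' AND";
        $unattached_clause = defined('SCOPER_BLOCK_UNATTACHED_UPLOADS') ? " OR post_parent < 1" : '';
    }

    $single_col = false;

    if (COLS_ALL_RS === $cols) {
        $query_cols = '*';
    } elseif (COL_ID_RS == $cols) {
        $query_cols = 'ID';
        $single_col = true;
    } elseif (COLS_ID_DISPLAYNAME_RS == $cols) {
        // Bug fix: this tested the undefined $attachment (singular), so guid was never selected.
        $query_cols = $attachments ? 'ID, post_title, guid' : 'ID, post_title';
    } elseif ($attachments) {
        $query_cols = 'ID, guid';
    } else {
        $query_cols = 'ID';
        $single_col = true;
    }

    $query = "SELECT {$query_cols} FROM {$wpdb->posts} WHERE {$attachment_type_clause} ( 1=1 {$status_query} {$term_restriction_clause} {$object_restriction_clause} {$unattached_clause} ) {$id_clause} ORDER BY ID DESC {$limit_clause}";

    // A scalar $attachment_id means a single row/value; everything else returns a list.
    if ($attachment_id && !is_array($attachment_id)) {
        return $single_col ? scoper_get_var($query) : scoper_get_row($query);
    }

    return $single_col ? scoper_get_col($query) : scoper_get_results($query);
}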
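/**
 * Updates an existing group's name and description.
 *
 * Metagroups (rows with a meta_id) are never updated. A changed name must pass
 * UserGroups_tp::isValidName(). HTML tags are stripped from the description
 * before it is stored. Fires 'update_group_rs' and flushes the group caches.
 *
 * @param int    $group_id    - Group identifier
 * @param string $name        - Name of the group
 * @param string $description - Group description (optional)
 * @return boolean True on successful update; false for an invalid name or a metagroup
 **/
function updateGroup($group_id, $name, $description = '') {
    global $wpdb;

    $description = strip_tags($description);

    $prev = scoper_get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->groups_rs} WHERE {$wpdb->groups_id_col} = %d",
        $group_id
    ));

    if ($prev) {
        if ($prev->{$wpdb->groups_name_col} != $name && !UserGroups_tp::isValidName($name)) {
            return false;
        }

        // don't allow updating of metagroup name / descript
        if (!empty($prev->meta_id)) {
            return false;
        }
    }

    do_action('update_group_rs', $group_id);

    // $name and $description come from the admin form; bind them rather than interpolate.
    scoper_query($wpdb->prepare(
        "UPDATE {$wpdb->groups_rs} SET {$wpdb->groups_name_col} = %s, {$wpdb->groups_descript_col} = %s WHERE {$wpdb->groups_id_col} = %d",
        $name,
        $description,
        $group_id
    ));

    wpp_cache_flush_group('all_usergroups');
    wpp_cache_flush_group('group_members');
    wpp_cache_flush_group('usergroups_for_user');
    wpp_cache_flush_group('usergroups_for_groups');
    wpp_cache_flush_group('usergroups_for_ug');

    return true;
}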
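/**
 * Gets a group with a given name
 *
 * @param string $name - Group Name (matched exactly against the group name column)
 * @return Object An object with ID, display_name and descript, or whatever
 *                scoper_get_row() returns when there is no match
 **/
function get_group_by_name($name) {
    global $wpdb;

    // Bind the name: it was previously spliced into the WHERE clause unescaped.
    $query = $wpdb->prepare(
        "SELECT {$wpdb->groups_id_col} AS ID, {$wpdb->groups_name_col} AS display_name, {$wpdb->groups_descript_col} as descript "
        . " FROM {$wpdb->groups_rs} WHERE {$wpdb->groups_name_col} = %s",
        $name
    );

    return scoper_get_row($query);
}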
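/**
 * Decide whether the current user may fetch an upload by its direct file URL.
 *
 * Filtering is skipped (returns true) when DISABLE_QUERYFILTERS_RS is defined,
 * the user is a content administrator, or the 'file_filtering' option is off.
 * Otherwise the file is mapped back to its attachment row(s) by guid — with the
 * "-NNNxNNN" auto-resize suffix and the 14-character manual-resize suffix
 * stripped — and access is granted when any matching attachment hangs off a
 * published or private post the user can read.
 *
 * @param string       $file                    Path relative to the uploads basedir (request-derived).
 * @param int          &$return_attachment_id   Set to the ID of the attachment that granted access, else 0.
 * @param array        &$matched_published_post Filled with object_type => post_name for attachments of
 *                                              published/private posts the user may NOT read.
 * @param array|string $uploads                 Upload info with 'basedir'/'baseurl'; fetched when absent.
 * @return bool True when readable. When no attachment row matches the file at all, returns whether
 *              the user has edit_others_posts or edit_others_pages.
 **/
function _user_can_read_file($file, &$return_attachment_id, &$matched_published_post, $uploads = '') {
    // don't filter the direct file URL request if filtering is disabled
    //
    // Security fix: the previous version also skipped filtering whenever HTTP_REFERER
    // contained siteurl . '/wp-admin'. The Referer header is client-supplied, so any
    // visitor could send it and bypass the check entirely. Its own comment said wp-admin
    // image requests are already diverted by the http_referer RewriteRule, so the
    // header-based bypass is removed rather than kept "just in case".
    if (defined('DISABLE_QUERYFILTERS_RS') || is_content_administrator_rs() || !scoper_get_option('file_filtering')) {
        return true;
    }

    if (!is_array($uploads) || empty($uploads['basedir'])) {
        require_once dirname(__FILE__) . '/uploads_rs.php';
        $uploads = scoper_get_upload_info();
    }

    global $wpdb;

    $file_url = $uploads['baseurl'] . "/{$file}";

    // auto-resized copies have -NNNxNNN suffix, but the base filename is stored as attachment. Strip the suffix out for db query.
    // (The dot before the extension is now escaped; an unescaped '.' matched any character.)
    $orig_file_url = preg_replace("/-[0-9]{2,4}x[0-9]{2,4}\./", '.', $file_url);

    // manually resized copies have -?????????????? suffix, but the base filename is stored as attachment. Strip the suffix out for db query.
    $orig_file_url = preg_replace("/-[0-9a-z]{14}\./", '.', $orig_file_url);

    // $file is taken from the request path: bind it instead of interpolating into SQL.
    $results = scoper_get_results($wpdb->prepare(
        "SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND post_parent > 0 AND guid = %s",
        $orig_file_url
    ));

    $matched_published_post = array();
    $return_attachment_id = 0;

    if (empty($results)) {
        // No attachment row maps to this file: fall back to a broad editing capability.
        $args = array('skip_any_object_check' => true, 'skip_any_term_check' => true);
        return cr_user_can('edit_others_posts', 0, 0, $args) || cr_user_can('edit_others_pages', 0, 0, $args);
    }

    // set global flag (checked by flt_user_has_cap, which filters current_user_can)
    global $scoper_checking_attachment_access;
    $scoper_checking_attachment_access = true;

    foreach ($results as $attachment) {
        // (The old per-row is_content_administrator_rs() check was unreachable: that case
        // already returned true at the top of the function.)
        if (!$attachment->post_parent) {
            continue;
        }

        $parent_post = scoper_get_row($wpdb->prepare(
            "SELECT post_type, post_status FROM {$wpdb->posts} WHERE ID = %d LIMIT 1",
            $attachment->post_parent
        ));
        if (!$parent_post) {
            continue;
        }

        $object_type = $parent_post->post_type;

        // Only return content that is attached to published (potentially including private) posts/pages
        // If some other statuses for published posts are introduced in later WP versions,
        // the failure mode here will be to overly suppress attachments
        if ('publish' != $parent_post->post_status && 'private' != $parent_post->post_status) {
            continue;
        }

        if (current_user_can("read_{$object_type}", $attachment->post_parent)) {
            $return_attachment_id = $attachment->ID;
            break;
        }

        $matched_published_post[$object_type] = $attachment->post_name;
    }

    // clear global flag
    $scoper_checking_attachment_access = false;

    // Explicit boolean: the original fell off the end (null) when nothing was readable.
    return (bool) $return_attachment_id;
}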
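/**
 * Fetch one object row (or a single column) for a registered data source.
 *
 * 'post' and 'link' sources go through WordPress' cached accessors
 * (get_post_field / get_post / get_bookmark); any other source registered
 * with $this->get() is read from its own table.
 *
 * @param string     $src_name  Data source name.
 * @param int|string $object_id Row ID. For table-backed sources an empty ID returns array().
 * @param string     $cols      For 'post': a single column name (no comma) selects that field,
 *                              anything else returns the whole post. For table sources: the raw
 *                              SELECT list ('' means '*').
 * @return mixed Row object, field value, array() for an empty ID, or null for an unknown source.
 **/
function get_object($src_name, $object_id, $cols = '') {
    // special cases to take advantage of cached post/link
    if ('post' == $src_name) {
        if ($cols && !strpos($cols, ',')) {
            return get_post_field($cols, $object_id, 'raw');
        }
        return get_post($object_id);
    }

    if ('link' == $src_name) {
        return get_bookmark($object_id);
    }

    if (!($src = $this->get($src_name))) {
        return;
    }

    global $wpdb;

    if (!$cols) {
        $cols = '*';
    }

    if (empty($object_id)) {
        return array();
    }

    // The ID is bound (%s keeps the original quoted-string comparison). $cols is still
    // spliced into the SELECT list unescaped: callers must pass only literal column names.
    return scoper_get_row($wpdb->prepare(
        "SELECT {$cols} FROM {$src->table} WHERE {$src->cols->id} = %s LIMIT 1",
        $object_id
    ));
}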