$object_types = $src->object_types; if ('post' == $src_name) { $use_post_types = scoper_get_option('use_post_types'); $use_post_types['nav_menu_item'] = true; // currently no RS Options switch for this $object_types['nav_menu_item'] = (object) array('labels' => (object) array('name' => __('Nav Menu Manager', 'scoper'))); } $include_taxonomy_otypes = true; foreach ($object_types as $object_type => $otype) { if ('post' == $src_name && empty($use_post_types[$object_type])) { continue; } $otype_roles = array(); $otype_roles[$object_type] = $scoper->role_defs->get_matching('rs', $src_name, $object_type); $otype_source[$object_type] = $src_name; $uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type); if ($include_taxonomy_otypes) { foreach ($uses_taxonomies as $taxonomy) { if ($tx_roles = $scoper->role_defs->get_matching('rs', $src_name, $taxonomy)) { $otype_roles[$taxonomy] = $tx_roles; } } } if (!$otype_roles) { continue; } echo "<br /><h4><a name='{$object_type}'></a><strong>"; printf(__('Modify role assignments for %s', 'scoper'), $otype->labels->name); echo '</strong></h4>'; //display each role eligible for group/user assignment $row_class = 'rs-backwhite';
function users_queryroles($reqd_caps, $src_name, $object_id = '', $args = array()) { $defaults = array('roles' => '', 'user' => '', 'querying_groups' => 0, 'use_term_roles' => 1, 'use_blog_roles' => 1, 'skip_object_roles' => false, 'ignore_strict_terms' => 0, 'object_terms' => array(), 'object_type' => '', 'objscope_roles' => '', 'any_object' => false); $args = array_merge($defaults, (array) $args); extract($args); $src = $this->scoper->data_sources->get($src_name); // ---- The following default argument generation is included to support potential direct usage of this function // (not needed for flt_users_where call ----------------- // Treat empty reqd_caps array as an error if (empty($reqd_caps)) { return array(); } $reqd_caps = (array) $reqd_caps; // Calling function may save us a little work if it has already made this call if (!$roles) { if (!($roles = $this->scoper->role_defs->qualify_roles($reqd_caps))) { return array(); } } else { $roles = (array) $roles; } // this set of reqd_caps cannot be satisfied by any role if (!$reqd_caps && !$roles) { return; } if ($object_id && !$src_name) { $object_id = 0; } // ----------------------------------------------------------------------------------- // Default to not honoring custom user caps, but support option $custom_user_blogcaps = SCOPER_CUSTOM_USER_BLOGCAPS; if (!$object_type) { if ($object_types = $this->scoper->cap_defs->object_types_from_caps($reqd_caps, $src_name)) { if (count($object_types) == 1) { $object_type = reset($object_types); } } if (!$object_type) { $object_type = cr_find_object_type($src_name, $object_id); } } // RS roles are object type-specific $roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp')); $roles_rs = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs')); $this_otype_roles = $this->scoper->role_defs->get_matching('rs', $src_name, $object_type); $roles_rs = array_intersect_key($roles_rs, $this_otype_roles); $roles = array_merge($roles_rs, $roles_wp); $qualifying_roles = array(); // --------- ACCOUNT FOR OBJECT ROLES ----------- // If this set of reqd_caps can be satisfied by a scopable role, check for object role assignements if (!$skip_object_roles && ($object_id || $any_object)) { // exclude roles which have never been assigned to any object if ($object_roles = $this->scoper->qualify_object_roles($reqd_caps, $object_type, -1)) { $qualifying_roles[OBJECT_SCOPE_RS][''] = scoper_role_handles_to_names(array_keys($roles)); } } // If this inquiry is for a particular object, find out which roles must be object-assigned for it if ($object_id) { // For term and blog role clauses, exclude roles which require object assignment for that object // But don't disqualify a role if any of the roles it "contains" also qualify and are not object-scoped. // (i.e. If the required caps are satisfied by admin, editor and contributor, the actual minimum requirement // is contributor. A specification that admin and editor roles "require object assignment" does not apply // in this scenario. if (!is_array($objscope_roles)) { $objscope_roles = $this->get_objscope_roles($src_name, $object_id, '', true); } if ($objscope_roles) { $contained_roles = array(); $roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp')); foreach (array_keys($roles_wp) as $role_handle) { // If scoping with RS roles, this will also have the effect of disqualifying a WP blog role if all of the qualifying RS roles it contains are objscoped. $contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, false, 'rs'); $contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles); if (!array_diff_key($contained_roles[$role_handle], $objscope_roles)) { unset($roles[$role_handle]); } } foreach (array_keys($roles) as $role_handle) { $contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, true, 'rs'); //true: include this role in return array $contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles); if (!array_diff_key($contained_roles[$role_handle], $objscope_roles)) { unset($roles[$role_handle]); } } } } // --------- ACCOUNT FOR TERM ROLES ----------- // Consider term scope settings and role assignments // $uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type); if ($use_term_roles && $src_name && $roles && !empty($uses_taxonomies)) { // If scoping with RS roles, strip out WP role definitions (which were included for blogrole clause) $term_roles = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs')); if ($term_roles) { foreach ($uses_taxonomies as $taxonomy) { // include users with a sufficient term role assignment in any term $qualifying_roles[TERM_SCOPE_RS][$taxonomy] = scoper_role_handles_to_names(array_keys($term_roles)); } } // Honor blog-wide assignment of any non-objscope role, but only if at least one term // is not "strict" (i.e. merges blogroles into term-specific assignments). if (!$ignore_strict_terms) { $term_roles = $this->get_unrestricted_term_roles($term_roles, $uses_taxonomies, $object_id, $object_terms); // disqualify a WP blog role if all of the qualifying RS roles it contains were excluded by the strict terms filter. if ($roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp'))) { $contained_roles = array(); foreach (array_keys($roles_wp) as $role_handle) { $contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, false, 'rs'); $contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles); if (!$term_roles || !$contained_roles[$role_handle] || !array_intersect_key($contained_roles[$role_handle], $term_roles)) { unset($roles[$role_handle]); } } } $roles_current = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs')); foreach (array_keys($roles_current) as $role_handle) { if (!isset($term_roles[$role_handle])) { unset($roles[$role_handle]); } } // Since this term role is restricted for all terms, prevent corresponding blog role from being added to qualifying_roles array by subsequent code } } // --------- ACCOUNT FOR BLOG ROLES ----------- // For each qualifying role, recognize blog assignment if the reqd_caps set is not associated // with a defined data source, if this source/object type does not use term roles, // or if some of the the terms are not strict. // // Note that WP blogrole assignments (if not taxonomy or object-scoped) are honored // regardless of Role Scoper role_type setting. if ($use_blog_roles) { if ($admin_roles = awp_administrator_roles()) { $roles = $roles ? array_merge($roles, $admin_roles) : $admin_roles; } if ($roles) { $role_types = array('rs', 'wp'); foreach ($role_types as $role_type) { //if ( ('rs' == $role_type) && ! RS_BLOG_ROLES ) // rs_blog_roles option has never been active in any RS release; leave commented here in case need arises // continue; $this_type_roles = $this->scoper->role_defs->filter($roles, array('role_type' => $role_type)); $qualifying_roles[BLOG_SCOPE_RS][$role_type] = scoper_role_handles_to_names(array_keys($this_type_roles)); } } if ($custom_user_blogcaps && $use_blog_roles) { // If custom user blogcaps option is enabled, this function is called separately for each reqd cap. // Custom user caps are stored as "hidden" single-cap role of type WP_CAP, sync'd to WP usermeta storage. if ($custom_user_blogcaps) { $qualifying_roles[BLOG_SCOPE_RS]['wp_cap'] = $reqd_caps; } // ...which contains one cap } } return $qualifying_roles; }
function user_can_for_any_term($reqd_caps, $user = '') { if (!is_object($user)) { $user = $GLOBALS['current_rs_user']; } // Instead of just intersecting the missing reqd_caps with termcaps from all term_roles, // require each subset of caps with matching src_name, object type and op_type to // all be satisfied by the same role (any assigned term role). This simulates flt_objects_where behavior (which does so to support role restrictions. $grant_caps = array(); $caps_by_otype = $this->scoper->cap_defs->organize_caps_by_otype($reqd_caps); // temp workaround if ('manage_categories' == current($reqd_caps) && isset($caps_by_otype['post']['link'])) { $caps_by_otype['link']['link_category'] = $caps_by_otype['post']['link']; unset($caps_by_otype['post']['link']); } foreach ($caps_by_otype as $src_name => $otypes) { $object_types = $this->scoper->data_sources->member_property($src_name, 'object_types'); // deal with upload_files and other capabilities which have no specific object type if (!array_diff_key($otypes, array('' => true))) { foreach (array_keys($object_types) as $_object_type) { $otypes[$_object_type] = $otypes['']; } unset($otypes['']); } $uses_taxonomies = scoper_get_taxonomy_usage($src_name, array_keys($otypes)); // this ensures we don't credit term roles on custom taxonomies which have been disabled if (!($uses_taxonomies = array_intersect($uses_taxonomies, $this->scoper->taxonomies->get_all_keys()))) { continue; } foreach ($otypes as $this_otype_caps) { // keyed by object_type $caps_by_op = $this->scoper->cap_defs->organize_caps_by_op((array) $this_otype_caps); foreach ($caps_by_op as $this_op_caps) { // keyed by op_type $roles = $this->scoper->role_defs->qualify_roles($this_op_caps); foreach ($uses_taxonomies as $taxonomy) { if (!isset($user->term_roles[$taxonomy])) { $user->term_roles[$taxonomy] = $user->get_term_roles_daterange($taxonomy); } // call daterange function populate term_roles property - possible perf enhancement for subsequent code even though we don't conider content_date-limited roles here if (array_intersect_key($roles, agp_array_flatten($user->term_roles[$taxonomy], false))) { // okay to include all content date ranges because can_for_any_term checks are only preliminary measures to keep the admin UI open $grant_caps = array_merge($grant_caps, $this_op_caps); break; } } } } } if ($grant_caps) { return array_fill_keys(array_unique($grant_caps), true); } else { return array(); } }
function scoper_admin_object_restrictions($src_name, $object_type) { global $scoper, $scoper_admin; if (!($src = $scoper->data_sources->get($src_name)) || !empty($src->no_object_roles) || !empty($src->taxonomy_only) || $src_name == 'group') { wp_die(__('Invalid data source', 'scoper')); } $is_administrator = is_administrator_rs($src, 'user'); $role_bases = array(); if (USER_ROLES_RS && ($is_administrator || $scoper_admin->user_can_admin_object($src_name, $object_type, 0, true))) { $role_bases[] = ROLE_BASIS_USER; } if (GROUP_ROLES_RS && ($is_administrator || $scoper_admin->user_can_admin_object($src_name, $object_type, 0, true) || current_user_can('manage_groups'))) { $role_bases[] = ROLE_BASIS_GROUPS; } if (empty($role_bases)) { wp_die(__awp('Cheatin’ uh?')); } $otype = $scoper->data_sources->member_property($src_name, 'object_types', $object_type); require_once dirname(__FILE__) . '/admin-bulk_rs.php'; require_once dirname(__FILE__) . '/admin_lib-bulk-parent_rs.php'; $role_assigner = init_role_assigner(); $nonce_id = 'scoper-assign-roles'; $role_codes = ScoperAdminBulk::get_role_codes(); echo '<a name="scoper_top"></a>'; // ==== Process Submission ===== $err = 0; if (isset($_POST['rs_submit'])) { $err = ScoperAdminBulk::role_submission(OBJECT_SCOPE_RS, ROLE_RESTRICTION_RS, '', $src_name, $role_codes, '', $nonce_id); if (scoper_get_option('file_filtering')) { scoper_flush_file_rules(); } } ?> <div class="wrap agp-width97"> <?php $src_otype = isset($src->object_types) ? "{$src_name}:{$object_type}" : $src_name; $item_label_singular = $scoper_admin->interpret_src_otype($src_otype, 'singular_name'); $item_label = $scoper_admin->interpret_src_otype($src_otype); echo '<h2>' . sprintf(__('%s Restrictions', 'scoper'), $item_label_singular) . ' <span style="font-size: 0.6em; font-style: normal">(<a href="#scoper_notes">' . __('see notes', 'scoper') . '</a>)</span>' . '</h2>'; if (scoper_get_option('display_hints')) { echo '<div class="rs-hint">'; $link_open = "<a href='admin.php?page=rs-{$object_type}-roles'>"; $uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type); if ($uses_taxonomies && 1 == count($uses_taxonomies)) { $tx_display = $scoper->taxonomies->member_property(reset($uses_taxonomies), 'display_name'); printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General and %5$s Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>', $tx_display); } elseif (count($uses_taxonomies)) { printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General and Term Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>'); } else { printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>'); } echo '</div>'; } $ignore_hierarchy = !empty($otype->ignore_object_hierarchy); ?> <form action="" method="post" name="role_assign" id="role_assign"> <?php wp_nonce_field($nonce_id); // ============ Users / Groups and Assignment Mode Selection Display ================ if (empty($src->cols->parent) || $ignore_hierarchy) { $assignment_modes = array(ASSIGN_FOR_ENTITY_RS => sprintf(__('for selected %s', 'scoper'), $item_label)); } else { $assignment_modes = array(ASSIGN_FOR_ENTITY_RS => sprintf(__('for selected %s', 'scoper'), $item_label), ASSIGN_FOR_CHILDREN_RS => sprintf(__('for sub-%s of selected', 'scoper'), $item_label), ASSIGN_FOR_BOTH_RS => sprintf(__('for selected and sub-%s', 'scoper'), $item_label)); } $max_scopes = array('object' => __('Restrict selected roles', 'scoper'), 'blog' => __('Unrestrict selected roles', 'scoper')); $args = array('max_scopes' => $max_scopes, 'scope' => OBJECT_SCOPE_RS); ScoperAdminBulk::display_inputs(ROLE_RESTRICTION_RS, $assignment_modes, $args); echo '<br />'; $args = array('default_hide_empty' => !empty($otype->admin_default_hide_empty), 'hide_roles' => true, 'scope' => OBJECT_SCOPE_RS, 'src' => $src, 'otype' => $otype); ScoperAdminBulk::item_tree_jslinks(ROLE_RESTRICTION_RS, $args); // buffer prev/next caption for display with each obj type //$prevtext = _ x('prev', 'abbreviated link to previous item', 'scoper'); //$nexttext = _ x('next', 'abbreviated link to next item', 'scoper'); $prevtext = __('prev', 'scoper'); $nexttext = __('next', 'scoper'); $site_url = get_option('siteurl'); $args = array('include_child_restrictions' => true, 'return_array' => true, 'role_type' => 'rs', 'force_refresh' => true); $strict_objects = $scoper->get_restrictions(OBJECT_SCOPE_RS, $src_name, $args); $object_names = array(); $object_status = array(); $listed_objects = array(); $unlisted_objects = array(); $col_id = $src->cols->id; $col_parent = isset($src->cols->parent) && !$ignore_hierarchy ? $src->cols->parent : ''; $object_ids = array(); if (isset($strict_objects['restrictions'])) { foreach (array_keys($strict_objects['restrictions']) as $role_handle) { $object_ids = $object_ids + array_keys($strict_objects['restrictions'][$role_handle]); } } elseif (isset($strict_objects['unrestrictions'])) { foreach (array_keys($strict_objects['unrestrictions']) as $role_handle) { $object_ids = $object_ids + array_keys($strict_objects['unrestrictions'][$role_handle]); } } $object_ids = array_flip(array_unique($object_ids)); // Get the obj name, parent associated with each role (also sets $object_names, $unlisted objects) $listed_objects = ScoperAdminBulkParent::get_objects_info($object_ids, $object_names, $object_status, $unlisted_objects, $src, $otype, $ignore_hierarchy); if ($col_parent) { if ($listed_objects) { if ($unlisted_objects) { // query for any parent objects which don't have their own role assignments $listed_objects = ScoperAdminBulkParent::add_missing_parents($listed_objects, $unlisted_objects, $col_parent); } // convert keys from object ID to title+ID so we can alpha sort them $listed_objects_alpha = array(); foreach (array_keys($listed_objects) as $id) { $listed_objects_alpha[$listed_objects[$id]->{$src->cols->name} . chr(11) . $id] = $listed_objects[$id]; } uksort($listed_objects_alpha, "strnatcasecmp"); $listed_objects = ScoperAdminBulkParent::order_by_hierarchy($listed_objects_alpha, $col_id, $col_parent); } // endif any listed objects } else { // endif doing object hierarchy if ($listed_objects) { // convert keys from object ID to title+ID so we can alpha sort them $listed_objects_alpha = array(); foreach (array_keys($listed_objects) as $id) { $listed_objects_alpha[$listed_objects[$id]->{$src->cols->name} . chr(11) . $id] = $listed_objects[$id]; } uksort($listed_objects_alpha, "strnatcasecmp"); // convert to ordinal integer index $listed_objects = array_combine(array_keys(array_fill(0, count($listed_objects_alpha), true)), $listed_objects_alpha); } } if (!$is_administrator) { $cu_admin_results = ScoperAdminBulk::filter_objects_listing(ROLE_RESTRICTION_RS, $strict_objects, $src, $object_type); } else { $cu_admin_results = ''; } // no need to filter admins // membuffer ids so user_can_admin_role() doesn't trigger a separate has_cap query for each one if ($cu_admin_results) { $scoper->listed_ids[$src_name] = $cu_admin_results; } global $scoper_admin; $role_display = array(); $editable_roles = array(); $role_defs_by_otype = array(); $role_defs_by_otype[$object_type] = $scoper->role_defs->get_matching('rs', $src_name, $object_type); foreach (array_keys($role_defs_by_otype[$object_type]) as $role_handle) { $role_display[$role_handle] = $scoper->role_defs->get_abbrev($role_handle, OBJECT_UI_RS); if ($cu_admin_results && !is_user_administrator_rs()) { foreach (array_keys($cu_admin_results) as $object_id) { if ($scoper_admin->user_can_admin_role($role_handle, $object_id, $src_name, $object_type)) { $editable_roles[$object_id][$role_handle] = true; } } } } $table_captions = ScoperAdminUI::restriction_captions(OBJECT_SCOPE_RS, '', $item_label_singular, $item_label); $args = array('admin_items' => $cu_admin_results, 'editable_roles' => $editable_roles, 'default_hide_empty' => !empty($otype->admin_default_hide_empty), 'ul_class' => 'rs-objlist', 'object_names' => $object_names, 'object_status' => $object_status, 'table_captions' => $table_captions, 'ie_link_style' => '', 'err' => $err); ScoperAdminBulk::item_tree(OBJECT_SCOPE_RS, ROLE_RESTRICTION_RS, $src, $otype, $listed_objects, '', $strict_objects, $role_defs_by_otype, $role_codes, $args); //ScoperAdminBulk::item_tree( OBJECT_SCOPE_RS, ROLE_ASSIGNMENT_RS, $src, $otype, $all_objects, $object_roles, $strict_objects, $role_defs_by_otype, $role_codes, $args); echo '<hr /><div style="background-color: white;"></div>'; echo '<div class="rs-objlistkey">'; $args = array('display_links' => true, 'display_restriction_key' => true); ScoperAdminUI::role_owners_key($otype, $args); echo '</div>'; echo '</form><br /><h4 style="margin-bottom:0.1em"><a name="scoper_notes"></a>' . __("Notes", 'scoper') . ':</h4><ul class="rs-notes">'; echo '<li>'; printf(__('To edit all roles for any %1$s, click on the %1$s name.', 'scoper'), $otype->labels->singular_name); echo '</li>'; echo '<li>'; printf(__("To edit the %s via its default editor, click on the ID link.", 'scoper'), $otype->labels->singular_name); echo '</li>'; if (!$is_administrator) { echo '<li>'; printf(__('To enhance performance, the role editing checkboxes here may not include some roles which you can only edit due to your own %1$s-specific role. In such cases, click on the editing link to edit roles for the individual %1$s.', 'scoper'), $otype->labels->singular_name); echo '</li>'; } echo '</ul>'; echo '<a href="#scoper_top">' . __('top', 'scoper') . '</a>'; ?> </div> <?php }
function determine_role_usage_rs($src_name = 'post', $listed_ids = '') { global $scoper, $wpdb; if ('post' != $src_name) { return; } if (empty($listed_ids)) { if (!empty($scoper->listed_ids[$src_name])) { $listed_ids = $scoper->listed_ids[$src_name]; } else { return; } } if (empty($this->checked_ids[$src_name])) { $this->checked_ids[$src_name] = array(); } else { if (!array_diff_key($this->checked_ids[$src_name], $listed_ids)) { return; } } $this->checked_ids[$src_name] = $this->checked_ids[$src_name] + $listed_ids; $src = $scoper->data_sources->get($src_name); $col_id = $src->cols->id; $col_type = isset($src->cols->type) ? $src->cols->type : ''; if ($viewing_object_type = cr_find_post_type()) { $object_types = (array) $viewing_object_type; } else { $object_types = array_diff_key(get_post_types(array('public' => true)), array('attachment')); } // For now, only determine restricted posts if using RS role type. // Backing this out will be more convoluted for WP role type; may need to just list which roles are restricted rather than trying to give an Restricted Read/Edit summary $roles = array(); if (is_admin()) { foreach ($object_types as $_post_type) { $roles["edit"][$_post_type] = array("publish" => "rs_{$_post_type}_editor", "private" => "rs_{$_post_type}_editor", "draft" => "rs_{$_post_type}_contributor", "pending" => "rs_{$_post_type}_contributor", "future" => "rs_{$_post_type}_editor", "trash" => "rs_{$_post_type}_editor"); $roles["read"][$_post_type] = array("publish" => "rs_{$_post_type}_reader", "private" => "rs_private_{$_post_type}_reader", "draft" => "rs_{$_post_type}_reader", "pending" => "rs_{$_post_type}_reader", "future" => "rs_{$_post_type}_reader", "trash" => "rs_{$_post_type}_editor"); } } else { foreach ($object_types as $_post_type) { $roles["read"][$_post_type] = array("publish" => "rs_{$_post_type}_reader", "private" => "rs_private_{$_post_type}_reader"); } } // which of these results ignore blog role assignments? $uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_types); if (!empty($uses_taxonomies)) { foreach ($uses_taxonomies as $taxonomy) { $tx_object_types = $object_types; foreach ($tx_object_types as $key => $object_type) { // ignore term restrictions / roles for object types which have them disabled $_use_term_roles = scoper_get_otype_option('use_term_roles', $src_name, $object_type); if (empty($_use_term_roles[$taxonomy])) { unset($tx_object_types[$key]); } } if (!$tx_object_types) { continue; } if (!$scoper->taxonomies->is_member($taxonomy)) { continue; } $qvars = $scoper->taxonomies->get_terms_query_vars($taxonomy); $term_join = " INNER JOIN {$qvars->term->table} {$qvars->term->as} ON {$src->table}.{$src->cols->id} = {$qvars->term->alias}.{$qvars->term->col_obj_id} "; // ======== Log term restrictions ======== // if ($scoper->taxonomies->member_property($taxonomy, 'requires_term')) { if ($strict_terms = $scoper->get_restrictions(TERM_SCOPE_RS, $taxonomy)) { $this->any_restricted_terms = true; } $all_terms = $scoper->get_terms($taxonomy, UNFILTERED_RS, COL_ID_RS); foreach (array_keys($roles) as $op_type) { $status_where = array(); foreach ($tx_object_types as $object_type) { $term_clauses = array(); foreach ($roles[$op_type][$object_type] as $status => $check_role) { if (isset($strict_terms['restrictions'][$check_role]) && is_array($strict_terms['restrictions'][$check_role])) { $this_strict_terms = array_keys($strict_terms['restrictions'][$check_role]); } elseif (isset($strict_terms['unrestrictions'][$check_role]) && is_array($strict_terms['unrestrictions'][$check_role])) { $this_strict_terms = array_diff($all_terms, array_keys($strict_terms['unrestrictions'][$check_role])); } else { $this_strict_terms = array(); } if (!$this_strict_terms) { // no terms in this taxonomy have restricted roles $term_clauses[$status] = '1=2'; } elseif (count($this_strict_terms) < count($all_terms)) { // some (but not all) terms in this taxonomy honor blog-wide assignment of the pertinent role $term_clauses[$status] = " {$qvars->term->alias}.{$qvars->term->col_id} IN ('" . implode("', '", $this_strict_terms) . "')"; } else { $term_clauses[$status] = '1=1'; } if (isset($term_clauses[$status])) { $status_where[$object_type][$status] = " {$src->cols->status} = '{$status}' AND ( {$term_clauses[$status]} ) "; } } // end foreach statuses if (isset($status_where[$object_type])) { // object_type='type_val' AND ( (status 1 clause) OR (status 2 clause) ... $status_where[$object_type] = " {$src->cols->type} = '{$object_type}' AND ( " . agp_implode(' ) OR ( ', $status_where[$object_type], ' ( ', ' ) ') . " )"; } } // end foreach tx_object_types // NOTE: we are querying for posts/pages which HAVE restrictions that apply to their current post_status // if ($status_where) { // (object type 1 clause) OR (object type 2 clause) ... $where = ' AND (' . agp_implode(' ) OR ( ', $status_where, ' ( ', ' ) ') . ' )'; $where .= " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')"; $query = "SELECT DISTINCT {$col_id} FROM {$src->table} {$term_join} WHERE 1=1 {$where}"; if (isset($query_results[$query])) { $restricted_ids = $query_results[$query]; } else { $restricted_ids = scoper_get_col($query); $query_results[$query] = $restricted_ids; } foreach ($restricted_ids as $id) { $this->termscoped_ids[$src_name][$id][$op_type] = true; $this->restricted_ids[$src_name][$id][$op_type] = true; } } } // end foreach op_type (read/edit) } // end term restrictions logging // ======== Log term roles ======== // if (is_admin() && !empty($qvars)) { if ($src_roles = $scoper->role_defs->get_matching('rs', 'post', $tx_object_types)) { $otype_role_names = array(); foreach (array_keys($src_roles) as $role_handle) { $otype_role_names[] = $src_roles[$role_handle]->name; } $role_clause = "AND uro.role_name IN ('" . implode("', '", $otype_role_names) . "')"; $join_assigned = $term_join . " INNER JOIN {$wpdb->user2role2object_rs} AS uro ON uro.obj_or_term_id = {$qvars->term->alias}.{$qvars->term->col_id}" . " AND uro.scope = 'term' AND uro.role_type = 'rs' {$role_clause} AND uro.src_or_tx_name = '{$taxonomy}'"; $where = " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')"; $query = "SELECT DISTINCT {$col_id}, uro.role_name FROM {$src->table} {$join_assigned} WHERE 1=1 {$where}"; $role_results = scoper_get_results($query); foreach ($role_results as $row) { $role_handle = scoper_get_role_handle($row->role_name, 'rs'); $this->have_termrole_ids[$src_name][$row->{$col_id}][$role_handle] = true; } } } // end term roles logging } // end foreach of this data source's taxonomies } // endif this data source uses taxonomies // which of these results ignore blog AND term role assignments? if ($objscope_objects = $scoper->get_restrictions(OBJECT_SCOPE_RS, $src_name)) { $this->any_restricted_objects = true; } foreach (array_keys($roles) as $op_type) { foreach ($object_types as $object_type) { if (!scoper_get_otype_option('use_object_roles', $src_name, $object_type)) { continue; } if (is_array($roles[$op_type][$object_type])) { foreach (array_keys($listed_ids) as $id) { foreach ($roles[$op_type][$object_type] as $check_role) { // If a restriction is set for this object and role, // OR if the role is default-restricted with no unrestriction for this object... if (isset($objscope_objects['restrictions'][$check_role][$id]) || isset($objscope_objects['unrestrictions'][$check_role]) && is_array($objscope_objects['unrestrictions'][$check_role]) && !isset($objscope_objects['unrestrictions'][$check_role][$id])) { $this->objscoped_ids[$src_name][$id][$op_type] = true; $this->restricted_ids[$src_name][$id][$op_type] = true; } } } //end foreach listed ids } // endif any applicable roles defined } // end forach object type } // end foreach op_type (read/edit) // query for object role assignments if (is_admin()) { if ($scoper->get_applied_object_roles()) { //$this->any_object_roles = true; $join_assigned = " INNER JOIN {$wpdb->user2role2object_rs} AS uro ON uro.obj_or_term_id = {$src->table}.{$col_id}" . " AND uro.src_or_tx_name = '{$src_name}' AND uro.scope = 'object' AND uro.role_type = 'rs'"; $where = " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')"; $query = "SELECT DISTINCT {$col_id}, uro.role_name FROM {$src->table} {$join_assigned} WHERE 1=1 {$where}"; $role_results = scoper_get_results($query); foreach ($role_results as $row) { $role_handle = scoper_get_role_handle($row->role_name, 'rs'); $this->have_objrole_ids[$src_name][$row->{$col_id}][$role_handle] = true; //$this->any_object_roles = true; } } } }