$object_types = $src->object_types;
if ('post' == $src_name) {
$use_post_types = scoper_get_option('use_post_types');
$use_post_types['nav_menu_item'] = true;
// currently no RS Options switch for this
$object_types['nav_menu_item'] = (object) array('labels' => (object) array('name' => __('Nav Menu Manager', 'scoper')));
}
$include_taxonomy_otypes = true;
foreach ($object_types as $object_type => $otype) {
if ('post' == $src_name && empty($use_post_types[$object_type])) {
continue;
}
$otype_roles = array();
$otype_roles[$object_type] = $scoper->role_defs->get_matching('rs', $src_name, $object_type);
$otype_source[$object_type] = $src_name;
$uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type);
if ($include_taxonomy_otypes) {
foreach ($uses_taxonomies as $taxonomy) {
if ($tx_roles = $scoper->role_defs->get_matching('rs', $src_name, $taxonomy)) {
$otype_roles[$taxonomy] = $tx_roles;
}
}
}
if (!$otype_roles) {
continue;
}
echo "<br /><h4><a name='{$object_type}'></a><strong>";
printf(__('Modify role assignments for %s', 'scoper'), $otype->labels->name);
echo '</strong></h4>';
//display each role eligible for group/user assignment
$row_class = 'rs-backwhite';
function users_queryroles($reqd_caps, $src_name, $object_id = '', $args = array())
{
$defaults = array('roles' => '', 'user' => '', 'querying_groups' => 0, 'use_term_roles' => 1, 'use_blog_roles' => 1, 'skip_object_roles' => false, 'ignore_strict_terms' => 0, 'object_terms' => array(), 'object_type' => '', 'objscope_roles' => '', 'any_object' => false);
$args = array_merge($defaults, (array) $args);
extract($args);
$src = $this->scoper->data_sources->get($src_name);
// ---- The following default argument generation is included to support potential direct usage of this function
// (not needed for flt_users_where call -----------------
// Treat empty reqd_caps array as an error
if (empty($reqd_caps)) {
return array();
}
$reqd_caps = (array) $reqd_caps;
// Calling function may save us a little work if it has already made this call
if (!$roles) {
if (!($roles = $this->scoper->role_defs->qualify_roles($reqd_caps))) {
return array();
}
} else {
$roles = (array) $roles;
}
// this set of reqd_caps cannot be satisfied by any role
if (!$reqd_caps && !$roles) {
return;
}
if ($object_id && !$src_name) {
$object_id = 0;
}
// -----------------------------------------------------------------------------------
// Default to not honoring custom user caps, but support option
$custom_user_blogcaps = SCOPER_CUSTOM_USER_BLOGCAPS;
if (!$object_type) {
if ($object_types = $this->scoper->cap_defs->object_types_from_caps($reqd_caps, $src_name)) {
if (count($object_types) == 1) {
$object_type = reset($object_types);
}
}
if (!$object_type) {
$object_type = cr_find_object_type($src_name, $object_id);
}
}
// RS roles are object type-specific
$roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp'));
$roles_rs = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs'));
$this_otype_roles = $this->scoper->role_defs->get_matching('rs', $src_name, $object_type);
$roles_rs = array_intersect_key($roles_rs, $this_otype_roles);
$roles = array_merge($roles_rs, $roles_wp);
$qualifying_roles = array();
// --------- ACCOUNT FOR OBJECT ROLES -----------
// If this set of reqd_caps can be satisfied by a scopable role, check for object role assignements
if (!$skip_object_roles && ($object_id || $any_object)) {
// exclude roles which have never been assigned to any object
if ($object_roles = $this->scoper->qualify_object_roles($reqd_caps, $object_type, -1)) {
$qualifying_roles[OBJECT_SCOPE_RS][''] = scoper_role_handles_to_names(array_keys($roles));
}
}
// If this inquiry is for a particular object, find out which roles must be object-assigned for it
if ($object_id) {
// For term and blog role clauses, exclude roles which require object assignment for that object
// But don't disqualify a role if any of the roles it "contains" also qualify and are not object-scoped.
// (i.e. If the required caps are satisfied by admin, editor and contributor, the actual minimum requirement
// is contributor. A specification that admin and editor roles "require object assignment" does not apply
// in this scenario.
if (!is_array($objscope_roles)) {
$objscope_roles = $this->get_objscope_roles($src_name, $object_id, '', true);
}
if ($objscope_roles) {
$contained_roles = array();
$roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp'));
foreach (array_keys($roles_wp) as $role_handle) {
// If scoping with RS roles, this will also have the effect of disqualifying a WP blog role if all of the qualifying RS roles it contains are objscoped.
$contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, false, 'rs');
$contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles);
if (!array_diff_key($contained_roles[$role_handle], $objscope_roles)) {
unset($roles[$role_handle]);
}
}
foreach (array_keys($roles) as $role_handle) {
$contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, true, 'rs');
//true: include this role in return array
$contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles);
if (!array_diff_key($contained_roles[$role_handle], $objscope_roles)) {
unset($roles[$role_handle]);
}
}
}
}
// --------- ACCOUNT FOR TERM ROLES -----------
// Consider term scope settings and role assignments
//
$uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type);
if ($use_term_roles && $src_name && $roles && !empty($uses_taxonomies)) {
// If scoping with RS roles, strip out WP role definitions (which were included for blogrole clause)
$term_roles = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs'));
if ($term_roles) {
foreach ($uses_taxonomies as $taxonomy) {
// include users with a sufficient term role assignment in any term
$qualifying_roles[TERM_SCOPE_RS][$taxonomy] = scoper_role_handles_to_names(array_keys($term_roles));
}
}
// Honor blog-wide assignment of any non-objscope role, but only if at least one term
// is not "strict" (i.e. merges blogroles into term-specific assignments).
if (!$ignore_strict_terms) {
$term_roles = $this->get_unrestricted_term_roles($term_roles, $uses_taxonomies, $object_id, $object_terms);
// disqualify a WP blog role if all of the qualifying RS roles it contains were excluded by the strict terms filter.
if ($roles_wp = $this->scoper->role_defs->filter($roles, array('role_type' => 'wp'))) {
$contained_roles = array();
foreach (array_keys($roles_wp) as $role_handle) {
$contained_roles[$role_handle] = $this->scoper->role_defs->get_contained_roles($role_handle, false, 'rs');
$contained_roles[$role_handle] = array_intersect_key($contained_roles[$role_handle], $roles);
if (!$term_roles || !$contained_roles[$role_handle] || !array_intersect_key($contained_roles[$role_handle], $term_roles)) {
unset($roles[$role_handle]);
}
}
}
$roles_current = $this->scoper->role_defs->filter($roles, array('role_type' => 'rs'));
foreach (array_keys($roles_current) as $role_handle) {
if (!isset($term_roles[$role_handle])) {
unset($roles[$role_handle]);
}
}
// Since this term role is restricted for all terms, prevent corresponding blog role from being added to qualifying_roles array by subsequent code
}
}
// --------- ACCOUNT FOR BLOG ROLES -----------
// For each qualifying role, recognize blog assignment if the reqd_caps set is not associated
// with a defined data source, if this source/object type does not use term roles,
// or if some of the the terms are not strict.
//
// Note that WP blogrole assignments (if not taxonomy or object-scoped) are honored
// regardless of Role Scoper role_type setting.
if ($use_blog_roles) {
if ($admin_roles = awp_administrator_roles()) {
$roles = $roles ? array_merge($roles, $admin_roles) : $admin_roles;
}
if ($roles) {
$role_types = array('rs', 'wp');
foreach ($role_types as $role_type) {
//if ( ('rs' == $role_type) && ! RS_BLOG_ROLES ) // rs_blog_roles option has never been active in any RS release; leave commented here in case need arises
// continue;
$this_type_roles = $this->scoper->role_defs->filter($roles, array('role_type' => $role_type));
$qualifying_roles[BLOG_SCOPE_RS][$role_type] = scoper_role_handles_to_names(array_keys($this_type_roles));
}
}
if ($custom_user_blogcaps && $use_blog_roles) {
// If custom user blogcaps option is enabled, this function is called separately for each reqd cap.
// Custom user caps are stored as "hidden" single-cap role of type WP_CAP, sync'd to WP usermeta storage.
if ($custom_user_blogcaps) {
$qualifying_roles[BLOG_SCOPE_RS]['wp_cap'] = $reqd_caps;
}
// ...which contains one cap
}
}
return $qualifying_roles;
}
function user_can_for_any_term($reqd_caps, $user = '')
{
if (!is_object($user)) {
$user = $GLOBALS['current_rs_user'];
}
// Instead of just intersecting the missing reqd_caps with termcaps from all term_roles,
// require each subset of caps with matching src_name, object type and op_type to
// all be satisfied by the same role (any assigned term role). This simulates flt_objects_where behavior (which does so to support role restrictions.
$grant_caps = array();
$caps_by_otype = $this->scoper->cap_defs->organize_caps_by_otype($reqd_caps);
// temp workaround
if ('manage_categories' == current($reqd_caps) && isset($caps_by_otype['post']['link'])) {
$caps_by_otype['link']['link_category'] = $caps_by_otype['post']['link'];
unset($caps_by_otype['post']['link']);
}
foreach ($caps_by_otype as $src_name => $otypes) {
$object_types = $this->scoper->data_sources->member_property($src_name, 'object_types');
// deal with upload_files and other capabilities which have no specific object type
if (!array_diff_key($otypes, array('' => true))) {
foreach (array_keys($object_types) as $_object_type) {
$otypes[$_object_type] = $otypes[''];
}
unset($otypes['']);
}
$uses_taxonomies = scoper_get_taxonomy_usage($src_name, array_keys($otypes));
// this ensures we don't credit term roles on custom taxonomies which have been disabled
if (!($uses_taxonomies = array_intersect($uses_taxonomies, $this->scoper->taxonomies->get_all_keys()))) {
continue;
}
foreach ($otypes as $this_otype_caps) {
// keyed by object_type
$caps_by_op = $this->scoper->cap_defs->organize_caps_by_op((array) $this_otype_caps);
foreach ($caps_by_op as $this_op_caps) {
// keyed by op_type
$roles = $this->scoper->role_defs->qualify_roles($this_op_caps);
foreach ($uses_taxonomies as $taxonomy) {
if (!isset($user->term_roles[$taxonomy])) {
$user->term_roles[$taxonomy] = $user->get_term_roles_daterange($taxonomy);
}
// call daterange function populate term_roles property - possible perf enhancement for subsequent code even though we don't conider content_date-limited roles here
if (array_intersect_key($roles, agp_array_flatten($user->term_roles[$taxonomy], false))) {
// okay to include all content date ranges because can_for_any_term checks are only preliminary measures to keep the admin UI open
$grant_caps = array_merge($grant_caps, $this_op_caps);
break;
}
}
}
}
}
if ($grant_caps) {
return array_fill_keys(array_unique($grant_caps), true);
} else {
return array();
}
}
function scoper_admin_object_restrictions($src_name, $object_type)
{
global $scoper, $scoper_admin;
if (!($src = $scoper->data_sources->get($src_name)) || !empty($src->no_object_roles) || !empty($src->taxonomy_only) || $src_name == 'group') {
wp_die(__('Invalid data source', 'scoper'));
}
$is_administrator = is_administrator_rs($src, 'user');
$role_bases = array();
if (USER_ROLES_RS && ($is_administrator || $scoper_admin->user_can_admin_object($src_name, $object_type, 0, true))) {
$role_bases[] = ROLE_BASIS_USER;
}
if (GROUP_ROLES_RS && ($is_administrator || $scoper_admin->user_can_admin_object($src_name, $object_type, 0, true) || current_user_can('manage_groups'))) {
$role_bases[] = ROLE_BASIS_GROUPS;
}
if (empty($role_bases)) {
wp_die(__awp('Cheatin’ uh?'));
}
$otype = $scoper->data_sources->member_property($src_name, 'object_types', $object_type);
require_once dirname(__FILE__) . '/admin-bulk_rs.php';
require_once dirname(__FILE__) . '/admin_lib-bulk-parent_rs.php';
$role_assigner = init_role_assigner();
$nonce_id = 'scoper-assign-roles';
$role_codes = ScoperAdminBulk::get_role_codes();
echo '<a name="scoper_top"></a>';
// ==== Process Submission =====
$err = 0;
if (isset($_POST['rs_submit'])) {
$err = ScoperAdminBulk::role_submission(OBJECT_SCOPE_RS, ROLE_RESTRICTION_RS, '', $src_name, $role_codes, '', $nonce_id);
if (scoper_get_option('file_filtering')) {
scoper_flush_file_rules();
}
}
?>
<div class="wrap agp-width97">
<?php
$src_otype = isset($src->object_types) ? "{$src_name}:{$object_type}" : $src_name;
$item_label_singular = $scoper_admin->interpret_src_otype($src_otype, 'singular_name');
$item_label = $scoper_admin->interpret_src_otype($src_otype);
echo '<h2>' . sprintf(__('%s Restrictions', 'scoper'), $item_label_singular) . ' <span style="font-size: 0.6em; font-style: normal">(<a href="#scoper_notes">' . __('see notes', 'scoper') . '</a>)</span>' . '</h2>';
if (scoper_get_option('display_hints')) {
echo '<div class="rs-hint">';
$link_open = "<a href='admin.php?page=rs-{$object_type}-roles'>";
$uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_type);
if ($uses_taxonomies && 1 == count($uses_taxonomies)) {
$tx_display = $scoper->taxonomies->member_property(reset($uses_taxonomies), 'display_name');
printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General and %5$s Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>', $tx_display);
} elseif (count($uses_taxonomies)) {
printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General and Term Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>');
} else {
printf(__('Reduce access to a specific %1$s by requiring some role(s) to be %2$s%3$s-assigned%4$s. Corresponding WP-assigned Roles and RS-assigned General Role assignments are ignored.', 'scoper'), $item_label_singular, $link_open, $item_label_singular, '</a>');
}
echo '</div>';
}
$ignore_hierarchy = !empty($otype->ignore_object_hierarchy);
?>
<form action="" method="post" name="role_assign" id="role_assign">
<?php
wp_nonce_field($nonce_id);
// ============ Users / Groups and Assignment Mode Selection Display ================
if (empty($src->cols->parent) || $ignore_hierarchy) {
$assignment_modes = array(ASSIGN_FOR_ENTITY_RS => sprintf(__('for selected %s', 'scoper'), $item_label));
} else {
$assignment_modes = array(ASSIGN_FOR_ENTITY_RS => sprintf(__('for selected %s', 'scoper'), $item_label), ASSIGN_FOR_CHILDREN_RS => sprintf(__('for sub-%s of selected', 'scoper'), $item_label), ASSIGN_FOR_BOTH_RS => sprintf(__('for selected and sub-%s', 'scoper'), $item_label));
}
$max_scopes = array('object' => __('Restrict selected roles', 'scoper'), 'blog' => __('Unrestrict selected roles', 'scoper'));
$args = array('max_scopes' => $max_scopes, 'scope' => OBJECT_SCOPE_RS);
ScoperAdminBulk::display_inputs(ROLE_RESTRICTION_RS, $assignment_modes, $args);
echo '<br />';
$args = array('default_hide_empty' => !empty($otype->admin_default_hide_empty), 'hide_roles' => true, 'scope' => OBJECT_SCOPE_RS, 'src' => $src, 'otype' => $otype);
ScoperAdminBulk::item_tree_jslinks(ROLE_RESTRICTION_RS, $args);
// buffer prev/next caption for display with each obj type
//$prevtext = _ x('prev', 'abbreviated link to previous item', 'scoper');
//$nexttext = _ x('next', 'abbreviated link to next item', 'scoper');
$prevtext = __('prev', 'scoper');
$nexttext = __('next', 'scoper');
$site_url = get_option('siteurl');
$args = array('include_child_restrictions' => true, 'return_array' => true, 'role_type' => 'rs', 'force_refresh' => true);
$strict_objects = $scoper->get_restrictions(OBJECT_SCOPE_RS, $src_name, $args);
$object_names = array();
$object_status = array();
$listed_objects = array();
$unlisted_objects = array();
$col_id = $src->cols->id;
$col_parent = isset($src->cols->parent) && !$ignore_hierarchy ? $src->cols->parent : '';
$object_ids = array();
if (isset($strict_objects['restrictions'])) {
foreach (array_keys($strict_objects['restrictions']) as $role_handle) {
$object_ids = $object_ids + array_keys($strict_objects['restrictions'][$role_handle]);
}
} elseif (isset($strict_objects['unrestrictions'])) {
foreach (array_keys($strict_objects['unrestrictions']) as $role_handle) {
$object_ids = $object_ids + array_keys($strict_objects['unrestrictions'][$role_handle]);
}
}
$object_ids = array_flip(array_unique($object_ids));
// Get the obj name, parent associated with each role (also sets $object_names, $unlisted objects)
$listed_objects = ScoperAdminBulkParent::get_objects_info($object_ids, $object_names, $object_status, $unlisted_objects, $src, $otype, $ignore_hierarchy);
if ($col_parent) {
if ($listed_objects) {
if ($unlisted_objects) {
// query for any parent objects which don't have their own role assignments
$listed_objects = ScoperAdminBulkParent::add_missing_parents($listed_objects, $unlisted_objects, $col_parent);
}
// convert keys from object ID to title+ID so we can alpha sort them
$listed_objects_alpha = array();
foreach (array_keys($listed_objects) as $id) {
$listed_objects_alpha[$listed_objects[$id]->{$src->cols->name} . chr(11) . $id] = $listed_objects[$id];
}
uksort($listed_objects_alpha, "strnatcasecmp");
$listed_objects = ScoperAdminBulkParent::order_by_hierarchy($listed_objects_alpha, $col_id, $col_parent);
}
// endif any listed objects
} else {
// endif doing object hierarchy
if ($listed_objects) {
// convert keys from object ID to title+ID so we can alpha sort them
$listed_objects_alpha = array();
foreach (array_keys($listed_objects) as $id) {
$listed_objects_alpha[$listed_objects[$id]->{$src->cols->name} . chr(11) . $id] = $listed_objects[$id];
}
uksort($listed_objects_alpha, "strnatcasecmp");
// convert to ordinal integer index
$listed_objects = array_combine(array_keys(array_fill(0, count($listed_objects_alpha), true)), $listed_objects_alpha);
}
}
if (!$is_administrator) {
$cu_admin_results = ScoperAdminBulk::filter_objects_listing(ROLE_RESTRICTION_RS, $strict_objects, $src, $object_type);
} else {
$cu_admin_results = '';
}
// no need to filter admins
// membuffer ids so user_can_admin_role() doesn't trigger a separate has_cap query for each one
if ($cu_admin_results) {
$scoper->listed_ids[$src_name] = $cu_admin_results;
}
global $scoper_admin;
$role_display = array();
$editable_roles = array();
$role_defs_by_otype = array();
$role_defs_by_otype[$object_type] = $scoper->role_defs->get_matching('rs', $src_name, $object_type);
foreach (array_keys($role_defs_by_otype[$object_type]) as $role_handle) {
$role_display[$role_handle] = $scoper->role_defs->get_abbrev($role_handle, OBJECT_UI_RS);
if ($cu_admin_results && !is_user_administrator_rs()) {
foreach (array_keys($cu_admin_results) as $object_id) {
if ($scoper_admin->user_can_admin_role($role_handle, $object_id, $src_name, $object_type)) {
$editable_roles[$object_id][$role_handle] = true;
}
}
}
}
$table_captions = ScoperAdminUI::restriction_captions(OBJECT_SCOPE_RS, '', $item_label_singular, $item_label);
$args = array('admin_items' => $cu_admin_results, 'editable_roles' => $editable_roles, 'default_hide_empty' => !empty($otype->admin_default_hide_empty), 'ul_class' => 'rs-objlist', 'object_names' => $object_names, 'object_status' => $object_status, 'table_captions' => $table_captions, 'ie_link_style' => '', 'err' => $err);
ScoperAdminBulk::item_tree(OBJECT_SCOPE_RS, ROLE_RESTRICTION_RS, $src, $otype, $listed_objects, '', $strict_objects, $role_defs_by_otype, $role_codes, $args);
//ScoperAdminBulk::item_tree( OBJECT_SCOPE_RS, ROLE_ASSIGNMENT_RS, $src, $otype, $all_objects, $object_roles, $strict_objects, $role_defs_by_otype, $role_codes, $args);
echo '<hr /><div style="background-color: white;"></div>';
echo '<div class="rs-objlistkey">';
$args = array('display_links' => true, 'display_restriction_key' => true);
ScoperAdminUI::role_owners_key($otype, $args);
echo '</div>';
echo '</form><br /><h4 style="margin-bottom:0.1em"><a name="scoper_notes"></a>' . __("Notes", 'scoper') . ':</h4><ul class="rs-notes">';
echo '<li>';
printf(__('To edit all roles for any %1$s, click on the %1$s name.', 'scoper'), $otype->labels->singular_name);
echo '</li>';
echo '<li>';
printf(__("To edit the %s via its default editor, click on the ID link.", 'scoper'), $otype->labels->singular_name);
echo '</li>';
if (!$is_administrator) {
echo '<li>';
printf(__('To enhance performance, the role editing checkboxes here may not include some roles which you can only edit due to your own %1$s-specific role. In such cases, click on the editing link to edit roles for the individual %1$s.', 'scoper'), $otype->labels->singular_name);
echo '</li>';
}
echo '</ul>';
echo '<a href="#scoper_top">' . __('top', 'scoper') . '</a>';
?>
</div>
<?php
}
function determine_role_usage_rs($src_name = 'post', $listed_ids = '')
{
global $scoper, $wpdb;
if ('post' != $src_name) {
return;
}
if (empty($listed_ids)) {
if (!empty($scoper->listed_ids[$src_name])) {
$listed_ids = $scoper->listed_ids[$src_name];
} else {
return;
}
}
if (empty($this->checked_ids[$src_name])) {
$this->checked_ids[$src_name] = array();
} else {
if (!array_diff_key($this->checked_ids[$src_name], $listed_ids)) {
return;
}
}
$this->checked_ids[$src_name] = $this->checked_ids[$src_name] + $listed_ids;
$src = $scoper->data_sources->get($src_name);
$col_id = $src->cols->id;
$col_type = isset($src->cols->type) ? $src->cols->type : '';
if ($viewing_object_type = cr_find_post_type()) {
$object_types = (array) $viewing_object_type;
} else {
$object_types = array_diff_key(get_post_types(array('public' => true)), array('attachment'));
}
// For now, only determine restricted posts if using RS role type.
// Backing this out will be more convoluted for WP role type; may need to just list which roles are restricted rather than trying to give an Restricted Read/Edit summary
$roles = array();
if (is_admin()) {
foreach ($object_types as $_post_type) {
$roles["edit"][$_post_type] = array("publish" => "rs_{$_post_type}_editor", "private" => "rs_{$_post_type}_editor", "draft" => "rs_{$_post_type}_contributor", "pending" => "rs_{$_post_type}_contributor", "future" => "rs_{$_post_type}_editor", "trash" => "rs_{$_post_type}_editor");
$roles["read"][$_post_type] = array("publish" => "rs_{$_post_type}_reader", "private" => "rs_private_{$_post_type}_reader", "draft" => "rs_{$_post_type}_reader", "pending" => "rs_{$_post_type}_reader", "future" => "rs_{$_post_type}_reader", "trash" => "rs_{$_post_type}_editor");
}
} else {
foreach ($object_types as $_post_type) {
$roles["read"][$_post_type] = array("publish" => "rs_{$_post_type}_reader", "private" => "rs_private_{$_post_type}_reader");
}
}
// which of these results ignore blog role assignments?
$uses_taxonomies = scoper_get_taxonomy_usage($src_name, $object_types);
if (!empty($uses_taxonomies)) {
foreach ($uses_taxonomies as $taxonomy) {
$tx_object_types = $object_types;
foreach ($tx_object_types as $key => $object_type) {
// ignore term restrictions / roles for object types which have them disabled
$_use_term_roles = scoper_get_otype_option('use_term_roles', $src_name, $object_type);
if (empty($_use_term_roles[$taxonomy])) {
unset($tx_object_types[$key]);
}
}
if (!$tx_object_types) {
continue;
}
if (!$scoper->taxonomies->is_member($taxonomy)) {
continue;
}
$qvars = $scoper->taxonomies->get_terms_query_vars($taxonomy);
$term_join = " INNER JOIN {$qvars->term->table} {$qvars->term->as} ON {$src->table}.{$src->cols->id} = {$qvars->term->alias}.{$qvars->term->col_obj_id} ";
// ======== Log term restrictions ========
//
if ($scoper->taxonomies->member_property($taxonomy, 'requires_term')) {
if ($strict_terms = $scoper->get_restrictions(TERM_SCOPE_RS, $taxonomy)) {
$this->any_restricted_terms = true;
}
$all_terms = $scoper->get_terms($taxonomy, UNFILTERED_RS, COL_ID_RS);
foreach (array_keys($roles) as $op_type) {
$status_where = array();
foreach ($tx_object_types as $object_type) {
$term_clauses = array();
foreach ($roles[$op_type][$object_type] as $status => $check_role) {
if (isset($strict_terms['restrictions'][$check_role]) && is_array($strict_terms['restrictions'][$check_role])) {
$this_strict_terms = array_keys($strict_terms['restrictions'][$check_role]);
} elseif (isset($strict_terms['unrestrictions'][$check_role]) && is_array($strict_terms['unrestrictions'][$check_role])) {
$this_strict_terms = array_diff($all_terms, array_keys($strict_terms['unrestrictions'][$check_role]));
} else {
$this_strict_terms = array();
}
if (!$this_strict_terms) {
// no terms in this taxonomy have restricted roles
$term_clauses[$status] = '1=2';
} elseif (count($this_strict_terms) < count($all_terms)) {
// some (but not all) terms in this taxonomy honor blog-wide assignment of the pertinent role
$term_clauses[$status] = " {$qvars->term->alias}.{$qvars->term->col_id} IN ('" . implode("', '", $this_strict_terms) . "')";
} else {
$term_clauses[$status] = '1=1';
}
if (isset($term_clauses[$status])) {
$status_where[$object_type][$status] = " {$src->cols->status} = '{$status}' AND ( {$term_clauses[$status]} ) ";
}
}
// end foreach statuses
if (isset($status_where[$object_type])) {
// object_type='type_val' AND ( (status 1 clause) OR (status 2 clause) ...
$status_where[$object_type] = " {$src->cols->type} = '{$object_type}' AND ( " . agp_implode(' ) OR ( ', $status_where[$object_type], ' ( ', ' ) ') . " )";
}
}
// end foreach tx_object_types
// NOTE: we are querying for posts/pages which HAVE restrictions that apply to their current post_status
//
if ($status_where) {
// (object type 1 clause) OR (object type 2 clause) ...
$where = ' AND (' . agp_implode(' ) OR ( ', $status_where, ' ( ', ' ) ') . ' )';
$where .= " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')";
$query = "SELECT DISTINCT {$col_id} FROM {$src->table} {$term_join} WHERE 1=1 {$where}";
if (isset($query_results[$query])) {
$restricted_ids = $query_results[$query];
} else {
$restricted_ids = scoper_get_col($query);
$query_results[$query] = $restricted_ids;
}
foreach ($restricted_ids as $id) {
$this->termscoped_ids[$src_name][$id][$op_type] = true;
$this->restricted_ids[$src_name][$id][$op_type] = true;
}
}
}
// end foreach op_type (read/edit)
}
// end term restrictions logging
// ======== Log term roles ========
//
if (is_admin() && !empty($qvars)) {
if ($src_roles = $scoper->role_defs->get_matching('rs', 'post', $tx_object_types)) {
$otype_role_names = array();
foreach (array_keys($src_roles) as $role_handle) {
$otype_role_names[] = $src_roles[$role_handle]->name;
}
$role_clause = "AND uro.role_name IN ('" . implode("', '", $otype_role_names) . "')";
$join_assigned = $term_join . " INNER JOIN {$wpdb->user2role2object_rs} AS uro ON uro.obj_or_term_id = {$qvars->term->alias}.{$qvars->term->col_id}" . " AND uro.scope = 'term' AND uro.role_type = 'rs' {$role_clause} AND uro.src_or_tx_name = '{$taxonomy}'";
$where = " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')";
$query = "SELECT DISTINCT {$col_id}, uro.role_name FROM {$src->table} {$join_assigned} WHERE 1=1 {$where}";
$role_results = scoper_get_results($query);
foreach ($role_results as $row) {
$role_handle = scoper_get_role_handle($row->role_name, 'rs');
$this->have_termrole_ids[$src_name][$row->{$col_id}][$role_handle] = true;
}
}
}
// end term roles logging
}
// end foreach of this data source's taxonomies
}
// endif this data source uses taxonomies
// which of these results ignore blog AND term role assignments?
if ($objscope_objects = $scoper->get_restrictions(OBJECT_SCOPE_RS, $src_name)) {
$this->any_restricted_objects = true;
}
foreach (array_keys($roles) as $op_type) {
foreach ($object_types as $object_type) {
if (!scoper_get_otype_option('use_object_roles', $src_name, $object_type)) {
continue;
}
if (is_array($roles[$op_type][$object_type])) {
foreach (array_keys($listed_ids) as $id) {
foreach ($roles[$op_type][$object_type] as $check_role) {
// If a restriction is set for this object and role,
// OR if the role is default-restricted with no unrestriction for this object...
if (isset($objscope_objects['restrictions'][$check_role][$id]) || isset($objscope_objects['unrestrictions'][$check_role]) && is_array($objscope_objects['unrestrictions'][$check_role]) && !isset($objscope_objects['unrestrictions'][$check_role][$id])) {
$this->objscoped_ids[$src_name][$id][$op_type] = true;
$this->restricted_ids[$src_name][$id][$op_type] = true;
}
}
}
//end foreach listed ids
}
// endif any applicable roles defined
}
// end forach object type
}
// end foreach op_type (read/edit)
// query for object role assignments
if (is_admin()) {
if ($scoper->get_applied_object_roles()) {
//$this->any_object_roles = true;
$join_assigned = " INNER JOIN {$wpdb->user2role2object_rs} AS uro ON uro.obj_or_term_id = {$src->table}.{$col_id}" . " AND uro.src_or_tx_name = '{$src_name}' AND uro.scope = 'object' AND uro.role_type = 'rs'";
$where = " AND {$src->table}.{$col_id} IN ('" . implode("', '", array_keys($listed_ids)) . "')";
$query = "SELECT DISTINCT {$col_id}, uro.role_name FROM {$src->table} {$join_assigned} WHERE 1=1 {$where}";
$role_results = scoper_get_results($query);
foreach ($role_results as $row) {
$role_handle = scoper_get_role_handle($row->role_name, 'rs');
$this->have_objrole_ids[$src_name][$row->{$col_id}][$role_handle] = true;
//$this->any_object_roles = true;
}
}
}
}
