function attachment_access()
{
global $post, $wpdb;
if (empty($post)) {
global $wp_query;
if (!empty($wp_query->query_vars['attachment_id'])) {
$post = scoper_get_row("SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND ID = '{$wp_query->query_vars['attachment_id']}'");
} elseif (!empty($wp_query->query_vars['attachment'])) {
$post = scoper_get_row("SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND post_name = '{$wp_query->query_vars['attachment']}'");
}
}
if (!empty($post)) {
$object_type = scoper_get_var("SELECT post_type FROM {$wpdb->posts} WHERE ID = '{$post->post_parent}'");
// default to 'post' object type if retrieval failed for some reason
if (empty($object_type)) {
$object_type = 'post';
}
if ($post->post_parent) {
if (!current_user_can("read_{$object_type}", $post->post_parent)) {
if (scoper_get_otype_option('do_teaser', 'post')) {
if ($use_teaser_type = scoper_get_otype_option('use_teaser', 'post', $object_type)) {
AttachmentTemplate_RS::impose_post_teaser($post, $object_type, $use_teaser_type);
} else {
unset($post);
}
} else {
unset($post);
}
// WordPress generates 404 if teaser is not enabled
}
} elseif (defined('SCOPER_BLOCK_UNATTACHED_UPLOADS') && SCOPER_BLOCK_UNATTACHED_UPLOADS) {
unset($post);
}
}
}
function identify_protected_posts($attachment_id = 0, $attachments = false, $cols = '', $args = array())
{
$defaults = array('use_object_restrictions' => true, 'use_term_restrictions' => true, 'use_private_status' => true, 'guid' => '');
$args = array_merge($defaults, (array) $args);
extract($args);
global $wpdb, $scoper;
if (!isset($scoper) || is_null($scoper)) {
scoper_get_init_options();
scoper_init();
}
if (empty($scoper->taxonomies)) {
$scoper->load_config();
}
$restricted_roles = array();
$unrestricted_roles = array();
// TODO: also protect uploads based on restriction of other taxonomies
$restricted_terms = array();
$restricted_objects = array();
$term_restriction_clause = '';
$object_restriction_clause = '';
$limit_clause = '';
$unattached_clause = '';
global $scoper;
$reader_roles = array();
foreach ($scoper->role_defs->role_caps as $role_handle => $role_caps) {
$caps_by_op = $scoper->cap_defs->organize_caps_by_op(array_keys($role_caps));
if (count($caps_by_op) == 1 && 'read' == key($caps_by_op)) {
$reader_roles[] = $role_handle;
}
}
$role_clause = "AND rs.role_name IN ('" . implode("','", scoper_role_handles_to_names($reader_roles)) . "')";
//if ( $use_private_status )
// $role_clause = ( 'rs' == SCOPER_ROLE_TYPE ) ? "AND rs.role_name IN ('post_reader', 'page_reader')" : ''; // if also checking for private status, don't need to check for restriction of private_reader roles
//else
// $role_clause = ( 'rs' == SCOPER_ROLE_TYPE ) ? "AND rs.role_name IN ('post_reader', 'page_reader', 'private_post_reader', 'private_page_reader')" : '';
if ($use_term_restrictions) {
$term_restriction_query = "SELECT rs.obj_or_term_id AS term_id, rs.role_name, rs.max_scope FROM {$wpdb->role_scope_rs} AS rs " . "INNER JOIN {$wpdb->term_taxonomy} AS tt ON tt.taxonomy = rs.src_or_tx_name AND tt.taxonomy = 'category' AND tt.term_taxonomy_id = rs.obj_or_term_id " . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('entity', 'both') AND rs.topic = 'term' {$role_clause}";
$term_default_restriction_query = "SELECT rs.role_name FROM {$wpdb->role_scope_rs} AS rs " . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('children', 'both') AND rs.topic = 'term' AND rs.max_scope = 'term' AND rs.src_or_tx_name = 'category' AND rs.obj_or_term_id = '0' {$role_clause}";
$all_terms = array();
$all_terms['category'] = $scoper->get_terms('category', false, COL_ID_RS);
if ($results = scoper_get_results($term_restriction_query)) {
foreach ($results as $row) {
if ('blog' == $row->max_scope) {
$unrestricted_roles['category'][$row->role_name][] = $row->term_id;
} else {
$restricted_roles['category'][$row->role_name][] = $row->term_id;
}
}
}
// if there a role is default-restricted, mark all terms as restricted (may be unrestricted later)
if ($results = scoper_get_col($term_default_restriction_query)) {
foreach ($results as $role_name) {
if (isset($unrestricted_roles['category'][$role_name])) {
$default_restricted = array_diff($all_terms['category'], $unrestricted_roles['category'][$role_name]);
} else {
$default_restricted = $all_terms['category'];
}
if (isset($restricted_roles['category'][$role_name])) {
$restricted_roles['category'][$role_name] = array_unique(array_merge($restricted_roles['category'][$role_name], $default_restricted));
} else {
$restricted_roles['category'][$role_name] = $default_restricted;
}
}
}
$restricted_terms['category'] = isset($restricted_roles['category']) ? agp_array_flatten($restricted_roles['category']) : array();
if ($restricted_terms['category']) {
$term_restriction_clause = "OR post_parent IN ( SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} " . "INNER JOIN {$wpdb->term_relationships} AS tr ON tr.object_id = {$wpdb->posts}.ID " . "WHERE tr.term_taxonomy_id IN ('" . implode("','", $restricted_terms['category']) . "') )";
}
}
if ($attachment_id) {
if (is_array($attachment_id)) {
$id_clause = "AND ID IN ('" . implode("','", $attachment_id) . "')";
} else {
$id_clause = "AND ID = '{$attachment_id}'";
$limit_clause = 'LIMIT 1';
}
} elseif ($guid) {
$id_clause = "AND guid = '{$file_path}'";
} else {
$id_clause = '';
}
if (defined('SCOPER_NO_THUMBNAIL_FILTER')) {
if ($thumbnail_ids = scoper_get_col("SELECT DISTINCT meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_thumbnail_id'")) {
$id_clause .= " AND ID NOT IN ('" . implode("','", $thumbnail_ids) . "')";
}
}
if ($attachments) {
// to reduce pool of objects, we only care about those that have an attachment
$attachment_query = "SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} WHERE {$wpdb->posts}.ID IN ( SELECT post_parent FROM {$wpdb->posts} WHERE post_type = 'attachment' {$id_clause} ) ";
}
if ($use_object_restrictions) {
$object_restriction_query = "SELECT rs.obj_or_term_id AS obj_id, rs.role_name, rs.max_scope FROM {$wpdb->role_scope_rs} AS rs " . "WHERE rs.role_type = 'rs' AND rs.require_for IN ('entity', 'both') AND rs.topic = 'object' AND rs.src_or_tx_name = 'post' {$role_clause} AND rs.obj_or_term_id IN ( {$attachment_query} )";
$object_default_restriction_query = "SELECT rs.role_name FROM {$wpdb->role_scope_rs} AS rs " . "WHERE rs.require_for IN ('children', 'both') AND rs.topic = 'object' AND rs.max_scope = 'object' AND rs.src_or_tx_name = 'post' AND rs.obj_or_term_id = '0' {$role_clause}";
$all_objects = array();
$all_objects['post'] = scoper_get_col($attachment_query);
$restricted_roles = array();
$unrestricted_roles = array();
if ($results = scoper_get_results($object_restriction_query)) {
foreach ($results as $row) {
if ('blog' == $row->max_scope) {
$unrestricted_roles['post'][$row->role_name][] = $row->obj_id;
} else {
$restricted_roles['post'][$row->role_name][] = $row->obj_id;
}
}
}
// if there a role is default-restricted, mark all terms as restricted (may be unrestricted later)
if ($results = scoper_get_col($object_default_restriction_query)) {
foreach ($results as $role_name) {
if (isset($unrestricted_roles['category'][$role_name])) {
$default_restricted = array_diff($all_terms['post'], $unrestricted_roles['post'][$role_name]);
} else {
$default_restricted = $all_objects['post'];
}
if (isset($restricted_roles['post'][$role_name])) {
$restricted_roles['post'][$role_name] = array_unique(array_merge($restricted_roles['post'][$role_name], $default_restricted));
} else {
$restricted_roles['post'][$role_name] = $default_restricted;
}
}
}
if (!empty($restricted_roles)) {
$restricted_objects['post'] = array_unique(agp_array_flatten($restricted_roles['post']));
if ($restricted_objects['post']) {
$object_restriction_clause = "OR post_parent IN ( SELECT ID FROM {$wpdb->posts} WHERE ID IN ('" . implode("','", $restricted_objects['post']) . "') )";
}
}
}
if ($use_private_status) {
$status_query = "AND post_parent IN ( SELECT {$wpdb->posts}.ID FROM {$wpdb->posts} WHERE {$wpdb->posts}.post_status = 'private' )";
}
if ($attachments) {
$attachment_type_clause = "post_type = 'attachment' AND";
$unattached_clause = defined('SCOPER_BLOCK_UNATTACHED_UPLOADS') ? " OR post_parent < 1" : '';
}
$single_col = false;
if (COLS_ALL_RS === $cols) {
$query_cols = '*';
} elseif (COL_ID_RS == $cols) {
$query_cols = 'ID';
$single_col = true;
} elseif (COLS_ID_DISPLAYNAME_RS == $cols) {
if ($attachment) {
$query_cols = 'ID, post_title, guid';
} else {
$query_cols = 'ID, post_title';
}
} else {
if ($attachments) {
$query_cols = 'ID, guid';
} else {
$query_cols = 'ID';
$single_col = true;
}
}
$query = "SELECT {$query_cols} FROM {$wpdb->posts} WHERE {$attachment_type_clause} ( 1=1 {$status_query} {$term_restriction_clause} {$object_restriction_clause} {$unattached_clause} ) {$id_clause} ORDER BY ID DESC {$limit_clause}";
if ($attachment_id && !is_array($attachment_id)) {
if ($single_col) {
$results = scoper_get_var($query);
} else {
$results = scoper_get_row($query);
}
} else {
if ($single_col) {
$results = scoper_get_col($query);
} else {
$results = scoper_get_results($query);
}
}
return $results;
}
/**
* Updates an existing Group
*
* @param int $groupID - Group identifier
* @param string $name - Name of the group
* @param string $description - Group description (optional)
* @return boolean True on successful update
**/
function updateGroup($group_id, $name, $description = '')
{
global $wpdb;
$description = strip_tags($description);
if ($prev = scoper_get_row("SELECT * FROM {$wpdb->groups_rs} WHERE {$wpdb->groups_id_col}='{$group_id}';")) {
if ($prev->{$wpdb->groups_name_col} != $name && !UserGroups_tp::isValidName($name)) {
return false;
}
// don't allow updating of metagroup name / descript
if (!empty($prev->meta_id)) {
return false;
}
}
do_action('update_group_rs', $group_id);
$query = "UPDATE {$wpdb->groups_rs} SET {$wpdb->groups_name_col} = '{$name}', {$wpdb->groups_descript_col}='{$description}' WHERE {$wpdb->groups_id_col}='{$group_id}';";
scoper_query($query);
wpp_cache_flush_group('all_usergroups');
wpp_cache_flush_group('group_members');
wpp_cache_flush_group('usergroups_for_user');
wpp_cache_flush_group('usergroups_for_groups');
wpp_cache_flush_group('usergroups_for_ug');
return true;
}
/**
* Gets a group with a given name
*
* @param string $name - Group Name
* @return Object An object with the group details
**/
function get_group_by_name($name)
{
global $wpdb;
$query = "SELECT {$wpdb->groups_id_col} AS ID, {$wpdb->groups_name_col} AS display_name, {$wpdb->groups_descript_col} as descript " . " FROM {$wpdb->groups_rs} WHERE {$wpdb->groups_name_col}='{$name}'";
$result = scoper_get_row($query);
return $result;
}
function _user_can_read_file($file, &$return_attachment_id, &$matched_published_post, $uploads = '')
{
// don't filter the direct file URL request if filtering is disabled, or if the request is from wp-admin
if (defined('DISABLE_QUERYFILTERS_RS') || is_content_administrator_rs() || !scoper_get_option('file_filtering') || !empty($_SERVER['HTTP_REFERER']) && false !== strpos($_SERVER['HTTP_REFERER'], '/wp-admin') && false !== strpos($_SERVER['HTTP_REFERER'], get_option('siteurl') . '/wp-admin')) {
// note: image links from wp-admin should now never get here due to http_referer RewriteRule, but leave above check just in case - inexpensive since we're checking for wp-admin before calling get_option
//rs_errlog("skipping filtering for $file");
return true;
}
if (!is_array($uploads) || empty($uploads['basedir'])) {
require_once dirname(__FILE__) . '/uploads_rs.php';
$uploads = scoper_get_upload_info();
}
//rs_errlog('_user_can_read_file');
$file_path = $uploads['basedir'] . "/{$file}";
//rs_errlog("$file_path exists.");
global $wpdb, $wp_query;
$file_url = $uploads['baseurl'] . "/{$file}";
// auto-resized copies have -NNNxNNN suffix, but the base filename is stored as attachment. Strip the suffix out for db query.
$orig_file_url = preg_replace("/-[0-9]{2,4}x[0-9]{2,4}./", '.', $file_url);
// manually resized copies have -?????????????? suffix, but the base filename is stored as attachment. Strip the suffix out for db query.
$orig_file_url = preg_replace("/-[0-9,a-z]{14}./", '.', $orig_file_url);
$qry = "SELECT * FROM {$wpdb->posts} WHERE post_type = 'attachment' AND post_parent > 0 AND guid = '{$orig_file_url}'";
$results = scoper_get_results($qry);
$matched_published_post = array();
$return_attachment_id = 0;
if (empty($results)) {
$args = array('skip_any_object_check' => true, 'skip_any_term_check' => true);
return cr_user_can('edit_others_posts', 0, 0, $args) || cr_user_can('edit_others_pages', 0, 0, $args);
} else {
// set global flag (checked by flt_user_has_cap, which filters current_user_Can)
global $scoper_checking_attachment_access;
$scoper_checking_attachment_access = true;
foreach ($results as $attachment) {
//rs_errlog( "found attachment: " . serialize($attachment) );
if (is_content_administrator_rs()) {
$return_attachment_id = $attachment->ID;
break;
}
if ($attachment->post_parent) {
if ($parent_post = scoper_get_row("SELECT post_type, post_status FROM {$wpdb->posts} WHERE ID = '{$attachment->post_parent}' LIMIT 1")) {
$object_type = $parent_post->post_type;
$containing_post_status = $parent_post->post_status;
// Only return content that is attached to published (potentially including private) posts/pages
// If some other statuses for published posts are introduced in later WP versions,
// the failure mode here will be to overly suppress attachments
if ('publish' == $containing_post_status || 'private' == $containing_post_status) {
if (current_user_can("read_{$object_type}", $attachment->post_parent)) {
$return_attachment_id = $attachment->ID;
break;
} else {
global $current_user;
$matched_published_post[$object_type] = $attachment->post_name;
}
}
}
}
}
// clear global flag
$scoper_checking_attachment_access = false;
}
if ($return_attachment_id) {
return true;
}
}
function get_object($src_name, $object_id, $cols = '')
{
// special cases to take advantage of cached post/link
if ('post' == $src_name) {
if ($cols && !strpos($cols, ',')) {
return get_post_field($cols, $object_id, 'raw');
} else {
return get_post($object_id);
}
} elseif ('link' == $src_name) {
return get_bookmark($object_id);
} else {
if (!($src = $this->get($src_name))) {
return;
}
global $wpdb;
if (!$cols) {
$cols = '*';
}
if (empty($object_id)) {
return array();
}
return scoper_get_row("SELECT {$cols} FROM {$src->table} WHERE {$src->cols->id} = '{$object_id}' LIMIT 1");
}
// end switch
}
