

Timestamp:
09/11/2015 02:30:16 PM (9 years ago)
Author:
kovshenin
Message:

WordCamp.org: Update the trusted deputy capabilities plugin.

This new version filters user_has_cap rather than map_meta_cap
and adds an extra set of primitive capabilities to trusted users.
It does use map_meta_cap to map some meta capabilities back
to primitive capabilities, such as the ones defined in Jetpack.

File:
1 edited

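--- a/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/trusted-deputy-capabilities.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/trusted-deputy-capabilities.php
@@ -16,78 +16,82 @@
  */
 
+/**
+ * Give extra capabilities to trusted deputies.
+ *
+ * Uses the user_has_cap filter to add more primitive capabilities to trusted deputies.
+ *
+ * @param array  $allcaps   This user's capabilities.
+ * @param string $caps      Requested set of capabilities.
+ * @param array  $args      Adds the context to the cap.
+ * @param int    $user      The WP_User object.
+ *
+ * @return array An array of this user's capabilities.
+ */
+function trusted_deputy_has_cap( $allcaps, $caps, $args, $user ) {
+    if ( ! is_deputy( $user->ID ) )
+        return $allcaps;
+
+    $allcaps = array_merge( get_role( 'administrator' )->capabilities, array(
+        'manage_network' => true,
+        'manage_sites'   => true,
+
+        'jetpack_network_admin_page' => true,
+        'jetpack_network_sites_page' => true,
+        'jetpack_network_settings_page' => true,
+    ) );
+
+    return $allcaps;
+}
+add_filter( 'user_has_cap', __NAMESPACE__ . '\trusted_deputy_has_cap', 10, 4 );
 
 /**
- * Give extra capabilities to trusted Deputies
+ * Filter meta-capabilities.
  *
- * @param array  $required_capabilities The primitive capabilities that are required to perform the requested meta capability
- * @param string $requested_capability  The requested meta capability
- * @param int    $user_id               The user ID.
- * @param array  $args                  Adds the context to the cap. Typically the object ID.
+ * Uses the map_meta_cap filter to add some additional logic around meta-caps.
+ * Mainly we just map some custom meta-caps back to primitive ones.
  *
- * @return array
+ * @param array $required_caps An array of capabilites required to perform $cap.
+ * @param string $cap The requested capability.
+ * @param int $user_id The user ID.
+ *
+ * @return array An array of required capababilities to perform $cap.
  */
-function allow_trusted_deputy_capabilities( $required_capabilities, $requested_capability, $user_id, $args ) {
-    global $trusted_deputies;
-    $allow_capability = true;
+function trusted_deputy_meta_caps( $required_caps, $cap, $user_id ) {
+    if ( ! is_deputy( $user_id ) )
+        return $required_caps;
 
-    if ( ! in_array( $user_id, $trusted_deputies ) ) {
-        $allow_capability = false;
-    } else if ( in_array( 'do_not_allow', $required_capabilities ) ) {
-        $allow_capability = false;
-    } else if ( ! is_allowed_capability( $requested_capability, $required_capabilities ) ) {
-        $allow_capability = false;
+    switch ( $cap ) {
+
+        // With multisite and plugin menus turned off, core requires
+        // the manage_network_plugins cap via a meta cap.
+        case 'activate_plugins':
+            if ( ! is_network_admin() ) {
+                $required_caps = array( 'activate_plugins' );
+            }
+            break;
+
+        // Map some Jetpack meta caps back to regular caps.
+        // See https://github.com/Automattic/jetpack/commit/bf3f4b9a8eb8b689b33a106d2e9b2fefd9a4c2fb
+        case 'jetpack_network_admin_page':
+        case 'jetpack_network_sites_page':
+        case 'jetpack_network_settings_page':
+            $required_caps = array( $cap );
+            break;
     }
 
-    if ( $allow_capability ) {
-        $required_capabilities = array();
-    }
-
-    return $required_capabilities;
+    return $required_caps;
 }
-add_filter( 'map_meta_cap', __NAMESPACE__ . '\allow_trusted_deputy_capabilities', 10, 4 );
+add_filter( 'map_meta_cap', __NAMESPACE__ . '\trusted_deputy_meta_caps', 10, 3 );
 
 /**
- * Determine if the given capability should be allowed for trusted Deputies
+ * Returns true if $user_id is a deputy.
  *
- * @param string $capability
- * @param array  $dependent_capabilities
+ * @param int $user_id A user ID.
  *
- * @return bool
+ * @return bool True if $user_id is a deputy.
  */
-function is_allowed_capability( $capability, $dependent_capabilities ) {
-    $allowed = false;
-    $deputy_capabilities = get_trusted_deputy_capabilities();
-   
-    if ( array_key_exists( $capability, $deputy_capabilities ) ) {
-        $allowed = true;
-    } else {
-        foreach ( $dependent_capabilities as $dependent_capability ) {
-            if ( array_key_exists( $dependent_capability, $deputy_capabilities ) ) {
-                $allowed = true;
-                break;
-            }
-        }
-    }
-
-    return $allowed;
-}
-
-/**
- * Get the capabilities that trusted Deputies should have
- *
- * @return array
- */
-function get_trusted_deputy_capabilities() {
-    $administrator_role = get_role( 'administrator' );
-
-    $capabilities = array_merge(
-        $administrator_role->capabilities,
-        array(
-            'manage_network' => true,
-            'manage_sites'   => true,
-        )
-    );
-
-    return $capabilities;
+function is_deputy( $user_id = null ) {
+    global $trusted_deputies;
+    return in_array( $user_id, (array) $trusted_deputies );
 }
 
@@ -109,4 +113,9 @@
         'edit_theme_options' => true,
 
+        // Jetpack-specific caps.
+        'jetpack_network_admin_page' => true,
+        'jetpack_network_sites_page' => true,
+        'jetpack_network_settings_page' => true,
+
         'manage_network_users'   => false,
         'manage_network_plugins' => false,
@@ -125,5 +134,6 @@
     foreach ( $capabilities as $capability => $allowed ) {
         printf(
-            "<li>%s should be %s and was %s</li>",
+            "<li>%s: %s should be %s and was %s</li>",
+            $allowed == current_user_can( $capability ) ? 'OK' : 'ERROR',
             $capability,
             $allowed ? 'granted' : 'denied',
@@ -134,3 +144,3 @@
     wp_die();
 }
-//add_action( 'init', __NAMESPACE__ . '\test_allow_trusted_deputy_capabilities' );
+// add_action( 'init', __NAMESPACE__ . '\test_allow_trusted_deputy_capabilities' );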
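Review bot: `is_deputy()` (new lines 93–95) is now the single gate in front of both filters, and it matches the ID with a loose `in_array()`. The `user_has_cap` filter also runs for logged-out visitors, whose ID is 0, and `$user_id` defaults to `null`; under the loose comparison rules of PHP versions before 8, `0` equals any non-numeric string, so the check is only safe if `$trusted_deputies` holds nothing but integer IDs, and that list is defined outside this changeset so it could not be confirmed here. Rejecting empty IDs and comparing strictly removes that dependency: `return $user_id > 0 && in_array( (int) $user_id, array_map( 'intval', (array) $trusted_deputies ), true );`. Separately, `trusted_deputy_has_cap()` (new line 34) would be easier to audit with a comment saying that it deliberately replaces `$allcaps` with the administrator role's set instead of adding to it, and that it assumes `get_role( 'administrator' )` never returns null.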