Merge pull request #760 from kprajapatii/master

some new hooks added
AyeCode · Oct 23, 2023 · 8bff90a · 8bff90a
2 parents a584b25 + 365bc79
commit 8bff90a
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 24 deletions.
diff --git a/includes/class-wpinv-ajax.php b/includes/class-wpinv-ajax.php
@@ -121,14 +121,14 @@ public static function add_ajax_events() {
     public static function add_note() {
         check_ajax_referer( 'add-invoice-note', '_nonce' );
 
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
-            die( -1 );
-        }
-
         $post_id   = absint( $_POST['post_id'] );
         $note      = wp_kses_post( trim( stripslashes( $_POST['note'] ) ) );
         $note_type = sanitize_text_field( $_POST['note_type'] );
 
+        if ( ! wpinv_current_user_can( 'invoice_add_note', array( 'post_id' => $post_id, 'note_type' => $note_type ) ) ) {
+            die( -1 );
+        }
+
         $is_customer_note = $note_type == 'customer' ? 1 : 0;
 
         if ( $post_id > 0 ) {
@@ -145,12 +145,12 @@ public static function add_note() {
     public static function delete_note() {
         check_ajax_referer( 'delete-invoice-note', '_nonce' );
 
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
+        $note_id = (int)$_POST['note_id'];
+
+        if ( ! wpinv_current_user_can( 'invoice_delete_note', array( 'note_id' => $note_id ) ) ) {
             die( -1 );
         }
 
-        $note_id = (int)$_POST['note_id'];
-
         if ( $note_id > 0 ) {
             wp_delete_comment( $note_id, true );
         }
@@ -172,18 +172,18 @@ public static function get_billing_details() {
         // Verify nonce.
         check_ajax_referer( 'wpinv-nonce' );
 
-        // Can the user manage the plugin?
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
-            die( -1 );
-        }
-
         // Do we have a user id?
         $user_id = (int) $_GET['user_id'];
 
         if ( empty( $user_id ) || ! is_numeric( $user_id ) ) {
             die( -1 );
         }
 
+        // Can the user manage the plugin?
+        if ( ! wpinv_current_user_can( 'user_get_billing_details', array( 'user_id' => $user_id ) ) ) {
+            die( -1 );
+        }
+
         // Fetch the billing details.
         $billing_details    = wpinv_get_user_address( $user_id );
         $billing_details    = apply_filters( 'wpinv_ajax_billing_details', $billing_details, $user_id );
@@ -598,10 +598,6 @@ public static function create_invoice_item() {
         // Verify nonce.
         check_ajax_referer( 'wpinv-nonce' );
 
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
-            exit;
-        }
-
         // We need an invoice and item details.
         if ( empty( $_POST['invoice_id'] ) || empty( $_POST['_wpinv_quick'] ) ) {
             exit;
@@ -615,6 +611,10 @@ public static function create_invoice_item() {
             exit;
         }
 
+        if ( ! wpinv_current_user_can( 'invoice_create_item', array( 'invoice' => $invoice ) ) ) {
+            exit;
+        }
+
         // Format the data.
         $data = wp_kses_post_deep( wp_unslash( $_POST['_wpinv_quick'] ) );
 
@@ -718,10 +718,6 @@ public static function recalculate_full_prices() {
         // Verify nonce.
         check_ajax_referer( 'wpinv-nonce' );
 
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
-            exit;
-        }
-
         // We need an invoice and item.
         if ( empty( $_POST['post_id'] ) ) {
             exit;
@@ -736,6 +732,10 @@ public static function recalculate_full_prices() {
             exit;
         }
 
+        if ( ! wpinv_current_user_can( 'invoice_recalculate_full_prices', array( 'invoice' => $invoice ) ) ) {
+            exit;
+        }
+
         $invoice->set_items( array() );
 
         if ( ! empty( $_POST['getpaid_items'] ) ) {
@@ -788,10 +788,6 @@ public static function admin_add_invoice_item() {
         // Verify nonce.
         check_ajax_referer( 'wpinv-nonce' );
 
-        if ( ! wpinv_current_user_can_manage_invoicing() ) {
-            exit;
-        }
-
         // We need an invoice and item.
         if ( empty( $_POST['post_id'] ) || empty( $_POST['item_id'] ) ) {
             exit;
@@ -808,6 +804,11 @@ public static function admin_add_invoice_item() {
 
         // Add the item.
         $item  = new GetPaid_Form_Item( (int) $_POST['item_id'] );
+
+        if ( ! wpinv_current_user_can( 'invoice_add_item', array( 'invoice' => $invoice, 'invoice_item' => $item ) ) ) {
+            exit;
+        }
+
         $error = $invoice->add_item( $item );
 
         if ( is_wp_error( $error ) ) {

diff --git a/includes/user-functions.php b/includes/user-functions.php
@@ -51,6 +51,21 @@ function wpinv_current_user_can_manage_invoicing() {
     return current_user_can( wpinv_get_capability() );
 }
 
+/**
+ * Returns whether the current user has the specified getpaid capability.
+ *
+ * @since 2.7.8
+ *
+ * @param string $capability Capability name.
+ * @param mixed  $args    Optional further parameters, typically starting with an object.
+ * @return bool Whether the current user has the given capability.
+ */
+function wpinv_current_user_can( $capability, $args = array() ) {
+	$can = wpinv_current_user_can_manage_invoicing();
+
+	return apply_filters( 'getpaid_current_user_can', $can, $capability, $args );
+}
+
 /**
  *  Given an email address, it creates a new user.
  *