From 08e80701696e98c20f84c2b5959ffb142dca1808 Mon Sep 17 00:00:00 2001
From: Timi Wahalahti
Date: Wed, 20 Sep 2023 20:28:33 +0300
Subject: [PATCH 1/5] fix the logic on capability check and add new wordcamp_wrangle_meetups check for granularity
---
 .../wcpt/wcpt-event/class-event-admin.php | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
index 584c945d8..624f14f2e 100644
--- a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
+++ b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
@@ -64,6 +64,8 @@ public function __construct() {
 add_action( 'admin_notices', array( $this, 'print_admin_notices' ) );
 add_action( 'send_decline_notification_action', 'Event_Admin::send_decline_notification', 10, 3 );
+
+ add_filter( 'wp_insert_post_empty_content', array( $this, 'maybe_prevent_creation_of_new_post' ), 999, 2 );
 }
 /**
@@ -361,6 +363,59 @@ public static function send_decline_notification( $event_id, $label, $location )
 return $notification_sent;
 }
+ /**
+ * Prevent users from creating new WordCamp and Meetup posts on dashboard. In most of the cases, all posts should be created
+ * thru the public application forms in order to get all needed information and to initiate the vetting process correctly.
+ *
+ * Expectation is made for users with administrator and deputy roles, as they need to create events manually from time to time.
+ *
+ * Used wp_insert_post_empty_content hook is run fo creation and updates, which is why post ID needs to be checked. The hook
+ * short circuits creation of new post when truthy value is returned.
+ *
+ * @param boolean $maybe_empty Whether the post should be considered "empty".
+ * @param array $postarr Array of post data.
+ *
+ * @return mixed Booleab whether the post should be considered "empty" or WP_Error in case user is not allowed to create post.
+ */
+ public function maybe_prevent_creation_of_new_post( $maybe_empty, $postarr ) {
+ $post_type = $postarr['post_type'];
+
+ // Apply only for WordCamp and Meetup post types.
+ if ( $this->get_event_type() !== $post_type ) {
+ return $maybe_empty;
+ }
+
+ // The action hooked into is used also when updating posts, which all users should be able to do based on their caps.
+ if ( ! empty( $postarr['ID'] ) ) {
+ return $maybe_empty;
+ }
+
+ // Doing the checks only on dashboard ensures that other use cases like application forms do still work.
+ if ( ! is_admin() ) {
+ return $maybe_empty;
+ }
+
+ // Allow WordCamp Wranglers to create new WordCamps.
+ if ( 'wordcamp' === $post_type && current_user_can( 'wordcamp_wrangle_wordcamps' ) ) {
+ return $maybe_empty;
+ }
+
+ // Allow Meetup Wranglers to create new Meetups.
+ if ( 'wp_meetup' === $post_type && current_user_can( 'wordcamp_wrangle_meetups' ) ) {
+ return $maybe_empty;
+ }
+
+ $error = new WP_Error(
+ 'not_allowed_to_create_new_wcpt',
+ esc_html( wp_sprintf( 'Only administrators and deputies can create new %s\'s. You should probably be using the public application forms on central.wordcamp.org.', $post_type ) )
+ );
+
+ // Display the error.
+ wp_die( $error ); // phpcs:ignore -- User input escaped in function.
+
+ return $error;
+ }
+
 /**
 * Load common admin side scripts
 */
From 88811999d1f55642349d792a77b4c3767919ed28 Mon Sep 17 00:00:00 2001
From: Timi Wahalahti
Date: Wed, 20 Sep 2023 20:44:33 +0300
Subject: [PATCH 2/5] oh yes, indentation
---
 .../wcpt/wcpt-event/class-event-admin.php | 102 +++++++++---------
 1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
index 624f14f2e..ba504851a 100644
--- a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
+++ b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
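Review bot: `return $error;` after `wp_die( $error );` is unreachable in the normal flow, and if it is ever reached (a custom wp_die handler, test runs) it hands a WP_Error object to a filter whose contract is boolean: wp_insert_post() only tests the return for truthiness and then fails with its own `empty_content` error, so the message built here is lost and the failure looks like an empty post. If this filter is kept, return `true` there and surface the explanation through an admin notice, or gate creation through the post type's `create_posts` capability so the dashboard never reaches a mid-save wp_die. The docblock mis-describes the return (`@return mixed Booleab …`) and has `run fo creation`, and the user-facing text names "administrators and deputies" while the check is capability-based, so `Only users who can wrangle %s's can create new ones.` would match the logic. PATCH 3/5 in this series removes the method again, so these points matter only if it is resurrected.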
@@ -364,57 +364,57 @@ public static function send_decline_notification( $event_id, $label, $location )
 }
 /**
- * Prevent users from creating new WordCamp and Meetup posts on dashboard. In most of the cases, all posts should be created
- * thru the public application forms in order to get all needed information and to initiate the vetting process correctly.
- *
- * Expectation is made for users with administrator and deputy roles, as they need to create events manually from time to time.
- *
- * Used wp_insert_post_empty_content hook is run fo creation and updates, which is why post ID needs to be checked. The hook
- * short circuits creation of new post when truthy value is returned.
- *
- * @param boolean $maybe_empty Whether the post should be considered "empty".
- * @param array $postarr Array of post data.
- *
- * @return mixed Booleab whether the post should be considered "empty" or WP_Error in case user is not allowed to create post.
- */
- public function maybe_prevent_creation_of_new_post( $maybe_empty, $postarr ) {
- $post_type = $postarr['post_type'];
-
- // Apply only for WordCamp and Meetup post types.
- if ( $this->get_event_type() !== $post_type ) {
- return $maybe_empty;
- }
-
- // The action hooked into is used also when updating posts, which all users should be able to do based on their caps.
- if ( ! empty( $postarr['ID'] ) ) {
- return $maybe_empty;
- }
-
- // Doing the checks only on dashboard ensures that other use cases like application forms do still work.
- if ( ! is_admin() ) {
- return $maybe_empty;
- }
-
- // Allow WordCamp Wranglers to create new WordCamps.
- if ( 'wordcamp' === $post_type && current_user_can( 'wordcamp_wrangle_wordcamps' ) ) {
- return $maybe_empty;
- }
-
- // Allow Meetup Wranglers to create new Meetups.
- if ( 'wp_meetup' === $post_type && current_user_can( 'wordcamp_wrangle_meetups' ) ) {
- return $maybe_empty;
- }
-
- $error = new WP_Error(
- 'not_allowed_to_create_new_wcpt',
- esc_html( wp_sprintf( 'Only administrators and deputies can create new %s\'s. You should probably be using the public application forms on central.wordcamp.org.', $post_type ) )
- );
-
- // Display the error.
- wp_die( $error ); // phpcs:ignore -- User input escaped in function.
-
- return $error;
- }
+ * Prevent users from creating new WordCamp and Meetup posts on dashboard. In most of the cases, all posts should be created
+ * thru the public application forms in order to get all needed information and to initiate the vetting process correctly.
+ *
+ * Expectation is made for users with administrator and deputy roles, as they need to create events manually from time to time.
+ *
+ * Used wp_insert_post_empty_content hook is run fo creation and updates, which is why post ID needs to be checked. The hook
+ * short circuits creation of new post when truthy value is returned.
+ *
+ * @param boolean $maybe_empty Whether the post should be considered "empty".
+ * @param array $postarr Array of post data.
+ *
+ * @return mixed Booleab whether the post should be considered "empty" or WP_Error in case user is not allowed to create post.
+ */
+ public function maybe_prevent_creation_of_new_post( $maybe_empty, $postarr ) {
+ $post_type = $postarr['post_type'];
+
+ // Apply only for WordCamp and Meetup post types.
+ if ( $this->get_event_type() !== $post_type ) {
+ return $maybe_empty;
+ }
+
+ // The action hooked into is used also when updating posts, which all users should be able to do based on their caps.
+ if ( ! empty( $postarr['ID'] ) ) {
+ return $maybe_empty;
+ }
+
+ // Doing the checks only on dashboard ensures that other use cases like application forms do still work.
+ if ( ! is_admin() ) {
+ return $maybe_empty;
+ }
+
+ // Allow WordCamp Wranglers to create new WordCamps.
+ if ( 'wordcamp' === $post_type && current_user_can( 'wordcamp_wrangle_wordcamps' ) ) {
+ return $maybe_empty;
+ }
+
+ // Allow Meetup Wranglers to create new Meetups.
+ if ( 'wp_meetup' === $post_type && current_user_can( 'wordcamp_wrangle_meetups' ) ) {
+ return $maybe_empty;
+ }
+
+ $error = new WP_Error(
+ 'not_allowed_to_create_new_wcpt',
+ esc_html( wp_sprintf( 'Only administrators and deputies can create new %s\'s. You should probably be using the public application forms on central.wordcamp.org.', $post_type ) )
+ );
+
+ // Display the error.
+ wp_die( $error ); // phpcs:ignore -- User input escaped in function.
+
+ return $error;
+ }
 /**
 * Load common admin side scripts
From 86bf7f81526623efbd2527fa50b14acbce78207c Mon Sep 17 00:00:00 2001
From: Timi Wahalahti
Date: Fri, 22 Sep 2023 10:10:35 +0300
Subject: [PATCH 3/5] remove over-engineered permission check
---
 .../wcpt/wcpt-event/class-event-admin.php | 55 -------------------
 1 file changed, 55 deletions(-)
diff --git a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
index ba504851a..584c945d8 100644
--- a/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
+++ b/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-admin.php
@@ -64,8 +64,6 @@ public function __construct() {
 add_action( 'admin_notices', array( $this, 'print_admin_notices' ) );
 add_action( 'send_decline_notification_action', 'Event_Admin::send_decline_notification', 10, 3 );
-
- add_filter( 'wp_insert_post_empty_content', array( $this, 'maybe_prevent_creation_of_new_post' ), 999, 2 );
 }
 /**
@@ -363,59 +361,6 @@ public static function send_decline_notification( $event_id, $label, $location )
 return $notification_sent;
 }
- /**
- * Prevent users from creating new WordCamp and Meetup posts on dashboard. In most of the cases, all posts should be created
- * thru the public application forms in order to get all needed information and to initiate the vetting process correctly.
- *
- * Expectation is made for users with administrator and deputy roles, as they need to create events manually from time to time.
- *
- * Used wp_insert_post_empty_content hook is run fo creation and updates, which is why post ID needs to be checked. The hook
- * short circuits creation of new post when truthy value is returned.
- *
- * @param boolean $maybe_empty Whether the post should be considered "empty".
- * @param array $postarr Array of post data.
- *
- * @return mixed Booleab whether the post should be considered "empty" or WP_Error in case user is not allowed to create post.
- */
- public function maybe_prevent_creation_of_new_post( $maybe_empty, $postarr ) {
- $post_type = $postarr['post_type'];
-
- // Apply only for WordCamp and Meetup post types.
- if ( $this->get_event_type() !== $post_type ) {
- return $maybe_empty;
- }
-
- // The action hooked into is used also when updating posts, which all users should be able to do based on their caps.
- if ( ! empty( $postarr['ID'] ) ) {
- return $maybe_empty;
- }
-
- // Doing the checks only on dashboard ensures that other use cases like application forms do still work.
- if ( ! is_admin() ) {
- return $maybe_empty;
- }
-
- // Allow WordCamp Wranglers to create new WordCamps.
- if ( 'wordcamp' === $post_type && current_user_can( 'wordcamp_wrangle_wordcamps' ) ) {
- return $maybe_empty;
- }
-
- // Allow Meetup Wranglers to create new Meetups.
- if ( 'wp_meetup' === $post_type && current_user_can( 'wordcamp_wrangle_meetups' ) ) {
- return $maybe_empty;
- }
-
- $error = new WP_Error(
- 'not_allowed_to_create_new_wcpt',
- esc_html( wp_sprintf( 'Only administrators and deputies can create new %s\'s. You should probably be using the public application forms on central.wordcamp.org.', $post_type ) )
- );
-
- // Display the error.
- wp_die( $error ); // phpcs:ignore -- User input escaped in function.
-
- return $error;
- }
-
 /**
 * Load common admin side scripts
 */
From 9c022c03b7928f7a7bf4f17263df3054cce529f2 Mon Sep 17 00:00:00 2001
From: Timi Wahalahti
Date: Fri, 22 Sep 2023 10:11:17 +0300
Subject: [PATCH 4/5] set capabilities on registering the wordcamp CPT
---
 .../plugins/wcpt/wcpt-wordcamp/wordcamp-loader.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/public_html/wp-content/plugins/wcpt/wcpt-wordcamp/wordcamp-loader.php b/public_html/wp-content/plugins/wcpt/wcpt-wordcamp/wordcamp-loader.php
index 40300ec29..af580bbf1 100644
--- a/public_html/wp-content/plugins/wcpt/wcpt-wordcamp/wordcamp-loader.php
+++ b/public_html/wp-content/plugins/wcpt/wcpt-wordcamp/wordcamp-loader.php
@@ -100,6 +100,19 @@ function register_post_types() {
 'show_ui' => true,
 'can_export' => true,
 'capability_type' => WCPT_POST_TYPE_ID,
+ 'capabilities' => array(
+ // `read` and `edit_posts` are intentionally allowed, so organizers can edit their own posts (but not others').
+ 'create_posts' => 'wordcamp_wrangle_wordcamps',
+ 'delete_posts' => 'wordcamp_wrangle_wordcamps',
+ 'delete_others_posts' => 'wordcamp_wrangle_wordcamps',
+ 'delete_private_posts' => 'wordcamp_wrangle_wordcamps',
+ 'delete_published_posts' => 'wordcamp_wrangle_wordcamps',
+ 'edit_others_posts' => 'wordcamp_wrangle_wordcamps',
+ 'edit_private_posts' => 'wordcamp_wrangle_wordcamps',
+ 'edit_published_posts' => 'wordcamp_wrangle_wordcamps',
+ 'publish_posts' => 'wordcamp_wrangle_wordcamps',
+ 'read_private_posts' => 'wordcamp_wrangle_wordcamps',
+ ),
 'map_meta_cap' => true,
 'hierarchical' => false,
 'has_archive' => true,
From 4cf0272bec3edc3707a7abba27d6abe88055e7df Mon Sep 17 00:00:00 2001
From: Timi Wahalahti
Date: Fri, 22 Sep 2023 10:15:47 +0300
Subject: [PATCH 5/5] set capabilities on registering the wp_meetup CPT
---
 .../plugins/wcpt/wcpt-meetup/meetup-loader.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/public_html/wp-content/plugins/wcpt/wcpt-meetup/meetup-loader.php b/public_html/wp-content/plugins/wcpt/wcpt-meetup/meetup-loader.php
index 79a4a6e2d..5bd423498 100644
--- a/public_html/wp-content/plugins/wcpt/wcpt-meetup/meetup-loader.php
+++ b/public_html/wp-content/plugins/wcpt/wcpt-meetup/meetup-loader.php
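Review bot: The `edit_published_posts` and `delete_posts` entries narrow more than the inline comment says: with `map_meta_cap` enabled, the `edit_post` meta cap on an author's own published post resolves to `edit_published_posts` and `delete_post` on an own draft resolves to `delete_posts`, so an organizer keeps editing only their own unpublished posts and can delete none of them. If that is the intended policy the comment should state it, e.g. `// Organizers keep read/edit_posts: they may edit their own unpublished posts only; everything else requires the wrangle cap.`, otherwise leave those two entries at their defaults. Nothing in this series grants `wordcamp_wrangle_wordcamps` to a role; unless that happens in code not shown here, only super admins pass these checks and deputies lose create/publish/delete on the dashboard for this type. The same two points apply verbatim to the `wp_meetup` hunk in PATCH 5/5 with `wordcamp_wrangle_meetups`, which the PATCH 1/5 subject describes as new. The enclosing `register_post_types()` array starts and ends outside the hunk.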
@@ -152,6 +152,19 @@ public function register_post_types() {
 'show_ui' => true,
 'can_export' => true,
 'capability_type' => Meetup_Application::POST_TYPE,
+ 'capabilities' => array(
+ // `read` and `edit_posts` are intentionally allowed, so organizers can edit their own posts (but not others').
+ 'create_posts' => 'wordcamp_wrangle_meetups',
+ 'delete_posts' => 'wordcamp_wrangle_meetups',
+ 'delete_others_posts' => 'wordcamp_wrangle_meetups',
+ 'delete_private_posts' => 'wordcamp_wrangle_meetups',
+ 'delete_published_posts' => 'wordcamp_wrangle_meetups',
+ 'edit_others_posts' => 'wordcamp_wrangle_meetups',
+ 'edit_private_posts' => 'wordcamp_wrangle_meetups',
+ 'edit_published_posts' => 'wordcamp_wrangle_meetups',
+ 'publish_posts' => 'wordcamp_wrangle_meetups',
+ 'read_private_posts' => 'wordcamp_wrangle_meetups',
+ ),
 'map_meta_cap' => true,
 'hierarchical' => false,
 'has_archive' => false,
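Review bot: This ten-entry map is a byte-for-byte copy of the one added to wordcamp-loader.php in PATCH 4/5 with only the capability name changed, so the two lists will drift the next time a primitive is added or removed for one event type and not the other. A small shared helper that takes the capability name and returns the array (placed wherever the two loaders already share code, if such a place exists) would keep them in lock-step and let the `read`/`edit_posts` rationale live in one comment; the call site here would become `'capabilities' => wrangler_capabilities( 'wordcamp_wrangle_meetups' ),` or the method-form equivalent. The enclosing `register_post_types()` array starts and ends outside the hunk.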