Skip to content

Commit

Permalink
Pods 2.8.23.1
Browse files Browse the repository at this point in the history
  • Loading branch information
sc0ttkclark committed Feb 21, 2024
1 parent bbaeac5 commit 6fd0f2d
Show file tree
Hide file tree
Showing 101 changed files with 3,458 additions and 335 deletions.
232 changes: 139 additions & 93 deletions classes/Pods.php
Original file line number Diff line number Diff line change
Expand Up @@ -1315,10 +1315,8 @@ public function field( $name, $single = null, $raw = false ) {
continue;
}

// Bypass pass field.
if ( isset( $item->user_pass ) ) {
unset( $item->user_pass );
}
// Bypass sensitive fields.
$item = pods_access_bleep_data( $item );

// Get Item ID.
$item_id = $item->pod_item_id;
Expand All @@ -1331,6 +1329,10 @@ public function field( $name, $single = null, $raw = false ) {
} elseif ( 'objects' === $params->output ) {
if ( in_array( $object_type, array( 'post_type', 'media' ), true ) ) {
$item = get_post( $item_id );

if ( ! empty( $item ) ) {
$item = pods_access_bleep_data( $item );
}
} elseif ( 'taxonomy' === $object_type ) {
$item = get_term( $item_id, $object );
} elseif ( 'user' === $object_type ) {
Expand All @@ -1349,7 +1351,7 @@ public function field( $name, $single = null, $raw = false ) {
$item->caps = $caps;
$item->allcaps = $allcaps;

unset( $item->user_pass );
$item = pods_access_bleep_data( $item );
}
} elseif ( 'comment' === $object_type ) {
$item = get_comment( $item_id );
Expand Down Expand Up @@ -3462,20 +3464,6 @@ public function helper( $helper, $value = null, $name = null ) {
$params = array_merge( $params, $helper );
}

/**
* Allows changing whether callbacks are allowed to run.
*
* @param bool $allow_callbacks Whether callbacks are allowed to run.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.8.0
*/
$allow_callbacks = (boolean) apply_filters( 'pods_helper_allow_callbacks', true, $params );

if ( ! $allow_callbacks ) {
return $value;
}

/**
* Allows changing whether to include the Pods object as the second value to the callback.
*
Expand All @@ -3486,78 +3474,42 @@ public function helper( $helper, $value = null, $name = null ) {
*/
$include_obj = (boolean) apply_filters( 'pods_helper_include_obj', false, $params );

if ( ! is_callable( $params['helper'] ) ) {
if ( $include_obj ) {
return apply_filters( $params['helper'], $value, $this );
} else {
return apply_filters( $params['helper'], $value );
}
}

$disallowed = array(
'system',
'exec',
'popen',
'eval',
'preg_replace',
'preg_replace_array',
'preg_replace_callback',
'preg_replace_callback_array',
'preg_match',
'preg_match_all',
'create_function',
'include',
'include_once',
'require',
'require_once',
);

$allowed = array();

/**
* Allows adjusting the disallowed callbacks as needed.
*
* @param array $disallowed List of callbacks not allowed.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.7.0
*/
$disallowed = apply_filters( 'pods_helper_disallowed_callbacks', $disallowed, $params );

/**
* Allows adjusting the allowed callbacks as needed.
*
* @param array $allowed List of callbacks explicitly allowed.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.7.0
*/
$allowed = apply_filters( 'pods_helper_allowed_callbacks', $allowed, $params );

// Clean up helper callback (if string).
if ( is_string( $params['helper'] ) ) {
$params['helper'] = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $params['helper'] ) );
}

$is_allowed = false;
if ( ! pods_access_callback_allowed( $params['helper'], $params ) ) {
return $value;
}

if ( ! empty( $allowed ) ) {
if ( in_array( $params['helper'], $allowed, true ) ) {
$is_allowed = true;
if ( ! is_callable( $params['helper'] ) ) {
if ( ! is_string( $params['helper'] ) ) {
return '';
}
} elseif ( ! in_array( $params['helper'], $disallowed, true ) ) {
$is_allowed = true;
}

if ( ! $is_allowed ) {
return $value;
if ( $include_obj ) {
return apply_filters( $params['helper'], $value, $this );
}

return apply_filters( $params['helper'], $value );
}

if ( $include_obj ) {
return call_user_func( $params['helper'], $value, $this );
try {
if ( $include_obj ) {
return call_user_func( $params['helper'], $value, $this );
}

return call_user_func( $params['helper'], $value );
} catch ( Exception $exception ) {
pods_debug_log( $exception );

if ( pods_is_debug_display() ) {
throw $exception;
}
}

return call_user_func( $params['helper'], $value );
return '';
}

/**
Expand Down Expand Up @@ -3596,20 +3548,21 @@ public function template_singular( $template_name, $code = null, $deprecated = f
* @param string $template_name The template name.
* @param string|null $code Custom template code to use instead.
* @param bool $deprecated Whether to use deprecated functionality based on old function usage.
* @param bool $check_access Whether to check access for Posts that are Password-protected.
*
* @return mixed Template output
*
* @since 2.0.0
* @link https://docs.pods.io/code/pods/template/
*/
public function template( $template_name, $code = null, $deprecated = false ) {
public function template( $template_name, $code = null, $deprecated = false, $check_access = false ) {

$out = null;

$obj =& $this;

if ( class_exists( 'Pods_Templates' ) ) {
$out = Pods_Templates::template( $template_name, $code, $this, $deprecated );
$out = Pods_Templates::template( $template_name, $code, $this, $deprecated, $check_access );
} elseif ( ! empty( $code ) ) {
// backwards compatibility.
$code = str_replace( '$this->', '$obj->', $code );
Expand All @@ -3632,18 +3585,43 @@ public function template( $template_name, $code = null, $deprecated = false ) {
*/
$code = apply_filters( "pods_templates_pre_template_{$template_name}", $code, $template_name, $this );

$info = $check_access ? pods_info_from_args( [ 'pods' => $this ] ) : [];

ob_start();

if ( ! empty( $code ) ) {
// Only detail templates need $this->id.
if ( empty( $this->id ) ) {
while ( $this->fetch() ) {
$info['item_id'] = $this->id();

// Ensure the post is not password protected.
if (
$check_access
&& (
pods_access_bypass_post_with_password( $info )
|| pods_access_bypass_private_post( $info )
)
) {
continue;
}

// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
}
} else {
// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
$info['item_id'] = $this->id();

if (
! $check_access
|| (
! pods_access_bypass_post_with_password( $info )
&& ! pods_access_bypass_private_post( $info )
)
) {
// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
}
}
}

Expand Down Expand Up @@ -3696,10 +3674,33 @@ public function template( $template_name, $code = null, $deprecated = false ) {
// Only detail templates need $this->id.
if ( empty( $this->id ) ) {
while ( $this->fetch() ) {
$info['item_id'] = $this->id();

// Ensure the post is not password protected.
if (
$check_access
&& (
pods_access_bypass_post_with_password( $info )
|| pods_access_bypass_private_post( $info )
)
) {
continue;
}

pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
}
} else {
pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
$info['item_id'] = $this->id();

if (
! $check_access
|| (
! pods_access_bypass_post_with_password( $info )
&& ! pods_access_bypass_private_post( $info )
)
) {
pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
}
}

$out = ob_get_clean();
Expand Down Expand Up @@ -3768,7 +3769,7 @@ public function form( $params = null, $label = null, $thank_you = null ) {
esc_html__( 'Anonymous form submissions are not enabled for this site', 'pods' ),
esc_url( wp_login_url( pods_current_url() ) ),
esc_html__( 'try logging in first', 'pods' ),
esc_html__( 'contacting your site administrator', 'pods' )
esc_html__( 'or contacting your site administrator', 'pods' )
);
}

Expand All @@ -3793,20 +3794,65 @@ public function form( $params = null, $label = null, $thank_you = null ) {
}
}

$defaults = array(
'fields' => $params,
'label' => $label,
'thank_you' => $thank_you,
'fields_only' => false,
'output_type' => 'div',
);
$defaults = [
'fields' => $params,
'label' => $label,
'thank_you' => $thank_you,
'fields_only' => false,
'output_type' => 'div',
'check_access' => false,
];

if ( is_array( $params ) ) {
$params = array_merge( $defaults, $params );
} else {
$params = $defaults;
}

$access_type = $this->exists() ? 'edit' : 'add';

$return = '';

// Check if the current user has access to the object.
if ( ! empty( $params['check_access'] ) ) {
$dynamic_feature_unrestricted = pods_can_use_dynamic_feature_unrestricted(
[
'pods' => $this,
],
'form',
$access_type
);

if (
! pods_current_user_can_access_object(
[
'pods' => $this,
],
$access_type
)
&& ! $dynamic_feature_unrestricted
) {
// Stop display and only return the notice.
return pods_get_access_user_notice(
[
'pods' => $this,
],
false,
esc_html__( 'You do not have access to this embedded form.', 'pods' )
) ?: '';
}

// Show the admin-specific notice that this content may not be visible to others since it is not public.
if ( ! $dynamic_feature_unrestricted && pods_is_admin() ) {
// Include the notice in the display output to let the admin know and continue the display.
$return .= pods_get_access_admin_notice(
[
'pods' => $this,
]
) ?: '';
}
}

$pod =& $this;

$params = $this->do_hook( 'form_params', $params );
Expand Down Expand Up @@ -3943,7 +3989,7 @@ public function form( $params = null, $label = null, $thank_you = null ) {

pods_view( PODS_DIR . 'ui/front/form.php', compact( array_keys( get_defined_vars() ) ) );

$output = ob_get_clean();
$output = $return . ob_get_clean();

if ( empty( $this->id ) ) {
$this->row_override = array();
Expand Down
Loading

0 comments on commit 6fd0f2d

Please sign in to comment.