update: admin can change product author from rest api (#1913)

* update: admin can change product author from rest api * refactor: extracted method for better readability * fix: admin capability for api access * fix: add `validate_post_author_override()` added * update: remove changed author's `dokan_add_product` check * update: override author's `dokan_add_product` check for admin * update: post status changed according to override author's selling capability * update: post status changed to draft according to override author's selling capability --------- Co-authored-by: Nurul Umbhiya <nurul-umbhiya@users.noreply.github.com>
getdokan · Apr 4, 2024 · 87b95cc · 87b95cc
1 parent 4ba9597
commit 87b95cc
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 19 deletions.
diff --git a/includes/Abstracts/DokanRESTController.php b/includes/Abstracts/DokanRESTController.php
@@ -102,13 +102,7 @@ public function create_item( $request ) {
 
  $object->save();
 
- //Update post author
- wp_update_post(
- array(
- 'ID' => $object->get_id(),
- 'post_author' => dokan_get_current_user_id(),
- )
- );
+ $this->update_post_author_if_needed( $request, $object->get_id() );
 
  /**
  * Fires after a single object is created or updated via the REST API.
@@ -149,6 +143,9 @@ public function update_item( $request ) {
  }
 
  $object->save();
+
+ $this->update_post_author_if_needed( $request, $object->get_id() );
+
  $this->update_additional_fields_for_object( $object, $request );
 
  /**
@@ -454,6 +451,36 @@ public function format_collection_response( $response, $request, $total_items )
  return $response;
  }
 
+ /**
+ * Update post author if requested.
+ *
+ * @since DOKAN_SINCE
+ *
+ * @param WP_REST_Request $request Request object.
+ * @param int $object_id Object ID.
+ *
+ * @return void
+ */
+ public function update_post_author_if_needed( WP_REST_Request $request, int $object_id ) {
+ $author_id = dokan_get_current_user_id();
+
+ if ( current_user_can( 'manage_options' ) ) {
+ $post_author = absint( $request->get_param( 'post_author' ) );
+ $author = new \WP_User( $post_author );
+
+ // phpcs:ignore WordPress.WP.Capabilities.Unknown
+ $author_id = ( ! empty( $post_author ) && $author->exists() && user_can( $author->ID, 'dokan_add_product' ) ) ? $author->ID : $author_id;
+ }
+
+ //Update post author
+ wp_update_post(
+ array(
+ 'ID' => $object_id,
+ 'post_author' => $author_id,
+ )
+ );
+ }
+
  /**
  * Add meta query.
  *

diff --git a/includes/REST/ProductController.php b/includes/REST/ProductController.php
@@ -20,6 +20,8 @@
 /**
  * Store API Controller
  *
+ * phpcs:disable WordPress.WP.Capabilities.Unknown
+ *
  * @package dokan
  *
  * @author weDevs <info@wedevs.com>
@@ -285,13 +287,13 @@ public function get_object( $id ) {
  * @return bool|WP_Error
  */
  public function validation_before_create_item( $request ) {
- $store_id = dokan_get_current_user_id();
+ $store_id = $this->validate_post_author_override( $request, dokan_get_current_user_id() );
 
  if ( empty( $store_id ) ) {
  return new WP_Error( 'no_store_found', __( 'No seller found', 'dokan-lite' ), [ 'status' => 404 ] );
  }
 
- if ( ! dokan_is_seller_enabled( $store_id ) ) {
+ if ( ! dokan_is_seller_enabled( $store_id ) && ! current_user_can( 'manage_options' ) ) {
  return new WP_Error( 'invalid_request', __( 'Error! Your account is not enabled for selling, please contact the admin', 'dokan-lite' ), [ 'status' => 400 ] );
  }
 
@@ -329,7 +331,7 @@ public function validation_before_create_item( $request ) {
  * @return bool|WP_Error
  */
  public function validation_before_update_item( $request ) {
- $store_id = dokan_get_current_user_id();
+ $store_id = $this->validate_post_author_override( $request, dokan_get_current_user_id() );
 
  if ( empty( $store_id ) ) {
  return new WP_Error( 'no_store_found', __( 'No seller found', 'dokan-lite' ), [ 'status' => 404 ] );
@@ -343,7 +345,7 @@ public function validation_before_update_item( $request ) {
 
  $product_author = (int) get_post_field( 'post_author', $object->get_id() );
 
- if ( $store_id !== $product_author ) {
+ if ( $store_id !== $product_author && ! current_user_can( 'manage_options' ) ) {
  return new WP_Error( "dokan_rest_{$this->post_type}_invalid_id", __( 'Sorry, you have no permission to do this. Since it\'s not your product.', 'dokan-lite' ), [ 'status' => 400 ] );
  }
 
@@ -358,7 +360,7 @@ public function validation_before_update_item( $request ) {
  * @return WP_Error|Boolean
  */
  public function validation_before_delete_item( $request ) {
- $store_id = dokan_get_current_user_id();
+ $store_id = $this->validate_post_author_override( $request, dokan_get_current_user_id() );
  $object = $this->get_object( (int) $request['id'] );
  $result = false;
 
@@ -368,7 +370,7 @@ public function validation_before_delete_item( $request ) {
 
  $product_author = (int) get_post_field( 'post_author', $object->get_id() );
 
- if ( $store_id !== $product_author ) {
+ if ( $store_id !== $product_author && ! current_user_can( 'manage_options' ) ) {
  return new WP_Error( "dokan_rest_{$this->post_type}_invalid_id", __( 'Sorry, you have no permission to do this. Since it\'s not your product.', 'dokan-lite' ), [ 'status' => 400 ] );
  }
 
@@ -383,7 +385,7 @@ public function validation_before_delete_item( $request ) {
  * @return bool
  */
  public function get_product_permissions_check() {
- return current_user_can( 'dokan_view_product_menu' );
+ return current_user_can( 'dokan_view_product_menu' ) || current_user_can( 'manage_options' );
  }
 
  /**
@@ -394,7 +396,7 @@ public function get_product_permissions_check() {
  * @return bool
  */
  public function create_product_permissions_check() {
- return current_user_can( 'dokan_add_product' );
+ return current_user_can( 'dokan_add_product' ) || current_user_can( 'manage_options' );
  }
 
  /**
@@ -405,7 +407,7 @@ public function create_product_permissions_check() {
  * @return bool
  */
  public function get_single_product_permissions_check() {
- return current_user_can( 'dokandar' );
+ return current_user_can( 'dokandar' ) || current_user_can( 'manage_options' );
  }
 
  /**
@@ -416,7 +418,7 @@ public function get_single_product_permissions_check() {
  * @return bool
  */
  public function update_product_permissions_check() {
- return current_user_can( 'dokan_edit_product' );
+ return current_user_can( 'dokan_edit_product' ) || current_user_can( 'manage_options' );
  }
 
  /**
@@ -427,7 +429,7 @@ public function update_product_permissions_check() {
  * @return bool
  */
  public function delete_product_permissions_check() {
- return current_user_can( 'dokan_delete_product' );
+ return current_user_can( 'dokan_delete_product' ) || current_user_can( 'manage_options' );
  }
 
  /**
@@ -594,6 +596,28 @@ public function get_latest_product( $request ) {
  return $response;
  }
 
+ /**
+ * Validate post author overrides.
+ *
+ * @since DOKAN_SINCE
+ *
+ * @param WP_REST_Request $request Request object.
+ * @param int $store_id fallback Store or author id.
+ *
+ * @return int
+ */
+ public function validate_post_author_override( WP_REST_Request $request, int $store_id ): int {
+ if ( ! current_user_can( 'manage_options' ) ) {
+ return $store_id;
+ }
+
+ $post_author = absint( $request->get_param( 'post_author' ) );
+ $author = new \WP_User( $post_author );
+
+ // phpcs:ignore WordPress.WP.Capabilities.Unknown
+ return ( ! empty( $post_author ) && $author->exists() ) ? $author->ID : $store_id;
+ }
+
  /**
  * Prepare objects query
  *
@@ -829,7 +853,7 @@ protected function prepare_data_for_response( $product, $request ) {
  /**
  * Prepare object for database mapping
  *
- * @param object $request
+ * @param WP_REST_Request $request
  * @param boolean $creating
  *
  * @return object