From aa08f03124789a5f1dbcfabe17090af01334119c Mon Sep 17 00:00:00 2001 From: Scott Kingsley Clark Date: Wed, 7 Feb 2024 22:10:00 -0600 Subject: [PATCH] Pods 2.7.31.1 --- classes/Pods.php | 209 +- classes/PodsAPI.php | 59 +- classes/PodsAdmin.php | 39 +- classes/PodsData.php | 25 +- classes/PodsField.php | 148 +- classes/PodsInit.php | 25 +- classes/PodsUI.php | 54 +- classes/PodsView.php | 75 +- classes/fields/code.php | 3 +- classes/fields/datetime.php | 5 +- classes/fields/number.php | 5 +- classes/fields/oembed.php | 2 +- classes/fields/pick.php | 4 +- components/Templates/Templates.php | 55 +- .../includes/functions-view_template.php | 11 +- includes/access.php | 1682 +++++++++++++++++ includes/classes.php | 5 +- includes/data.php | 118 +- includes/general.php | 618 +++++- init.php | 5 +- package.json | 2 +- readme.txt | 21 +- sql/update-1.x.php | 2 +- sql/upgrade/PodsUpgrade_2_0_0.php | 2 +- ui/admin/components-admin.php | 6 + ui/admin/help.php | 6 + ui/admin/postbox-header.php | 5 + ui/admin/settings-reset.php | 5 + ui/admin/settings.php | 6 + ui/admin/setup-add.php | 5 + ui/admin/setup-edit.php | 5 + ui/admin/shortcode.php | 6 + ui/admin/upgrade/backup.php | 6 + ui/admin/upgrade/upgrade_2_0_0.php | 5 + ui/admin/upgrade/upgrade_2_1_0.php | 5 + ui/admin/view.php | 5 + ui/admin/widgets/field.php | 6 + ui/admin/widgets/form.php | 6 + ui/admin/widgets/list.php | 6 + ui/admin/widgets/single.php | 6 + ui/admin/widgets/view.php | 6 + ui/fields/_comment.php | 6 + ui/fields/_db.php | 5 + ui/fields/_hidden.php | 5 + ui/fields/_label.php | 6 + ui/fields/_row.php | 13 +- ui/fields/attachment.php | 5 + ui/fields/checkbox.php | 5 + ui/fields/cleditor.php | 5 + ui/fields/codemirror.php | 5 + ui/fields/color.php | 5 + ui/fields/currency.php | 5 + ui/fields/date.php | 5 + ui/fields/datetime.php | 5 + ui/fields/email.php | 5 + ui/fields/link.php | 4 + ui/fields/number.php | 5 + ui/fields/oembed.php | 5 + ui/fields/password.php | 5 + ui/fields/phone.php | 5 + ui/fields/radio.php | 5 + ui/fields/select.php | 5 + ui/fields/slider.php | 5 + ui/fields/slug.php | 5 + ui/fields/text.php | 5 + ui/fields/textarea.php | 5 + ui/fields/time.php | 5 + ui/fields/tinymce.php | 5 + ui/fields/website.php | 5 + ui/front/filters.php | 6 + ui/front/form.php | 5 + ui/front/pagination/advanced.php | 6 + ui/front/pagination/list.php | 6 + ui/front/pagination/paginate.php | 6 + ui/front/pagination/simple.php | 6 + ui/front/view.php | 7 +- ui/front/widgets.php | 5 + 77 files changed, 3194 insertions(+), 271 deletions(-) create mode 100644 includes/access.php diff --git a/classes/Pods.php b/classes/Pods.php index 383805191c..f9b02fefa9 100644 --- a/classes/Pods.php +++ b/classes/Pods.php @@ -1594,10 +1594,8 @@ public function field( $name, $single = null, $raw = false ) { continue; } - // Bypass pass field. - if ( isset( $item->user_pass ) ) { - unset( $item->user_pass ); - } + // Bypass sensitive fields. + $item = pods_access_bleep_data( $item ); // Get Item ID. $item_id = $item->pod_item_id; @@ -1610,6 +1608,10 @@ public function field( $name, $single = null, $raw = false ) { } elseif ( 'objects' === $params->output ) { if ( in_array( $object_type, array( 'post_type', 'media' ), true ) ) { $item = get_post( $item_id ); + + if ( ! empty( $item ) ) { + $item = pods_access_bleep_data( $item ); + } } elseif ( 'taxonomy' === $object_type ) { $item = get_term( $item_id, $object ); } elseif ( 'user' === $object_type ) { @@ -1628,7 +1630,7 @@ public function field( $name, $single = null, $raw = false ) { $item->caps = $caps; $item->allcaps = $allcaps; - unset( $item->user_pass ); + $item = pods_access_bleep_data( $item ); } } elseif ( 'comment' === $object_type ) { $item = get_comment( $item_id ); @@ -3727,67 +3729,50 @@ public function helper( $helper, $value = null, $name = null ) { $params = array_merge( $params, $helper ); } - if ( class_exists( 'Pods_Helpers' ) ) { - $value = Pods_Helpers::helper( $params, $this ); - } elseif ( is_callable( $params['helper'] ) ) { - $disallowed = array( - 'system', - 'exec', - 'popen', - 'eval', - 'preg_replace', - 'create_function', - 'include', - 'include_once', - 'require', - 'require_once', - ); + /** + * Allows changing whether to include the Pods object as the second value to the callback. + * + * @param bool $include_obj Whether to include the Pods object as the second value to the callback. + * @param array $params Parameters used by Pods::helper() method. + * + * @since 2.8.0 + */ + $include_obj = (boolean) apply_filters( 'pods_helper_include_obj', false, $params ); - $allowed = array(); + // Clean up helper callback (if string). + if ( is_string( $params['helper'] ) ) { + $params['helper'] = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $params['helper'] ) ); + } - /** - * Allows adjusting the disallowed callbacks as needed. - * - * @param array $disallowed List of callbacks not allowed. - * @param array $params Parameters used by Pods::helper() method. - * - * @since 2.7.0 - */ - $disallowed = apply_filters( 'pods_helper_disallowed_callbacks', $disallowed, $params ); + if ( ! pods_access_callback_allowed( $params['helper'], $params ) ) { + return $value; + } - /** - * Allows adjusting the allowed allowed callbacks as needed. - * - * @param array $allowed List of callbacks explicitly allowed. - * @param array $params Parameters used by Pods::helper() method. - * - * @since 2.7.0 - */ - $allowed = apply_filters( 'pods_helper_allowed_callbacks', $allowed, $params ); + if ( ! is_callable( $params['helper'] ) ) { + if ( ! is_string( $params['helper'] ) ) { + return ''; + } - // Clean up helper callback (if string). - if ( is_string( $params['helper'] ) ) { - $params['helper'] = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $params['helper'] ) ); + if ( $include_obj ) { + return apply_filters( $params['helper'], $value, $this ); } - $is_allowed = false; + return apply_filters( $params['helper'], $value ); + } - if ( ! empty( $allowed ) ) { - if ( in_array( $params['helper'], $allowed, true ) ) { - $is_allowed = true; - } - } elseif ( ! in_array( $params['helper'], $disallowed, true ) ) { - $is_allowed = true; + try { + if ( $include_obj ) { + return call_user_func( $params['helper'], $value, $this ); } - if ( $is_allowed ) { - $value = call_user_func( $params['helper'], $value ); + return call_user_func( $params['helper'], $value ); + } catch ( Exception $exception ) { + if ( pods_is_debug_display() ) { + throw $exception; } - } else { - $value = apply_filters( $params['helper'], $value ); - }//end if + } - return $value; + return ''; } /** @@ -3798,13 +3783,14 @@ public function helper( $helper, $value = null, $name = null ) { * @param string $template_name The template name. * @param string|null $code Custom template code to use instead. * @param bool $deprecated Whether to use deprecated functionality based on old function usage. + * @param bool $check_access Whether to check access for Posts that are Password-protected. * * @return mixed Template output * * @since 2.0.0 * @link https://pods.io/docs/template/ */ - public function template( $template_name, $code = null, $deprecated = false ) { + public function template( $template_name, $code = null, $deprecated = false, $check_access = false ) { $out = null; @@ -3832,18 +3818,43 @@ public function template( $template_name, $code = null, $deprecated = false ) { */ $code = apply_filters( "pods_templates_pre_template_{$template_name}", $code, $template_name, $this ); + $info = $check_access ? pods_info_from_args( [ 'pods' => $this ] ) : []; + ob_start(); if ( ! empty( $code ) ) { // Only detail templates need $this->id. if ( empty( $this->id ) ) { while ( $this->fetch() ) { + $info['item_id'] = $this->id(); + + // Ensure the post is not password protected. + if ( + $check_access + && ( + pods_access_bypass_post_with_password( $info ) + || pods_access_bypass_private_post( $info ) + ) + ) { + continue; + } + // @codingStandardsIgnoreLine echo $this->do_magic_tags( $code ); } } else { - // @codingStandardsIgnoreLine - echo $this->do_magic_tags( $code ); + $info['item_id'] = $this->id(); + + if ( + ! $check_access + || ( + ! pods_access_bypass_post_with_password( $info ) + && ! pods_access_bypass_private_post( $info ) + ) + ) { + // @codingStandardsIgnoreLine + echo $this->do_magic_tags( $code ); + } } } @@ -3869,7 +3880,7 @@ public function template( $template_name, $code = null, $deprecated = false ) { */ $out = apply_filters( "pods_templates_post_template_{$template_name}", $out, $code, $template_name, $this ); } elseif ( class_exists( 'Pods_Templates' ) ) { - $out = Pods_Templates::template( $template_name, $code, $this, $deprecated ); + $out = Pods_Templates::template( $template_name, $code, $this, $deprecated, $check_access ); } elseif ( trim( preg_replace( '/[^a-zA-Z0-9_\-\/]/', '', $template_name ), ' /-' ) === $template_name ) { ob_start(); @@ -3889,10 +3900,33 @@ public function template( $template_name, $code = null, $deprecated = false ) { // Only detail templates need $this->id. if ( empty( $this->id ) ) { while ( $this->fetch() ) { + $info['item_id'] = $this->id(); + + // Ensure the post is not password protected. + if ( + $check_access + && ( + pods_access_bypass_post_with_password( $info ) + || pods_access_bypass_private_post( $info ) + ) + ) { + continue; + } + pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); } } else { - pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); + $info['item_id'] = $this->id(); + + if ( + ! $check_access + || ( + ! pods_access_bypass_post_with_password( $info ) + && ! pods_access_bypass_private_post( $info ) + ) + ) { + pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); + } } $out = ob_get_clean(); @@ -3937,10 +3971,11 @@ public function template( $template_name, $code = null, $deprecated = false ) { public function form( $params = null, $label = null, $thank_you = null ) { $defaults = array( - 'fields' => $params, - 'label' => $label, - 'thank_you' => $thank_you, - 'fields_only' => false, + 'fields' => $params, + 'label' => $label, + 'thank_you' => $thank_you, + 'fields_only' => false, + 'check_access' => false, ); if ( is_array( $params ) ) { @@ -3949,6 +3984,50 @@ public function form( $params = null, $label = null, $thank_you = null ) { $params = $defaults; } + $access_type = $this->exists() ? 'edit' : 'add'; + + $return = ''; + + // Check if the current user has access to the object. + if ( ! empty( $params['check_access'] ) ) { + $dynamic_feature_unrestricted = pods_can_use_dynamic_feature_unrestricted( + [ + 'pods' => $this, + ], + 'form', + $access_type + ); + + if ( + ! pods_current_user_can_access_object( + [ + 'pods' => $this, + ], + $access_type + ) + && ! $dynamic_feature_unrestricted + ) { + // Stop display and only return the notice. + return pods_get_access_user_notice( + [ + 'pods' => $this, + ], + false, + esc_html__( 'You do not have access to this embedded form.', 'pods' ) + ) ?: ''; + } + + // Show the admin-specific notice that this content may not be visible to others since it is not public. + if ( ! $dynamic_feature_unrestricted && pods_is_admin() ) { + // Include the notice in the display output to let the admin know and continue the display. + $return .= pods_get_access_admin_notice( + [ + 'pods' => $this, + ] + ) ?: ''; + } + } + $pod =& $this; $params = $this->do_hook( 'form_params', $params ); @@ -4067,7 +4146,7 @@ public function form( $params = null, $label = null, $thank_you = null ) { pods_view( PODS_DIR . 'ui/front/form.php', compact( array_keys( get_defined_vars() ) ) ); - $output = ob_get_clean(); + $output = $return . ob_get_clean(); if ( empty( $this->id ) ) { $this->row_override = array(); diff --git a/classes/PodsAPI.php b/classes/PodsAPI.php index f93afbbe72..3908dd352f 100644 --- a/classes/PodsAPI.php +++ b/classes/PodsAPI.php @@ -1064,7 +1064,8 @@ public function get_wp_object_fields( $object = 'post_type', $pod = null, $refre 'name' => 'post_password', 'label' => 'Password', 'type' => 'password', - 'alias' => array() + 'alias' => array(), + 'hide_in_default_form' => true, ), 'post_name' => array( 'name' => 'post_name', @@ -6290,7 +6291,7 @@ public function load_pod( $params, $strict = true ) { if ( is_array( $value ) ) { foreach ( $value as $k => $v ) { if ( ! is_array( $v ) ) { - $value[ $k ] = maybe_unserialize( $v ); + $value[ $k ] = pods_maybe_safely_unserialize( $v ); } } @@ -6298,7 +6299,7 @@ public function load_pod( $params, $strict = true ) { $value = current( $value ); } } else { - $value = maybe_unserialize( $value ); + $value = pods_maybe_safely_unserialize( $value ); } $pod['options'][ $option ] = $value; @@ -6935,7 +6936,7 @@ public function load_field( $params, $strict = false ) { if ( is_array( $value ) ) { foreach ( $value as $k => $v ) { if ( ! is_array( $v ) ) { - $value[ $k ] = maybe_unserialize( $v ); + $value[ $k ] = pods_maybe_safely_unserialize( $v ); } } @@ -6943,7 +6944,7 @@ public function load_field( $params, $strict = false ) { $value = current( $value ); } } else { - $value = maybe_unserialize( $value ); + $value = pods_maybe_safely_unserialize( $value ); } $field['options'][ $option ] = $value; @@ -9258,9 +9259,17 @@ public function process_form( $params, $obj = null, $fields = null, $thank_you = $form = pods_var( '_pods_form', $params ); $location = pods_var( '_pods_location', $params ); + $obj = null; + if ( is_object( $obj ) ) { $pod = $obj->pod; $id = $obj->id(); + } elseif ( $pod ) { + $obj = pods( $pod, $id, true ); + + if ( ! $obj || is_wp_error( $obj ) || ! $obj->valid() ) { + $obj = null; + } } if ( ! empty( $fields ) ) { @@ -9298,6 +9307,46 @@ public function process_form( $params, $obj = null, $fields = null, $thank_you = $data[ $field ] = pods_var_raw( 'pods_field_' . $field, $params, '' ); } + // Check if the user should have access to shortcodes/blocks. + if ( + $obj + && 'post_type' === $obj->pod_data['type'] + && ! empty( $data['post_content'] ) + ) { + $restrict_content = ! current_user_can( 'edit_posts', $id ?: null ); + + /** + * Allow filtering whether the post content needs to be restricted to have shortcodes/blocks removed. + * + * @since 3.1.0 + * + * @param bool $restrict_content Whether the post content needs to be restricted to have shortcodes/blocks removed. + * @param string $object_type The object type. + * @param string|null $object_name The object name (if different from the object type like post_type, taxonomy, and setting have). + * @param string|int $id The item ID (if editing). + */ + $restrict_content = (bool) apply_filters( + 'pods_api_process_form_restrict_content', + $restrict_content, + $obj->pod_data['type'], + $obj->pod_data['name'], + $id + ); + + if ( $restrict_content ) { + // Strip shortcodes. + $data['post_content'] = strip_shortcodes( $data['post_content'] ); + + // Allow minimal blocks. + $data['post_content'] = function_exists( 'excerpt_remove_blocks' ) ? excerpt_remove_blocks( $data['post_content'] ) : $data['post_content']; + + // Clean up the content where missing blocks might be. + $data['post_content'] = str_replace( "\n\n\n", "\n", $data['post_content'] ); + } + + $data['post_content'] = trim( $data['post_content'] ); + } + $params = array( 'pod' => $pod, 'id' => $id, diff --git a/classes/PodsAdmin.php b/classes/PodsAdmin.php index 818c10b183..ca6cd29af1 100644 --- a/classes/PodsAdmin.php +++ b/classes/PodsAdmin.php @@ -2886,6 +2886,27 @@ public function admin_advanced() { * Get settings administration view */ public function admin_settings() { + $hide_notice = filter_var( get_option( 'pods_tmp_hide_notice_31', false ), FILTER_VALIDATE_BOOLEAN ); + + if ( ! $hide_notice ) { + if ( + ! empty( $_GET['hide_notice_31'] ) + && ! empty( $_GET['hide_notice_31_nonce'] ) + && wp_verify_nonce( $_GET['hide_notice_31_nonce'], 'hide_notice_31' ) + ) { + update_option( 'pods_tmp_hide_notice_31', 1, 'no' ); + } else { + pods_message( + sprintf( + '⚠️ %s %s', + __( 'You are running an outdated version of Pods. Upgrade to Pods 3.1 to get the most out of Access Rights, security fixes, and future features.', 'pods' ), + esc_url( add_query_arg( [ 'hide_notice_31' => 1, 'hide_notice_31_nonce' => wp_create_nonce( 'hide_notice_31' ) ] ) ), + __( 'Hide this notice', 'pods' ) + ), + 'error' + ); + } + } // Add our custom callouts. add_action( 'pods_admin_after_settings', array( $this, 'admin_manage_callouts' ) ); @@ -3441,7 +3462,14 @@ public function admin_ajax() { $method = (object) array_merge( $defaults, (array) $methods[ $params->method ] ); - if ( true !== $method->custom_nonce && ( ! isset( $params->_wpnonce ) || false === wp_verify_nonce( $params->_wpnonce, 'pods-' . $params->method ) ) ) { + if ( + true !== $method->custom_nonce + && ( + ! is_user_logged_in() + || ! isset( $params->_wpnonce ) + || false === wp_verify_nonce( $params->_wpnonce, 'pods-' . $params->method ) + ) + ) { pods_error( __( 'Unauthorized request', 'pods' ), $this ); } @@ -3454,8 +3482,13 @@ public function admin_ajax() { } // Check permissions (convert to array to support multiple) - if ( ! empty( $method->priv ) && ! pods_is_admin( array( 'pods' ) ) && true !== $method->priv && ! pods_is_admin( $method->priv ) ) { - pods_error( __( 'Access denied', 'pods' ), $this ); + if ( ! empty( $method->priv ) && ! pods_is_admin( array( 'pods' ) ) ) { + if ( true !== $method->priv && pods_is_admin( $method->priv ) ) { + // They have access to the custom priv. + } else { + // They do not have access. + pods_error( __( 'Access denied', 'pods' ), $this ); + } } $params->method = $method->name; diff --git a/classes/PodsData.php b/classes/PodsData.php index 8d706e12c1..083973a174 100644 --- a/classes/PodsData.php +++ b/classes/PodsData.php @@ -742,6 +742,25 @@ public function select( $params ) { */ $results = apply_filters( 'pods_data_select', $results, $params, $this ); + // Clean up data we don't want to work with. + if ( + ( + $this->pod_data + && 'user' === $this->pod_data['type'] + ) + || $wpdb->users === $this->table + ) { + $results = pods_access_bleep_items( $results ); + } elseif ( + ( + $this->pod_data + && 'post_type' === $this->pod_data['type'] + ) + || $wpdb->posts === $this->table + ) { + $results = pods_access_bleep_items( $results ); + } + $this->data = $results; $this->row_number = - 1; @@ -2076,6 +2095,8 @@ public function fetch( $row = null, $explicit_set = true ) { $this->row = false; } else { $current_row_id = $this->row['ID']; + + $this->row = pods_access_bleep_data( $this->row ); } $get_table_data = true; @@ -2150,7 +2171,7 @@ public function fetch( $row = null, $explicit_set = true ) { $this->row['caps'] = $caps; $this->row['allcaps'] = $allcaps; - unset( $this->row['user_pass'] ); + $this->row = pods_access_bleep_data( $this->row ); $current_row_id = $this->row['ID']; } @@ -2248,6 +2269,8 @@ public function fetch( $row = null, $explicit_set = true ) { } }//end if + $this->row = pods_access_bleep_data( $this->row ); + $this->row = apply_filters( 'pods_data_fetch', $this->row, $id, $this->row_number, $this ); return $this->row; diff --git a/classes/PodsField.php b/classes/PodsField.php index c51959f2c6..c970f3fdd4 100644 --- a/classes/PodsField.php +++ b/classes/PodsField.php @@ -282,9 +282,7 @@ public function value( $value = null, $name = null, $options = null, $pod = null * @since 2.0.0 */ public function display( $value = null, $name = null, $options = null, $pod = null, $id = null ) { - - return $value; - + return $this->maybe_sanitize_output( $value, $options ); } /** @@ -774,50 +772,146 @@ public function is_required( $options ) { * @return string */ public function strip_html( $value, $options = null ) { - if ( is_array( $value ) ) { - // @codingStandardsIgnoreLine - $value = @implode( ' ', $value ); - } + foreach ( $value as $k => $v ) { + $value[ $k ] = $this->strip_html( $v, $options ); + } - $value = trim( $value ); + return $value; + } if ( empty( $value ) ) { return $value; } - $options = (array) $options; + if ( $options ) { + $options = ( is_array( $options ) || is_object( $options ) ) ? $options : (array) $options; - // Strip HTML - if ( 1 === (int) pods_v( static::$type . '_allow_html', $options, 0 ) ) { - $allowed_html_tags = ''; - - if ( 0 < strlen( pods_v( static::$type . '_allowed_html_tags', $options ) ) ) { + // Strip HTML + if ( 1 === (int) pods_v( static::$type . '_allow_html', $options, 0 ) ) { $allowed_tags = pods_v( static::$type . '_allowed_html_tags', $options ); - $allowed_tags = trim( str_replace( array( '<', '>', ',' ), ' ', $allowed_tags ) ); - $allowed_tags = explode( ' ', $allowed_tags ); - $allowed_tags = array_unique( array_filter( $allowed_tags ) ); - if ( ! empty( $allowed_tags ) ) { - $allowed_html_tags = '<' . implode( '><', $allowed_tags ) . '>'; + if ( 0 < strlen( $allowed_tags ) ) { + $allowed_tags = trim( str_replace( [ '<', '>', ',' ], ' ', $allowed_tags ) ); + $allowed_tags = explode( ' ', $allowed_tags ); + $allowed_tags = array_unique( array_filter( $allowed_tags ) ); + + if ( ! empty( $allowed_tags ) ) { + $allowed_html_tags = '<' . implode( '><', $allowed_tags ) . '>'; + + $value = strip_tags( $value, $allowed_html_tags ); + } } - } - if ( ! empty( $allowed_html_tags ) ) { - $value = strip_tags( $value, $allowed_html_tags ); + return $this->maybe_sanitize_output( $value, $options ); } - } else { - $value = strip_tags( $value ); } - // Strip shortcodes - if ( 0 === (int) pods_v( static::$type . '_allow_shortcode', $options ) ) { - $value = strip_shortcodes( $value ); + return wp_strip_all_tags( $value ); + } + + /** + * Determine whether the field value needs to be sanitized and sanitize it. + * + * @since 3.1.0 + * + * @param mixed $value The field value. + * @param null|array|Field $options The field options. + * + * @return mixed The sanitized field value if it needs to be sanitized. + */ + public function maybe_sanitize_output( $value, $options = null ) { + // Maybe check for a sanitize output option. + $should_sanitize = null === $options || 1 === (int) pods_v( 'sanitize_output', $options, 1 ); + + /** + * Allow filtering whether to sanitize the field value before output. + * + * @since 3.1.0 + * + * @param bool $should_sanitize Whether the field value should be sanitized. + * @param mixed $value The field value. + * @param null|array|Field $options The field options. + */ + $should_sanitize = apply_filters( 'pods_field_maybe_sanitize_output', $should_sanitize, $value, $options ); + + if ( $should_sanitize ) { + if ( is_string( $value ) ) { + $value = wp_kses_post( $value ); + } elseif ( is_array( $value ) || is_object( $value ) ) { + $value = wp_kses_post_deep( $value ); + } } return $value; } + /** + * Strip shortcodes based on options. + * + * @since 2.8.0 + * + * @param string|array $value The field value. + * @param array|Field|null $options The field options. + * + * @return string The field value. + */ + public function strip_shortcodes( $value, $options = null ) { + if ( is_array( $value ) ) { + foreach ( $value as $k => $v ) { + $value[ $k ] = $this->strip_shortcodes( $v, $options ); + } + + return $value; + } + + if ( empty( $value ) ) { + return $value; + } + + if ( $options ) { + $options = ( is_array( $options ) || is_object( $options ) ) ? $options : (array) $options; + + // Check if we should strip shortcodes. + if ( 1 === (int) pods_v( static::$type . '_allow_shortcode', $options, 0 ) ) { + return $value; + } + } + + return strip_shortcodes( $value ); + } + + /** + * Trim whitespace based on options. + * + * @since 2.8.0 + * + * @param string|array $value The field value. + * @param array|Field|null $options The field options. + * + * @return string The field value. + */ + public function trim_whitespace( $value, $options = null ) { + if ( is_array( $value ) ) { + foreach ( $value as $k => $v ) { + $value[ $k ] = $this->trim_whitespace( $v, $options ); + } + + return $value; + } + + if ( $options ) { + $options = ( is_array( $options ) || is_object( $options ) ) ? $options : (array) $options; + + // Check if we should trim the content. + if ( 0 === (int) pods_v( static::$type . '_trim', $options, 1 ) ) { + return $value; + } + } + + return trim( $value ); + } + /** * Placeholder function to allow var_export() use with classes. * diff --git a/classes/PodsInit.php b/classes/PodsInit.php index a837d1a459..2a916191c3 100644 --- a/classes/PodsInit.php +++ b/classes/PodsInit.php @@ -1168,6 +1168,7 @@ public function setup_content_types( $force = false ) { 'labels' => $ct_labels, 'description' => esc_html( pods_v( 'description', $taxonomy ) ), 'public' => (boolean) pods_v( 'public', $taxonomy, true ), + 'publicly_queryable' => (boolean) pods_v( 'publicly_queryable', $taxonomy, (boolean) pods_v( 'public', $taxonomy, true ) ), 'show_ui' => (boolean) pods_v( 'show_ui', $taxonomy, (boolean) pods_v( 'public', $taxonomy, true ) ), 'show_in_menu' => (boolean) pods_v( 'show_in_menu', $taxonomy, (boolean) pods_v( 'public', $taxonomy, true ) ), 'show_in_nav_menus' => (boolean) pods_v( 'show_in_nav_menus', $taxonomy, (boolean) pods_v( 'public', $taxonomy, true ) ), @@ -2136,14 +2137,24 @@ public function delete_attachment( $_ID ) { * Register widgets for Pods */ public function register_widgets() { + $widgets = []; - $widgets = array( - 'PodsWidgetSingle', - 'PodsWidgetList', - 'PodsWidgetField', - 'PodsWidgetForm', - 'PodsWidgetView', - ); + // Maybe register the display widgets. + if ( pods_can_use_dynamic_feature( 'display' ) ) { + $widgets[] = 'PodsWidgetSingle'; + $widgets[] = 'PodsWidgetList'; + $widgets[] = 'PodsWidgetField'; + } + + // Maybe register the form widget. + if ( pods_can_use_dynamic_feature( 'form' ) ) { + $widgets[] = 'PodsWidgetForm'; + } + + // Maybe register the view widget. + if ( pods_can_use_dynamic_feature( 'view' ) ) { + $widgets[] = 'PodsWidgetView'; + } foreach ( $widgets as $widget ) { if ( ! file_exists( PODS_DIR . 'classes/widgets/' . $widget . '.php' ) ) { diff --git a/classes/PodsUI.php b/classes/PodsUI.php index 47e682b074..356dc4f014 100644 --- a/classes/PodsUI.php +++ b/classes/PodsUI.php @@ -1637,7 +1637,7 @@ public function go() { $this->save(); } $this->edit( ( 'duplicate' === $this->action && ! in_array( $this->action, $this->actions_disabled ) ) ? true : false ); - } elseif ( 'delete' === $this->action && ! in_array( $this->action, $this->actions_disabled ) && false !== wp_verify_nonce( $this->_nonce, 'pods-ui-action-delete' ) ) { + } elseif ( 'delete' === $this->action && ! in_array( $this->action, $this->actions_disabled ) && false !== wp_verify_nonce( $this->_nonce, 'pods-ui-action-delete-' . $this->id ) ) { $this->delete( $this->id ); $this->manage(); } elseif ( 'reorder' === $this->action && ! in_array( $this->action, $this->actions_disabled ) && false !== $this->reorder['on'] ) { @@ -1658,10 +1658,16 @@ public function go() { $this->view(); } else { if ( isset( $this->actions_custom[ $this->action ] ) ) { - $more_args = false; + $use_nonce = false; - if ( is_array( $this->actions_custom[ $this->action ] ) && isset( $this->actions_custom[ $this->action ]['more_args'] ) ) { - $more_args = $this->actions_custom[ $this->action ]['more_args']; + if ( is_array( $this->actions_custom[ $this->action ] ) ) { + $more_args = []; + + if ( ! empty( $this->actions_custom[ $this->action ]['more_args'] ) ) { + $more_args = $this->actions_custom[ $this->action ]['more_args']; + } + + $use_nonce = ! empty( $this->actions_custom[ $this->action ]['nonce'] ) || ! empty( $more_args['nonce'] ); } $row = $this->row; @@ -1670,7 +1676,13 @@ public function go() { $row = $this->get_row(); } - if ( $this->restricted( $this->action, $row ) || ( $more_args && ! empty( $more_args['nonce'] ) && false === wp_verify_nonce( $this->_nonce, 'pods-ui-action-' . $this->action ) ) ) { + if ( + $this->restricted( $this->action, $row ) + || ( + $use_nonce + && false === wp_verify_nonce( $this->_nonce, 'pods-ui-action-' . $this->action . '-' . $this->id ) + ) + ) { return $this->error( sprintf( __( 'Error: You do not have access to this %s.', 'pods' ), $this->item ) ); } elseif ( $more_args && false !== $this->callback_action( true, $this->action, $this->id, $row ) ) { return null; @@ -1875,7 +1887,7 @@ public function form( $create = false, $duplicate = false ) { } $label = $this->do_template( $this->label['edit'] ); - $id = $this->row[ $this->sql['field_id'] ]; + $id = pods_v( $this->sql['field_id'], $this->row ); $vars = array( $this->num_prefix . 'action' . $this->num => $this->action_after['edit'], $this->num_prefix . 'do' . $this->num => 'save', @@ -3478,15 +3490,15 @@ public function filters() { ); if ( $this->view == $view ) { - $label = '' . esc_html( $label ) . ''; + $label = '' . wp_kses_post( $label ) . ''; } else { - $label = '' . esc_html( $label ) . ''; + $label = '' . wp_kses_post( $label ) . ''; } } else { $label = wp_kses_post( $label ); } ?> -
  • +
  • sql['field_id'] ] ) ) { + $field_id = $row[ $this->sql['field_id'] ]; + } + $actions = array(); if ( ! in_array( 'view', $this->actions_disabled ) && ! in_array( 'view', $this->actions_hidden ) ) { $link = pods_query_arg( array( $this->num_prefix . 'action' . $this->num => 'view', - $this->num_prefix . 'id' . $this->num => $row[ $this->sql['field_id'] ], + $this->num_prefix . 'id' . $this->num => $field_id, ), self::$allowed, $this->exclusion() ); @@ -4675,7 +4693,7 @@ public function get_actions( $row ) { $link = pods_query_arg( array( $this->num_prefix . 'action' . $this->num => 'edit', - $this->num_prefix . 'id' . $this->num => $row[ $this->sql['field_id'] ], + $this->num_prefix . 'id' . $this->num => $field_id, ), self::$allowed, $this->exclusion() ); @@ -4690,7 +4708,7 @@ public function get_actions( $row ) { $link = pods_query_arg( array( $this->num_prefix . 'action' . $this->num => 'duplicate', - $this->num_prefix . 'id' . $this->num => $row[ $this->sql['field_id'] ], + $this->num_prefix . 'id' . $this->num => $field_id, ), self::$allowed, $this->exclusion() ); @@ -4705,13 +4723,13 @@ public function get_actions( $row ) { $link = pods_query_arg( array( $this->num_prefix . 'action' . $this->num => 'delete', - $this->num_prefix . 'id' . $this->num => $row[ $this->sql['field_id'] ], - $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-delete' ), + $this->num_prefix . 'id' . $this->num => $field_id, + $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-delete-' . $field_id ), ), self::$allowed, $this->exclusion() ); if ( ! empty( $this->action_links['delete'] ) ) { - $link = add_query_arg( array( $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-delete' ) ), $this->do_template( $this->action_links['delete'], $row ) ); + $link = add_query_arg( array( $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-delete-' . $field_id ) ), $this->do_template( $this->action_links['delete'], $row ) ); } $actions['delete'] = '' . __( 'Delete', 'pods' ) . ''; @@ -4751,8 +4769,8 @@ public function get_actions( $row ) { if ( ! isset( $custom_data['link'] ) ) { $vars = array( $this->num_prefix . 'action' . $this->num => $custom_action, - $this->num_prefix . 'id' . $this->num => $row[ $this->sql['field_id'] ], - $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-' . $custom_action ), + $this->num_prefix . 'id' . $this->num => $field_id, + $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-' . $custom_action . '-' . $field_id ), ); if ( 'toggle' === $custom_action ) { @@ -4763,7 +4781,7 @@ public function get_actions( $row ) { $custom_data['link'] = pods_query_arg( $vars, self::$allowed, $this->exclusion() ); if ( isset( $this->action_links[ $custom_action ] ) && ! empty( $this->action_links[ $custom_action ] ) ) { - $custom_data['link'] = add_query_arg( array( $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-' . $custom_action ) ), $this->do_template( $this->action_links[ $custom_action ], $row ) ); + $custom_data['link'] = add_query_arg( array( $this->num_prefix . '_wpnonce' . $this->num => wp_create_nonce( 'pods-ui-action-' . $custom_action . '-' . $field_id ) ), $this->do_template( $this->action_links[ $custom_action ], $row ) ); } } diff --git a/classes/PodsView.php b/classes/PodsView.php index c0b9d13864..3bba7d3e6f 100644 --- a/classes/PodsView.php +++ b/classes/PodsView.php @@ -25,12 +25,13 @@ private function __construct() { * @param array|null $data (optional) Data to pass on to the template * @param bool|int|array $expires (optional) Time in seconds for the cache to expire, if 0 no expiration. * @param string $cache_mode (optional) Decides the caching method to use for the view. + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false * * @return bool|mixed|null|string|void * * @since 2.0.0 */ - public static function view( $view, $data = null, $expires = false, $cache_mode = 'cache' ) { + public static function view( $view, $data = null, $expires = false, $cache_mode = 'cache', $limited = false ) { /** * Override the value of $view. For example, using Pods AJAX View. @@ -42,10 +43,11 @@ public static function view( $view, $data = null, $expires = false, $cache_mode * @param array|null $data (optional) Data to pass on to the template * @param bool|int|array $expires (optional) Time in seconds for the cache to expire, if 0 no expiration. * @param string $cache_mode (optional) Decides the caching method to use for the view. + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false * * @since 2.4.1 */ - $filter_check = apply_filters( 'pods_view_alt_view', null, $view, $data, $expires, $cache_mode ); + $filter_check = apply_filters( 'pods_view_alt_view', null, $view, $data, $expires, $cache_mode, $limited ); if ( null !== $filter_check ) { return $filter_check; @@ -82,7 +84,7 @@ public static function view( $view, $data = null, $expires = false, $cache_mode $view_id = pods_evaluate_tags( $view_id ); } - $view = apply_filters( 'pods_view_inc', $view, $data, $expires, $cache_mode ); + $view = apply_filters( 'pods_view_inc', $view, $data, $expires, $cache_mode, $limited ); $view_key = $view; @@ -126,6 +128,53 @@ public static function view( $view, $data = null, $expires = false, $cache_mode return $output; } + /** + * Get the full path of the view if it exists. + * + * @since 3.1.0 + * + * @param string $view Path of the view file + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false + * + * @return string|false The full path of the view if it exists. + */ + public static function view_get_path( $view, $limited = false ) { + // Support my-view.php?custom-key=X#hash keying for cache + if ( ! is_array( $view ) ) { + $view_q = explode( '?', $view ); + + if ( 1 < count( $view_q ) ) { + $view = $view_q[0]; + } + + $view_h = explode( '#', $view ); + + if ( 1 < count( $view_h ) ) { + $view = $view_h[0]; + } + } + + $view = apply_filters( 'pods_view_inc', $view, null, false, 'cache', $limited ); + + $view_key = $view; + + if ( is_array( $view_key ) ) { + $view_key = implode( '-', $view_key ) . '.php'; + } + + if ( false !== realpath( $view_key ) ) { + $view_key = realpath( $view_key ); + } + + $view_path = self::locate_template( $view_key, $limited ); + + if ( empty( $view_path ) ) { + return false; + } + + return $view_path; + } + /** * Get the cache key, salted with current Pods version, peppered with md5 if too long * @@ -475,10 +524,11 @@ public static function clear( $key = true, $cache_mode = null, $group = '' ) { * * @param $_view * @param null|array $_data + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false * * @return bool|mixed|string|void */ - public static function get_template_part( $_view, $_data = null ) { + public static function get_template_part( $_view, $_data = null, $limited = false ) { /* To be reviewed later, should have more checks and restrictions like a whitelist etc. @@ -495,7 +545,7 @@ public static function get_template_part( $_view, $_data = null ) { } */ - $_view = self::locate_template( $_view ); + $_view = self::locate_template( $_view, $limited ); if ( empty( $_view ) ) { return $_view; @@ -515,12 +565,12 @@ public static function get_template_part( $_view, $_data = null ) { /** * @static * - * @param $_view + * @param array|string $_view + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false * * @return bool|mixed|string|void */ - private static function locate_template( $_view ) { - + private static function locate_template( $_view, $limited = false ) { if ( is_array( $_view ) ) { $_views = array(); @@ -566,7 +616,14 @@ private static function locate_template( $_view ) { // Is the view's file somewhere within the plugin directory tree? // Note: we explicitly whitelist PODS_DIR for the case of symlinks (see issue #2945) - if ( false !== strpos( $_real_view, realpath( WP_PLUGIN_DIR ) ) || false !== strpos( $_real_view, realpath( WPMU_PLUGIN_DIR ) ) || false !== strpos( $_real_view, PODS_DIR ) ) { + if ( + ! $limited + && ( + false !== strpos( $_real_view, realpath( WP_PLUGIN_DIR ) ) + || false !== strpos( $_real_view, realpath( WPMU_PLUGIN_DIR ) ) + || false !== strpos( $_real_view, PODS_DIR ) + ) + ) { if ( file_exists( $_view ) ) { $located = $_view; } else { diff --git a/classes/fields/code.php b/classes/fields/code.php index 52a2625bec..4ee6a9b78b 100644 --- a/classes/fields/code.php +++ b/classes/fields/code.php @@ -92,12 +92,11 @@ public function schema( $options = null ) { * {@inheritdoc} */ public function display( $value = null, $name = null, $options = null, $pod = null, $id = null ) { - if ( 1 === (int) pods_v( static::$type . '_allow_shortcode', $options, 0 ) ) { $value = do_shortcode( $value ); } - return $value; + return $this->maybe_sanitize_output( $value, $options ); } /** diff --git a/classes/fields/datetime.php b/classes/fields/datetime.php index 958cb7422e..fdf5da40ec 100644 --- a/classes/fields/datetime.php +++ b/classes/fields/datetime.php @@ -263,10 +263,7 @@ public function is_empty( $value = null ) { * {@inheritdoc} */ public function display( $value = null, $name = null, $options = null, $pod = null, $id = null ) { - - $value = $this->format_value_display( $value, $options, false ); - - return $value; + return $this->format_value_display( $value, $options, false ); } /** diff --git a/classes/fields/number.php b/classes/fields/number.php index a8517cef68..8ad6a269c6 100644 --- a/classes/fields/number.php +++ b/classes/fields/number.php @@ -183,10 +183,7 @@ public function is_empty( $value = null ) { * {@inheritdoc} */ public function display( $value = null, $name = null, $options = null, $pod = null, $id = null ) { - - $value = $this->format( $value, $name, $options, $pod, $id ); - - return $value; + return $this->format( $value, $name, $options, $pod, $id ); } /** diff --git a/classes/fields/oembed.php b/classes/fields/oembed.php index 44deb8d79a..9d6ab95bce 100644 --- a/classes/fields/oembed.php +++ b/classes/fields/oembed.php @@ -272,7 +272,7 @@ public function strip_html( $value, $options = null ) { } // Strip HTML - $value = strip_tags( $value ); + $value = wp_strip_all_tags( $value ); // Strip shortcodes $value = strip_shortcodes( $value ); diff --git a/classes/fields/pick.php b/classes/fields/pick.php index 1add3bd1d3..e3d714cb0c 100644 --- a/classes/fields/pick.php +++ b/classes/fields/pick.php @@ -2349,8 +2349,8 @@ public function get_object_data( $object_params = null ) { $ids = wp_list_pluck( $ids, $search_data->field_id ); } - if ( $params['limit'] < count( $ids ) ) { - $params['limit'] = count( $ids ); + if ( $params['limit'] < count( (array) $ids ) ) { + $params['limit'] = count( (array) $ids ); } if ( is_array( $ids ) ) { diff --git a/components/Templates/Templates.php b/components/Templates/Templates.php index b163867f90..1401ec4b56 100644 --- a/components/Templates/Templates.php +++ b/components/Templates/Templates.php @@ -491,11 +491,12 @@ public function save_meta( $_null, $post_ID = null, $meta_key = null, $meta_valu * @param string $code Custom template code to use instead * @param object $obj The Pods object * @param bool $deprecated Whether to use deprecated functionality based on old function usage + * @param bool $check_access Whether to check access for Posts that are Password-protected. * * @return mixed|string|void * @since 2.0.0 */ - public static function template( $template_name, $code = null, $obj = null, $deprecated = false ) { + public static function template( $template_name, $code = null, $obj = null, $deprecated = false, $check_access = false ) { if ( ! empty( $obj ) ) { self::$obj =& $obj; @@ -548,16 +549,41 @@ public static function template( $template_name, $code = null, $obj = null, $dep $code = apply_filters( 'pods_templates_pre_template', $code, $template, $obj ); $code = apply_filters( "pods_templates_pre_template_{$slug}", $code, $template, $obj ); + $info = $check_access ? pods_info_from_args( [ 'pods' => $obj ] ) : []; + ob_start(); if ( ! empty( $code ) ) { // Only detail templates need $this->id if ( empty( $obj->id ) ) { while ( $obj->fetch() ) { + $info['item_id'] = $obj->id(); + + // Ensure the post is not password protected. + if ( + $check_access + && ( + pods_access_bypass_post_with_password( $info ) + || pods_access_bypass_private_post( $info ) + ) + ) { + continue; + } + echo self::do_template( $code, $obj ); } } else { - echo self::do_template( $code, $obj ); + $info['item_id'] = $obj->id(); + + if ( + ! $check_access + || ( + ! pods_access_bypass_post_with_password( $info ) + && ! pods_access_bypass_private_post( $info ) + ) + ) { + echo self::do_template( $code, $obj ); + } } } elseif ( $template_name == trim( preg_replace( '/[^a-zA-Z0-9_\-\/]/', '', $template_name ), ' /-' ) ) { $default_templates = array( @@ -570,10 +596,33 @@ public static function template( $template_name, $code = null, $obj = null, $dep if ( empty( $obj->id ) ) { while ( $obj->fetch() ) { + $info['item_id'] = $obj->id(); + + // Ensure the post is not password protected. + if ( + $check_access + && ( + pods_access_bypass_post_with_password( $info ) + || pods_access_bypass_private_post( $info ) + ) + ) { + continue; + } + pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); } } else { - pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); + $info['item_id'] = $obj->id(); + + if ( + ! $check_access + || ( + ! pods_access_bypass_post_with_password( $info ) + && ! pods_access_bypass_private_post( $info ) + ) + ) { + pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) ); + } } }//end if diff --git a/components/Templates/includes/functions-view_template.php b/components/Templates/includes/functions-view_template.php index 98b9f8a8f6..a69f0e7d1e 100644 --- a/components/Templates/includes/functions-view_template.php +++ b/components/Templates/includes/functions-view_template.php @@ -10,7 +10,6 @@ add_filter( 'pods_templates_do_template', 'frontier_do_shortcode', 25, 1 ); // template shortcode handlers -add_shortcode( 'pod_sub_template', 'frontier_do_subtemplate' ); add_shortcode( 'pod_once_template', 'frontier_template_once_blocks' ); add_shortcode( 'pod_after_template', 'frontier_template_blocks' ); add_shortcode( 'pod_before_template', 'frontier_template_blocks' ); @@ -317,12 +316,14 @@ function frontier_do_subtemplate( $atts, $content ) { $target_id = $entry['term_id']; } - $out .= pods_shortcode( + $out .= pods_shortcode_run_safely( array( 'name' => $field['pick_val'], 'slug' => $target_id, 'index' => $key, - ), $template + ), + $template, + false ); }//end foreach @@ -492,6 +493,10 @@ function frontier_prefilter_template( $code, $template, $pod ) { 'if' => 'pod_if_field', ); + if ( ! shortcode_exists( 'pod_sub_template' ) ) { + add_shortcode( 'pod_sub_template', 'frontier_do_subtemplate' ); + } + $commands = array_merge( $commands, get_option( 'pods_frontier_extra_commands', array() ) ); /** diff --git a/includes/access.php b/includes/access.php new file mode 100644 index 0000000000..08e12a6d4e --- /dev/null +++ b/includes/access.php @@ -0,0 +1,1682 @@ + null, + 'object_name' => null, + 'item_id' => null, + 'pods' => null, + 'pod' => null, + ]; + + $build_pods = false; + $build_pod = false; + + if ( isset( $args['build_pods'] ) ) { + $build_pods = $args['build_pods']; + + unset( $args['build_pods'] ); + } + + if ( isset( $args['build_pod'] ) ) { + $build_pod = $args['build_pod']; + + unset( $args['build_pod'] ); + } + + // Merge in the args with the defaults. + $info = array_merge( $info, $args ); + + $object_type_set = null !== $info['object_type']; + $object_name_set = null !== $info['object_name']; + + // Maybe auto-set the object name from the type if we can. + if ( + $object_type_set + && ! $object_name_set + && in_array( $info['object_type'], [ 'comment', 'media', 'user' ], true ) + ) { + $info['object_name'] = $info['object_type']; + + $object_name_set = true; + } + + // Normalize the Pods info to null if it's not valid. + if ( + $info['pods'] instanceof Pods + && ! $info['pods']->valid() + ) { + $info['pods'] = null; + } + + // Maybe build the Pods object from the info. + if ( + $build_pods + && $object_name_set + && ! $info['pods'] instanceof Pods + ) { + $pods = pods( $info['object_name'], $info['item_id'], true ); + + if ( + $pods instanceof Pods + && $pods->valid() + && ( + empty( $info['object_type'] ) + || $info['object_type'] === $pods->pod_data['type'] + ) + ) { + $info['pods'] = $pods; + + if ( ! is_array( $info['pod'] ) ) { + $info['pod'] = $pods->pod_data; + } + } + } elseif ( + $info['pods'] instanceof Pods + && $info['pods']->valid() + && ! is_array( $info['pod'] ) + ) { + $info['pod'] = $info['pods']->pod_data; + } + + // Maybe build the Pod object from the info. + if ( + $build_pod + && $object_name_set + && ! is_array( $info['pod'] ) + ) { + try { + $pod = pods_api()->load_pod( [ + 'name' => $info['object_name'], + ] ); + } catch ( Exception $e ) { + $pod = null; + } + + if ( + is_array( $pod ) + && ( + empty( $info['object_type'] ) + || $info['object_type'] === $pod['type'] + ) + ) { + $info['pod'] = $pod; + } + } + + if ( is_array( $info['pod'] ) ) { + $info['object_type'] = $info['pod']['type']; + $info['object_name'] = $info['pod']['name']; + } + + return $info; +} + +/** + * Determine whether the current user has access to an object. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * @param int|null $user_id The user ID to check against, set to 0 or null for anonymous access check. + * @param string $access_type The type of access to check for (read, add, edit, delete). + * @param string|null $context The unique slug that can be referenced by hooks for context. + * + * @return bool Whether the current user has access to an object. + */ +function pods_user_can_access_object( array $args, $user_id, $access_type = 'edit', $context = null ) { + $info = pods_info_from_args( $args ); + + if ( null === $user_id ) { + $user_id = 0; + } + + // Check if the user exists. + $user = get_userdata( $user_id ); + + if ( ! $user || is_wp_error( $user ) ) { + // If the user does not exist and it was not anonymous, do not allow access to an invalid user. + if ( 0 < $user_id ) { + return false; + } + + // If the user was 0 to begin with (anonymous) then set up a user object to work with. + $user = new WP_User(); + } + + // Determine if this is a user in WP that has full access. + if ( $user_id && pods_is_admin() ) { + return true; + } + + if ( 'pod' === $info['object_type'] || 'table' === $info['object_type'] ) { + // If no object name is provided, we cannot check access. + if ( empty( $info['object_name'] ) ) { + return false; + } + + // Determine if this user has full content access. + if ( $user->has_cap('pods_content' ) ) { + return true; + } + } + + $capabilities = pods_access_map_capabilities( $info, $user_id ); + + // Unsupported capabilities returned. + if ( null === $capabilities ) { + return false; + } + + /** + * Allow filtering the list of capabilities used for checking access against an object. + * + * @since 3.1.0 + * + * @param array $capabilities The list of capabilities used for checking access against an object. + * @param int $user_id The user ID to check against. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + * @param string $access_type The type of access to check for (read, add, edit, delete). + * @param string|null $context The unique slug that can be referenced by hooks for context. + */ + $capabilities = (array) apply_filters( + 'pods_user_can_access_object_get_capabilities', + $capabilities, + $user_id, + $info, + $access_type, + $context + ); + + // No capability mapped, do not allow access. + if ( ! array_key_exists( $access_type, $capabilities ) ) { + return false; + } + + /** + * Allow filtering whether a user has access to an object before the normal capability check runs. + * + * @since 3.1.0 + * + * @param null|bool $can_access Whether a user has access to an object (return null to run normal check). + * @param int $user_id The user ID to check against. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + * @param string $access_type The type of access to check for (read, add, edit, delete). + * @param string|null $context The unique slug that can be referenced by hooks for context. + * @param array $capabilities The list of capabilities used for checking access against an object. + */ + $can_access = apply_filters( + 'pods_user_can_access_object_pre_check', + null, + $user_id, + $info, + $access_type, + $context, + $capabilities + ); + + // Check for access override and return that instead. + if ( null !== $can_access ) { + return $can_access; + } + + // If we are allowing all access, null will be set for the capability. + if ( null === $capabilities[ $access_type ] ) { + $can_access = true; + } else { + // Support multiple capability checks ("OR" logic). + $capabilities[ $access_type ] = (array) $capabilities[ $access_type ]; + + $can_access = false; + + foreach ( $capabilities[ $access_type ] as $capability ) { + if ( $info['item_id'] ) { + $can_access = $user->has_cap( $capability, $info['item_id'] ); + } else { + $can_access = $user->has_cap( $capability ); + } + + if ( $can_access ) { + break; + } + } + } + + $is_read_access = 'read' === $access_type; + + // Check for password-protected post. + if ( + $can_access + && 'post_type' === $info['object_type'] + && $info['item_id'] + && ( + ( + $is_read_access + && pods_access_bypass_post_with_password( $info ) + ) + || ( + ! $is_read_access + && post_password_required( $info['item_id'] ) + ) + ) + ) { + $can_access = false; + } + + /** + * Allow filtering whether a user has access to an object after the normal capability check runs. + * + * @since 3.1.0 + * + * @param bool $can_access Whether a user has access to an object. + * @param int $user_id The user ID to check against. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + * @param string $access_type The type of access to check for (read, add, edit, delete). + * @param string|null $context The unique slug that can be referenced by hooks for context. + * @param array $capabilities The list of capabilities used for checking access against an object. + */ + return (bool) apply_filters( + 'pods_user_can_access_object', + $can_access, + $user_id, + $info, + $access_type, + $context, + $capabilities + ); +} + +/** + * Determine whether the current user has access to an object. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * @param string $access_type The type of access to check for (read, add, edit, delete). + * @param string|null $context The unique slug that can be referenced by hooks for context. + * + * @return bool Whether the current user has access to an object. + */ +function pods_current_user_can_access_object( array $args, $access_type = 'edit', $context = null ) { + $user_id = null; + + if ( is_user_logged_in() ) { + $user_id = get_current_user_id(); + } + + return pods_user_can_access_object( $args, $user_id, $access_type, $context ); +} + +/** + * Build and map the capabilities that a specific object type/name/ID have in relation to a user ID. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * @param int|null $user_id The user ID accessing the object. + * @param bool $strict Whether to strictly get the capabilities or have the 'read' capability evaluate to null if it's public (defaults to false). + * + * @return array|null The capabilities that a specific object type/name/ID have in relation to a user ID, or null if invalid. + */ +function pods_access_map_capabilities( array $args, $user_id = null, $strict = false ) { + $args['build_pods'] = true; + $args['build_pod'] = true; + + $info = pods_info_from_args( $args ); + + // If no object type or name, we cannot check access. + if ( empty( $info['object_type'] ) || empty( $info['object_name'] ) ) { + return null; + } + + $wp_object = null; + + $capabilities = []; + + if ( 'post_type' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + if ( $info['item_id'] ) { + $capabilities['read'] = 'read_post'; + $capabilities['edit'] = 'edit_post'; + $capabilities['delete'] = 'delete_post'; + } else { + $capabilities['read'] = 'read'; + $capabilities['edit'] = 'edit_posts'; + $capabilities['delete'] = 'delete_posts'; + } + + $capabilities['add'] = 'create_posts'; + $capabilities['read_private'] = 'read_private_posts'; + $capabilities['edit_others'] = 'edit_others_posts'; + $capabilities['delete_others'] = 'delete_others_posts'; + $capabilities['delete_published'] = 'delete_published_posts'; + $capabilities['delete_private'] = 'delete_private_posts'; + + // Maybe map capabilities to the post type. + $wp_object = get_post_type_object( $info['object_name'] ); + + if ( $info['item_id'] ) { + $post = get_post( $info['item_id'] ); + + // If the post was found, do fine-grained access checks. + if ( $post instanceof WP_Post ) { + $status_obj = get_post_status_object( $post->post_status ); + + // Check if the person is allowed to read other posts. + if ( + $user_id + && $post->post_author + && (int) $user_id === (int) $post->post_author + ) { + // This is their own post, they can have access. + $capabilities['read'] = 'read'; + } elseif ( + ! $status_obj + || $status_obj->private + ) { + // This is a private post, check private post capability. + $capabilities['read'] = $capabilities['read_private']; + } + } + } + } elseif ( 'taxonomy' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + $capabilities['read'] = 'read'; + $capabilities['add'] = 'manage_terms'; + $capabilities['edit'] = 'edit_terms'; + $capabilities['delete'] = 'delete_terms'; + + // Maybe map capabilities to the post type. + $wp_object = get_taxonomy( $info['object_name'] ); + } elseif ( 'user' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + $capabilities['read'] = 'list_users'; + $capabilities['add'] = 'create_users'; + $capabilities['edit'] = 'edit_users'; + $capabilities['delete'] = 'delete_users'; + + // If an object ID is provided, check for access for that specific user. + if ( ! empty( $info['item_id'] ) ) { + $capabilities['edit'] = 'edit_user'; + $capabilities['delete'] = 'delete_user'; + } + + // Fake the WP object for the logic below. + $wp_object = (object) [ + 'public' => false, + 'cap' => (object) [], + ]; + } elseif ( 'media' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + $capabilities['read'] = 'read'; + $capabilities['add'] = 'upload_files'; + $capabilities['edit'] = 'upload_files'; + $capabilities['delete'] = 'upload_files'; + + // Fake the WP object for the logic below. + $wp_object = (object) [ + 'public' => false, + 'cap' => (object) [], + ]; + } elseif ( 'comment' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + $capabilities['read'] = 'read'; + $capabilities['add'] = 1 === (int) get_option( 'comment_registration' ) ? 'read' : null; + $capabilities['edit'] = 'moderate_comments'; + $capabilities['delete'] = 'moderate_comments'; + + // If an object ID is provided, check for access for that specific user. + if ( ! empty( $info['item_id'] ) ) { + $capabilities['edit'] = 'edit_comment'; + } + + // Fake the WP object for the logic below. + $wp_object = (object) [ + 'public' => true, + 'cap' => (object) [], + ]; + } elseif ( 'settings' === $info['object_type'] ) { + $capabilities['read'] = 'manage_options'; + $capabilities['edit'] = 'manage_options'; + $capabilities['delete'] = 'manage_options'; + + // Fake the WP object for the logic below. + $wp_object = (object) [ + 'public' => false, + 'cap' => (object) [], + ]; + } elseif ( 'pod' === $info['object_type'] || 'table' === $info['object_type'] ) { + $info['item_id'] = (int) $info['item_id']; + + $capabilities['read'] = 'pods_read_' . $info['object_name']; + $capabilities['add'] = 'pods_add_' . $info['object_name']; + $capabilities['edit'] = 'pods_edit_' . $info['object_name']; + $capabilities['delete'] = 'pods_delete_' . $info['object_name']; + $capabilities['edit_others'] = 'pods_edit_others_' . $info['object_name']; + $capabilities['delete_others'] = 'pods_delete_others_' . $info['object_name']; + + $is_public = false; + + if ( $info['pods'] instanceof Pods && is_array( $info['pod'] ) ) { + // If an object ID is provided, check for access for that specific item. + if ( $info['item_id'] && $info['pods']->exists() ) { + // Check for author field. + $author_field = pods_v( 'author', $info['pod']['fields'] ); + + $author_user_id = $author_field ? (int) $info['pods']->field( $author_field['name'] . '.ID' ) : null; + + // If we have an author field, check if they are the author. + if ( $author_field ) { + if ( $user_id && $author_user_id === $user_id ) { + // This is their own post, they can also have access if have edit access. + $capabilities['read'] = [ + $capabilities['read'], + 'pods_edit_' . $info['object_name'], + ]; + } else { + // This is not their post, check if they have access to others. + $capabilities['edit'] = 'pods_edit_others_' . $info['object_name']; + $capabilities['delete'] = 'pods_delete_others_' . $info['object_name']; + } + } + } + + $is_public = pods_v( 'public', $info['pod'] ); + $is_public = filter_var( $is_public, FILTER_VALIDATE_BOOLEAN ); + + // Fake the WP object for the logic below. + $wp_object = (object) [ + 'public' => $is_public, + 'cap' => (object) [], + ]; + } + + if ( $is_public ) { + $capabilities['read'] = 'read'; + } + } + + // If no post type object is found, we cannot check access. + if ( ! $wp_object ) { + return null; + } + + // Check if there are any capabilities mapped for this type object. + foreach ( $capabilities as $access_type => $capability ) { + if ( $capability ) { + if ( is_array( $capability ) ) { + foreach ( $capability as $k => $cap ) { + if ( isset( $wp_object->cap->{$cap} ) ) { + $capabilities[ $access_type ][ $k ] = $wp_object->cap->{$cap}; + } + } + } elseif ( isset( $wp_object->cap->{$capability} ) ) { + $capabilities[ $access_type ] = $wp_object->cap->{$capability}; + } + } + } + + // If the object is public, allow read for anyone even logged out. + if ( ! $strict && $wp_object->public && 'read' === $capabilities['read'] && ! $user_id ) { + $capabilities['read'] = null; + } + + /** + * Allow filtering the list of capabilities used for checking access against an object type or singular object. + * + * @since 3.1.0 + * + * @param array $capabilities The list of capabilities used for checking access against an object type or singular object. + * @param int $user_id The user ID to check against. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + */ + return (array) apply_filters( + 'pods_access_map_capabilities', + $capabilities, + $user_id, + $info + ); +} + +/** + * Determine whether the object type/name is public. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * @param string $context The context we are checking from (defaults to shortcode). + * + * @return bool Whether the object type/name is public. + */ +function pods_is_type_public( array $args, $context = 'shortcode' ) { + $args['build_pod'] = true; + + $info = pods_info_from_args( $args ); + + $is_public = true; + + $pod_has_public = null; + + $is_post_type = 'post_type' === $info['object_type']; + $is_taxonomy = 'taxonomy' === $info['object_type']; + $is_pod = 'pod' === $info['object_type']; + $is_settings_pod = 'settings' === $info['object_type']; + + $is_shortcode_context = 'shortcode' === $context; + + if ( + is_array( $info['pod'] ) + && ( + $is_post_type + || $is_taxonomy + || $is_pod + || $is_settings_pod + ) + ) { + $is_extended = ! empty( $info['pod']['object'] ); + + if ( ! $is_extended ) { + $is_public = pods_v( 'public', $info['pod'] ); + + if ( null !== $is_public ) { + $pod_has_public = true; + + $is_public = filter_var( $is_public, FILTER_VALIDATE_BOOLEAN ); + + if ( $is_post_type || $is_taxonomy ) { + $is_public = $is_public && 1 === (int) pods_v( 'publicly_queryable', $info['pod'], $is_public ); + } + } + } + } + + // Maybe handle looking up the visibility based on the object type. + if ( null === $pod_has_public ) { + if ( $is_post_type ) { + // If no object name is provided, we cannot check if it is public. + if ( empty( $info['object_name'] ) ) { + $is_public = false; + } else { + $post_type_object = get_post_type_object( $info['object_name'] ); + + // Post type not found. + if ( ! $post_type_object ) { + $is_public = false; + } else { + $is_public = $post_type_object->public && $post_type_object->publicly_queryable; + } + } + } elseif ( $is_taxonomy ) { + // If no object name is provided, we cannot check if it is public. + if ( empty( $info['object_name'] ) ) { + $is_public = false; + } else { + $taxonomy_object = get_taxonomy( $info['object_name'] ); + + // Post type not found. + if ( ! $taxonomy_object ) { + $is_public = false; + } else { + $is_public = $taxonomy_object->public && $taxonomy_object->publicly_queryable; + } + } + } elseif ( 'user' === $info['object_type'] ) { + // Users are not public for shortcodes. + if ( $is_shortcode_context ) { + $is_public = false; + } + } elseif ( $is_pod || $is_settings_pod ) { + // Pods need special default handling for shortcodes. + if ( $is_shortcode_context ) { + $first_pods_version = get_option( 'pods_framework_version_first' ); + $first_pods_version = '' === $first_pods_version ? PODS_VERSION : $first_pods_version; + + $is_public = version_compare( $first_pods_version, '3.1.0-a-1', '<' ) ? true : false; + } + } + } + + /** + * Allow filtering whether the object type/name is public. + * + * @since 3.1.0 + * + * @param bool $is_public Whether the object type/name is public. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + * @param string|null $context The context we are checking from (shortcode or null). + * @param Pod|null $pod The Pod object if set. + */ + return (bool) apply_filters( + 'pods_is_type_public', + $is_public, + $info, + $context + ); +} + +/** + * Determine whether a post should be bypassed because it it has a password. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * + * @return bool Whether a post should be bypassed because it it has a password. + */ +function pods_access_bypass_post_with_password( array $args ) { + $info = pods_info_from_args( $args ); + + if ( 'post_type' !== $info['object_type'] || ! $info['item_id'] ) { + return false; + } + + $post = get_post( (int) $info['item_id'] ); + + if ( ! $post instanceof WP_Post ) { + return false; + } + + // Bypass posts that have a password required but not provided. + $bypass_post_with_password = post_password_required( $post ); + + /** + * Allow filtering whether a post should be bypassed because it it has a password. + * + * @since 3.1.0 + * + * @param bool $bypass_post_with_password Whether a post should be bypassed because it it has a password. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + */ + return (bool) apply_filters( + 'pods_access_bypass_post_with_password', + $bypass_post_with_password, + $info + ); +} + +/** + * Determine whether a post should be bypassed because it is private and capabilities are not met. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * + * @return bool Whether a post should be bypassed because it is private and capabilities are not met. + */ +function pods_access_bypass_private_post( array $args ) { + $info = pods_info_from_args( $args ); + + if ( 'post_type' !== $info['object_type'] || ! $info['item_id'] ) { + return false; + } + + $post = get_post( $info['item_id'] ); + + if ( ! $post instanceof WP_Post ) { + return false; + } + + $status_obj = get_post_status_object( $post->post_status ); + + $bypass_private_post = false; + + if ( + ! is_object( $status_obj ) || + ! empty( $status_obj->internal ) || + ! empty( $status_obj->protected ) + ) { + $is_public = false; + } else { + $is_public = ! empty( $status_obj->publicly_queryable ) || ( ! empty( $status_obj->_builtin ) && ! empty( $status_obj->public ) ); + } + + if ( ! $is_public ) { + $bypass_private_post = ! pods_current_user_can_access_object( $info, 'read' ); + } + + /** + * Allow filtering whether a post should be bypassed because it is private. + * + * @since 3.1.0 + * + * @param bool $bypass_private_post Whether a post should be bypassed because it is private. + * @param array $info { + * The normalized Pod information referenced. + * + * @type string|null $object_type The object type (if set). + * @type string|null $object_name The object name (if set). + * @type int|string|null $item_id The item ID (if set). + * @type Pods|null $pods The Pods object (if built or provided). + * @type Pod|null $pod The Pod object (if built or provided). + * } + */ + return (bool) apply_filters( + 'pods_access_bypass_private_post', + $bypass_private_post, + $info + ); +} + +/** + * Determine whether dynamic features can be used. + * + * @since 3.1.0 + * + * @return bool Whether dynamic features can be used. + */ +function pods_can_use_dynamic_features( $pod = null ) { + if ( defined( 'PODS_DYNAMIC_FEATURES_ALLOW' ) ) { + return PODS_DYNAMIC_FEATURES_ALLOW; + } + + $can_use_dynamic_features = apply_filters( 'pods_access_can_use_dynamic_features', null, $pod ); + + if ( is_bool( $can_use_dynamic_features ) ) { + return $can_use_dynamic_features; + } + + $dynamic_features_allow = true; + + if ( is_array( $pod ) ) { + $dynamic_features_allow = pods_is_type_public( + [ + 'pod' => $pod, + ] + ); + } + + return $dynamic_features_allow; +} + +/** + * Determine whether any or a specific dynamic feature can be used. + * + * @since 3.1.0 + * + * @param string $type The dynamic feature type. + * + * @return bool Whether any or a specific dynamic feature can be used. + */ +function pods_can_use_dynamic_feature( $type ) { + if ( ! pods_can_use_dynamic_features() ) { + return false; + } + + if ( empty( $type ) ) { + return false; + } + + // Handle the constants. + if ( 'view' === $type && defined( 'PODS_SHORTCODE_ALLOW_VIEWS' ) && ! PODS_SHORTCODE_ALLOW_VIEWS ) { + return false; + } + + $can_use_dynamic_feature = apply_filters( 'pods_access_can_use_dynamic_feature', null, $type ); + + if ( is_bool( $can_use_dynamic_feature ) ) { + return $can_use_dynamic_feature; + } + + $dynamic_features_enabled = [ + 'display', + 'form', + ]; + + $constant_dynamic_features_enabled = defined( 'PODS_DYNAMIC_FEATURES_ENABLED' ) ? PODS_DYNAMIC_FEATURES_ENABLED : false; + + if ( false !== $constant_dynamic_features_enabled && ! is_array( $constant_dynamic_features_enabled ) ) { + $constant_dynamic_features_enabled = explode( ',', $constant_dynamic_features_enabled ); + $constant_dynamic_features_enabled = array_filter( $constant_dynamic_features_enabled ); + + $dynamic_features_enabled = $constant_dynamic_features_enabled; + } + + if ( empty( $dynamic_features_enabled ) ) { + return false; + } + + return in_array( $type, $dynamic_features_enabled, true ); +} + +/** + * Determine whether specific dynamic feature is unrestricted. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * + * @param string $type The dynamic feature type. + * @param string $mode The dynamic feature mode (like "add" or "edit" for the form feature). + * + * @return bool Whether specific dynamic feature is unrestricted. + */ +function pods_can_use_dynamic_feature_unrestricted( array $args, $type, $mode = null ) { + if ( ! pods_can_use_dynamic_feature( $type ) ) { + return false; + } + + if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICT' ) && ! PODS_DYNAMIC_FEATURES_RESTRICT ) { + return true; + } + + $can_use_dynamic_features_unrestricted = apply_filters( 'pods_access_can_use_dynamic_features_unrestricted', null, $args, $type, $mode ); + + if ( is_bool( $can_use_dynamic_features_unrestricted ) ) { + return $can_use_dynamic_features_unrestricted; + } + + $can_use_unrestricted = false; + + $args['build_pod'] = true; + + $info = pods_info_from_args( $args ); + + if ( ! $info['pod'] ) { + $can_use_unrestricted = false; + } else { + $is_public_content_type = pods_is_type_public( $info ); + + $default_restricted_dynamic_features = [ + 'form', + ]; + + if ( ! $is_public_content_type ) { + $default_restricted_dynamic_features[] = 'display'; + } + + $default_restricted_dynamic_features_forms = [ + 'edit', + ]; + + if ( ! $is_public_content_type ) { + $default_restricted_dynamic_features_forms[] = 'add'; + } + + if ( ! empty( $type ) ) { + $restricted_dynamic_features = $default_restricted_dynamic_features; + + if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICTED' ) && false !== PODS_DYNAMIC_FEATURES_RESTRICTED ) { + $constant_restricted_dynamic_features = PODS_DYNAMIC_FEATURES_RESTRICTED; + + if ( ! is_array( $constant_restricted_dynamic_features ) ) { + $constant_restricted_dynamic_features = explode( ',', $constant_restricted_dynamic_features ); + } + + $restricted_dynamic_features = $constant_restricted_dynamic_features; + } + + $restricted_dynamic_features = array_filter( $restricted_dynamic_features ); + + if ( empty( $restricted_dynamic_features ) ) { + $can_use_unrestricted = true; + } else { + $can_use_unrestricted = ! in_array( $type, $restricted_dynamic_features, true ); + } + + if ( ! $can_use_unrestricted && 'form' === $type && $mode ) { + $restricted_dynamic_features_forms = $default_restricted_dynamic_features_forms; + + if ( defined( 'PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS' ) && false !== PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS ) { + $constant_restricted_dynamic_features_forms = PODS_DYNAMIC_FEATURES_RESTRICTED_FORMS; + + if ( ! is_array( $constant_restricted_dynamic_features_forms ) ) { + $constant_restricted_dynamic_features_forms = explode( ',', $constant_restricted_dynamic_features_forms ); + } + + $restricted_dynamic_features_forms = $constant_restricted_dynamic_features_forms; + } + + $restricted_dynamic_features_forms = array_filter( $restricted_dynamic_features_forms ); + + if ( empty( $restricted_dynamic_features_forms ) ) { + $can_use_unrestricted = true; + } else { + $can_use_unrestricted = ! in_array( $mode, $restricted_dynamic_features_forms, true ); + } + } + } + } + + return $can_use_unrestricted; +} + +/** + * Get the access notice for admin user based on object type and object name. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * + * @param bool $force_message Whether to force the message to show even if messages are hidden by a setting. + * + * @return string The access notice for admin user based on object type and object name. + */ +function pods_get_access_admin_notice( array $args, $force_message = false ) { + $args['build_pod'] = true; + + $info = pods_info_from_args( $args ); + + $identifier_for_html = esc_html( json_encode( [ + 'object_type' => $info['object_type'], + 'object_name' => $info['object_name'], + 'item_id' => $info['item_id'], + ] ) ); + + // Check if constant is hiding all notices. + if ( ! $force_message && defined( 'PODS_ACCESS_HIDE_NOTICES' ) && PODS_ACCESS_HIDE_NOTICES ) { + return ''; + } + + return ''; +} + +/** + * Get the access notice for non-admin user based on object type and object name. + * + * @since 3.1.0 + * + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * @param bool $force_message Whether to force the message to show even if messages are hidden by a setting. + * @param string|null $message A custom message to use for the notice text. + * + * @return string The access notice for non-admin user based on object type and object name. + */ +function pods_get_access_user_notice( array $args, $force_message = false, $message = null ) { + $args['build_pod'] = true; + + $info = pods_info_from_args( $args ); + + $identifier_for_html = esc_html( json_encode( [ + 'object_type' => $info['object_type'], + 'object_name' => $info['object_name'], + 'item_id' => $info['item_id'], + ] ) ); + + // Check for password-protected post. + if ( $info['item_id'] && pods_access_bypass_post_with_password( $info ) ) { + $message = get_the_password_form( $info['item_id'] ); + + return '' . $message; + } + + // Check if constant is hiding all notices. + if ( ! $force_message && defined( 'PODS_ACCESS_HIDE_NOTICES' ) && PODS_ACCESS_HIDE_NOTICES ) { + return ''; + } + + return ''; +} + +/** + * Determine whether a callback can be used. + * + * @since 3.1.0 + * + * @param string|callable $callback The callback to check. + * @param array $params Parameters used by Pods::helper() method. + * + * @return bool Whether the callback can be used. + */ +function pods_access_callback_allowed( $callback, array $params = [] ) { + // Real callables are allowed because they are done through PHP calls. + if ( ! is_string( $callback ) ) { + return true; + } + + if ( ! pods_can_use_dynamic_feature( 'display' ) ) { + return false; + } + + if ( + defined( 'PODS_DISPLAY_CALLBACKS' ) + && ! PODS_DISPLAY_CALLBACKS + ) { + return false; + } + + /** + * Allows changing whether callbacks are allowed to run. + * + * @param bool $allow_callbacks Whether callbacks are allowed to run. + * @param array $params Parameters used by Pods::helper() method. + * + * @since 2.8.0 + */ + $allow_callbacks = (bool) apply_filters( 'pods_helper_allow_callbacks', true, $params ); + + if ( ! $allow_callbacks ) { + return false; + } + + $disallowed = [ + // Regex related. + 'preg_replace', + 'preg_replace_array', + 'preg_replace_callback', + 'preg_replace_callback_array', + 'preg_match', + 'preg_match_all', + // Shell/Eval related. + 'system', + 'exec', + 'passthru', + 'proc_close', + 'proc_get_status', + 'proc_nice', + 'proc_open', + 'proc_terminate', + 'shell_exec', + 'system', + 'eval', + 'create_function', + // File related. + 'popen', + 'include', + 'include_once', + 'require', + 'require_once', + 'file_get_contents', + 'file_put_contents', + 'get_template_part', + // Nonce related. + 'wp_nonce_url', + 'wp_nonce_field', + 'wp_create_nonce', + 'check_admin_referer', + 'check_ajax_referer', + 'wp_verify_nonce', + // PHP related. + 'constant', + 'defined', + 'get_current_user', + 'get_defined_constants', + 'get_defined_functions', + 'get_defined_vars', + 'get_extension_funcs', + 'get_include_path', + 'get_included_files', + 'get_loaded_extensions', + 'get_required_files', + 'get_resources', + 'getenv', + 'getopt', + 'ini_alter', + 'ini_get', + 'ini_get_all', + 'ini_restore', + 'ini_set', + 'php_ini_loaded_file', + 'php_ini_scanned_files', + 'php_sapi_name', + 'php_uname', + 'phpinfo', + 'phpversion', + 'putenv', + // WordPress related. + 'get_userdata', + 'get_currentuserinfo', + 'get_post', + 'get_term', + 'get_comment', + ]; + + $allowed = []; + + if ( defined( 'PODS_DISPLAY_CALLBACKS' ) ) { + $display_callbacks = PODS_DISPLAY_CALLBACKS; + } else { + $display_callbacks = 'restricted'; + } + + if ( '0' === $display_callbacks ) { + return false; + } + + /** + * Allows adjusting the disallowed callbacks as needed. + * + * @param array $disallowed List of callbacks not allowed. + * @param array $params Parameters used by Pods::helper() method. + * + * @since 2.7.0 + */ + $disallowed = apply_filters( 'pods_helper_disallowed_callbacks', $disallowed, $params ); + + /** + * Allows adjusting the allowed callbacks as needed. + * + * @param array $allowed List of callbacks explicitly allowed. + * @param array $params Parameters used by Pods::helper() method. + * + * @since 2.7.0 + */ + $allowed = apply_filters( 'pods_helper_allowed_callbacks', $allowed, $params ); + + // Clean up helper callback (if string). + if ( is_string( $callback ) ) { + $callback = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $callback ) ); + } + + return ( + ! in_array( $callback, $disallowed, true ) + && ( + empty( $allowed ) + || in_array( $callback, $allowed, true ) + ) + ); +} + +/** + * Get the bleep placeholder text. + * + * @since 3.1.0 + * + * @return string The bleep placeholder text. + */ +function pods_access_bleep_placeholder() { + return '****************'; +} + +/** + * Process the value and bleep it if it needs to be. + * + * @since 3.1.0 + * + * @param string|mixed $value The value to be bleeped. + * + * @return string|mixed The bleeped text if not empty, otherwise the value as it was. + */ +function pods_access_bleep_text( $value ) { + $bleep_text = pods_access_bleep_placeholder(); + + if ( 0 < strlen( (string) $value ) ) { + $value = $bleep_text; + } + + return $value; +} + +/** + * Process the data and bleep anything that needs to be. + * + * @since 3.1.0 + * + * @param array|object $data The data to be bleeped. + * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. + * + * @return array|object The bleeped data. + */ +function pods_access_bleep_data( $data, array $additional_bleep_properties = [] ) { + $bleep_properties = [ + 'user_pass', + 'user_activation_key', + 'post_password', + ]; + + /** + * Allow filtering the additional properties to be bleeped from objects and arrays. + * + * @since 3.1.0 + * + * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. + * @param array|object $data The data to be bleeped. + */ + $additional_bleep_properties = apply_filters( 'pods_access_bleep_properties', $additional_bleep_properties, $data ); + + $bleep_properties = array_merge( $bleep_properties, $additional_bleep_properties ); + + $bleep_text = pods_access_bleep_placeholder(); + + if ( is_object( $data ) ) { + foreach ( $bleep_properties as $bleep_property ) { + if ( isset( $data->{$bleep_property} ) ) { + $data->{$bleep_property} = 0 < strlen( (string) $data->{$bleep_property} ) ? $bleep_text : ''; + } + } + } elseif ( is_array( $data ) ) { + foreach ( $bleep_properties as $bleep_property ) { + if ( isset( $data[ $bleep_property ] ) ) { + $data[ $bleep_property ] = 0 < strlen( (string) $data[ $bleep_property ] ) ? $bleep_text : ''; + } + } + } + + return $data; +} + +/** + * Process the data and bleep anything that needs to be. + * + * @since 3.1.0 + * + * @param array $items The items to be bleeped. + * @param array $additional_bleep_properties The additional properties to be bleeped from objects and arrays. + * + * @return array|object The bleeped data. + */ +function pods_access_bleep_items( array $items, array $additional_bleep_properties = [] ) { + // Call the pods_access_bleep_data() function for all items in the $items array. + return array_map( + static function ( $item ) use ( $additional_bleep_properties ) { + return pods_access_bleep_data( $item, $additional_bleep_properties ); + }, + $items + ); +} + +/** + * Determine whether the SQL fragment is allowed to be used. + * + * @since 3.1.0 + * + * @param string $sql The SQL fragment to check. + * @param string $context The SQL fragment context. + * @param string $type The SQL statement type. + * @param array $args { + * The arguments to use. + * + * @type string|null $object_type The object type. + * @type string|null $object_name The object name. + * @type int|string|null $item_id The item ID. + * @type Pods|null $pods The Pods object. + * @type Pod|null $pod The Pod object. + * @type bool $build_pods Whether to try to build a Pods object from the object type/name/ID (false by default). + * @type bool $build_pod Whether to try to build a Pod object from the object type/name (false by default). + * } + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_is_allowed( $sql, $context = 'SELECT', array $args = [] ) { + $context = strtoupper( $context ); + + $info = pods_info_from_args( $args ); + + /** + * Allows filtering whether the SQL fragment is allowed to be used. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * @param string $context The SQL fragment context. + * @param array $info Pod information. + */ + return (bool) apply_filters( 'pods_access_sql_fragment_is_allowed', true, $sql, $context, $info ); +} + +add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_mismatch_parenthesis', 10, 2 ); +add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_unsafe_functions', 10, 2 ); +add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_unsafe_tables', 10, 2 ); +add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_double_hyphens', 10, 2 ); +add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_subqueries', 10, 2 ); +//add_filter( 'pods_access_sql_fragment_is_allowed', 'pods_access_sql_fragment_disallow_post_status', 10, 4 ); + +/** + * Disallow mismatched parenthesis from being used in SQL fragments. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_mismatch_parenthesis( $allowed, $sql ) { + return ( + $allowed + && substr_count( $sql, '(' ) === substr_count( $sql, ')' ) + ); +} + +/** + * Disallow unsafe functions from being used in SQL fragments. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_unsafe_functions( $allowed, $sql ) { + if ( ! $allowed ) { + return $allowed; + } + + $unsafe_functions = [ + 'USER', + 'DATABASE', + 'VERSION', + 'FROM_BASE64', + 'TO_BASE64', + 'SLEEP', + 'WAIT_FOR_EXECUTED_GTID_SET', + 'WAIT_UNTIL_SQL_THREAD_AFTER_GTIDS', + 'MASTER_POS_WAIT', + 'SOURCE_POS_WAIT', + 'LOAD_FILE', + ]; + + /** + * Allow filtering the list of unsafe functions to disallow. + * + * @since 3.1.0 + * + * @param array $unsafe_functions The list of unsafe functions to disallow. + * @param string $sql The SQL fragment to check. + */ + $unsafe_functions = (array) apply_filters( 'pods_access_sql_fragment_disallow_unsafe_functions', $unsafe_functions, $sql ); + + $unsafe_functions = array_filter( $unsafe_functions ); + + foreach ( $unsafe_functions as $unsafe_function ) { + if ( 1 === (int) preg_match( '/\s*' . preg_quote( $unsafe_function, '/' ) . '\s*\(/i', $sql ) ) { + return false; + } + } + + return $allowed; +} + +/** + * Disallow unsafe tables from being used in SQL fragments. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_unsafe_tables( $allowed, $sql ) { + if ( ! $allowed ) { + return $allowed; + } + + $unsafe_tables = [ + 'mysql.', + 'information_schema.', + 'performance_schema.', + 'sys.', + ]; + + /** + * Allow filtering the list of unsafe tables to disallow. + * + * @since 3.1.0 + * + * @param array $unsafe_tables The list of unsafe tables to disallow. + * @param string $sql The SQL fragment to check. + */ + $unsafe_tables = (array) apply_filters( 'pods_access_sql_fragment_disallow_unsafe_tables', $unsafe_tables, $sql ); + + $unsafe_tables = array_filter( $unsafe_tables ); + + foreach ( $unsafe_tables as $unsafe_table ) { + if ( 1 === (int) preg_match( '/\s*' . preg_quote( $unsafe_table, '/' ) . '/i', $sql ) ) { + return false; + } + } + + return $allowed; +} + +/** + * Disallow double hyphens from being used in SQL fragments. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_double_hyphens( $allowed, $sql ) { + return ( + $allowed + && false === strpos( $sql, '--' ) + ); +} + +/** + * Disallow subqueries from being used in SQL fragments. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_subqueries( $allowed, $sql ) { + return ( + $allowed + && 0 === (int) preg_match( '/\s*SELECT(\s|\()+/i', $sql ) + ); +} + +/** + * Disallow post_status from being used in the WHERE/HAVING SQL fragment unless they have admin access. + * + * @since 3.1.0 + * + * @param bool $allowed Whether the SQL fragment is allowed to be used. + * @param string $sql The SQL fragment to check. + * @param string $context The SQL fragment context. + * @param array $info Pod information. + * + * @return bool Whether the SQL fragment is allowed to be used. + */ +function pods_access_sql_fragment_disallow_post_status( $allowed, $sql, $context, array $info ) { + if ( 'WHERE' !== $context && 'HAVING' !== $context ) { + return $allowed; + } + + return ( + $allowed + && ( + false === stripos( $sql, 'post_status' ) + || pods_is_admin( 'edit_posts' ) + ) + ); +} + +/** + * Safely unserialize data if it's PHP serialized. + * + * @since 3.1.0 + * + * @param string|mixed $data The data to unserialize. + * + * @return array|string|mixed The unserialized data if it was PHP serialized, otherwise the data as it was. + */ +function pods_maybe_safely_unserialize( $data ) { + // The $options parameter of unserialize() requires PHP 7.0+. + if ( version_compare( PHP_VERSION, '7.0', '<' ) ) { + // Fall back to normal WP function. + return maybe_unserialize( $data ); + } + + // Check if the data is serialized. + if ( is_serialized( $data ) ) { + $data = trim( $data ); + + // Unserialize the data but exclude classes. + return @unserialize( $data, [ 'allowed_classes' => false ] ); + } + + return $data; +} diff --git a/includes/classes.php b/includes/classes.php index b72c69b9ab..54d154167f 100644 --- a/includes/classes.php +++ b/includes/classes.php @@ -218,17 +218,18 @@ function pods_i18n() { * @param string $cache_mode (optional) Specify the caching method to use for the view, available options include * cache, transient, or site-transient * @param bool $return (optional) Whether to return the view or not, defaults to false and will echo it + * @param bool $limited (optional) Whether to limit the view to only the theme directory, defaults to false * * @return string|bool The view output * * @since 2.0.0 * @link https://pods.io/docs/pods-view/ */ -function pods_view( $view, $data = null, $expires = false, $cache_mode = 'cache', $return = false ) { +function pods_view( $view, $data = null, $expires = false, $cache_mode = 'cache', $return = false, $limited = false ) { require_once PODS_DIR . 'classes/PodsView.php'; - $view = PodsView::view( $view, $data, $expires, $cache_mode ); + $view = PodsView::view( $view, $data, $expires, $cache_mode, $limited ); if ( $return ) { return $view; diff --git a/includes/data.php b/includes/data.php index d32ef93536..3a843b3af4 100644 --- a/includes/data.php +++ b/includes/data.php @@ -371,6 +371,7 @@ function pods_v( $var = null, $type = 'get', $default = null, $strict = false, $ $defaults = array( 'casting' => false, 'allowed' => null, + 'source' => null, ); $params = (object) array_merge( $defaults, (array) $params ); @@ -389,6 +390,46 @@ function pods_v( $var = null, $type = 'get', $default = null, $strict = false, $ } } else { $type = strtolower( (string) $type ); + + if ( $params->source ) { + // Using keys for faster isset() checks instead of in_array(). + $disallowed_types = []; + + if ( 'magic-tag' === $params->source ) { + $disallowed_types = [ + 'server' => false, + 'session' => false, + 'global' => false, + 'globals' => false, + 'cookie' => false, + 'constant' => false, + 'option' => false, + 'site-option' => false, + 'transient' => false, + 'site-transient' => false, + 'cache' => false, + 'pods-transient' => false, + 'pods-site-transient' => false, + 'pods-cache' => false, + 'pods-option-cache' => false, + ]; + } + + /** + * Allow filtering the list of disallowed variable types for the source. + * + * @since 2.9.4 + * + * @param array $disallowed_types The list of disallowed variable types for the source. + * @param string $source The source calling pods_v(). + */ + $disallowed_types = apply_filters( "pods_v_disallowed_types_for_source_{$params->source}", $disallowed_types, $params->source ); + + if ( isset( $disallowed_types[ $type ] ) ) { + return $default; + } + } + switch ( $type ) { case 'get': if ( isset( $_GET[ $var ] ) ) { @@ -629,6 +670,8 @@ function pods_v( $var = null, $type = 'get', $default = null, $strict = false, $ case 'globals': if ( isset( $GLOBALS[ $var ] ) ) { $output = $GLOBALS[ $var ]; + + $output = pods_access_bleep_data( $output ); } break; case 'cookie': @@ -642,13 +685,15 @@ function pods_v( $var = null, $type = 'get', $default = null, $strict = false, $ } break; case 'user': + // Prevent deprecation notice from WP. + if ( 'id' === $var ) { + $var = 'ID'; + } + if ( is_user_logged_in() ) { $user = get_userdata( get_current_user_id() ); - // Prevent deprecation notice from WP. - if ( 'id' === $var ) { - $var = 'ID'; - } + $user = pods_access_bleep_data( $user ); if ( isset( $user->{$var} ) ) { $value = $user->{$var}; @@ -667,7 +712,10 @@ function pods_v( $var = null, $type = 'get', $default = null, $strict = false, $ } elseif ( ! is_array( $value ) && 0 < strlen( $value ) ) { $output = $value; } - }//end if + } elseif ( 'ID' === $var ) { + // Return 0 when logged out and calling the ID. + $output = 0; + } break; case 'option': $output = get_option( $var, $default ); @@ -1172,7 +1220,7 @@ function pods_query_arg( $array = null, $allowed = null, $excluded = null, $url $allowed = array_unique( array_merge( $pods_query_args['allowed'], $allowed ) ); $excluded = array_unique( array_merge( $pods_query_args['excluded'], $excluded ) ); - if ( ! isset( $_GET ) ) { + if ( ! isset( $_GET ) || $url ) { $query_args = array(); } else { $query_args = pods_unsanitize( $_GET ); @@ -1298,8 +1346,8 @@ function pods_cast( $value, $cast_from = null ) { * @since 1.8.9 */ function pods_create_slug( $orig, $strict = true ) { - - $str = preg_replace( '/([_ \\/])/', '-', trim( $orig ) ); + $str = remove_accents( $orig ); + $str = preg_replace( '/([_ \\/])/', '-', trim( $str ) ); if ( $strict ) { $str = preg_replace( '/([^0-9a-z\-])/', '', strtolower( $str ) ); @@ -1401,11 +1449,15 @@ function pods_unique_slug( $slug, $column_name, $pod, $pod_id = 0, $id = 0, $obj * @since 1.2.0 */ function pods_clean_name( $orig, $lower = true, $trim_underscores = false ) { + if ( null === $orig ) { + return ''; + } - $str = trim( $orig ); - $str = preg_replace( '/(\s)/', '_', $str ); - $str = preg_replace( '/([^0-9a-zA-Z\-_])/', '', $str ); - $str = preg_replace( '/(_){2,}/', '_', $str ); + $str = trim( (string) $orig ); + $str = remove_accents( $str ); + $str = preg_replace( '/([^0-9a-zA-Z\-_\s])/', '', $str ); + $str = preg_replace( '/(\s_)/', '_', $str ); + $str = preg_replace( '/(\s+)/', '_', $str ); $str = preg_replace( '/(-){2,}/', '-', $str ); if ( $lower ) { @@ -1448,6 +1500,11 @@ function pods_js_name( $orig, $lower = true ) { * @since 2.0.0 */ function pods_absint( $maybeint, $strict = true, $allow_negative = false ) { + if ( is_null( $maybeint ) ) { + $maybeint = 0; + } elseif ( is_bool( $maybeint ) ) { + $maybeint = (int) $maybeint; + } if ( true === $strict && ! is_numeric( trim( $maybeint ) ) ) { return 0; @@ -1815,24 +1872,43 @@ function pods_evaluate_tag( $tag, $args = array() ) { 'prefix', ); + $pods_v_var = ''; + $pods_v_type = 'get'; + if ( in_array( $tag[0], $single_supported, true ) ) { - $value = pods_v( '', $tag[0], null ); + $pods_v_type = $tag[0]; } elseif ( 1 === count( $tag ) ) { - $value = pods_v( $tag[0], 'get', null ); + $pods_v_var = $tag[0]; } elseif ( 2 === count( $tag ) ) { - $value = pods_v( $tag[1], $tag[0], null ); + $pods_v_var = $tag[1]; + $pods_v_type = $tag[0]; } else { // Some magic tags support traversal. - $value = pods_v( array_slice( $tag, 1 ), $tag[0], null ); + $pods_v_var = array_slice( $tag, 1 ); + $pods_v_type = $tag[0]; } + $value = pods_v( $pods_v_var, $pods_v_type, null, false, [ + 'source' => 'magic-tag', + ] ); + if ( $helper ) { if ( ! $pod instanceof Pods ) { $pod = pods(); } + $value = $pod->helper( $helper, $value ); } + /** + * Allow filtering the evaluated tag value. + * + * @since unknown + * + * @param mixed $value The evaluated tag value. + * @param string $tag The evaluated tag name. + * @param null|mixed $fallback The fallback value to use if not set, should already be sanitized. + */ $value = apply_filters( 'pods_evaluate_tag', $value, $tag, $fallback ); if ( is_array( $value ) && 1 === count( $value ) ) { @@ -1944,15 +2020,7 @@ function pods_serial_comma( $value, $field = null, $fields = null, $and = null, return $value; } - // If something happens with table info, and this is a single select relationship, avoid letting user pass through. - if ( isset( $value['user_pass'] ) ) { - unset( $value['user_pass'] ); - - // Since we know this is a single select, just pass display name through as the fallback. - if ( isset( $value['display_name'] ) ) { - $value = array( $value['display_name'] ); - } - } + $value = pods_access_bleep_data( $value ); $original_value = $value; diff --git a/includes/general.php b/includes/general.php index b0a955fff5..a1c02d8e11 100644 --- a/includes/general.php +++ b/includes/general.php @@ -78,10 +78,11 @@ function pods_do_hook( $scope, $name, $args = null, $obj = null ) { * * @param string $message The notice / error message shown * @param string $type Message type + * @param bool $return Whether to return the message. * - * @return void + * @return string|null The message or null if not returning. */ -function pods_message( $message, $type = null ) { +function pods_message( $message, $type = null, $return = false ) { if ( empty( $type ) || ! in_array( $type, array( 'notice', 'error' ), true ) ) { $type = 'notice'; @@ -95,7 +96,15 @@ function pods_message( $message, $type = null ) { $class = 'error'; } - echo '

    ' . $message . '

    '; + $html = '

    ' . $message . '

    '; + + if ( $return ) { + return $html; + } + + echo $html; + + return null; } $GLOBALS['pods_errors'] = array(); @@ -561,8 +570,8 @@ function pods_help( $text, $url = null ) { return; } - if ( 0 < strlen( $url ) ) { - $text .= '

    ' . __( 'Find out more', 'pods' ) . ' »'; + if ( $url && 0 < strlen( $url ) ) { + $text .= '

    ' . esc_html__( 'Find out more', 'pods' ) . ' »'; } echo '' . esc_attr( $text ) . ''; @@ -750,41 +759,187 @@ function pods_doing_shortcode( $bool = null ) { * Shortcode support for use anywhere that support WP Shortcodes. * Will return error message on failure. * + * @since 1.6.7 + * @since 2.7.13 Try/Catch. + * * @param array $tags An associative array of shortcode properties. * @param string $content A string that represents a template override. * * @return string - * @since 1.6.7 - * @since 2.7.13 Try/Catch. */ function pods_shortcode( $tags, $content = null ) { + return pods_shortcode_run_safely( $tags, $content ); +} + +/** + * Shortcode support for use anywhere that support WP Shortcodes. + * Will return error message on failure. + * + * @since 3.1.0 + * + * @param array $tags An associative array of shortcode properties. + * @param string|null $content A string that represents a template override. + * @param bool $check_display_access_rights Whether to check access rights for the embedded content. + * + * @return string + */ +function pods_shortcode_run_safely( array $tags, $content = null, $check_display_access_rights = true ) { pods_doing_shortcode( true ); + + $return_exception = static function() { + return 'exception'; + }; + + add_filter( 'pods_error_mode', $return_exception, 50 ); + add_filter( 'pods_error_exception_fallback_enabled', '__return_false', 50 ); + + $blog_is_switched = false; + + if ( defined( 'PODS_SHORTCODE_ALLOW_BLOG_SWITCHING' ) && PODS_SHORTCODE_ALLOW_BLOG_SWITCHING && is_multisite() ) { + if ( ! empty( $tags['blog_id'] ) && is_numeric( $tags['blog_id'] ) && (int) get_current_blog_id() !== (int) $tags['blog_id'] ) { + switch_to_blog( (int) $tags['blog_id'] ); + + $blog_is_switched = true; + } + } + try { - $return = pods_shortcode_run( $tags, $content ); - } catch ( Exception $exception ) { - $return = $exception->getMessage(); - if ( ! pods_is_debug_display() ) { - // Logs message. - pods_debug( $return ); - $return = ''; + $return = pods_shortcode_run( $tags, $content, $blog_is_switched, $check_display_access_rights ); + } catch ( Exception $throwable ) { + /** + * Allow filtering whether to throw errors for the shortcode. + * + * @since 3.0.9 + * + * @param bool $throw_errors Whether to throw errors for the shortcode. + */ + $throw_errors = apply_filters( 'pods_shortcode_throw_errors', false ); + + if ( $throw_errors ) { + if ( $blog_is_switched ) { + restore_current_blog(); + } + + throw $throwable; } + + $return = ''; + + if ( pods_is_debug_display() ) { + $return = pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Renderer Error', 'pods' ), + esc_html( $throwable->getMessage() ) + ), + 'error', + true + ); + + $return .= '
    ' . esc_html( $throwable->getTraceAsString() ) . '
    '; + } elseif ( + is_user_logged_in() + && ( + is_admin() + || ( + wp_is_json_request() + && did_action( 'rest_api_init' ) + ) + ) + ) { + $return = pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Renderer Error', 'pods' ), + esc_html__( 'There was a problem displaying this content, enable WP_DEBUG in wp-config.php to show more details.', 'pods' ) + ), + 'error', + true + ); + } + } + + if ( $blog_is_switched ) { + restore_current_blog(); } + + remove_filter( 'pods_error_mode', $return_exception, 50 ); + remove_filter( 'pods_error_exception_fallback_enabled', '__return_false', 50 ); + pods_doing_shortcode( false ); + return $return; } +/** + * Wrap the HTML using attributes for the element. + * + * This is used to support Blocks and other elements that use custom attributes like class and anchor. + * + * @since 2.8.9 + * + * @param string $html The HTML to wrap. + * @param array $attributes List of attributes for the element. + * + * @return string The wrapped HTML. + */ +function pods_wrap_html( $html, $attributes = [] ) { + if ( empty( $attributes ) || '' === trim( $html ) ) { + return $html; + } + + $container = []; + + // Handle support for className. + if ( ! empty( $attributes['className'] ) ) { + $container['class'] = trim( $attributes['className'] ); + } + + // Handle align support. + if ( ! empty( $attributes['align'] ) ) { + if ( empty( $container['class'] ) ) { + $container['class'] = ''; + } + + $container['class'] = trim( 'align' . $attributes['align'] . ' ' . $container['class'] ); + } + + // Handle support for anchor. + if ( ! empty( $attributes['anchor'] ) ) { + $container['id'] = $attributes['anchor']; + } + + if ( empty( $container ) ) { + return $html; + } + + ob_start(); + PodsForm::attributes( $container, '_pods_wrap', '_pods_wrap', $attributes ); + $html_attributes = ob_get_clean(); + + return sprintf( '%2$s', $html_attributes, $html ); +} + /** * Shortcode support for use anywhere that support WP Shortcodes. * - * @param array $tags An associative array of shortcode properties. - * @param string $content A string that represents a template override. + * @since 2.7.13 + * + * @param array $tags An associative array of shortcode properties. + * @param string|null $content A string that represents a template override. + * @param bool $blog_is_switched Whether the blog is switched. + * @param bool $check_display_access_rights Whether to check access rights for the embedded content. * * @return string - * @since 2.7.13 */ -function pods_shortcode_run( $tags, $content = null ) { - +function pods_shortcode_run( $tags, $content = null, $blog_is_switched = false, $check_display_access_rights = true ) { if ( defined( 'PODS_DISABLE_SHORTCODE' ) && PODS_DISABLE_SHORTCODE ) { + if ( empty( $tags['field'] ) && pods_is_admin() ) { + return pods_get_access_admin_notice( [ + 'content' => esc_html__( 'Pods dynamic features are disabled.', 'pods' ), + ] ); + } + return ''; } @@ -847,13 +1002,28 @@ function pods_shortcode_run( $tags, $content = null ) { $defaults = array_merge( $default_other_tags, $default_query_tags ); + $original_tags = $tags; + if ( ! empty( $tags ) ) { $tags = array_merge( $defaults, $tags ); } else { $tags = $defaults; } - $tags = apply_filters( 'pods_shortcode', $tags ); + // Bypass custom select if it might be aliasing or selecting data we don't want to work with. + if ( + ! empty( $tags['select'] ) + && is_string( $tags['select'] ) + && ( + false !== stripos( $tags['select'], 'user_pass' ) + || false !== stripos( $tags['select'], 'user_activation_key' ) + || false !== stripos( $tags['select'], 'post_password' ) + ) + ) { + $tags['select'] = null; + } + + $tags = apply_filters( 'pods_shortcode', $tags, $content, $original_tags ); $tags['pagination'] = filter_var( $tags['pagination'], FILTER_VALIDATE_BOOLEAN ); $tags['search'] = filter_var( $tags['search'], FILTER_VALIDATE_BOOLEAN ); @@ -864,18 +1034,55 @@ function pods_shortcode_run( $tags, $content = null ) { } // Allow views only if not targeting a file path (must be within theme) - if ( 0 < strlen( $tags['view'] ) ) { + if ( $tags['view'] && 0 < strlen( (string) $tags['view'] ) ) { $return = ''; - if ( ! file_exists( $tags['view'] ) ) { - $return = pods_view( $tags['view'], null, (int) $tags['expires'], $tags['cache_mode'], true ); + // Confirm the feature is enabled and the file is allowed. + if ( + pods_can_use_dynamic_feature( 'view' ) + && PodsView::view_get_path( $tags['view'], true ) + ) { + $return = pods_view( $tags['view'], null, (int) $tags['expires'], $tags['cache_mode'], true, true ); if ( $tags['shortcodes'] && defined( 'PODS_SHORTCODE_ALLOW_SUB_SHORTCODES' ) && PODS_SHORTCODE_ALLOW_SUB_SHORTCODES ) { $return = do_shortcode( $return ); } + + $return = pods_wrap_html( $return, $tags ); + } + + /** + * Allow customization of shortcode output based on shortcode attributes. + * + * @since 2.7.9 + * + * @param string $return Shortcode output to return. + * @param array $tags Shortcode attributes. + * @param null|Pods $pod Pods object, or null if 'view' context. + * @param string $context The shortcode context (form, field, pods-page, view, or list). + */ + return apply_filters( 'pods_shortcode_output', $return, $tags, null, 'view' ); + } + + $is_form = ! empty( $tags['form'] ); + + // If the feature is disabled then return early. + if ( $is_form && ! pods_can_use_dynamic_feature( 'form' ) ) { + if ( pods_is_admin() ) { + return pods_get_access_admin_notice( [ + 'content' => esc_html__( 'The Pods Form dynamic feature is disabled and this embed will not show.', 'pods' ), + ] ); } - return $return; + return ''; + } elseif ( ! $is_form && ! pods_can_use_dynamic_feature( 'display' ) ) { + if ( empty( $tags['field'] ) && pods_is_admin() ) { + return pods_get_access_admin_notice( [ + 'content' => esc_html__( 'The Pods Display dynamic feature is disabled and this embed will not show.', 'pods' ), + ] ); + } + + return ''; } if ( ! $tags['use_current'] && empty( $tags['name'] ) ) { @@ -908,7 +1115,15 @@ function pods_shortcode_run( $tags, $content = null ) { } if ( ! $tags['use_current'] && empty( $tags['name'] ) ) { - return '

    ' . __( 'Please provide a Pod name', 'pods' ) . '

    '; + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'Please provide a Pod name.', 'pods' ) + ), + 'error', + true + ); } } @@ -925,7 +1140,15 @@ function pods_shortcode_run( $tags, $content = null ) { } if ( empty( $content ) && empty( $tags['pods_page'] ) && empty( $tags['template'] ) && empty( $tags['field'] ) && empty( $tags['form'] ) ) { - return '

    ' . __( 'Please provide either a template or field name', 'pods' ) . '

    '; + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'Please provide either a template or field name.', 'pods' ) + ), + 'error', + true + ); } if ( ! $tags['use_current'] && ! isset( $id ) ) { @@ -969,7 +1192,15 @@ function pods_shortcode_run( $tags, $content = null ) { } if ( empty( $pod ) || ! $pod->valid() ) { - return '

    ' . __( 'Pod not found', 'pods' ) . '

    '; + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'Pod not found.', 'pods' ) + ), + 'error', + true + ); } $found = 0; @@ -977,47 +1208,181 @@ function pods_shortcode_run( $tags, $content = null ) { $is_singular = ( ! empty( $id ) || $tags['use_current'] ); + $return = ''; + + $info = pods_info_from_args( [ + 'item_id' => $is_singular ? $id : null, + 'pods' => $pod, + ] ); + + // Determine if this is is a public content type. + if ( + $check_display_access_rights + ) { + // Check access rights for editor mode and preview of this embed. + if ( ! empty( $tags['_is_editor_mode'] ) || ! empty( $tags['_is_preview'] ) || is_preview() ) { + $check_post_id = ! empty( $tags['_preview_id'] ) ? (int) $tags['_preview_id'] : get_queried_object_id(); + + if ( ! current_user_can( 'publish_post', $check_post_id ) && ! pods_is_admin() ) { + // Stop display and only return the notice. + return empty( $tags['field'] ) ? pods_get_access_user_notice( $info, true, esc_html__( 'You do not have the capability to preview this Pods embed.', 'pods' ) ) : ''; + } + } + + $access_type = 'read'; + + if ( $is_form ) { + $access_type = $is_singular ? 'edit' : 'add'; + } + + if ( + ! pods_is_type_public( $info ) + || ! pods_can_use_dynamic_feature_unrestricted( $info, $is_form ? 'form' : 'display', $access_type ) + ) { + + // Stop handling the display and return the access notice if they do not have access to the private content type. + if ( ! pods_current_user_can_access_object( $info, $access_type, 'shortcode' ) ) { + // Stop display and only return the notice. + return empty( $tags['field'] ) ? pods_get_access_user_notice( $info ) : ''; + } + + // Show the admin-specific notice that this content may not be visible to others since it is not public. + if ( empty( $tags['field'] ) && pods_is_admin() ) { + // Include the notice in the display output to let the admin know and continue the display. + $return .= pods_get_access_admin_notice( $info ); + } + } elseif ( + $check_display_access_rights + && ( + pods_access_bypass_post_with_password( $info ) + || pods_access_bypass_private_post( $info ) + ) + ) { + // Stop display and only return the notice. + return empty( $tags['field'] ) ? pods_get_access_user_notice( $info ) : ''; + } + } + if ( ! $is_singular ) { $params = array(); if ( ! defined( 'PODS_DISABLE_SHORTCODE_SQL' ) || ! PODS_DISABLE_SHORTCODE_SQL ) { - $evaluate_tags_args = array( + $shortcode_allow_evaluate_tags = pods_shortcode_allow_evaluate_tags(); + + $evaluate_tags_args = [ 'sanitize' => true, 'fallback' => '""', 'use_current_pod' => true, - ); + ]; + + if ( $tags['select'] && 0 < strlen( (string) $tags['select'] ) ) { + if ( ! pods_access_sql_fragment_is_allowed( $tags['select'], 'SELECT', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'SELECT contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } - if ( 0 < strlen( $tags['orderby'] ) ) { - $params['orderby'] = $tags['orderby']; + $params['select'] = $tags['select']; } - if ( 0 < strlen( $tags['where'] ) ) { + if ( $tags['join'] && 0 < strlen( (string) $tags['join'] ) ) { + if ( ! pods_access_sql_fragment_is_allowed( $tags['join'], 'JOIN', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'JOIN contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } + + $params['join'] = $tags['join']; + } + + if ( $tags['where'] && 0 < strlen( (string) $tags['where'] ) ) { + $tags['where'] = ltrim( $tags['where'], ')' ); + + if ( ! pods_access_sql_fragment_is_allowed( $tags['where'], 'WHERE', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'WHERE contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } + $params['where'] = $tags['where']; - if ( pods_shortcode_allow_evaluate_tags() ) { + if ( $shortcode_allow_evaluate_tags ) { $params['where'] = pods_evaluate_tags_sql( html_entity_decode( $params['where'] ), $evaluate_tags_args ); } } - if ( 0 < strlen( $tags['having'] ) ) { + if ( $tags['groupby'] && 0 < strlen( (string) $tags['groupby'] ) ) { + if ( ! pods_access_sql_fragment_is_allowed( $tags['groupby'], 'GROUP BY', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'GROUP BY contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } + + $params['groupby'] = $tags['groupby']; + } + + if ( $tags['having'] && 0 < strlen( (string) $tags['having'] ) ) { + $tags['having'] = ltrim( $tags['having'], ')' ); + + if ( ! pods_access_sql_fragment_is_allowed( $tags['having'], 'HAVING', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'HAVING contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } + $params['having'] = $tags['having']; - if ( pods_shortcode_allow_evaluate_tags() ) { + if ( $shortcode_allow_evaluate_tags ) { $params['having'] = pods_evaluate_tags_sql( html_entity_decode( $params['having'] ), $evaluate_tags_args ); } } - if ( 0 < strlen( $tags['groupby'] ) ) { - $params['groupby'] = $tags['groupby']; - } + if ( $tags['orderby'] && 0 < strlen( (string) $tags['orderby'] ) ) { + if ( ! pods_access_sql_fragment_is_allowed( $tags['orderby'], 'ORDER BY', $info ) ) { + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'ORDER BY contains SQL that is not allowed.', 'pods' ) + ), + 'error', + true + ); + } - if ( 0 < strlen( $tags['select'] ) ) { - $params['select'] = $tags['select']; - } - if ( 0 < strlen( $tags['join'] ) ) { - $params['join'] = $tags['join']; + $params['orderby'] = $tags['orderby']; } - }//end if + } // Load filters and return HTML for later use. if ( false !== $tags['filters'] ) { @@ -1063,69 +1428,162 @@ function pods_shortcode_run( $tags, $content = null ) { $pod->find( $params ); - $found = $pod->total(); + $found = $pod->total_found(); }//end if }//end if - if ( ! empty( $tags['form'] ) ) { + // Handle form output. + if ( $is_form ) { if ( 'user' === $pod->pod ) { - if ( false !== strpos( $tags['fields'], '_capabilities' ) || false !== strpos( $tags['fields'], '_user_level' ) ) { + if ( + false !== strpos( $tags['fields'], '_capabilities' ) + || false !== strpos( $tags['fields'], '_capabilities' ) + || false !== strpos( $tags['fields'], 'role' ) + ) { // Further hardening of User-based forms - return ''; + return pods_get_access_user_notice( $info, false, __( 'You cannot edit role or capabilities for users with Pods', 'pods' ) ); } elseif ( $is_singular && ( ! defined( 'PODS_SHORTCODE_ALLOW_USER_EDIT' ) || ! PODS_SHORTCODE_ALLOW_USER_EDIT ) ) { // Only explicitly allow user edit forms - return ''; + return pods_get_access_user_notice( $info, false, __( 'Edit user profile forms have been disabled on this site.', 'pods' ) ); } } - return $pod->form( $tags['fields'], $tags['label'], $tags['thank_you'] ); - } elseif ( ! empty( $tags['field'] ) ) { + $form_params = [ + 'fields' => $tags['fields'], + 'label' => $tags['label'], + 'thank_you' => $tags['thank_you'], + // We already checked the access so we can bypass this. + 'check_access' => false, + ]; + + $return .= $pod->form( $form_params ); + + $return = pods_wrap_html( $return, $tags ); + + /** + * Allow customization of shortcode output based on shortcode attributes. + * + * @since 2.7.9 + * + * @param string $return Shortcode output to return. + * @param array $tags Shortcode attributes. + * @param null|Pods $pod Pods object, or null if 'view' context. + * @param string $context The shortcode context (form, field, pods-page, view, or list). + */ + return apply_filters( 'pods_shortcode_output', $return, $tags, $pod, 'form' ); + } + + // Handle field output. + if ( ! empty( $tags['field'] ) ) { if ( $tags['template'] || $content ) { - $return = ''; $related = $pod->field( $tags['field'], array( 'output' => 'find' ) ); if ( $related instanceof Pods && $related->valid() ) { // Content is null by default. - $return .= $related->template( $tags['template'], $content ); + $return_output = $related->template( $tags['template'], $content ); + + if ( null !== $return_output ) { + $return .= $return_output; + } } } elseif ( empty( $tags['helper'] ) ) { - $return = $pod->display( $tags['field'] ); + $return_output = $pod->display( $tags['field'] ); + + if ( null !== $return_output ) { + $return .= $return_output; + } else { + $return = ''; + } } else { - $return = $pod->helper( $tags['helper'], $pod->field( $tags['field'] ), $tags['field'] ); + $return_output = $pod->helper( $tags['helper'], $pod->field( $tags['field'] ), $tags['field'] ); + + if ( null !== $return_output ) { + $return .= $return_output; + } else { + $return = ''; + } } if ( $tags['shortcodes'] && defined( 'PODS_SHORTCODE_ALLOW_SUB_SHORTCODES' ) && PODS_SHORTCODE_ALLOW_SUB_SHORTCODES ) { $return = do_shortcode( $return ); } - return $return; - } elseif ( ! empty( $tags['pods_page'] ) && class_exists( 'Pods_Pages' ) ) { + $return = pods_wrap_html( $return, $tags ); + + /** + * Allow customization of shortcode output based on shortcode attributes. + * + * @since 2.7.9 + * + * @param string $return Shortcode output to return. + * @param array $tags Shortcode attributes. + * @param null|Pods $pod Pods object, or null if 'view' context. + * @param string $context The shortcode context (form, field, pods-page, view, or list). + */ + return apply_filters( 'pods_shortcode_output', $return, $tags, $pod, 'field' ); + } + + // Handle Pods Page output. + if ( ! empty( $tags['pods_page'] ) && class_exists( 'Pods_Pages' ) ) { $pods_page = Pods_Pages::exists( $tags['pods_page'] ); if ( empty( $pods_page ) ) { - return '

    Pods Page not found

    '; + return pods_message( + sprintf( + '%1$s: %2$s', + esc_html__( 'Pods Embed Error', 'pods' ), + esc_html__( 'Pods Page not found.', 'pods' ) + ), + 'error', + true + ); } - $return = Pods_Pages::content( true, $pods_page ); + $return .= Pods_Pages::content( true, $pods_page ); if ( $tags['shortcodes'] && defined( 'PODS_SHORTCODE_ALLOW_SUB_SHORTCODES' ) && PODS_SHORTCODE_ALLOW_SUB_SHORTCODES ) { $return = do_shortcode( $return ); } - return $return; + $return = pods_wrap_html( $return, $tags ); + + /** + * Allow customization of shortcode output based on shortcode attributes. + * + * @since 2.7.9 + * + * @param string $return Shortcode output to return. + * @param array $tags Shortcode attributes. + * @param null|Pods $pod Pods object, or null if 'view' context. + * @param string $context The shortcode context (form, field, pods-page, view, or list). + */ + return apply_filters( 'pods_shortcode_output', $return, $tags, $pod, 'pods-page' ); }//end if $pagination = false; // Only handle pagination on non-singular shortcodes where items were found. - if ( ! $is_singular && 0 < $found && $tags['pagination'] ) { - $pagination = array( + if ( + ! $is_singular + && 0 < $found + && ( + empty( $params['limit'] ) + || ( + 0 < $params['limit'] + && $params['limit'] < $found + ) + ) + && true === $tags['pagination'] + ) { + $pagination_params = array( 'label' => pods_v( 'pagination_label', $tags, null ), 'type' => pods_v( 'pagination_type', $tags, null ), ); // Remove empty params. - $pagination = array_filter( $pagination ); + $pagination_params = array_filter( $pagination_params ); + + $pagination = $pod->pagination( $pagination_params ); } ob_start(); @@ -1134,45 +1592,49 @@ function pods_shortcode_run( $tags, $content = null ) { echo $filters; } - if ( false !== $pagination && in_array( $tags['pagination_location'], array( 'before', 'both', ), true ) ) { - echo $pod->pagination( $pagination ); + if ( $pagination && in_array( $tags['pagination_location'], [ 'before', 'both' ], true ) ) { + // phpcs:ignore + echo $pagination; } - $content = $pod->template( $tags['template'], $content ); + $content = $pod->template( $tags['template'], $content, false, true ); - if ( empty( $content ) && ! empty( $tags['not_found'] ) ) { + if ( '' === trim( $content ) && ! empty( $tags['not_found'] ) ) { $content = $pod->do_magic_tags( $tags['not_found'] ); } // phpcs:ignore echo $content; - if ( false !== $pagination && in_array( $tags['pagination_location'], array( 'after', 'both', ), true ) ) { - echo $pod->pagination( $pagination ); + if ( $pagination && in_array( $tags['pagination_location'], [ 'after', 'both' ], true ) ) { + // phpcs:ignore + echo $pagination; } if ( $filters && 'after' === $tags['filters_location'] ) { + // phpcs:ignore echo $filters; } - $return = ob_get_clean(); + $return .= ob_get_clean(); if ( $tags['shortcodes'] && defined( 'PODS_SHORTCODE_ALLOW_SUB_SHORTCODES' ) && PODS_SHORTCODE_ALLOW_SUB_SHORTCODES ) { $return = do_shortcode( $return ); } + $return = pods_wrap_html( $return, $tags ); + /** * Allow customization of shortcode output based on shortcode attributes. * * @since 2.7.9 * - * @param string $return Shortcode output to return. - * @param array $tags Shortcode attributes. - * @param Pods $pod Pods object. + * @param string $return Shortcode output to return. + * @param array $tags Shortcode attributes. + * @param null|Pods $pod Pods object, or null if 'view' context. + * @param string $context The shortcode context (form, field, pods-page, view, or list). */ - $return = apply_filters( 'pods_shortcode_output', $return, $tags, $pod ); - - return $return; + return apply_filters( 'pods_shortcode_output', $return, $tags, $pod, 'list' ); } /** @@ -1463,7 +1925,7 @@ function pods_permission( $options ) { } if ( ! $permission && 1 === (int) pods_v( 'restrict_role', $options, 0 ) ) { - $roles = maybe_unserialize( pods_v( 'roles_allowed', $options ) ); + $roles = pods_maybe_safely_unserialize( pods_v( 'roles_allowed', $options ) ); if ( ! is_array( $roles ) ) { $roles = explode( ',', $roles ); @@ -1481,7 +1943,7 @@ function pods_permission( $options ) { } if ( ! $permission && 1 === (int) pods_v( 'restrict_capability', $options, 0 ) ) { - $capabilities = maybe_unserialize( pods_v( 'capability_allowed', $options ) ); + $capabilities = pods_maybe_safely_unserialize( pods_v( 'capability_allowed', $options ) ); if ( ! is_array( $capabilities ) ) { $capabilities = explode( ',', $capabilities ); diff --git a/init.php b/init.php index 0db54b0fc0..d38f219ee7 100644 --- a/init.php +++ b/init.php @@ -3,7 +3,7 @@ Plugin Name: Pods - Custom Content Types and Fields Plugin URI: https://pods.io/ Description: Pods is a framework for creating, managing, and deploying customized content types and fields -Version: 2.7.31 +Version: 2.7.31.1 Author: Pods Framework Team Author URI: https://pods.io/about/ Text Domain: pods @@ -37,7 +37,7 @@ add_action( 'init', 'pods_deactivate_pods_ui' ); } else { // Current version - define( 'PODS_VERSION', '2.7.31' ); + define( 'PODS_VERSION', '2.7.31.1' ); // Version tracking between DB updates themselves define( 'PODS_DB_VERSION', '2.3.5' ); @@ -71,6 +71,7 @@ } else { global $pods, $pods_init, $pods_form; + require_once PODS_DIR . 'includes/access.php'; require_once PODS_DIR . 'includes/classes.php'; require_once PODS_DIR . 'includes/data.php'; require_once PODS_DIR . 'includes/general.php'; diff --git a/package.json b/package.json index 42e6e9a9c7..c2dfb25ff4 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "pods", - "version": "2.7.31", + "version": "2.7.31.1", "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.", "author": "Pods Foundation, Inc", "homepage": "https://pods.io/", diff --git a/readme.txt b/readme.txt index 0629988903..6d20eccf87 100644 --- a/readme.txt +++ b/readme.txt @@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields, Requires at least: 4.5 Tested up to: 5.8 Requires PHP: 5.3 -Stable tag: 2.7.31 +Stable tag: 2.7.31.1 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -190,6 +190,25 @@ We are also available through our [Live Slack Chat](https://pods.io/chat/) to he == Changelog == += 2.7.31.1 - February 21st, 2024 = + +*Security Release* + +While this release is meant to be as backwards compatible as possible, some aspects of security hardening may require manual intervention by site owners and their developers. There were no known reports and no known attempts to take advantage of the issues resolved by this release except where noted. + +Read more about [How access rights work with Pods](https://docs.pods.io/displaying-pods/access-rights-in-pods/) for more details including new filters/snippets that can provide limited access. + +Upgrade now to Pods 3.1 to get the full benefits of the new Access Rights feature with additional customization settings available. + +* Security hardening: Introduced new access checks and additional fine-grained control over dynamic features across any place in Pods that allows embedding content or forms. This only applies to usage through Pods Blocks or Shortcodes. Using PHP will continue to expect you are handling this on your own unless you pass the appropriate arguments to the corresponding Pods methods. (@sc0ttkclark) +* Security hardening: Prevent using the Pods Views Block / Shortcode to embed any files outside of the current theme. Props to the Nex Team / Wordfence for responsibly reporting this. (@sc0ttkclark) +* Security hardening: Prevent output of `user_pass`, `user_activation_key`, and `post_password` through Pods dynamic features / PHP. These values will be set in Pods references to `****************` if they were not-empty so you can still do conditional checks as normal. While Scott was already aware of this in pre-planned security release work, additional props go to the Nex Team / Wordfence for responsibly reporting this too. (@sc0ttkclark) +* Security hardening: Prevent more unsavory PHP display callbacks from being used with magic tags in addition to those already prevented. Props to the Nex Team / Wordfence for responsibly reporting this. (@sc0ttkclark) +* Security hardening: All SQL fragments used by Dynamic Features are checked for disallowed usage like subqueries. (@sc0ttkclark) +* Feature: Pods Display > The Display-related Pods Blocks and Shortcodes have additional checks that limit access to content based on the user viewing it. For Post Types that are non-public, they must have access to the `read` capability from that post type as a normal user. For displaying content from Users, they must have access to `list_users` capability to view that. [Read more about how access rights work with Pods](https://docs.pods.io/displaying-pods/access-rights-in-pods/) (@sc0ttkclark) +* Feature: Pods Forms > The Pods Form Block and Form Shortcode have additional checks that limit access to creating/editing content based on the user submitting the form. For Post Types that are non-public, they must have access to the 'create' capability from that post type as a normal user. Forms that submit to the Users pod, now require that the submitter must have access to the `create_users` or `edit_users` capability to create or edit that user. [Read more about how access rights work with Pods](https://docs.pods.io/displaying-pods/access-rights-in-pods/) (@sc0ttkclark) +* Feature: Pods Forms > When a user has access to create or edit content through a Pods form for a post type, the `post_content` field is cleaned based on the level of access they have to prevent inserting unintentional shortcodes or blocks. (@sc0ttkclark) + = 2.7.31 - September 23rd, 2021 = * Pods 2.8 is coming on October 11th! Check out the [Pods 2.8 Field Guide](https://pods.io/2021/02/11/pods-2-8-beta-1-released-and-the-field-guide-to-pods-2-8/) for more information. diff --git a/sql/update-1.x.php b/sql/update-1.x.php index 33bf734cc9..7e406f845b 100644 --- a/sql/update-1.x.php +++ b/sql/update-1.x.php @@ -241,7 +241,7 @@ if ( version_compare( $old_version, '1.7.5', '<' ) ) { if ( empty( $pods_roles ) && ! is_array( $pods_roles ) ) { - $pods_roles = @unserialize( get_option( 'pods_roles' ) ); + $pods_roles = pods_maybe_safely_unserialize( get_option( 'pods_roles' ) ); if ( ! is_array( $pods_roles ) ) { $pods_roles = array(); diff --git a/sql/upgrade/PodsUpgrade_2_0_0.php b/sql/upgrade/PodsUpgrade_2_0_0.php index 8653ce229c..858db63e68 100644 --- a/sql/upgrade/PodsUpgrade_2_0_0.php +++ b/sql/upgrade/PodsUpgrade_2_0_0.php @@ -756,7 +756,7 @@ public function migrate_roles() { $old_roles = get_option( 'pods_roles' ); if ( ! is_array( $old_roles ) && ! empty( $old_roles ) ) { - $old_roles = @unserialize( $old_roles ); + $old_roles = pods_maybe_safely_unserialize( $old_roles ); } if ( ! is_array( $old_roles ) ) { diff --git a/ui/admin/components-admin.php b/ui/admin/components-admin.php index a7627dfb16..edd7e6924c 100644 --- a/ui/admin/components-admin.php +++ b/ui/admin/components-admin.php @@ -1,3 +1,9 @@ +

    diff --git a/ui/admin/help.php b/ui/admin/help.php index d3fcae74ca..2f209ac9b7 100644 --- a/ui/admin/help.php +++ b/ui/admin/help.php @@ -1,3 +1,9 @@ +

    diff --git a/ui/admin/postbox-header.php b/ui/admin/postbox-header.php index 893f1d69bd..fa99dd4720 100644 --- a/ui/admin/postbox-header.php +++ b/ui/admin/postbox-header.php @@ -1,4 +1,9 @@
    diff --git a/ui/admin/setup-add.php b/ui/admin/setup-add.php index f82bb69d2c..d84b9316f0 100644 --- a/ui/admin/setup-add.php +++ b/ui/admin/setup-add.php @@ -1,4 +1,9 @@