Add capability check to the getCoauthorsMigrationData ajax callback, S-PPA-002

Author: andergmartins

src/core/Capability.php

@@ -0,0 +1,46 @@
+<?php
+/**
+ * @package     MultipleAuthors\
+ * @author      PublishPress <[email protected]>
+ * @copyright   Copyright (C) 2018 PublishPress. All rights reserved.
+ * @license     GPLv2 or later
+ * @since       1.0.0
+ */
+
+namespace MultipleAuthors;
+
+defined('ABSPATH') or die('No direct script access allowed.');
+
+
+abstract class Capability
+{
+    public static function getManageAuthorsCapability()
+    {
+        return apply_filters('pp_multiple_authors_manage_authors_cap', 'ppma_manage_authors');
+    }
+
+    public static function getManageOptionsCapability()
+    {
+        return apply_filters('pp_multiple_authors_manage_settings_cap', 'manage_options');
+    }
+
+    public static function getEditPostAuthorsCapability()
+    {
+        return apply_filters('pp_multiple_authors_edit_post_authors', 'ppma_edit_post_authors');
+    }
+
+    public static function currentUserCanManageSettings()
+    {
+        return current_user_can(self::getManageOptionsCapability());
+    }
+
+    public static function currentUserCanManageAuthors()
+    {
+        return current_user_can(self::getManageAuthorsCapability());
+    }
+
+    public static function currentUserCanEditPostAuthors()
+    {
+        return current_user_can(self::getEditPostAuthorsCapability());
+    }
+}

src/core/Classes/Installer.php

@@ -23,6 +23,7 @@
 
 namespace MultipleAuthors\Classes;
 
+use MultipleAuthors\Capability;
 use MultipleAuthors\Classes\Objects\Author;
 use WP_Role;
 
@@ -323,9 +324,9 @@ public static function createAuthorTermsForPostsWithLegacyCoreAuthors($args = nu
     private static function addDefaultCapabilitiesForAdministrators()
     {
         $role = get_role('administrator');
-        $role->add_cap('ppma_manage_authors');
-        $role->add_cap('manage_options');
-        $role->add_cap('ppma_edit_post_authors');
+        $role->add_cap(Capability::getManageAuthorsCapability());
+        $role->add_cap(Capability::getManageAuthorsCapability());
+        $role->add_cap(Capability::getEditPostAuthorsCapability());
     }
 
     /**

src/modules/multiple-authors/multiple-authors.php

@@ -21,6 +21,7 @@
  * along with PublishPress.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+use MultipleAuthors\Capability;
 use MultipleAuthors\Classes\Admin_Ajax;
 use MultipleAuthors\Classes\Author_Utils;
 use MultipleAuthors\Classes\Installer;
@@ -1695,8 +1696,7 @@ public function handle_maintenance_task()
                 wp_die(esc_html__('Invalid nonce', 'publishpress-authors'));
             }
 
-            $capability = apply_filters('pp_multiple_authors_manage_settings_cap', 'manage_options');
-            if (! current_user_can($capability)) {
+            if (! Capability::currentUserCanManageSettings()) {
                 wp_die(esc_html__('Access denied', 'publishpress-authors'));
             }
 
@@ -2124,6 +2124,10 @@ public function getCoauthorsMigrationData()
                 wp_send_json_error(null, 403);
             }
 
+            if (! Capability::currentUserCanManageSettings()) {
+                wp_send_json_error(null, 403);
+            }
+
             // nonce: migrate_coauthors
             wp_send_json(
                 [
@@ -2470,7 +2474,7 @@ public function coauthorsMigrationNotice()
                 return;
             }
 
-            if (!current_user_can('manage_options')) {
+            if (! Capability::currentUserCanManageSettings()) {
                 return;
             }
 

src/modules/settings/settings.php

@@ -28,6 +28,7 @@
  * along with PublishPress.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+use MultipleAuthors\Capability;
 use MultipleAuthors\Classes\Legacy\Module;
 use MultipleAuthors\Classes\Legacy\Util;
 use MultipleAuthors\Factory;
@@ -98,7 +99,7 @@ public function action_admin_submenu()
                 MA_Multiple_Authors::MENU_SLUG,
                 esc_html__('Multiple Authors Settings', 'publishpress-authors'),
                 esc_html__('Settings', 'publishpress-authors'),
-                apply_filters('pp_multiple_authors_manage_settings_cap', 'manage_options'),
+                Capability::getManageOptionsCapability(),
                 self::MENU_SLUG,
                 [$this, 'options_page_controller'],
                 20
@@ -297,7 +298,7 @@ public function helper_settings_validate_and_save()
                 return false;
             }
 
-            if (!current_user_can('manage_options') || !wp_verify_nonce($_POST['_wpnonce'], 'edit-publishpress-settings')) {
+            if (!Capability::currentUserCanManageSettings() || !wp_verify_nonce($_POST['_wpnonce'], 'edit-publishpress-settings')) {
                 wp_die(__('Cheatin&#8217; uh?'));
             }