Added access control constants.

sybrew · May 28, 2020 · c32f302 · c32f302
1 parent 54e34ab
commit c32f302
Show file tree

Hide file tree

Showing 24 changed files with 199 additions and 203 deletions.
diff --git a/bootstrap/define.php b/bootstrap/define.php
@@ -63,12 +63,31 @@
 /**
  * The user role required to access the extension overview page.
  *
+ * == WARNING ==
+ * When this constant is used incorrectly, you can expose your site to
+ * unforeseen security risks. We assume the role supplied here is lower than the webmaster's;
+ * for example, in a WPMU environment. However, proceed with caution.
+ *
  * @since 2.0.0
  * @param string
  */
 defined( 'TSF_EXTENSION_MANAGER_MAIN_ADMIN_ROLE' )
 	or define( 'TSF_EXTENSION_MANAGER_MAIN_ADMIN_ROLE', 'manage_options' );
 
+/**
+ * The user role required to access the extension settings.
+ *
+ * == WARNING ==
+ * When this constant is used incorrectly, you can expose your site to
+ * unforeseen security risks. We assume the role supplied here is lower than the webmaster's;
+ * for example, in a WPMU environment. However, proceed with caution.
+ *
+ * @since 2.4.0
+ * @param string
+ */
+defined( 'TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE' )
+	or define( 'TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE', 'manage_options' );
+
 /**
  * The API version to use.
  *

diff --git a/bootstrap/update.php b/bootstrap/update.php
@@ -272,7 +272,7 @@ function _clear_update_cache() {
  *
  * @since 2.0.0
  * @since 2.0.2 Added more cache, because some sites disable transients completely...
- * @since 2.3.2 Can now fetch required (and available) locale files.
+ * @since 2.4.0 Can now fetch required (and available) locale files.
  * @access private
  * @see WP Core \wp_update_plugins()
  * @staticvar $runtimecache.

diff --git a/extensions/essentials/articles/trunk/inc/classes/front.class.php b/extensions/essentials/articles/trunk/inc/classes/front.class.php
@@ -486,82 +486,29 @@ private function get_article_image() {
 	 */
 	private function get_article_image_params() {
 
-		$id = $this->get_current_id();
-
 		$min_width = $this->is_amp() ? 1200 : 696;
 
-		if ( version_compare( THE_SEO_FRAMEWORK_VERSION, '4.0.0', '>=' ) ) {
-
-			$images = [];
-
-			// TODO: Do we want to take images from the content? Users have complained about this...
-			// ... We'd have to implement (and revoke) a filter, however.
-			foreach ( \the_seo_framework()->get_image_details( null, false, 'schema', true ) as $image ) {
-
-				if ( ! $image['url'] ) continue;
-
-				if ( $image['width'] && $image['width'] >= $min_width ) {
-					$images[] = [
-						'@type'  => 'ImageObject',
-						'url'    => $image['url'],
-						'width'  => $image['width'],
-						'height' => $image['height'],
-					];
-				} else {
-					$images[] = $image['url'];
-				}
-			}
-
-			return count( $images ) > 1 ? $images : reset( $images );
-		} else {
-			if ( $url = \the_seo_framework()->get_social_image_url_from_post_meta( $id, true ) ) {
-
-				//* TSF 2.9+
-				$dimensions = \the_seo_framework()->image_dimensions;
-
-				$d = ! empty( $dimensions[ $id ] ) ? $dimensions[ $id ] : false;
-				if ( $d ) {
-					$w = $d['width'];
-					$h = $d['height'];
-				} else {
-					$w = 0;
-					$h = 0;
-				}
-
-				if ( ! $w ) {
-					return $url;
-				} elseif ( $w >= $min_width ) {
-					return [
-						'@type'  => 'ImageObject',
-						'url'    => $url,
-						'width'  => $w,
-						'height' => $h,
-					];
-				}
-			}
-
-			//* Don't use `\the_seo_framework()->get_image_from_post_thumbnail` because it will overwrite vars.
-			if ( $_img_id = \get_post_thumbnail_id( $id ) ) {
+		$images = [];
 
-				$_src = \wp_get_attachment_image_src( $_img_id, 'full', false );
+		// TODO: Do we want to take images from the content? Users have complained about this...
+		// ... We'd have to implement (and revoke) a filter, however.
+		foreach ( \the_seo_framework()->get_image_details( null, false, 'schema', true ) as $image ) {
 
-				if ( is_array( $_src ) && count( $_src ) >= 3 ) {
-					$url = $_src[0];
-					$w   = $_src[1];
-					$h   = $_src[2];
+			if ( ! $image['url'] ) continue;
 
-					if ( $w >= $min_width )
-						return [
-							'@type'  => 'ImageObject',
-							'url'    => $url,
-							'width'  => $w,
-							'height' => $h,
-						];
-				}
+			if ( $image['width'] && $image['width'] >= $min_width ) {
+				$images[] = [
+					'@type'  => 'ImageObject',
+					'url'    => $image['url'],
+					'width'  => $image['width'],
+					'height' => $image['height'],
+				];
+			} else {
+				$images[] = $image['url'];
 			}
 		}
 
-		return [];
+		return count( $images ) > 1 ? $images : reset( $images );
 	}
 
 	/**

diff --git a/extensions/premium/local/trunk/inc/classes/admin.class.php b/extensions/premium/local/trunk/inc/classes/admin.class.php
@@ -92,12 +92,13 @@ private function load_admin_actions() {
 	 * Initializes extension menu.
 	 *
 	 * @since 1.0.0
+	 * @since 1.1.7 The extension access level is now controlled via another constant.
 	 * @uses \the_seo_framework()->load_options variable. Applies filters 'the_seo_framework_load_options'
-	 * @uses \tsf_extension_manager()->can_do_settings()
+	 * @uses \TSF_Extension_Manager\can_do_extension_settings()
 	 * @access private
 	 */
 	public function _init_menu() {
-		if ( \tsf_extension_manager()->can_do_settings() && \the_seo_framework()->load_options )
+		if ( \TSF_Extension_Manager\can_do_extension_settings() && \the_seo_framework()->load_options )
 			\add_action( 'admin_menu', [ $this, '_add_menu_link' ], 20 );
 	}
 
@@ -116,7 +117,7 @@ public function _add_menu_link() {
 			'parent_slug' => \the_seo_framework()->seo_settings_page_slug,
 			'page_title'  => 'Local',
 			'menu_title'  => 'Local',
-			'capability'  => 'manage_options',
+			'capability'  => TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE,
 			'menu_slug'   => $this->local_page_slug,
 			'callback'    => [ $this, '_output_local_settings_page' ],
 		];

diff --git a/extensions/premium/local/trunk/inc/classes/settings.class.php b/extensions/premium/local/trunk/inc/classes/settings.class.php
@@ -297,6 +297,7 @@ private function init_tsfem_ui() {
 	 * Also registers TSF scripts, for TT (tooltip) support.
 	 *
 	 * @since 1.1.3
+	 * @since 1.1.7 The extension access level for nonce generation now controlled via another constant.
 	 * @access private
 	 * @internal
 	 *
@@ -332,7 +333,8 @@ public function _register_local_scripts( $scripts ) {
 				'l10n'     => [
 					'name' => 'tsfem_e_localL10n',
 					'data' => [
-						'nonce' => \wp_create_nonce( 'tsfem-e-local-ajax-nonce' ),
+						// This won't ever run when the user can't. But, sanity.
+						'nonce' => \TSF_Extension_Manager\can_do_extension_settings() ? \wp_create_nonce( 'tsfem-e-local-ajax-nonce' ) : '',
 						'i18n'  => [
 							'fixForm'       => \esc_html__( 'Please correct the form fields before validating the markup.', 'the-seo-framework-extension-manager' ),
 							'testNewWindow' => \esc_html__( 'The markup tester will be opened in a new window.', 'the-seo-framework-extension-manager' ),

diff --git a/extensions/premium/local/trunk/inc/traits/secure-post.trait.php b/extensions/premium/local/trunk/inc/traits/secure-post.trait.php
@@ -237,13 +237,14 @@ private function get_registered_iterator_callbacks() {
 	 * Prepares AJAX form validation checks.
 	 *
 	 * @since 1.0.0
+	 * @since 1.1.7 The extension access level is now controlled via another constant.
 	 * @see $this->send_ajax_form_json_validation()
 	 * @access private
 	 */
 	public function _prepare_ajax_form_json_validation() {
 
 		if ( \wp_doing_ajax() ) :
-			if ( \tsf_extension_manager()->can_do_settings() ) :
+			if ( \TSF_Extension_Manager\can_do_extension_settings() ) :
 				if ( \check_ajax_referer( 'tsfem-e-local-ajax-nonce', 'nonce', false ) ) {
 					$this->send_ajax_form_json_validation();
 				}

diff --git a/extensions/premium/local/trunk/local.php b/extensions/premium/local/trunk/local.php
@@ -9,7 +9,7 @@
  * Extension Name: Local
  * Extension URI: https://theseoframework.com/extensions/local/
  * Extension Description: The Local extension lets you set up important local business information for search engines to consume.
- * Extension Version: 1.1.6
+ * Extension Version: 1.1.7
  * Extension Author: Sybre Waaijer
  * Extension Author URI: https://cyberwire.nl/
  * Extension License: GPLv3
@@ -41,7 +41,7 @@
  * @since 1.0.0
  * NOTE: The presence does NOT guarantee the extension is loaded!!!
  */
-define( 'TSFEM_E_LOCAL_VERSION', '1.1.6' );
+define( 'TSFEM_E_LOCAL_VERSION', '1.1.7' );
 
 /**
  * The extension database version.

diff --git a/extensions/premium/local/trunk/readme.md b/extensions/premium/local/trunk/readme.md
@@ -126,6 +126,12 @@ Also, when department URLs are filled in, then each specific department's data w
 
 ## Changelog
 
+### 1.1.7
+
+[tsfep-release time="-1"]
+
+* **Changed:** This extension's admin access can now be controlled via the global constant `TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE`.
+
 ### 1.1.6
 
 [tsfep-release time="May 15th, 2020"]

diff --git a/extensions/premium/monitor/trunk/inc/classes/admin.class.php b/extensions/premium/monitor/trunk/inc/classes/admin.class.php
@@ -216,13 +216,14 @@ private function construct() {
 	 * Initializes extension menu.
 	 *
 	 * @since 1.0.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @uses \the_seo_framework()->load_options variable. Applies filters 'the_seo_framework_load_options'
-	 * @uses \tsf_extension_manager()->can_do_settings()
+	 * @uses \TSF_Extension_Manager\can_do_extension_settings()
 	 * @access private
 	 */
 	public function _init_menu() {
 
-		if ( \tsf_extension_manager()->can_do_settings() && \the_seo_framework()->load_options )
+		if ( \TSF_Extension_Manager\can_do_extension_settings() && \the_seo_framework()->load_options )
 			\add_action( 'admin_menu', [ $this, '_add_menu_link' ], 100 );
 	}
 
@@ -241,7 +242,7 @@ public function _add_menu_link() {
 			'parent_slug' => \the_seo_framework()->seo_settings_page_slug,
 			'page_title'  => 'Monitor',
 			'menu_title'  => 'Monitor',
-			'capability'  => 'manage_options',
+			'capability'  => TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE,
 			'menu_slug'   => $this->monitor_page_slug,
 			'callback'    => [ $this, '_init_monitor_page' ],
 		];
@@ -370,6 +371,7 @@ public function _handle_update_post() {
 	 * nonce can or has been been verified.
 	 *
 	 * @since 1.0.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @staticvar bool $validated Determines whether the nonce has already been verified.
 	 *
 	 * @param string $key        The nonce action used for caching.
@@ -383,7 +385,7 @@ protected function handle_update_nonce( $key = 'default', $check_post = true ) {
 		if ( isset( $validated[ $key ] ) )
 			return $validated[ $key ];
 
-		if ( ! \tsf_extension_manager()->can_do_settings() )
+		if ( ! \TSF_Extension_Manager\can_do_extension_settings() )
 			return $validated[ $key ] = false;
 
 		if ( $check_post ) {
@@ -416,15 +418,16 @@ protected function handle_update_nonce( $key = 'default', $check_post = true ) {
 	 * Updates settings.
 	 *
 	 * @since 1.1.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @access private
 	 */
 	public function _wp_ajax_update_settings() {
 
 		if ( \wp_doing_ajax() ) :
-			$tsfem = \tsf_extension_manager();
-			if ( $tsfem->can_do_settings() ) :
+			if ( \TSF_Extension_Manager\can_do_extension_settings() ) :
+				$tsfem  = \tsf_extension_manager();
 				$option = '';
-				$send = [];
+				$send   = [];
 				if ( \check_ajax_referer( 'tsfem-e-monitor-ajax-nonce', 'nonce', false ) ) {
 					//= Option is cleaned and requires unpacking.
 					$option = isset( $_POST['option'] ) ? $tsfem->s_ajax_string( $_POST['option'] ) : ''; // Sanitization, input var OK.
@@ -463,13 +466,14 @@ public function _wp_ajax_update_settings() {
 	 * Fetches Monitor Data through AJAX and echos the output through AJAX response.
 	 *
 	 * @since 1.0.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @TODO update to newer ajax handler.
 	 * @access private
 	 */
 	public function _wp_ajax_fetch_data() {
 
 		if ( \wp_doing_ajax() ) :
-			if ( \tsf_extension_manager()->can_do_settings() ) :
+			if ( \TSF_Extension_Manager\can_do_extension_settings() ) :
 
 				$timeout = null;
 
@@ -549,13 +553,14 @@ public function _wp_ajax_fetch_data() {
 	 * Requests Monitor to crawl the site and echos the output through AJAX response.
 	 *
 	 * @since 1.0.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @TODO update to newer ajax handler.
 	 * @access private
 	 */
 	public function _wp_ajax_request_crawl() {
 
 		if ( \wp_doing_ajax() ) :
-			if ( \tsf_extension_manager()->can_do_settings() ) :
+			if ( \TSF_Extension_Manager\can_do_extension_settings() ) :
 
 				$timeout = null;
 
@@ -631,13 +636,13 @@ public function _wp_ajax_request_crawl() {
 	 * Returns required fix fields through AJAX request.
 	 *
 	 * @since 1.0.0
+	 * @since 1.2.6 The extension access level is now controlled via another constant.
 	 * @access private
 	 */
 	public function _wp_ajax_get_requires_fix() {
 
 		if ( \wp_doing_ajax() ) {
-			if ( \tsf_extension_manager()->can_do_settings() ) {
-
+			if ( \TSF_Extension_Manager\can_do_extension_settings() ) {
 				$send = [];
 				if ( \check_ajax_referer( 'tsfem-e-monitor-ajax-nonce', 'nonce', false ) ) {
 					//* Initialize menu hooks.
@@ -710,7 +715,8 @@ public function _register_monitor_scripts( $scripts ) {
 				'l10n'     => [
 					'name' => 'tsfem_e_monitorL10n',
 					'data' => [
-						'nonce'                => \wp_create_nonce( 'tsfem-e-monitor-ajax-nonce' ),
+						// This won't ever run when the user can't. But, sanity.
+						'nonce'                => \TSF_Extension_Manager\can_do_extension_settings() ? \wp_create_nonce( 'tsfem-e-monitor-ajax-nonce' ) : '',
 						'remote_data_timeout'  => $this->get_remote_data_timeout(),
 						'remote_crawl_timeout' => $this->get_remote_crawl_timeout(),
 					],

diff --git a/extensions/premium/monitor/trunk/monitor.php b/extensions/premium/monitor/trunk/monitor.php
@@ -9,7 +9,7 @@
  * Extension Name: Monitor
  * Extension URI: https://theseoframework.com/extensions/monitor/
  * Extension Description: The Monitor extension keeps track of your website's SEO optimizations and statistics.
- * Extension Version: 1.2.5
+ * Extension Version: 1.2.6
  * Extension Author: Sybre Waaijer
  * Extension Author URI: https://cyberwire.nl/
  * Extension License: GPLv3
@@ -41,7 +41,7 @@
  * @since 1.0.0
  * NOTE: The presence does NOT guarantee the extension is loaded!!!
  */
-define( 'TSFEM_E_MONITOR_VERSION', '1.2.5' );
+define( 'TSFEM_E_MONITOR_VERSION', '1.2.6' );
 
 /**
  * The extension file, absolute unix path.

diff --git a/extensions/premium/monitor/trunk/readme.md b/extensions/premium/monitor/trunk/readme.md
@@ -83,6 +83,12 @@ If you just initiated a crawl request, you might receive outdated or incorrect d
 
 *Because Monitor is a heavily dependent two-part system, these changes are annotated through Extension and API nodes.*
 
+### 1.2.6
+
+[tsfep-release time="-1"]
+
+* **Changed:** This extension's admin access can now be controlled via the global constant `TSF_EXTENSION_MANAGER_EXTENSION_ADMIN_ROLE`.
+
 ### 1.2.5
 
 [tsfep-release time="May 15th, 2020"]