#31 Based on user it will allows to generate api access

wpeventmanager · Mar 25, 2021 · da02bd5 · da02bd5
1 parent 586691e
commit da02bd5
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 13 deletions.
diff --git a/admin/templates/html-keys-edit.php b/admin/templates/html-keys-edit.php
@@ -67,19 +67,22 @@
 				</th>
 				<td class="forminp">
 					<?php
-					$curent_user_id = get_current_user_id();
-					$user_id        = ! empty( $key_data['user_id'] ) ? absint( $key_data['user_id'] ) : $curent_user_id;
-					$user           = get_user_by( 'id', $user_id );
-					$user_string    = sprintf(
-						/* translators: 1: user display name 2: user ID 3: user email */
-						esc_html__( '%1$s (#%2$s - %3$s)', 'wp-event-manager-rest-api' ),
-						$user->display_name,
-						absint( $user->ID ),
-						$user->user_email
-					);
+
+					$all_users = get_users( );
+
+					$user_id        = ! empty( $key_data['user_id'] ) ? absint( $key_data['user_id'] ) : '';
+
 					?>
 					<select class="event-manager-select-chosen" id="key_user" data-placeholder="<?php esc_attr_e( 'Search for a user&hellip;', 'wp-event-manager-rest-api' ); ?>" data-allow_clear="true">
-						<option value="<?php echo esc_attr( $user_id ); ?>" selected="selected"><?php echo htmlspecialchars( wp_kses_post( $user_string ) ); // htmlspecialchars to prevent XSS when rendered by chosen. ?></option>
+						<?php
+												// Array of WP_User objects.
+						foreach ( $all_users as $user ) { ?>
+						   <option value="<?php echo esc_attr( $user->ID ); ?>"  <?php if($user->ID == $user_id )  echo 'selected="selected"';?>><?php echo $user->user_email; // htmlspecialchars to prevent XSS when rendered by chosen. ?></option>
+						   <?php
+						}
+
+						?>
+
 					</select>
 					<p class="description"><?php _e('Name of the owner of the Key.
 ','wp-event-manager-rest-api');?></p> 

diff --git a/includes/rest-api/wpem-rest-crud-controller.php b/includes/rest-api/wpem-rest-crud-controller.php
@@ -42,6 +42,8 @@ protected function get_object( $id ) {
 		return new WP_Error( 'invalid-method', sprintf( __( "Method '%s' not implemented. Must be overridden in subclass.", 'wp-event-manager-rest-api' ), __METHOD__ ), array( 'status' => 405 ) );
 	}
 
+
+
 	/**
 	 * Check if a given request has access to read an item.
 	 *

diff --git a/includes/rest-api/wpem-rest-posts-conroller.php b/includes/rest-api/wpem-rest-posts-conroller.php
@@ -57,6 +57,7 @@ public function get_items_permissions_check( $request ) {
 			return new WP_Error( 'wpem_rest_cannot_view', __( 'Sorry, you cannot list resources.', 'wp-event-manager-rest-api' ), array( 'status' => rest_authorization_required_code() ) );
 		}
 
+
 		return true;
 	}
 

diff --git a/wpem-rest-api-functions.php b/wpem-rest-api-functions.php
@@ -37,7 +37,7 @@ function wpem_rest_prepare_date_response( $date, $utc = true ) {
 function wpem_rest_check_post_permissions( $post_type, $context = 'read', $object_id = 0 ) {
     global $wpdb;
 	$contexts = array(
-		'read'   => 'read_private_posts',
+		'read'   => 'read',
 		'create' => 'publish_posts',
 		'edit'   => 'edit_post',
 		'delete' => 'delete_post',
@@ -51,8 +51,18 @@ function wpem_rest_check_post_permissions( $post_type, $context = 'read', $objec
 		$cap              = $contexts[ $context ];
 
 		$post_type_object = get_post_type_object( $post_type );
-
 		$permission       = current_user_can( $post_type_object->cap->$cap, $object_id );
+
+        //check each and every post id 
+        if($object_id != 0){
+
+            $author_id = get_post_field ('post_author', $object_id);
+            $current_user_id =  get_current_user_id();
+            if($author_id != $current_user_id)
+                return false;
+
+        }
+
 	}
 
 	return apply_filters( 'wpem_rest_check_permissions', $permission, $context, $object_id, $post_type );