Pods 2.7.31.1
sc0ttkclark committed Feb 21, 2024
1 parent db11340 commit aa08f03
Showing 77 changed files with 3,194 additions and 271 deletions.
209 changes: 144 additions & 65 deletions classes/Pods.php
Expand Up @@ -1594,10 +1594,8 @@ public function field( $name, $single = null, $raw = false ) {
continue;
}

// Bypass pass field.
if ( isset( $item->user_pass ) ) {
unset( $item->user_pass );
}
// Bypass sensitive fields.
$item = pods_access_bleep_data( $item );

// Get Item ID.
$item_id = $item->pod_item_id;
Expand All @@ -1610,6 +1608,10 @@ public function field( $name, $single = null, $raw = false ) {
} elseif ( 'objects' === $params->output ) {
if ( in_array( $object_type, array( 'post_type', 'media' ), true ) ) {
$item = get_post( $item_id );

if ( ! empty( $item ) ) {
$item = pods_access_bleep_data( $item );
}
} elseif ( 'taxonomy' === $object_type ) {
$item = get_term( $item_id, $object );
} elseif ( 'user' === $object_type ) {
Expand All @@ -1628,7 +1630,7 @@ public function field( $name, $single = null, $raw = false ) {
$item->caps = $caps;
$item->allcaps = $allcaps;

unset( $item->user_pass );
$item = pods_access_bleep_data( $item );
}
} elseif ( 'comment' === $object_type ) {
$item = get_comment( $item_id );
Expand Down Expand Up @@ -3727,67 +3729,50 @@ public function helper( $helper, $value = null, $name = null ) {
$params = array_merge( $params, $helper );
}

if ( class_exists( 'Pods_Helpers' ) ) {
$value = Pods_Helpers::helper( $params, $this );
} elseif ( is_callable( $params['helper'] ) ) {
$disallowed = array(
'system',
'exec',
'popen',
'eval',
'preg_replace',
'create_function',
'include',
'include_once',
'require',
'require_once',
);
/**
* Allows changing whether to include the Pods object as the second value to the callback.
*
* @param bool $include_obj Whether to include the Pods object as the second value to the callback.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.8.0
*/
$include_obj = (boolean) apply_filters( 'pods_helper_include_obj', false, $params );

$allowed = array();
// Clean up helper callback (if string).
if ( is_string( $params['helper'] ) ) {
$params['helper'] = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $params['helper'] ) );
}

/**
* Allows adjusting the disallowed callbacks as needed.
*
* @param array $disallowed List of callbacks not allowed.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.7.0
*/
$disallowed = apply_filters( 'pods_helper_disallowed_callbacks', $disallowed, $params );
if ( ! pods_access_callback_allowed( $params['helper'], $params ) ) {
return $value;
}

/**
* Allows adjusting the allowed allowed callbacks as needed.
*
* @param array $allowed List of callbacks explicitly allowed.
* @param array $params Parameters used by Pods::helper() method.
*
* @since 2.7.0
*/
$allowed = apply_filters( 'pods_helper_allowed_callbacks', $allowed, $params );
if ( ! is_callable( $params['helper'] ) ) {
if ( ! is_string( $params['helper'] ) ) {
return '';
}

// Clean up helper callback (if string).
if ( is_string( $params['helper'] ) ) {
$params['helper'] = strip_tags( str_replace( array( '`', chr( 96 ) ), "'", $params['helper'] ) );
if ( $include_obj ) {
return apply_filters( $params['helper'], $value, $this );
}

$is_allowed = false;
return apply_filters( $params['helper'], $value );
}

if ( ! empty( $allowed ) ) {
if ( in_array( $params['helper'], $allowed, true ) ) {
$is_allowed = true;
}
} elseif ( ! in_array( $params['helper'], $disallowed, true ) ) {
$is_allowed = true;
try {
if ( $include_obj ) {
return call_user_func( $params['helper'], $value, $this );
}

if ( $is_allowed ) {
$value = call_user_func( $params['helper'], $value );
return call_user_func( $params['helper'], $value );
} catch ( Exception $exception ) {
if ( pods_is_debug_display() ) {
throw $exception;
}
} else {
$value = apply_filters( $params['helper'], $value );
}//end if
}

return $value;
return '';
}

/**
Expand All @@ -3798,13 +3783,14 @@ public function helper( $helper, $value = null, $name = null ) {
* @param string $template_name The template name.
* @param string|null $code Custom template code to use instead.
* @param bool $deprecated Whether to use deprecated functionality based on old function usage.
* @param bool $check_access Whether to check access for Posts that are Password-protected.
*
* @return mixed Template output
*
* @since 2.0.0
* @link https://pods.io/docs/template/
*/
public function template( $template_name, $code = null, $deprecated = false ) {
public function template( $template_name, $code = null, $deprecated = false, $check_access = false ) {

$out = null;

Expand Down Expand Up @@ -3832,18 +3818,43 @@ public function template( $template_name, $code = null, $deprecated = false ) {
*/
$code = apply_filters( "pods_templates_pre_template_{$template_name}", $code, $template_name, $this );

$info = $check_access ? pods_info_from_args( [ 'pods' => $this ] ) : [];

ob_start();

if ( ! empty( $code ) ) {
// Only detail templates need $this->id.
if ( empty( $this->id ) ) {
while ( $this->fetch() ) {
$info['item_id'] = $this->id();

// Ensure the post is not password protected.
if (
$check_access
&& (
pods_access_bypass_post_with_password( $info )
|| pods_access_bypass_private_post( $info )
)
) {
continue;
}

// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
}
} else {
// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
$info['item_id'] = $this->id();

if (
! $check_access
|| (
! pods_access_bypass_post_with_password( $info )
&& ! pods_access_bypass_private_post( $info )
)
) {
// @codingStandardsIgnoreLine
echo $this->do_magic_tags( $code );
}
}
}

Expand All @@ -3869,7 +3880,7 @@ public function template( $template_name, $code = null, $deprecated = false ) {
*/
$out = apply_filters( "pods_templates_post_template_{$template_name}", $out, $code, $template_name, $this );
} elseif ( class_exists( 'Pods_Templates' ) ) {
$out = Pods_Templates::template( $template_name, $code, $this, $deprecated );
$out = Pods_Templates::template( $template_name, $code, $this, $deprecated, $check_access );
} elseif ( trim( preg_replace( '/[^a-zA-Z0-9_\-\/]/', '', $template_name ), ' /-' ) === $template_name ) {
ob_start();

Expand All @@ -3889,10 +3900,33 @@ public function template( $template_name, $code = null, $deprecated = false ) {
// Only detail templates need $this->id.
if ( empty( $this->id ) ) {
while ( $this->fetch() ) {
$info['item_id'] = $this->id();

// Ensure the post is not password protected.
if (
$check_access
&& (
pods_access_bypass_post_with_password( $info )
|| pods_access_bypass_private_post( $info )
)
) {
continue;
}

pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
}
} else {
pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
$info['item_id'] = $this->id();

if (
! $check_access
|| (
! pods_access_bypass_post_with_password( $info )
&& ! pods_access_bypass_private_post( $info )
)
) {
pods_template_part( $default_templates, compact( array_keys( get_defined_vars() ) ) );
}
}

$out = ob_get_clean();
Expand Down Expand Up @@ -3937,10 +3971,11 @@ public function template( $template_name, $code = null, $deprecated = false ) {
public function form( $params = null, $label = null, $thank_you = null ) {

$defaults = array(
'fields' => $params,
'label' => $label,
'thank_you' => $thank_you,
'fields_only' => false,
'fields' => $params,
'label' => $label,
'thank_you' => $thank_you,
'fields_only' => false,
'check_access' => false,
);

if ( is_array( $params ) ) {
Expand All @@ -3949,6 +3984,50 @@ public function form( $params = null, $label = null, $thank_you = null ) {
$params = $defaults;
}

$access_type = $this->exists() ? 'edit' : 'add';

$return = '';

// Check if the current user has access to the object.
if ( ! empty( $params['check_access'] ) ) {
$dynamic_feature_unrestricted = pods_can_use_dynamic_feature_unrestricted(
[
'pods' => $this,
],
'form',
$access_type
);

if (
! pods_current_user_can_access_object(
[
'pods' => $this,
],
$access_type
)
&& ! $dynamic_feature_unrestricted
) {
// Stop display and only return the notice.
return pods_get_access_user_notice(
[
'pods' => $this,
],
false,
esc_html__( 'You do not have access to this embedded form.', 'pods' )
) ?: '';
}

// Show the admin-specific notice that this content may not be visible to others since it is not public.
if ( ! $dynamic_feature_unrestricted && pods_is_admin() ) {
// Include the notice in the display output to let the admin know and continue the display.
$return .= pods_get_access_admin_notice(
[
'pods' => $this,
]
) ?: '';
}
}

$pod =& $this;

$params = $this->do_hook( 'form_params', $params );
Expand Down Expand Up @@ -4067,7 +4146,7 @@ public function form( $params = null, $label = null, $thank_you = null ) {

pods_view( PODS_DIR . 'ui/front/form.php', compact( array_keys( get_defined_vars() ) ) );

$output = ob_get_clean();
$output = $return . ob_get_clean();

if ( empty( $this->id ) ) {
$this->row_override = array();
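Review bot: The `try` / `catch ( Exception $exception )` wrapped around the `call_user_func` calls in `helper()` does not catch `Error` subclasses, so an allowed callback that is invoked with an incompatible signature (a `TypeError` or `ArgumentCountError` from being handed `$value`, or `$value, $this` when the `pods_helper_include_obj` filter is on) still escapes as a fatal instead of being turned into the `''` fallback; change it to `catch ( Throwable $exception )` and keep the `pods_is_debug_display()` rethrow as it is. The `strip_tags` cleanup of a string helper now runs before `pods_access_callback_allowed`, which is the right order, but when the cleaned string is not callable the code still ends in `apply_filters( $params['helper'], $value )` with a caller-supplied hook name, so a non-callable helper name silently becomes a filter tag — worth a comment above that branch such as `// Non-callable string helpers are treated as filter names (legacy behaviour).` so the next reader does not mistake it for an unchecked path. In `template()` and `form()` the new `$check_access` / `'check_access'` options default to `false`, so existing call sites get none of the password-protected, private-post or access-object checks unless they opt in; a one-line docblock note on each saying the check is opt-in for backward compatibility would make that explicit. `helper()` starts above the hunk, so I cannot see whether the old `Pods_Helpers` branch survives there.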
