|
1 <?php |
|
2 |
|
3 require_once(dirname(__FILE__).'/cache.php'); |
|
4 require_once(dirname(__FILE__).'/const.php'); |
|
5 |
|
6 // ----------------------------------------------------------------------------- |
|
7 // the ExecPhp_Runtime class handles the execution of PHP code during |
|
8 // access to the articles content or widget including checks against |
|
9 // the exec_php / edit_others_php capability or plugin options respectively |
|
10 // ----------------------------------------------------------------------------- |
|
11 |
|
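if (!class_exists('ExecPhp_Runtime')) :
class ExecPhp_Runtime
{
	// cache object handed in by the plugin bootstrap; the runtime only uses it
	// to read the plugin options (see filter_widget_content)
	var $m_cache = NULL;

	// ---------------------------------------------------------------------------
	// init
	// ---------------------------------------------------------------------------

	// Stores the cache and registers the content and capability filters.
	// PHP 5+ constructor: PHP 8 no longer treats a method named after the
	// class as a constructor, so without this the filters would never be
	// registered. The PHP4-style constructor below delegates here.
	function __construct(&$cache)
	{
		$this->m_cache =& $cache;

		// every rendering path of article content goes through eval_php(),
		// gated by the post author's capability; priority 1 puts this ahead of
		// the default-priority content filters
		// (objects are handles since PHP 5, no reference to $this is needed)
		add_filter('the_content', array($this, 'filter_user_content'), 1);
		add_filter('the_content_rss', array($this, 'filter_user_content'), 1);
		add_filter('the_excerpt', array($this, 'filter_user_content'), 1);
		add_filter('the_excerpt_rss', array($this, 'filter_user_content'), 1);
		// widget text is gated by the plugin option instead
		add_filter('widget_text', array($this, 'filter_widget_content'), 1);
		// capability filter that keeps editors without edit_others_php away
		// from posts whose author may execute PHP
		add_filter('user_has_cap', array($this, 'filter_user_has_cap'), 10, 3);
	}

	// PHP4-style constructor, kept for older installations; see __construct().
	function ExecPhp_Runtime(&$cache)
	{
		$this->__construct($cache);
	}

	// ---------------------------------------------------------------------------
	// tools
	// ---------------------------------------------------------------------------

	// Executes the PHP embedded in $content and returns the produced output:
	// text outside <?php ... ?> passes through, code inside is run. Wrapping
	// the string in "?> ... <?php " makes eval() treat it like a .php template.
	// There is no sandbox: the code runs with the privileges of the web server
	// process, so every caller has to establish first that the content's
	// author is trusted to execute PHP (see the hooks below).
	function eval_php($content)
	{
		// to be compatible with older PHP4 installations
		// don't use fancy ob_XXX shortcut functions
		ob_start();
		eval("?>$content<?php ");
		$output = ob_get_contents();
		ob_end_clean();
		return $output;
	}

	// Returns true when $post has an author who holds the
	// ExecPhp_CAPABILITY_EXECUTE_ARTICLES capability. Shared by the content
	// filter and the user_has_cap filter so both apply the same test; a
	// missing post or missing author counts as "not allowed".
	function author_can_exec_php($post)
	{
		if (!isset($post) || !isset($post->post_author))
			return false;
		$poster = new WP_User($post->post_author);
		return (bool) $poster->has_cap(ExecPhp_CAPABILITY_EXECUTE_ARTICLES);
	}

	// ---------------------------------------------------------------------------
	// hooks
	// ---------------------------------------------------------------------------

	// the_content / the_excerpt (and their RSS variants) filter: evaluates the
	// PHP in $content only when the article author is allowed to execute PHP
	// code, otherwise the content is returned untouched.
	function filter_user_content($content)
	{
		global $post;

		// check whether the article author is allowed to execute PHP code
		if (!$this->author_can_exec_php($post))
			return $content;
		return $this->eval_php($content);
	}

	// widget_text filter: the only gate here is the widget support option set
	// by the admin; when it is off the text is returned untouched.
	function filter_widget_content($content)
	{
		// check whether the admin has configured widget support
		$option =& $this->m_cache->get_option();
		if (!$option->get_widget_support())
			return $content;

		return $this->eval_php($content);
	}

	// user_has_cap filter: strips edit_others_pages / edit_others_posts from a
	// user who lacks ExecPhp_CAPABILITY_EDIT_OTHERS_PHP when the post being
	// edited belongs to an author who may execute PHP. Returns the (possibly
	// reduced) $allcaps array.
	function filter_user_has_cap($allcaps, $caps, $args)
	{
		// $allcaps = Capabilities the user currently has (cap name => bool)
		// $caps = Primitive capabilities being tested / requested (list of names)
		// $args = array with:
		// $args[0] = original meta capability requested
		// $args[1] = user being tested
		// See code for assumptions

		// This handler is only set up to deal with the edit_others_pages
		// or edit_others_posts capability. Ignore all other calls into here.
		// $caps holds strings, so compare strictly.
		$pages_request = in_array('edit_others_pages', $caps, true);
		$posts_request = in_array('edit_others_posts', $caps, true);
		if ($pages_request === $posts_request	// neither or both requested
			|| empty($args[0]) || empty($args[1]))
			return $allcaps;

		// only posts whose author may execute PHP need protecting
		global $post;
		if (!$this->author_can_exec_php($post))
			return $allcaps;

		// $allcaps is keyed by capability name with boolean values, so the
		// capability has to be looked up as a key, not searched as a value
		if (!empty($allcaps[ExecPhp_CAPABILITY_EDIT_OTHERS_PHP]))
			return $allcaps;

		// article may contain PHP code due to the original posters capabilities
		// but the editor is not allowed to edit others PHP code, so filter out
		// requested edit_others_xxx settings from the allowed caps
		if ($pages_request)
			unset($allcaps['edit_others_pages']);
		if ($posts_request)
			unset($allcaps['edit_others_posts']);
		return $allcaps;
	}
}
endif;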
|
116 |
|
117 ?> |