Ticket #8734: 8734.03.patch

src/bp-activity/bp-activity-functions.php

@@ -3304 +3304 @@
                 $user_id = bp_loggedin_user_id();
         }
 
+        if ( ! bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) ) {
+                $retval = false;
+        }
+
         // If activity is from a group, do extra cap checks.
-        if ( bp_is_active( 'groups' ) && buddypress()->groups->id === $activity->component ) {
+        if ( bp_is_active( 'groups' ) && buddypress()->groups->id === $activity->component && bp_current_user_can( 'bp_view', array( 'bp_component' => 'groups' ) ) ) {
                 // Check to see if the user has access to the activity's parent group.
                 $group = groups_get_group( $activity->item_id );
                 if ( $group ) {
@@ -4482 +4486 @@
  * Checks whether an activity feed is enabled.
  *
  * @since 8.0.0
+ * @since 12.0.0 Added bp_current_user_can( 'bp_view' ) check.
  *
  * @param string $feed_id The feed identifier. Possible values are:
  *                        'sitewide', 'personal', 'friends', 'mygroups', 'mentions', 'favorites'.
  */
 function bp_activity_is_feed_enable( $feed_id = '' ) {
+        if ( bp_current_user_can( 'bp_view', array( 'bp_component' => 'activity' ) ) ) {
+                // @TODO: Should we map the feeds to a component, like
+                // $component = 'activity';
+                // switch ( $feed_id ) {
+                //      case 'mygroups':
+                //              $component = 'groups';
+                //              break;
+                //      case 'personal':
+                //      case 'friends':
+                //      case 'mentions':
+                //      case 'favorites':
+                //      default:
+                //              $component = 'members';
+                //              break;
+                // }
+                // $retval = bp_current_user_can( 'bp_view', array( 'bp_component' => $component ) );
+                $retval = true;
+        } else {
+                $retval = false;
+        }
+
         /**
          * Filters if BuddyPress should consider feeds enabled. If disabled, it will return early.
          *
          * @since 1.8.0
          * @since 8.0.0 Adds the `$feed_id` parameter.
          *
-         * @param bool   $value   Defaults to true aka feeds are enabled.
+         * @param bool   $retval  Whether this feed is enabled or not.
          * @param string $feed_id The feed identifier.
          */
-        return (bool) apply_filters( 'bp_activity_enable_feeds', true, $feed_id );
+        return (bool) apply_filters( 'bp_activity_enable_feeds', $retval, $feed_id );
 }

src/bp-core/admin/bp-core-admin-settings.php

@@ -47 +47 @@
 <?php
 }
 
+/**
+ * Enable private site functionality.
+ *
+ * @since 12.0.0
+ *
+ */
+function bp_admin_setting_callback_community_visibility() {
+        $visibility = bp_get_community_visibility( 'all' );
+?>
+        <select name="_bp_community_visibility[global]" id="_bp_community_visibility-global" aria-describedby="_bp_community_visibility_description" autocomplete="off">
+                <option value="anyone" <?php echo selected( $visibility['global'], 'anyone' ); ?>><?php esc_html_e( 'Anyone', 'buddypress' ); ?></option>
+                <option value="members" <?php echo selected( $visibility['global'], 'members' ); ?>><?php esc_html_e( 'Members Only', 'buddypress' ); ?></option>
+        </select>
+
+        <p id="_bp_community_visibility_description" class="description"><?php esc_html_e( 'Choose "Anyone" to allow any visitor access to your community area. Choose "Members Only" to restrict access to your community area to logged-in members only.', 'buddypress' ); ?></p>
+<?php
+}
+
+/**
+ * Sanitize the visibility setting when it is saved.
+ *
+ * @since 12.0.0
+ *
+ * @param mixed $saved_value The value passed to the save function.
+ */
+function bp_admin_sanitize_callback_community_visibility( $saved_value ) {
+        $retval = array();
+
+        // Use the global setting, if it has been passed.
+        $retval['global'] = isset( $saved_value['global'] ) ? $saved_value['global'] : 'anyone';
+        // Ensure the global value is a valid option. Else, assume that the site is open.
+        if ( ! in_array( $retval['global'], array( 'anyone', 'members' ), true ) ) {
+                $retval['global'] = 'anyone';
+        }
+
+        // Keys must be either 'global' or a component ID, but not register or activate.
+        $directory_pages = bp_core_get_directory_pages();
+        foreach ( $directory_pages as $component_id => $component_page ) {
+                if ( in_array( $component_id, array( 'register', 'activate' ), true ) ) {
+                        continue;
+                }
+
+                // Use the global value if a specific value hasn't been set.
+                $component_value = isset( $saved_value[ $component_id ] ) ? $saved_value[ $component_id ] : $retval['global'];
+
+                // Valid values are 'anyone' or 'memebers'.
+                if ( ! in_array( $component_value, array( 'anyone', 'members' ), true ) ) {
+                        $component_value = $retval['global'];
+                }
+                $retval[ $component_id ] = $component_value;
+        }
+
+        return $saved_value;
+}
+
 /**
  * Form element to change the active template pack.
  */

src/bp-core/bp-core-caps.php

@@ -124 +124 @@
  * Map community caps to built in WordPress caps.
  *
  * @since 1.6.0
+ * @since 12.0.0 Added mapping for `bp_view` capability.
  *
  * @see WP_User::has_cap() for description of the arguments passed to the
  *      'map_meta_cap' filter.
@@ -137 +138 @@
  */
 function bp_map_meta_caps( $caps, $cap, $user_id, $args ) {
 
+        switch ( $cap ) {
+                case 'bp_view' :
+                        $caps = array( 'exist' );
+                        if ( ! $user_id ) {
+
+                                // A BuddyPress component ID may be optionally passed with the `bp_view` check.
+                                $component = isset( $args['bp_component'] ) ? $args['bp_component'] : '';
+
+                                if ( 'members' === bp_get_community_visibility( $component ) ) {
+                                        $caps = array( 'do_not_allow' );
+                                }
+                        }
+                        break;
+        }
+
         /**
          * Filters the community caps mapping to be built in WordPress caps.
          *

src/bp-core/bp-core-functions.php

@@ -668 +668 @@
         return $page_id;
 }
 
+/**
+ * Get the component ID corresponding to a directory page ID.
+ *
+ * @since 12.0.0
+ *
+ * @param int $page_id The ID of the directory page associated with the component.
+ * @return int|false The slug representing the component. False if none is found.
+ */
+function bp_core_get_component_from_directory_page_id( $page_id = 0 ) {
+        $bp_pages = bp_core_get_directory_page_ids( 'all' );
+
+        $component = false;
+        foreach ( $bp_pages as $component_id => $p_id) {
+                if ( $page_id === $p_id ) {
+                        $component = $component_id;
+                        break;
+                }
+        }
+
+        return $component;
+}
+
 /**
  * Store the list of BP directory pages in the appropriate meta table.
  *
@@ -969 +991 @@
                 $pages = get_posts(
                         array(
                                 'post__not_in' => array( $post_ID ),
-                                'post_status'  => array( 'publish', 'bp_restricted' ),
+                                'post_status'  => bp_core_get_directory_pages_stati(),
                                 'post_type'    => array( 'buddypress', 'page' ),
                         )
                 );
@@ -4949 +4971 @@
 
         return $navigations;
 }
+
+/**
+ * Get the community visibility value calculated from the
+ * saved visibility setting.
+ *
+ * @since 12.0.0
+ *
+ * @param string $component Whether we want the visibility for a single component
+ *                          or for all components.
+ *
+ * @return arrary|string $retval The calculated visbility settings for the site.
+ */
+function bp_get_community_visibility( $component = 'global' ) {
+        $retval      = 'anyone';
+        $saved_value = (array) get_option( '_bp_community_visibility', array() );
+
+        // If the global value has not been set, we assume that the site is open.
+        if ( ! isset( $saved_value['global'] ) ) {
+                $saved_value['global'] = 'anyone';
+        }
+
+        if ( 'all' === $component ) {
+                // Build the component list.
+                $retval = array(
+                        'global' => $saved_value['global']
+                );
+                $directory_pages = bp_core_get_directory_pages();
+                foreach ( $directory_pages as $component_id => $component_page ) {
+                        if ( in_array( $component_id, array( 'register', 'activate' ), true ) ) {
+                                continue;
+                        }
+                        $retval[ $component_id ] = isset( $saved_value[ $component_id ] ) ? $saved_value[ $component_id ] : $saved_value['global'];
+                }
+        } else {
+                // We are checking a particular component.
+                // Fall back to the global value if not set.
+                $retval = isset( $saved_value[ $component ] ) ? $saved_value[ $component ] : $saved_value['global'];
+        }
+
+        /**
+         * Filter the community visibility value calculated from the
+         * saved visibility setting.
+         *
+         * @since 12.0.0
+         *
+         * @param arrary|string $retval    The calculated visbility settings for the site.
+         * @param string        $component The component value to get the visibility for.
+         */
+        return apply_filters( 'bp_get_community_visibility', $retval, $component );
+}

src/bp-core/classes/class-bp-admin.php

@@ -476 +476 @@
                 add_settings_field( 'bp-disable-account-deletion', __( 'Account Deletion', 'buddypress' ), 'bp_admin_setting_callback_account_deletion', 'buddypress', 'bp_main' );
                 register_setting( 'buddypress', 'bp-disable-account-deletion', 'intval' );
 
+                // Community Visibility
+                add_settings_field( '_bp_community_visibility', __( 'Community Visibility', 'buddypress' ), 'bp_admin_setting_callback_community_visibility', 'buddypress', 'bp_main' );
+                register_setting( 'buddypress', '_bp_community_visibility', 'bp_admin_sanitize_callback_community_visibility' );
+
                 // Template pack picker.
                 add_settings_field( '_bp_theme_package_id', __( 'Template Pack', 'buddypress' ), 'bp_admin_setting_callback_theme_package_id', 'buddypress', 'bp_main', array( 'label_for' => '_bp_theme_package_id' ) );
                 register_setting( 'buddypress', '_bp_theme_package_id', 'sanitize_text_field' );

src/bp-core/classes/class-bp-component.php

@@ -1257 +1257 @@
          *
          * @since 12.0.0
          *
-         * @param  null     $retval A null value to use the regular WP Query.
-         * @param  WP_Query $query  The WP Query object.
+         * @param  null     $posts A null value to use the regular WP Query.
+         * @param  WP_Query $query The WP Query object.
          * @return null|array Null if not displaying a BuddyPress page.
-         *                    An array containing the BuddyPress directory post otherwise.
+         *                    An array containing the BuddyPress directory page otherwise.
          */
-        public function pre_query( $retval = null, $query = null ) {
+        public function pre_query( $posts = null, $query = null ) {
                 remove_filter( 'posts_pre_query', array( $this, 'pre_query' ), 10 );
 
                 $queried_object = $query->get_queried_object();
 
                 if ( $queried_object instanceof WP_Post && 'buddypress' === get_post_type( $queried_object ) ) {
-                        // Only include the queried directory post into returned posts.
-                        $retval = array( $queried_object );
-
-                        // Reset some query flags.
-                        $query->is_home       = false;
-                        $query->is_front_page = false;
-                        $query->is_page       = false;
-                        $query->is_archive    = false;
-                        $query->is_tax        = false;
-
-                        if ( ! is_embed() ) {
-                                $query->is_single = true;
+                        $component = bp_core_get_component_from_directory_page_id( $queried_object->ID );
+                        if ( bp_current_user_can( 'bp_view', array( 'bp_component' => $component ) ) ) {
+                                // Only include the queried directory post into returned posts.
+                                $posts = array( $queried_object );
+
+                                // Reset some query flags.
+                                $query->is_home       = false;
+                                $query->is_front_page = false;
+                                $query->is_page       = false;
+                                $query->is_archive    = false;
+                                $query->is_tax        = false;
+
+                                if ( ! is_embed() ) {
+                                        $query->is_single = true;
+                                }
+                        } else {
+                                // The current user may not access the directory page.
+                                $bp                    = buddypress();
+                                $bp->current_component = 'core';
+
+                                // Unset other BuddyPress URI globals.
+                                foreach ( array( 'current_item', 'current_action', 'action_variables', 'displayed_user' ) as $global ) {
+                                        if ( 'action_variables' === $global ) {
+                                                $bp->{$global} = array();
+                                        } elseif ( 'displayed_user' === $global ) {
+                                                $bp->{$global} = new \stdClass();
+                                        } else {
+                                                $bp->{$global} = '';
+                                        }
+                                }
+
+                                // Reset the post.
+                                $post = (object) array(
+                                        'ID'             => 0,
+                                        'post_type'      => 'buddypress',
+                                        'post_name'      => 'restricted',
+                                        'post_title'     => __( 'Members-only area', 'buddypress' ),
+                                        'post_content'   => bp_buffer_template_part( 'assets/utils/restricted-access-message', null, false ),
+                                        'comment_status' => 'closed',
+                                        'comment_count'  => 0,
+                                );
+
+                                // Reset the queried object.
+                                $query->queried_object    = get_post( $post );
+                                $query->queried_object_id = $query->queried_object->ID;
+
+                                // Reset the posts.
+                                $posts = array( $query->queried_object );
+
+                                // Reset some WP Query properties.
+                                $query->found_posts   = 1;
+                                $query->max_num_pages = 1;
+                                $query->posts         = $posts;
+                                $query->post          = $post;
+                                $query->post_count    = 1;
+                                $query->is_home       = false;
+                                $query->is_front_page = false;
+                                $query->is_page       = false;
+                                $query->is_single     = true;
+                                $query->is_archive    = false;
+                                $query->is_tax        = false;
+
+                                // Make sure no comments are displayed for this page.
+                                add_filter( 'comments_pre_query', 'bp_comments_pre_query', 10, 2 );
                         }
-                }
 
-                return $retval;
+                        return $posts;
+                }
         }
 
         /**

src/bp-core/classes/class-bp-core.php

@@ -397 +397 @@
                 parent::register_post_types();
         }
 
-        /**
-         * Set up the component post statuses.
-         *
-         * @since 12.0.0
-         */
-        public function register_post_statuses() {
-                register_post_status(
-                        'bp_restricted',
-                        array(
-                                'label'    => _x( 'Restricted to members', '`buddypress` post type post status', 'buddypress' ),
-                                'public'   => false,
-                                'internal' => true,
-                        )
-                );
-
-                parent::register_post_statuses();
-        }
-
         /**
          * Parse the WP_Query and eventually set the BP Search mechanism.
          *

new file src/bp-templates/bp-legacy/buddypress/assets/utils/restricted-access-message.php

@@ +1 @@
+<?php
+/**
+ * Message to inform the community is restricted to members.
+ *
+ * @package BuddyPress
+ * @subpackage bp-legacy
+ *
+ * @since 12.0.0
+ */
+
+// Exit if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+}
+?>
+<!-- wp:paragraph {"align":"center"} -->
+<p class="has-text-align-center"><?php esc_html_e( 'This community area is accessible to logged-in members only.', 'buddypress' ); ?></p>
+<!-- /wp:paragraph -->
+
+<!-- wp:columns -->
+<div class="wp-block-columns"><!-- wp:column {"width":"25%"} -->
+<div class="wp-block-column" style="flex-basis:25%"></div>
+<!-- /wp:column -->
+
+<!-- wp:column {"width":"50%"} -->
+<div class="wp-block-column" style="flex-basis:50%"><!-- wp:bp/login-form {"forgotPwdLink":true} /--></div>
+<!-- /wp:column -->
+
+<!-- wp:column {"width":"25%"} -->
+<div class="wp-block-column" style="flex-basis:25%"></div>
+<!-- /wp:column --></div>
+<!-- /wp:columns -->

new file src/bp-templates/bp-nouveau/buddypress/assets/utils/restricted-access-message.php

@@ +1 @@
+<?php
+/**
+ * Message to inform the community is restricted to members.
+ *
+ * @package BuddyPress
+ * @subpackage bp-nouveau
+ *
+ * @since 12.0.0
+ */
+
+// Exit if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+}
+?>
+<!-- wp:paragraph {"align":"center"} -->
+<p class="has-text-align-center"><?php esc_html_e( 'This community area is accessible to logged-in members only.', 'buddypress' ); ?></p>
+<!-- /wp:paragraph -->
+
+<!-- wp:columns -->
+<div class="wp-block-columns"><!-- wp:column {"width":"25%"} -->
+<div class="wp-block-column" style="flex-basis:25%"></div>
+<!-- /wp:column -->
+
+<!-- wp:column {"width":"50%"} -->
+<div class="wp-block-column" style="flex-basis:50%"><!-- wp:bp/login-form {"forgotPwdLink":true} /--></div>
+<!-- /wp:column -->
+
+<!-- wp:column {"width":"25%"} -->
+<div class="wp-block-column" style="flex-basis:25%"></div>
+<!-- /wp:column --></div>
+<!-- /wp:columns -->

new file tests/phpunit/testcases/core/community-visibility.php

@@ +1 @@
+<?php
+/**
+ * @group bp_community_visibility
+ */
+class BP_Tests_BP_Community_Visibility_TestCases extends BP_UnitTestCase {
+        protected $old_user;
+        protected $logged_in_user;
+
+        public function set_up() {
+                parent::set_up();
+                $this->old_user = get_current_user_id();
+                $this->logged_in_user = self::factory()->user->create();
+                $this->set_current_user( $this->logged_in_user );
+
+                // Save a typical setting.
+                $setting = array(
+                        'global' => 'members',
+                );
+                update_option( '_bp_community_visibility', $setting );
+        }
+
+        public function tear_down() {
+                parent::tear_down();
+                $this->set_current_user( $this->old_user );
+                // Reset site to totally open.
+                delete_option( '_bp_community_visibility' );
+        }
+
+        // Test that logged-in user has access to component marked anyone and component marked members
+        public function test_bp_community_visibility_allow_visibility_for_logged_in_user() {
+                $this->assertTrue( bp_user_can( $this->logged_in_user, 'bp_view' ) );
+        }
+
+        // Test that anonymous user does not have access
+        public function test_bp_community_visibility_enforce_visibility_for_anon_user() {
+                $this->assertFalse( bp_user_can( 0, 'bp_view' ) );
+        }
+
+        // Bad component ID should use global setting.
+        public function test_bp_community_visibility_bad_component_id() {
+                $this->assertFalse( bp_user_can( 0, 'bp_view', array( 'bp_component' => 'blerg' ) ) );
+                $this->assertTrue( bp_user_can( $this->logged_in_user, 'bp_view', array( 'bp_component' => 'blerg' ) ) );
+        }
+
+        // No saved setting should be open access for anonymous users and logged in users.
+        public function test_bp_community_visibility_no_saved_setting() {
+                delete_option( '_bp_community_visibility' );
+                // No saved setting should result in the site being open to anyone.
+                $this->assertTrue( bp_user_can( 0, 'bp_view' ) );
+                $this->assertTrue( bp_user_can( $this->logged_in_user, 'bp_view' ) );
+        }
+
+        // Ensure that "anyone" setting allows access to everyone.
+        public function test_bp_community_visibility_access_allowed() {
+                $setting = array(
+                        'global'      => 'anyone',
+                );
+                update_option( '_bp_community_visibility', $setting );
+                $this->assertTrue( bp_user_can( 0, 'bp_view' ) );
+                $this->assertTrue( bp_user_can( $this->logged_in_user, 'bp_view' ) );
+        }
+
+        // Make sure fallback logic works for mixed-up setting values.
+        public function test_bp_community_visibility_fallback_setting() {
+                // Save a partial setting.
+                $setting = array(
+                        'global'      => 'members',
+                        'members'     => 'anyone',
+                );
+                update_option( '_bp_community_visibility', $setting );
+                $this->assertTrue( 'members' === bp_get_community_visibility( 'groups' ) );
+        }
+}