| 1 | <?php |
| 2 | /** |
| 3 | * Core private site functions. |
| 4 | * |
| 5 | * @package BuddyPress |
| 6 | * @subpackage PrivateSite |
| 7 | * @since 11.0.0 |
| 8 | */ |
| 9 | |
// Stop here when this file is requested directly instead of being loaded by
// WordPress (which defines ABSPATH), so nothing below runs outside the normal bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
| 12 | |
/**
 * Report whether BuddyPress content on this site is restricted to logged-in users.
 *
 * The stored 'bp-is-private-site' option is passed through the
 * 'bp_is_private_site' filter and returned without a cast, so any callback on
 * that filter can switch the private-site protections on or off. The callers
 * in this file only test the result for truthiness.
 *
 * @since 11.0.0
 *
 * @return bool True if this site is set to private, false otherwise.
 */
function bp_is_private_site() {
	/**
	 * Must a user be logged in to view BuddyPress content?
	 *
	 * @since 11.0.0
	 *
	 * @param mixed $is_private Value of the 'bp-is-private-site' option; a truthy
	 *                          value means BuddyPress content should be protected.
	 */
	return apply_filters( 'bp_is_private_site', get_option( 'bp-is-private-site' ) );
}
| 32 | |
/**
 * Gate BuddyPress pages behind login when the site is private.
 *
 * Runs on 'bp_actions'. By default a logged-out visitor is refused when the
 * request is a BuddyPress page other than the register and activation pages
 * and bp_is_private_site() is truthy. Plugins may override the decision in
 * either direction, or protect their own content, through the
 * 'bp_private_site_user_has_access' filter.
 *
 * The built-in check only applies where is_buddypress() is true; activity
 * feeds and the BP REST API are handled by the other callbacks in this file.
 *
 * @since 11.0.0
 */
function bp_private_site_access_protection() {
	$no_access_args = array();

	// Register and activation are exempt, presumably so that visitors can
	// still create and confirm an account on a private site.
	$is_gated_page = is_buddypress() && ! bp_is_register_page() && ! bp_is_activation_page();

	// The default no_access_args in bp_core_no_access() are good for this case.
	$user_has_access = ! ( $is_gated_page && bp_is_private_site() && ! is_user_logged_in() );

	/**
	 * Allow plugins to filter whether the current user has access to this content.
	 *
	 * A plugin that sets $user_has_access to false may also want to adjust
	 * $no_access_args, to avoid problems such as logged-in users being
	 * redirected to wp-login.php.
	 *
	 * @since 11.0.0
	 *
	 * @param bool  $user_has_access True if the user has access to the content,
	 *                               otherwise false.
	 * @param array $no_access_args  Arguments handed to bp_core_no_access() when
	 *                               access is refused. Passed by reference, so the
	 *                               filter callback can modify it.
	 */
	$user_has_access = apply_filters_ref_array( 'bp_private_site_user_has_access', array( $user_has_access, &$no_access_args ) );

	// Any falsy filter result refuses access, including a callback that
	// forgets to return a value, so a broken callback fails closed here.
	if ( $user_has_access ) {
		return;
	}

	// No access: hand off to bp_core_no_access().
	bp_core_no_access( $no_access_args );
}
add_action( 'bp_actions', 'bp_private_site_access_protection' );
| 72 | |
/**
 * Decide whether an RSS feed may be served on a private site.
 *
 * Hooked to 'bp_activity_enable_feeds', so only feeds that consult that
 * filter are covered. On a private site a logged-out request gets the feed
 * only if a plugin explicitly allows it.
 *
 * @since 11.0.0
 *
 * @param bool   $feed_enabled True if feeds are enabled. Default true.
 * @param string $feed_id      The feed identifier.
 * @return bool The incoming value on a public site or for a logged-in user;
 *              otherwise the result of the
 *              'bp_private_site_rss_feed_access_protection' filter, which
 *              starts from false.
 */
function bp_private_site_rss_feed_access_protection( $feed_enabled, $feed_id ) {
	// Nothing to restrict on a public site or for an authenticated visitor.
	if ( ! bp_is_private_site() || is_user_logged_in() ) {
		return $feed_enabled;
	}

	/**
	 * Allow plugins to allow specific feeds even when private site is enabled.
	 *
	 * The incoming $feed_enabled value is discarded: the filter starts from
	 * false, so a feed stays closed unless a callback returns true for it.
	 *
	 * @since 11.0.0
	 *
	 * @param bool   $feed_enabled True to allow access to the feed.
	 * @param string $feed_id      The feed identifier.
	 */
	return apply_filters( 'bp_private_site_rss_feed_access_protection', false, $feed_id );
}
add_filter( 'bp_activity_enable_feeds', 'bp_private_site_rss_feed_access_protection', 10, 2 );
| 96 | |
/**
 * Keep the BuddyPress REST endpoints from being registered for logged-out
 * requests when this is a private site.
 *
 * Runs at priority 1 on 'bp_rest_api_init' and, when the API is to be
 * disabled, unhooks 'bp_rest' from priority 5 of the same action before it
 * would have run. Only what 'bp_rest' registers is affected.
 *
 * NOTE(review): the login state is read while routes are being registered.
 * Confirm it matches the state the REST permission callbacks later see for
 * every authentication method in use (for example cookie requests that do
 * not carry a valid nonce).
 *
 * @since 11.0.0
 */
function bp_private_site_rest_api_access_protection() {
	// Public sites and authenticated requests keep the BP REST API.
	if ( ! bp_is_private_site() || is_user_logged_in() ) {
		return;
	}

	/**
	 * Allow plugins to keep the BP REST endpoints available even when private
	 * site is enabled.
	 *
	 * Any falsy result re-enables the endpoints for logged-out requests,
	 * including a callback that forgets to return a value, so callbacks
	 * should return true explicitly to keep the protection in place.
	 *
	 * @since 11.0.0
	 *
	 * @param bool $rest_disabled True to prevent the registration of the BP REST endpoints.
	 */
	$rest_disabled = apply_filters( 'bp_private_site_rest_api_access_protection', true );
	if ( ! $rest_disabled ) {
		return;
	}

	// @TODO: This seems not too great. Is there a general BP REST access check that would be better,
	// or are they all atomic, like `bp_rest_groups_get_items_permissions_check`?
	// If they are all atomic, would it make sense to list all of them in an array and
	// add_filters for each, allowing a filter to enable specific filters?
	remove_action( 'bp_rest_api_init', 'bp_rest', 5 );
}
add_action( 'bp_rest_api_init', 'bp_private_site_rest_api_access_protection', 1 );
| 124 | |