Ticket #8734: 8734.1.patch

src/bp-core/admin/bp-core-admin-settings.php

@@ -47 +47 @@
 <?php
 }
 
+/**
+ * Enable private site functionality.
+ *
+ * @since 11.0.0
+ *
+ */
+function bp_admin_setting_callback_private_site() {
+?>
+
+        <input id="bp-is-private-site" name="bp-is-private-site" type="checkbox" value="1" <?php checked( get_option( 'bp-is-private-site' ) ); ?> />
+        <label for="bp-is-private-site"><?php _e( 'Require users to be logged in to access BuddyPress content.', 'buddypress' ); ?></label>
+
+<?php
+}
+
 /**
  * Form element to change the active template pack.
  */

new file src/bp-core/bp-core-private-site.php

@@ +1 @@
+<?php
+/**
+ * Core private site functions.
+ *
+ * @package BuddyPress
+ * @subpackage PrivateSite
+ * @since 11.0.0
+ */
+
+// Exit if accessed directly.
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * Is this site private?
+ *
+ * @since 11.0.0
+ *
+ * @return bool True if this site is set to private, false otherwise.
+ */
+function bp_is_private_site() {
+        $saved_value = get_option( 'bp-is-private-site' );
+
+        /**
+         * Must a user be logged in to view BuddyPress content?
+         *
+         * @since 11.0.0
+         *
+         * @param bool $saved_value True if BuddyPress content should be protected.
+         */
+        return apply_filters( 'bp_is_private_site', $saved_value );
+}
+
+/**
+ * Should the user have access to this content?
+ * Plugins may also prevent access to their content here.
+ *
+ * @since 11.0.0
+ */
+function bp_private_site_access_protection() {
+        $user_has_access = true;
+        $no_access_args  = array();
+
+        // Protect BuddyPress content if the site is set to private.
+        if ( is_buddypress() && ! ( bp_is_register_page() || bp_is_activation_page() ) && bp_is_private_site() && ! is_user_logged_in() ) {
+                $user_has_access = false;
+                // The default no_access_args in bp_core_no_access() are good for our use.
+        }
+
+        /**
+         * Allow plugins to filter whether the current user has access to this content.
+         *
+         * Note that if a plugin sets $user_has_access to false, it may also
+         * want to change the $no_access_args, to avoid problems such as
+         * logged-in users being redirected to wp-login.php.
+         *
+         * @since 11.0.0
+         *
+         * @param bool  $user_has_access True if the user has access to the
+         *                               content, otherwise false.
+         * @param array $no_access_args  Arguments to be passed to bp_core_no_access() in case
+         *                               of no access. Note that this value is passed by reference,
+         *                               so it can be modified by the filter callback.
+         */
+        $user_has_access = apply_filters_ref_array( 'bp_private_site_user_has_access', array( $user_has_access, &$no_access_args ) );
+
+        // If user doesn't have access, we hand off to bp_core_no_access().
+        if ( ! $user_has_access ) {
+                bp_core_no_access( $no_access_args );
+        }
+}
+add_action( 'bp_actions', 'bp_private_site_access_protection' );
+
+/**
+ * Should RSS feeds be enabled?
+ *
+ * @since 11.0.0
+ *
+ * @param bool   $feed_enabled True if feeds are enabled. Default true.
+ * @param string $feed_id      The feed identifier.
+ */
+function bp_private_site_rss_feed_access_protection( $feed_enabled, $feed_id ) {
+        if ( bp_is_private_site() && ! is_user_logged_in() ) {
+                /**
+                 * Allow plugins to allow specific feeds even when private site is enabled.
+                 *
+                 * @since 11.0.0
+                 *
+                 * @param bool  $feed_enabled True to allow access to the feed.
+                 * @param array $feed_id      The feed identifier.
+                 */
+                $feed_enabled = apply_filters( 'bp_private_site_rss_feed_access_protection', false, $feed_id );
+        }
+        return $feed_enabled;
+}
+add_filter( 'bp_activity_enable_feeds', 'bp_private_site_rss_feed_access_protection', 10, 2 );
+
+/**
+ * Prevent REST endpoints from outputting content
+ * if this is a private site.
+ *
+ * @since 11.0.0
+ */
+function bp_private_site_rest_api_access_protection() {
+        $rest_disabled = false;
+
+        if ( bp_is_private_site() && ! is_user_logged_in() ) {
+                /**
+                 * Allow plugins to allow specific feeds even when private site is enabled.
+                 *
+                 * @since 11.0.0
+                 *
+                 * @param bool  $rest_disabled True to prevent the registration of the BP REST endpoints.
+                 */
+                $rest_disabled = apply_filters( 'bp_private_site_rest_api_access_protection', true );
+        }
+
+        // @TODO: This seems not too great. Is there a general BP REST access check that would be better, or are they all atomic, like `bp_rest_groups_get_items_permissions_check`?
+        // If they are all atomic, would it make sense to list all of them in an array and add_filters for each, allowing a filter to enable specific filters?
+        if ( $rest_disabled ) {
+                remove_action( 'bp_rest_api_init', 'bp_rest', 5 );
+        }
+}
+add_action( 'bp_rest_api_init', 'bp_private_site_rest_api_access_protection', 1 );
+

src/bp-core/classes/class-bp-admin.php

@@ -466 +466 @@
                 add_settings_field( 'bp-disable-account-deletion', __( 'Account Deletion', 'buddypress' ), 'bp_admin_setting_callback_account_deletion', 'buddypress', 'bp_main' );
                 register_setting( 'buddypress', 'bp-disable-account-deletion', 'intval' );
 
+                // Enable private site functionality.
+                add_settings_field( 'bp-is-private-site', __( 'Enable Private Site', 'buddypress' ), 'bp_admin_setting_callback_private_site', 'buddypress', 'bp_main' );
+                register_setting( 'buddypress', 'bp-is-private-site', 'intval' );
+
                 // Template pack picker.
                 add_settings_field( '_bp_theme_package_id', __( 'Template Pack', 'buddypress' ), 'bp_admin_setting_callback_theme_package_id', 'buddypress', 'bp_main', array( 'label_for' => '_bp_theme_package_id' ) );
                 register_setting( 'buddypress', '_bp_theme_package_id', 'sanitize_text_field' );

src/class-buddypress.php

@@ -538 +538 @@
                 require $this->plugin_dir . 'bp-core/bp-core-customizer-email.php';
                 require $this->plugin_dir . 'bp-core/bp-core-rest-api.php';
                 require $this->plugin_dir . 'bp-core/bp-core-blocks.php';
+                require $this->plugin_dir . 'bp-core/bp-core-private-site.php';
 
                 // Get the list of versions needing their deprecated functions to be loaded.
                 $deprecated_functions_versions = bp_get_deprecated_functions_versions();