
Ticket #8734: 8734.1.patch

File 8734.1.patch, 6.7 KB (added by dcavins, 2 years ago)

Enable simple site privacy. Prevent access to BP pages, RSS feeds, REST API. Allow access to Registration and Activation screens.

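--- a/src/bp-core/admin/bp-core-admin-settings.php
+++ b/src/bp-core/admin/bp-core-admin-settings.php
@@ -47,6 +47,21 @@ function bp_admin_setting_callback_account_deletion() {
 <?php
 }
 
+/**
+ * Enable private site functionality.
+ *
+ * @since 11.0.0
+ *
+ */
+function bp_admin_setting_callback_private_site() {
+?>
+
+        <input id="bp-is-private-site" name="bp-is-private-site" type="checkbox" value="1" <?php checked( get_option( 'bp-is-private-site' ) ); ?> />
+        <label for="bp-is-private-site"><?php _e( 'Require users to be logged in to access BuddyPress content.', 'buddypress' ); ?></label>
+
+<?php
+}
+
 /**
  * Form element to change the active template pack.
  */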
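Review bot: The checkbox state at new line 59 is read with `get_option( 'bp-is-private-site' )`, and `bp_is_private_site()` in bp-core-private-site.php reads the option the same way, whereas BuddyPress settings are normally read through `bp_get_option()` so that multisite installs consult the root blog's value. If that applies here, a sub-site with no option row of its own would evaluate as not private and the restriction would silently not apply there, which is a fail-open result for an access control. Suggest `checked( bp_get_option( 'bp-is-private-site' ) )` here and `bp_get_option( 'bp-is-private-site' )` in `bp_is_private_site()`. The label would also be better printed with `esc_html_e()` than `_e()`, since translation strings end up in HTML unescaped otherwise.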
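--- /dev/null
+++ b/src/bp-core/bp-core-private-site.php
@@ -0,0 +1,124 @@
+<?php
+/**
+ * Core private site functions.
+ *
+ * @package BuddyPress
+ * @subpackage PrivateSite
+ * @since 11.0.0
+ */
+
+// Exit if accessed directly.
+defined( 'ABSPATH' ) || exit;
+
+/**
+ * Is this site private?
+ *
+ * @since 11.0.0
+ *
+ * @return bool True if this site is set to private, false otherwise.
+ */
+function bp_is_private_site() {
+        $saved_value = get_option( 'bp-is-private-site' );
+
+        /**
+         * Must a user be logged in to view BuddyPress content?
+         *
+         * @since 11.0.0
+         *
+         * @param bool $saved_value True if BuddyPress content should be protected.
+         */
+        return apply_filters( 'bp_is_private_site', $saved_value );
+}
+
+/**
+ * Should the user have access to this content?
+ * Plugins may also prevent access to their content here.
+ *
+ * @since 11.0.0
+ */
+function bp_private_site_access_protection() {
+        $user_has_access = true;
+        $no_access_args  = array();
+
+        // Protect BuddyPress content if the site is set to private.
+        if ( is_buddypress() && ! ( bp_is_register_page() || bp_is_activation_page() ) && bp_is_private_site() && ! is_user_logged_in() ) {
+                $user_has_access = false;
+                // The default no_access_args in bp_core_no_access() are good for our use.
+        }
+
+        /**
+         * Allow plugins to filter whether the current user has access to this content.
+         *
+         * Note that if a plugin sets $user_has_access to false, it may also
+         * want to change the $no_access_args, to avoid problems such as
+         * logged-in users being redirected to wp-login.php.
+         *
+         * @since 11.0.0
+         *
+         * @param bool  $user_has_access True if the user has access to the
+         *                               content, otherwise false.
+         * @param array $no_access_args  Arguments to be passed to bp_core_no_access() in case
+         *                               of no access. Note that this value is passed by reference,
+         *                               so it can be modified by the filter callback.
+         */
+        $user_has_access = apply_filters_ref_array( 'bp_private_site_user_has_access', array( $user_has_access, &$no_access_args ) );
+
+        // If user doesn't have access, we hand off to bp_core_no_access().
+        if ( ! $user_has_access ) {
+                bp_core_no_access( $no_access_args );
+        }
+}
+add_action( 'bp_actions', 'bp_private_site_access_protection' );
+
+/**
+ * Should RSS feeds be enabled?
+ *
+ * @since 11.0.0
+ *
+ * @param bool   $feed_enabled True if feeds are enabled. Default true.
+ * @param string $feed_id      The feed identifier.
+ */
+function bp_private_site_rss_feed_access_protection( $feed_enabled, $feed_id ) {
+        if ( bp_is_private_site() && ! is_user_logged_in() ) {
+                /**
+                 * Allow plugins to allow specific feeds even when private site is enabled.
+                 *
+                 * @since 11.0.0
+                 *
+                 * @param bool  $feed_enabled True to allow access to the feed.
+                 * @param array $feed_id      The feed identifier.
+                 */
+                $feed_enabled = apply_filters( 'bp_private_site_rss_feed_access_protection', false, $feed_id );
+        }
+        return $feed_enabled;
+}
+add_filter( 'bp_activity_enable_feeds', 'bp_private_site_rss_feed_access_protection', 10, 2 );
+
+/**
+ * Prevent REST endpoints from outputting content
+ * if this is a private site.
+ *
+ * @since 11.0.0
+ */
+function bp_private_site_rest_api_access_protection() {
+        $rest_disabled = false;
+
+        if ( bp_is_private_site() && ! is_user_logged_in() ) {
+                /**
+                 * Allow plugins to allow specific feeds even when private site is enabled.
+                 *
+                 * @since 11.0.0
+                 *
+                 * @param bool  $rest_disabled True to prevent the registration of the BP REST endpoints.
+                 */
+                $rest_disabled = apply_filters( 'bp_private_site_rest_api_access_protection', true );
+        }
+
+        // @TODO: This seems not too great. Is there a general BP REST access check that would be better, or are they all atomic, like `bp_rest_groups_get_items_permissions_check`?
+        // If they are all atomic, would it make sense to list all of them in an array and add_filters for each, allowing a filter to enable specific filters?
+        if ( $rest_disabled ) {
+                remove_action( 'bp_rest_api_init', 'bp_rest', 5 );
+        }
+}
+add_action( 'bp_rest_api_init', 'bp_private_site_rest_api_access_protection', 1 );
+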
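Review bot: In `bp_private_site_rest_api_access_protection()` the whole REST lock rests on `remove_action( 'bp_rest_api_init', 'bp_rest', 5 )` succeeding, and its boolean return value is ignored. If `bp_rest` is ever hooked under another priority, the endpoints stay registered for logged-out visitors and the private-site setting fails open with no signal. A deny-by-default check evaluated per request would not depend on hook ordering, for example a `rest_pre_dispatch` filter returning a 401 `WP_Error` for routes in the BuddyPress namespace. It could also keep signup and activation routes reachable, matching the `bp_is_register_page() || bp_is_activation_page()` exemption in `bp_private_site_access_protection()`, and it is worth confirming that `is_user_logged_in()` already reflects REST authentication when this hook runs. The filter docblock in this function still says "specific feeds" and should describe REST endpoints, and the `$feed_id` tag in the feed filter docblock should read `string`, not `array`.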
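--- a/src/bp-core/classes/class-bp-admin.php
+++ b/src/bp-core/classes/class-bp-admin.php
@@ -466,6 +466,10 @@ class BP_Admin {
                 add_settings_field( 'bp-disable-account-deletion', __( 'Account Deletion', 'buddypress' ), 'bp_admin_setting_callback_account_deletion', 'buddypress', 'bp_main' );
                 register_setting( 'buddypress', 'bp-disable-account-deletion', 'intval' );
 
+                // Enable private site functionality.
+                add_settings_field( 'bp-is-private-site', __( 'Enable Private Site', 'buddypress' ), 'bp_admin_setting_callback_private_site', 'buddypress', 'bp_main' );
+                register_setting( 'buddypress', 'bp-is-private-site', 'intval' );
+
                 // Template pack picker.
                 add_settings_field( '_bp_theme_package_id', __( 'Template Pack', 'buddypress' ), 'bp_admin_setting_callback_theme_package_id', 'buddypress', 'bp_main', array( 'label_for' => '_bp_theme_package_id' ) );
                 register_setting( 'buddypress', '_bp_theme_package_id', 'sanitize_text_field' );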
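--- a/src/class-buddypress.php
+++ b/src/class-buddypress.php
@@ -538,6 +538,7 @@ class BuddyPress {
                 require $this->plugin_dir . 'bp-core/bp-core-customizer-email.php';
                 require $this->plugin_dir . 'bp-core/bp-core-rest-api.php';
                 require $this->plugin_dir . 'bp-core/bp-core-blocks.php';
+                require $this->plugin_dir . 'bp-core/bp-core-private-site.php';
 
                 // Get the list of versions needing their deprecated functions to be loaded.
                 $deprecated_functions_versions = bp_get_deprecated_functions_versions();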