Changeset 8605 for trunk/src/bp-groups/bp-groups-actions.php

Timestamp:

07/12/2014 01:26:36 AM (11 years ago)

Author:

boonebgorges

Message:

Overhaul access and visibility control for group tabs

Previously, access control to group tabs was handled in two ways:

• for BP_Group_Extension tabs, the 'enable_nav_item' and 'visibility' provided some control over access to plugin developers, though it was inconsistent, buggy, and difficult to implement properly
• for tabs provided by bp-groups, access to the tabs of non-public groups was controlled directly in the BP_Groups_Component::setup_globals() method

Aside from being unclear for developers, this technique for controlling access
was also inflexible. For non-public groups, tab access was hardcoded and
handled before BP_Group_Extension plugins even had a chance to load. As a
result, it was essentially impossible to add public tabs to non-public groups
(among other non-standard customizations).

The current changeset comprises a number of changes that make tab access more
consistent and flexible:

• Access control is moved to the new bp_groups_group_access_protection() function. This function has the necessary filters to customize access protection in arbitrary ways. And because it loads at 'bp_actions' - just before the page begins to render - all extensions have had a chance to load and register themselves with the desired access settings.
• The 'visibility' and 'enable_nav_item' properties of BP_Group_Extension are phased out in favor of 'access' and 'show_tab' params. 'access' controls who can visit the tab, while 'show_tab' controls who can see the item in the navigation. These new properties have intelligent defaults (based on the privacy level of the group), but can be overridden with a number of custom settings: 'admin', 'mod', 'member', 'loggedin', 'anyone', or 'noone'. Backward compatibility is maintained, so that existing BP_Group_Extension plugins that use enable_nav_item or visibility will continue to work as before.

Fixes #4785

Props boonebgorges, dcavins, imath

File:

• trunk/src/bp-groups/bp-groups-actions.php (modified) (1 diff)

trunk/src/bp-groups/bp-groups-actions.php

@@ -14 +14 @@
 // Exit if accessed directly
 if ( !defined( 'ABSPATH' ) ) exit;
+
+/**
+ * Protect access to single groups.
+ *
+ * @since BuddyPress (2.1.0)
+ */
+function bp_groups_group_access_protection() {
+    if ( ! bp_is_group() ) {
+        return;
+    }
+
+    $current_group   = groups_get_current_group();
+    $user_has_access = $current_group->user_has_access;
+    $no_access_args  = array();
+
+    if ( ! $user_has_access && 'hidden' !== $current_group->status ) {
+        // Always allow access to home and request-membership
+        if ( bp_is_current_action( 'home' ) || bp_is_current_action( 'request-membership' ) ) {
+            $user_has_access = true;
+
+        // User doesn't have access, so set up redirect args
+        } else if ( is_user_logged_in() ) {
+            $no_access_args = array(
+                'message'  => __( 'You do not have access to this group.', 'buddypress' ),
+                'root'     => bp_get_group_permalink( $current_group ) . 'home/',
+                'redirect' => false
+            );
+        }
+    }
+
+    // Protect the admin tab from non-admins
+    if ( bp_is_current_action( 'admin' ) && ! bp_is_item_admin() ) {
+        $user_has_access = false;
+        $no_access_args  = array(
+            'message'  => __( 'You are not an admin of this group.', 'buddypress' ),
+            'root'     => bp_get_group_permalink( $current_group ),
+            'redirect' => false
+        );
+    }
+
+    /**
+     * Allow plugins to filter whether the current user has access to this group content.
+     *
+     * Note that if a plugin sets $user_has_access to false, it may also
+     * want to change the $no_access_args, to avoid problems such as
+     * logged-in users being redirected to wp-login.php.
+     *
+     * @since BuddyPress (2.1.0)
+     *
+     * @param bool $user_has_access True if the user has access to the
+     *        content, otherwise false.
+     * @param array $no_access_args Arguments to be passed to
+     *        bp_core_no_access() in case of no access. Note that this
+     *        value is passed by reference, so it can be modified by the
+     *        filter callback.
+     */
+    $user_has_access = apply_filters_ref_array( 'bp_group_user_has_access', array( $user_has_access, &$no_access_args ) );
+
+    // If user has access, we return rather than redirect
+    if ( $user_has_access ) {
+        return;
+    }
+
+    // Hidden groups should return a 404 for non-members.
+    // Unset the current group so that you're not redirected
+    // to the default group tab
+    if ( 'hidden' == $current_group->status ) {
+        buddypress()->groups->current_group = 0;
+        buddypress()->is_single_item        = false;
+        bp_do_404();
+        return;
+    } else {
+        bp_core_no_access( $no_access_args );
+    }
+
+}
+add_action( 'bp_actions', 'bp_groups_group_access_protection' );
 
 /**