Current File : //var/www/pn/wp-content/plugins/user-role-editor/includes/classes/protect-admin.php
<?php
/*
* Main class of User Role Editor WordPress plugin
* Author: Vladimir Garagulya
* Author email: support@role-editor.com
* Author URI: https://www.role-editor.com
* License: GPL v2+
*
*/
class URE_Protect_Admin {
private $lib = null;
private $user_to_check = null; // cached list of user IDs, who has Administrator role
public function __construct() {
global $pagenow;
$this->lib = URE_Lib::get_instance();
$this->user_to_check = array();
// Exclude administrator role from edit list.
add_filter('editable_roles', array($this, 'exclude_admin_role'));
if (in_array($pagenow, array('users.php', 'user-edit.php'))) {
// prohibit any actions with user who has Administrator role
add_filter('user_has_cap', array($this, 'not_edit_admin'), 10, 3);
}
// exclude users with 'Administrator' role from users list
add_action('pre_user_query', array($this, 'exclude_administrators'));
// do not show 'Administrator (s)' view above users list
add_filter('views_users', array($this, 'exclude_admins_view'));
}
// end of __construct()
// apply protection to the user edit pages only
protected function is_protection_applicable() {
global $pagenow;
$result = false;
$pages_to_block = array('profile.php', 'users.php', 'user-new.php', 'user-edit.php');
if (in_array($pagenow, $pages_to_block)) {
$result = true;
}
return $result;
}
// end of is_protection_applicable()
/**
* exclude administrator role from the roles list
*
* @param string $roles
* @return array
*/
public function exclude_admin_role( $roles ) {
if ( $this->is_protection_applicable() && isset( $roles['administrator'] ) ) {
unset( $roles['administrator'] );
}
return $roles;
}
// end of exclude_admin_role()
/**
* Check if user has "Administrator" role assigned
*
* @global wpdb $wpdb
* @param int $user_id
* @return boolean returns true is user has Role "Administrator"
*/
private function has_administrator_role($user_id) {
global $wpdb;
if (empty($user_id) || !is_numeric($user_id)) {
return false;
}
$meta_key = $wpdb->prefix .'capabilities';
$query = $wpdb->prepare(
"SELECT count(*)
FROM {$wpdb->usermeta}
WHERE user_id=%d AND meta_key=%s AND meta_value LIKE %s",
array($user_id, $meta_key, '%"administrator"%') );
$has_admin_role = $wpdb->get_var($query);
if ($has_admin_role > 0) {
$result = true;
} else {
$result = false;
}
// cache checking result for the future use
$this->user_to_check[$user_id] = $result;
return $result;
}
// end of has_administrator_role()
/**
* We have two vulnerable queries with user id at admin interface, which should be processed
* 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
* 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
* If put Administrator user ID into such request, user with lower capabilities (if he has 'edit_users')
* can edit, delete admin record
* This function removes 'edit_users' or 'delete_users' or 'remove_users' capability from current user capabilities,
* if request sent against a user with 'administrator' role
*
* @param array $allcaps
* @param type $caps
* @param string $name
* @return array
*/
public function not_edit_admin($allcaps, $caps, $name) {
if (is_array($caps) & count($caps)>0) {
// 1st element of this array not always has index 0. Use workaround to extract it.
$caps_v = array_values($caps);
$cap = $caps_v[0];
} else {
$cap = $caps;
}
$checked_caps = array('edit_users', 'delete_users', 'remove_users');
if (!in_array($cap, $checked_caps)) {
return $allcaps;
}
$user_keys = array('user_id', 'user');
foreach ($user_keys as $user_key) {
$access_deny = false;
$user_id = (int) $this->lib->get_request_var($user_key, 'get', 'int');
if (empty($user_id)) { // check the next key
continue;
}
if ($user_id == 1) { // built-in WordPress Admin
$access_deny = true;
} else {
if (!isset($this->user_to_check[$user_id])) {
// check if user_id has Administrator role
$access_deny = $this->has_administrator_role($user_id);
} else {
// user_id was checked already, get result from cash
$access_deny = $this->user_to_check[$user_id];
}
}
if ($access_deny && isset($allcaps[$cap])) {
unset($allcaps[$cap]);
}
break;
}
return $allcaps;
}
// end of not_edit_admin()
/**
* add where criteria to exclude users with 'Administrator' role from users list
*
* @global wpdb $wpdb
* @param type $user_query
*/
public function exclude_administrators($user_query) {
global $wpdb;
if (!$this->is_protection_applicable()) { // block the user edit stuff only
return;
}
// get user_id of users with 'Administrator' role
$current_user_id = get_current_user_id();
$meta_key = $wpdb->prefix . 'capabilities';
$query = $wpdb->prepare(
"SELECT user_id
FROM {$wpdb->usermeta}
WHERE user_id!=%d AND meta_key=%s AND meta_value like %s",
array($current_user_id, $meta_key, '%"administrator"%'));
$ids_arr = $wpdb->get_col($query);
if (is_array($ids_arr) && count($ids_arr) > 0) {
$ids = implode(',', $ids_arr);
$user_query->query_where .= " AND ( $wpdb->users.ID NOT IN ( $ids ) )";
}
}
// end of exclude_administrators()
private function extract_view_quantity($text) {
$match = array();
$result = preg_match('#\((.*?)\)#', $text, $match);
if ($result) {
$quantity = $match[1];
} else {
$quantity = 0;
}
return $quantity;
}
// end of extract_view_quantity()
private function extract_int($str_val) {
$str_val1 = str_replace(',', '', $str_val); // remove ',' from numbers like '2,015'
$int_val = (int) preg_replace('/[^\-\d]*(\-?\d*).*/','$1', $str_val1); // extract numeric value strings like from '2015 bla-bla'
return $int_val;
}
// end of extract_int()
/*
* Exclude view of users with Administrator role
*
*/
public function exclude_admins_view($views) {
if (!isset($views['administrator'])) {
return $views;
}
if (isset($views['all'])) {
// Decrease quant of all users for a quant of hidden admins
$admins_orig_s = $this->extract_view_quantity($views['administrator']);
$admins_int = $this->extract_int($admins_orig_s);
$all_orig_s = $this->extract_view_quantity($views['all']);
$all_orig_int = $this->extract_int($all_orig_s);
$all_new_int = $all_orig_int - $admins_int;
$all_new_s = number_format_i18n($all_new_int);
$views['all'] = str_replace($all_orig_s, $all_new_s, $views['all']);
}
unset($views['administrator']);
return $views;
}
// end of exclude_admins_view()
}
// end of URE_Protect_Admin class
Mini Shell