*/
private $jquery_plugin_instances = array();
/**
* @var null|\YahnisElsts\AdminMenuEditor\WebpackRegistry\WebpackAssetRegistry
*/
private $webpack_registry = null;
/**
* @var ameCustomizationFeatureToggle
*/
private $menu_structure_feature;
function init(){
$this->sitewide_options = true;
//Set some plugin-specific options
if ( empty($this->option_name) ){
$this->option_name = 'ws_menu_editor';
}
$this->defaults = array(
'hide_advanced_settings' => true,
'show_extra_icons' => false,
'custom_menu' => null,
'custom_network_menu' => null,
'first_install_time' => null,
'display_survey_notice' => true,
'plugin_db_version' => 0,
'security_logging_enabled' => false,
'menu_config_scope' => ($this->is_super_plugin() || !is_multisite()) ? 'global' : 'site',
//super_admin, specific_user, or a capability.
'plugin_access' => $this->is_super_plugin() ? 'super_admin' : 'manage_options',
//The ID of the user who is allowed to use this plugin. Only used when plugin_access == specific_user.
'allowed_user_id' => null,
//The user who can see this plugin on the "Plugins" page. By default all admins can see it.
'plugins_page_allowed_user_id' => null,
'show_deprecated_hide_button' => true, //Note: Un-deprecated as of 2015.10.01.
'dashboard_hiding_confirmation_enabled' => true,
//When to show submenu icons.
'submenu_icons_enabled' => 'if_custom', //"never", "if_custom" or "always".
//Enable/disable CSS workaround that helps override menu icons set by other plugins.
'force_custom_dashicons' => true,
//Menu editor UI colour scheme. "Classic" is the old blue/yellow scheme, and "wp-grey" is more WP-like.
'ui_colour_scheme' => 'classic',
//User logins that will show up in the actor list at the top of the editor.
'visible_users' => array(),
//Enable/disable the admin notice that tells the user where the plugin settings menu is.
'show_plugin_menu_notice' => true,
//Where to place menu items that are not part of the last saved menu configuration.
//This usually applies to new items added by other plugins and, in Multisite, items that exist on
//the current site but did not exist on the site where the user last edited the menu configuration.
'unused_item_position' => 'relative', //"relative" or "bottom".
//Permissions for menu items that are not part of the saved menu configuration.
//The default is to leave the permissions unchanged.
'unused_item_permissions' => 'unchanged', //"unchanged" or "match_plugin_access".
//Verbosity level of menu permission errors.
'error_verbosity' => self::VERBOSITY_NORMAL,
//Enable/disable a series of size optimizations for the menu configuration.
//For historical reasons, this is called "compression" in some parts of the code,
//but it's closer to using a more space-efficient format.
'optimize_custom_menu_size' => true,
//Enable/disable menu configuration compression. Enabling it makes the DB row much smaller,
//but adds decompression overhead to very admin page.
'compress_custom_menu' => false,
//Automatically clean up data associated with missing roles and users. Only applies to some settings.
'delete_orphan_actor_settings' => !is_multisite(),
//Make custom menu and page titles translatable with WPML. They will appear in the "Strings" section.
//This only applies to custom (i.e. changed) titles.
'wpml_support_enabled' => true,
//Prevent bbPress from resetting its own roles. This should allow the user to edit bbPress roles
//with any role editing plugin. Disabled by default due to risk of conflicts and the performance impact.
'bbpress_override_enabled' => false,
//Experimental: Allow more than two levels of menus.
'deep_nesting_enabled' => null,
'was_nesting_ever_changed' => false,
//Which modules are active or inactive. Format: ['module-id' => true/false].
'is_active_module' => array(
'highlight-new-menus' => false,
),
);
$this->serialize_with_json = false; //(Don't) store the options in JSON format
//WP 4.3+ uses H1 headings for admin pages. Older versions use H2 instead.
self::$admin_heading_tag = version_compare($GLOBALS['wp_version'], '4.3', '<') ? 'h2' : 'h1';
$this->settings_link = (is_network_admin() ? 'settings.php' : 'options-general.php') . '?page=menu_editor';
$this->magic_hooks = true;
//Run our hooks last (almost). Priority is less than PHP_INT_MAX mostly for defensive programming purposes.
//Old PHP versions have known bugs related to large array keys, and WP might have undiscovered edge cases.
$this->magic_hook_priority = PHP_INT_MAX - 10;
/*
* Menu blacklist. Any menu items that *exactly* match one of the URLs on this list will be ignored.
* They won't show up in the editor or the admin menu, but they will remain accessible (caps permitting).
*
* This is a workaround for plugins that add a menu item and then remove it. Most plugins do this
* to create "Welcome" or "What's New" pages that are accessible but don't appear in the admin menu.
*
* We can't automatically detect menus like that. Here's why:
* 1) Most plugins remove them too late, e.g. in admin_head. By that point, output has already started.
* We need to finalize the list of menu items and their permissions before that.
* 2) It's hard to automatically determine *why* a menu item was removed. We can't distinguish between
* cosmetic changes like the hidden "welcome" items and people removing menus to deny access.
*/
$this->menu_url_blacklist = array(
//WP RSS Aggregator 4.7.7
'index.php?page=wprss-welcome' => true,
//AffiliateWP 1.7.8
'index.php?page=affwp-getting-started' => true,
'index.php?page=affwp-what-is-new' => true,
'index.php?page=affwp-credits' => true,
//BuddyPress 2.3.4
'index.php?page=bp-about' => true,
'index.php?page=bp-credits' => true,
//BuddyBoss 1.5.9
'admin.php?page=buddyboss-platform' => 'submenu',
//DW Question Answer 1.3.8.1
'index.php?page=dwqa-about' => true,
'index.php?page=dwqa-changelog' => true,
'index.php?page=dwqa-credits' => true,
//Ninja Forms 2.9.41
'index.php?page=nf-about' => true,
'index.php?page=nf-changelog' => true,
'index.php?page=nf-getting-started' => true,
'index.php?page=nf-credits' => true,
//All in One SEO Pack 2.3.9.2
'index.php?page=aioseop-about' => true,
//WP Courseware 4.1.2
//'wpcw' => true, //This is commented out due to a bug. The Courseware top level menu and its first submenu
//both have the URL "wpcw", but the top level menu also has some visible, non-blacklisted items. AME would
//still hide the entire menu because the template builder doesn't check if a menu has submenu items.
'admin.php?page=wpcw-course-classroom' => true,
'admin.php?page=wpcw-student' => true,
'admin.php?page=WPCW_showPage_ConvertPage' => true,
'admin.php?page=WPCW_showPage_CourseOrdering' => true,
'admin.php?page=WPCW_showPage_GradeBook' => true,
'admin.php?page=WPCW_showPage_ModifyCourse' => true,
'admin.php?page=WPCW_showPage_ModifyModule' => true,
'admin.php?page=WPCW_showPage_ModifyQuestion' => true,
'admin.php?page=WPCW_showPage_ModifyQuiz' => true,
'admin.php?page=WPCW_showPage_UserCourseAccess' => true,
'admin.php?page=WPCW_showPage_UserProgess' => true,
'admin.php?page=WPCW_showPage_UserProgess_quizAnswers' => true,
//Extended Widget Options
'index.php?page=extended-widget-opts-getting-started' => true,
//Snax
'options-general.php?page=snax-pages-settings' => true,
'options-general.php?page=snax-lists-settings' => true,
'options-general.php?page=snax-quizzes-settings' => true,
'options-general.php?page=snax-polls-settings' => true,
'options-general.php?page=snax-stories-settings' => true,
'options-general.php?page=snax-memes-settings' => true,
'options-general.php?page=snax-audios-settings' => true,
'options-general.php?page=snax-videos-settings' => true,
'options-general.php?page=snax-images-settings' => true,
'options-general.php?page=snax-galleries-settings' => true,
'options-general.php?page=snax-embeds-settings' => true,
'options-general.php?page=snax-voting-settings' => true,
'options-general.php?page=snax-limits-settings' => true,
'options-general.php?page=snax-auth-settings' => true,
'options-general.php?page=snax-moderation-settings' => true,
'options-general.php?page=snax-embedly-settings' => true,
'options-general.php?page=snax-demo-settings' => true,
'index.php?page=snax-about' => true,
'options-general.php?page=snax-collections-settings' => true,
'options-general.php?page=snax-links-settings' => true,
'options-general.php?page=snax-extproduct-settings' => true,
'options-general.php?page=snax-slog-settings' => true,
'options-general.php?page=snax-slog-networks-settings' => true,
'options-general.php?page=snax-slog-locations-settings' => true,
'options-general.php?page=snax-slog-log-settings' => true,
'options-general.php?page=snax-slog-gdpr-settings' => true,
'options-general.php?page=snax-shares-settings' => true,
'options-general.php?page=snax-shares-positions-settings' => true,
//Media Ace
'options-general.php?page=mace-image-bulk-settings' => true,
'options-general.php?page=mace-lazy_load-settings' => true,
'options-general.php?page=mace-watermarks-settings' => true,
'options-general.php?page=mace-hotlink-settings' => true,
'options-general.php?page=mace-gif-settings' => true,
'options-general.php?page=mace-auto-featured-image-settings' => true,
'options-general.php?page=mace-expiry-settings' => true,
'options-general.php?page=mace-video-settings' => true,
'options-general.php?page=mace-gallery-settings' => true,
'options-general.php?page=mace-general-settings' => true,
//"What's Your Reaction"
'options-general.php?page=wyr-fakes-settings' => true,
//WP-Job-Manager 1.34.1
'index.php?page=job-manager-setup' => true,
//Simple Calendar 3.1.33
'index.php?page=simple-calendar_about' => true,
'index.php?page=simple-calendar_credits' => true,
'index.php?page=simple-calendar_translators' => true,
//Stripe For WooCommerce 3.2.12
'wc_stripe' => 'submenu',
//WP Grid Builder 1.5.9
'admin.php?page=wpgb-card-builder' => true,
'admin.php?page=wpgb-grid-settings' => true,
'admin.php?page=wpgb-facet-settings' => true,
//Google Analytics for WordPress by MonsterInsights 8.4.0
'index.php?page=monsterinsights-getting-started' => true,
//WPForms Lite 1.7.8 (and possibly the paid version)
'index.php?page=wpforms-getting-started' => true,
//WPFunnels 2.7.6
'admin.php?page=edit_funnel' => true,
'admin.php?page=email-builder' => true,
//Email Marketing Automation - Mail Mint 1.2.5
'admin.php?page=mint-mail-automation-editor' => true,
//Enable Media Replace 4.1.5
'upload.php?page=enable-media-replace/enable-media-replace.php' => true,
//Elementor 3.26.4
'admin.php?page=elementor-connect' => true,
//Elementor Pro (based on user reports, not verified)
'elementor-pro-notes-proxy' => true,
//Post SMTP 3.1.3
'index.php?page=post-about' => true,
'index.php?page=post-credits' => true,
//Advanced Flat Rate Shipping For WooCommerce 4.4.0 (submitted by the developer)
'admin.php?page=afrsm-pro-get-started' => true,
'admin.php?page=afrsm-pro-edit-shipping' => true,
'admin.php?page=afrsm-wc-shipping-zones' => true,
'admin.php?page=afrsm-pro-import-export' => true,
'admin.php?page=afrsm-page-general-settings' => true,
'admin.php?page=afrsm-page-add-ons' => true,
'admin.php?page=afrsm-pro-dashboard' => true,
'admin.php?page=dots_store' => 'submenu',
//WooCommerce Product Options 2.6.2
'admin.php?page=woocommerce-product-options-setup-wizard' => true,
//WooCommerce Quantity Manager 2.4.3
'admin.php?page=woocommerce-quantity-manager-setup-wizard' => true,
);
//AJAXify hints and warnings
add_action('wp_ajax_ws_ame_hide_hint', array($this, 'ajax_hide_hint'));
add_action(
'wp_ajax_ws_ame_disable_dashboard_hiding_confirmation',
array($this, 'ajax_disable_dashboard_hiding_confirmation')
);
//Retrieve a list of pages via AJAX.
add_action('wp_ajax_ws_ame_get_pages', array($this, 'ajax_get_pages'));
//Get details about a specific page via AJAX.
add_action('wp_ajax_ws_ame_get_page_details', array($this, 'ajax_get_page_details'));
//Make sure we have access to the original, un-mangled request data.
//This is necessary because WordPress will stupidly apply "magic quotes"
//to the request vars even if this PHP misfeature is disabled.
$this->capture_request_vars();
add_action('admin_enqueue_scripts', array($this, 'enqueue_menu_fix_script'), 8);
//Enqueue miscellaneous helper scripts and styles.
add_action('admin_enqueue_scripts', array($this, 'enqueue_helper_scripts'));
add_action('admin_print_styles', array($this, 'enqueue_helper_styles'));
//Make sure our scripts load before other plugins' scripts.
add_action('admin_print_scripts', array($this, 'move_editor_scripts_to_top'));
//User survey
add_action('admin_notices', array($this, 'display_survey_notice'));
//Tell first-time users where they can find the plugin settings page.
add_action('all_admin_notices', array($this, 'display_plugin_menu_notice'));
//Reset plugin access if the only allowed user gets deleted or their ID changes.
add_action('wp_login', array($this, 'maybe_reset_plugin_access'), 10, 2);
//Grant virtual capabilities like "super_user" to users.
add_filter('user_has_cap', array($this, 'grant_virtual_caps_to_user'), 9, 3);
add_filter('user_has_cap', array($this, 'regrant_virtual_caps_to_user'), 200, 1);
add_filter('map_meta_cap', array($this, 'identity_map_meta_cap_for_user'), 200, 3);
//Update caches when the current user changes.
add_action('set_current_user', array($this, 'update_current_user_cache'), 2, 0); //Run before most plugins.
//Clear or refresh per-user caches when the user's roles or capabilities change.
add_action('updated_user_meta', array($this, 'on_user_metadata_changed'), 10, 3);
add_action('deleted_user_meta', array($this, 'on_user_metadata_changed'), 10, 3);
//There's also a "set_user_role" hook, but it's only called by WP_User::set_role and not WP_User::add_role.
//It's also redundant - WP_User::set_role updates user meta, so the above hooks already cover it.
//Multisite: Clear role and capability caches when switching to another site.
add_action('switch_blog', array($this, 'clear_site_specific_caches'), 10, 0);
$this->menu_structure_feature = new ameCustomizationFeatureToggle(
self::ADMIN_MENU_STRUCTURE_COMPONENT,
$this,
'editor',
function () {
return [
__('You will still see the default admin menu content.', 'admin-menu-editor'),
__('Custom admin menu is disabled for your account.', 'admin-menu-editor'),
];
}
);
//"Test Access" feature.
if ( (defined('DOING_AJAX') && DOING_AJAX) || isset($this->get['ame-test-menu-access-as']) ) {
require_once 'access-test-runner.php';
$this->access_test_runner = new ameAccessTestRunner($this, $this->get);
}
//Additional links below the plugin description.
add_filter('plugin_row_meta', array($this, 'add_plugin_row_meta_links'), 10, 2);
//Utility actions. Modules can use them in their templates.
add_action('admin_menu_editor-display_tabs', array($this, 'display_editor_tabs'));
add_action('admin_menu_editor-display_header', array($this, 'display_settings_page_header'));
add_action('admin_menu_editor-display_footer', array($this, 'display_settings_page_footer'));
}
function init_finish() {
parent::init_finish();
$should_save_options = false;
//If we have no stored settings for this version of the plugin, try importing them
//from other versions (i.e. the free or the Pro version).
if ( !$this->load_options() ){
$this->import_settings();
$should_save_options = true;
}
$this->zlib_compression = $this->options['compress_custom_menu'];
//Track first install time.
if ( !isset($this->options['first_install_time']) ) {
$this->options['first_install_time'] = time();
$should_save_options = true;
}
if ( $this->options['plugin_db_version'] < $this->plugin_db_version ) {
/* Put any activation code here. */
$this->options['plugin_db_version'] = $this->plugin_db_version;
$should_save_options = true;
}
if ( $should_save_options ) {
//Skip saving options if the plugin hasn't been fully activated yet.
if ( $this->is_plugin_active($this->plugin_basename) ) {
$this->save_options();
} else {
//Yes, this method can actually run before WP updates the list of active plugins. That means functions
//like is_plugin_active_for_network() will return false. As a result, we can't determine whether
//the plugin has been network-activated yet, so lets skip setting up the default config until
//the next page load.
}
}
//This is here and not in init() because it relies on $options being initialized.
if ( $this->options['security_logging_enabled'] ) {
add_action('admin_notices', array($this, 'display_security_log'));
}
//Compatibility fix for MailPoet 3.
$this->apply_mailpoet_compat_fix();
//bbPress role override.
if ( !empty($this->options['bbpress_override_enabled']) ) {
require_once __DIR__ . '/bbpress-role-override.php';
new ameBBPressRoleOverride();
}
if ( did_action('plugins_loaded') ) {
$this->load_modules();
} else {
add_action('plugins_loaded', array($this, 'load_modules'), 11);
}
}
public function load_modules() {
$this->module_loader_recursion_depth++;
//Load any active modules that haven't been loaded yet.
foreach($this->get_active_modules() as $id => $module) {
//Skip modules that are already loaded or are in the process of being loaded.
if (
array_key_exists($id, $this->loaded_modules)
|| !empty($this->module_load_state[$id])
) {
continue;
}
$this->module_load_state[$id] = self::MODULE_STATE_LOADING;
include ($module['path']);
if ( !empty($module['className']) ) {
$instance = new $module['className']($this);
$this->loaded_modules[$id] = $instance;
} else {
$this->loaded_modules[$id] = true;
}
$this->module_load_state[$id] = self::MODULE_STATE_LOADED;
}
//This final setup step should only run once, after all modules have been loaded.
if ( $this->module_loader_recursion_depth === 1 ) {
$this->are_modules_loaded = true;
//Set up the tabs for the menu editor page. Many tabs are provided by modules.
$firstTabs = array('editor' => 'Admin Menu');
if ( is_network_admin() ) {
//TODO: This could be in extras.php
$firstTabs = array('network-admin-menu' => 'Network Admin Menu');
}
$this->tabs = apply_filters('admin_menu_editor-tabs', $firstTabs);
//The "Settings" tab is always last.
$this->tabs['settings'] = 'Settings';
}
$this->module_loader_recursion_depth--;
}
/**
* @return ameModule[]
*/
public function get_loaded_modules() {
return $this->loaded_modules;
}
/**
* Import settings from a different version of the plugin.
*
* @return bool True if settings were imported successfully, False otherwise
*/
function import_settings(){
$possible_names = array('ws_menu_editor', 'ws_menu_editor_pro');
foreach($possible_names as $option_name){
if ( $this->load_options($option_name) ){
return true;
}
}
return false;
}
/**
* Create a configuration page and load the custom menu
*
* @return void
*/
function hook_admin_menu(){
global $menu, $submenu;
//Compatibility fix for Shopp 1.2.9. This plugin has an "admin_menu" hook (Flow::menu) that adds another
//"admin_menu" hook (AdminFlow::taxonomies) when it runs. Basically, it indirectly modifies the global
//$wp_filters['admin_menu'] array while WordPress is iterating it (nasty!). Due to how PHP arrays are
//implemented and how do_action() works, this second hook is the very last one to run, even after hooks
//with a lower priority.
//The only way we can see the changes made by the second hook is to do the same thing.
static $firstRunSkipped = false;
if ( !$firstRunSkipped && class_exists('Flow') ) {
add_action(current_filter(), array($this, 'hook_admin_menu'), $this->magic_hook_priority + 1);
$firstRunSkipped = true;
return;
}
//The menu editor is only visible to users with the manage_options privilege.
//Or, if the plugin is installed in mu-plugins, only to the site administrator(s).
if ( $this->current_user_can_edit_menu() ){
$this->log_security_note('Current user can edit the admin menu.');
//Determine the current menu editor page tab.
reset($this->tabs);
$this->current_tab = isset($this->get['sub_section']) ? strval($this->get['sub_section']) : key($this->tabs);
$tab_title = '';
if ($this->current_tab !== 'editor' && isset($this->tabs[$this->current_tab])) {
$tab_title = ' - ' . $this->tabs[$this->current_tab];
}
$parent_slug = is_network_admin() ? 'settings.php' : 'options-general.php';
$page = add_submenu_page(
$parent_slug,
apply_filters('admin_menu_editor-self_page_title', 'Menu Editor') . $tab_title,
apply_filters('admin_menu_editor-self_menu_title', 'Menu Editor'),
apply_filters('admin_menu_editor-capability', 'manage_options'),
'menu_editor',
array($this, 'page_menu_editor')
);
//Output our JS & CSS on that page only
add_action("admin_print_scripts-$page", array($this, 'enqueue_scripts'), 1);
add_action("admin_print_styles-$page", array($this, 'enqueue_styles'));
//A special CSS class lets us conditionally style the menu item and its siblings.
ameMenuItem::add_class_to_submenu_item(
$parent_slug,
'menu_editor',
'ws-ame-primary-am-item'
);
//Let modules do something when loading a specific tab but before output starts.
add_action('load-' . $page, array($this, 'trigger_tab_load_event'));
//Notify modules that the menu item has been registered.
do_action('admin_menu_editor-editor_menu_registered');
//Compatibility fix for All In One Event Calendar; see the callback for details.
add_action("admin_print_scripts-$page", array($this, 'dequeue_ai1ec_scripts'));
//Compatibility fix for Participants Database.
add_action("admin_print_scripts-$page", array($this, 'dequeue_pd_scripts'));
//Experimental compatibility fix for Ultimate TinyMCE
add_action("admin_print_scripts-$page", array($this, 'remove_ultimate_tinymce_qtags'));
}
//Compatibility fix for the WooCommerce order count bubble. Must be run before storing or processing $submenu.
$this->apply_woocommerce_order_count_fix();
//Store the "original" menus for later use in the editor
$this->default_wp_menu = $menu;
$this->default_wp_submenu = $submenu;
//Compatibility fix for bbPress.
$this->apply_bbpress_compat_fix();
//Compatibility fix for WooCommerce (woo).
$this->apply_woocommerce_compat_fix();
//Compatibility fix for WordPress Mu Domain Mapping.
$this->apply_wpmu_domain_mapping_fix();
//Compatibility fix for Divi Training.
$this->apply_divi_training_fix();
//As of WP 3.5, the "Links" menu is hidden by default.
if ( !current_user_can('manage_links') ) {
$this->remove_link_manager_menus();
}
//Generate item templates from the default menu.
$templateBuilder = new ameMenuTemplateBuilder();
$this->item_templates = $templateBuilder->build(
$this->default_wp_menu,
$this->default_wp_submenu,
$this->get_menu_url_black_list()
);
//Store the default order for later. It will be used when (re)inserting unused items into the menu.
$this->relative_template_order = $templateBuilder->getRelativeTemplateOrder();
//Add extra templates that are not part of the normal menu.
$this->item_templates = $this->add_special_templates($this->item_templates);
//TODO: It would be nice to add the "Delete Site" item on multisite when on the main site.
//Is there a custom menu to use?
$custom_menu = $this->load_custom_menu();
$has_custom_menu = ($custom_menu !== null) && !empty($custom_menu['tree']);
if ( $has_custom_menu ) {
//Merge in data from the default menu
$custom_menu['tree'] = $this->menu_merge($custom_menu['tree']);
//Save the merged menu for later - the editor page will need it
$this->merged_custom_menu = $custom_menu;
do_action('admin_menu_editor-menu_merged', $this->merged_custom_menu);
}
if (
$has_custom_menu
&& !$this->menu_structure_feature->isCustomizationDisabled()
) {
//Convert our custom menu to the $menu + $submenu structure used by WP.
//Note: This method sets up multiple internal fields and may cause side-effects.
$this->user_cap_cache_enabled = true;
$this->build_custom_wp_menu($this->merged_custom_menu['tree']);
$this->user_cap_cache_enabled = false;
do_action('admin_menu_editor-menu_built', $this->merged_custom_menu, $this);
if ( $this->is_access_test ) {
$this->access_test_runner['wasCustomMenuApplied'] = true;
$this->access_test_runner->setCurrentMenuItem($this->get_current_menu_item());
}
if ( !$this->user_can_access_current_page() ) {
$this->log_security_note('DENY access.');
if ( $this->is_access_test ) {
$this->access_test_runner['userCanAccessCurrentPage'] = false;
}
$message = 'You do not have sufficient permissions to access this admin page.';
if ( ($this->options['error_verbosity'] >= self::VERBOSITY_NORMAL) ) {
$current_item = $this->get_current_menu_item();
if ( isset($current_item, $current_item['access_decision_reason']) ) {
$message .= sprintf(
'Reason: %s
',
htmlentities($current_item['access_decision_reason'])
);
}
}
if ($this->options['security_logging_enabled']
|| ($this->options['error_verbosity'] >= self::VERBOSITY_VERBOSE)
) {
$message .= 'Admin Menu Editor security log
';
$message .= $this->get_formatted_security_log();
}
do_action('admin_page_access_denied');
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- HTML should already be escaped as necessary.
wp_die($message);
} else {
$this->log_security_note('ALLOW access.');
if ( $this->is_access_test ) {
$this->access_test_runner['userCanAccessCurrentPage'] =
($this->access_test_runner['currentMenuItem'] !== null);
}
}
//Replace the admin menu just before it is displayed and restore it afterwards.
//The fact that replace_wp_menu() is attached to the 'submenu_file' hook is incidental;
//there just wasn't any other, more suitable hook available.
$replacementFilter = 'submenu_file';
/* Compatibility workaround for UIPress 3.3.100.
*
* UIPress also replaces the admin menu, but it does so using the 'parent_file' filter
* (conditionally, requires at least one active UIPress template, etc). If we want our
* menu settings to be applied, we need to replace the admin menu *before* UIPress does.
* So let's use the 'parent_file' filter when UIPress is active.
*/
if (
(defined('uip_plugin_path_name') && (uip_plugin_path_name === 'uipress-lite'))
|| $this->is_plugin_active('uipress/uipress.php')
) {
$replacementFilter = 'parent_file';
}
add_filter($replacementFilter, array($this, 'replace_wp_menu'), 1001);
add_action('adminmenu', array($this, 'restore_wp_menu'));
//A compatibility hack for Ozh's Admin Drop Down Menu. Make sure it also sees the modified menu.
$ozh_adminmenu_priority = has_action('in_admin_header', 'wp_ozh_adminmenu');
if ( $ozh_adminmenu_priority !== false ) {
add_action('in_admin_header', array($this, 'replace_wp_menu'), $ozh_adminmenu_priority - 1);
add_action('in_admin_header', array($this, 'restore_wp_menu'), $ozh_adminmenu_priority + 1);
}
} else {
do_action('admin_menu_editor-menu_replacement_skipped');
}
add_action(
'admin_menu_editor-register_hideable_items',
array($this, 'register_hideable_items'),
10,
1
);
add_filter(
'admin_menu_editor-save_hideable_items-admin-menu',
array($this, 'save_hideable_items'),
10,
2
);
}
private $is_menu_url_blacklist_filtered = false;
private function get_menu_url_black_list() {
if ( !$this->is_menu_url_blacklist_filtered ) {
$this->is_menu_url_blacklist_filtered = true; //Set early in case or unexpected recursion.
//Let other plugins add their own blacklisted URLs.
$this->menu_url_blacklist = apply_filters(
'admin_menu_editor-menu_url_blacklist',
$this->menu_url_blacklist
);
}
return $this->menu_url_blacklist;
}
/**
* Replace the current WP menu with our custom one.
*
* @param string $submenu_file Unused. Required because this method is a hook for the 'submenu_file' filter.
* @return string Returns the $submenu_file argument.
*/
public function replace_wp_menu($submenu_file = '') {
global $menu, $submenu;
$this->old_wp_menu = $menu;
$this->old_wp_submenu = $submenu;
// phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited -- Overriding menus is the whole point of this plugin.
$menu = $this->custom_wp_menu;
$submenu = $this->custom_wp_submenu;
// phpcs:enable
$this->user_cap_cache_enabled = true;
$this->filter_global_menu();
$this->user_cap_cache_enabled = false;
do_action('admin_menu_editor-menu_replaced');
return $submenu_file;
}
/**
* Restore the default WordPress menu that was replaced using replace_wp_menu().
*
* @return void
*/
public function restore_wp_menu() {
// phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
global $menu, $submenu;
$menu = $this->old_wp_menu;
$submenu = $this->old_wp_submenu;
// phpcs:enable
}
/**
* Filter a menu so that it can be handed to _wp_menu_output(). This method basically
* emulates the filtering that WordPress does in /wp-admin/includes/menu.php, with a few
* additions of our own.
*
* - Removes inaccessible items and superfluous separators.
*
* - Sets accessible items to a capability that the user is guaranteed to have to prevent
* _wp_menu_output() from choking on plugin-specific capabilities like "cap1,cap2+not:cap3".
*
* - Adds position-dependent CSS classes.
*
* @global array $menu
* @global array $submenu
*
* @return void
*/
private function filter_global_menu() {
// phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
global $menu, $submenu;
global $_wp_menu_nopriv; //Caution: Modifying this array could lead to unexpected consequences.
//Remove sub-menus which the user shouldn't be able to access,
//and ensure the rest are visible.
foreach ($submenu as $parent => $items) {
foreach ($items as $index => $data) {
if ( ! $this->current_user_can($data[1]) ) {
unset($submenu[$parent][$index]);
/** @noinspection PhpArrayUsedOnlyForWriteInspection -- It's a global variable used by WP. */
$_wp_submenu_nopriv[$parent][$data[2]] = true;
} else {
//The menu might be set to some kind of special capability that is only valid
//within this plugin and not WP in general. Ensure WP doesn't choke on it.
//(This is safe - we'll double-check the caps when the user tries to access a page.)
$submenu[$parent][$index][1] = 'exist'; //All users have the 'exist' cap.
}
}
if ( empty($submenu[$parent]) ) {
unset($submenu[$parent]);
}
}
//Remove consecutive submenu separators. This can happen if there are separators around a menu item
//that is not accessible to the current user.
foreach ($submenu as $parent => $items) {
$found_separator = false;
foreach ($items as $index => $item) {
//Separator have a dummy #anchor as a URL. See wsMenuEditorExtras::create_submenu_separator().
if (strpos($item[2], '#submenu-separator-') === 0) {
if ( $found_separator ) {
unset($submenu[$parent][$index]);
}
$found_separator = true;
} else {
$found_separator = false;
}
}
}
//Remove menus that have no accessible sub-menus and require privileges that the user does not have.
//Ensure the rest are visible. Run re-parent loop again.
foreach ( $menu as $id => $data ) {
if ( ! $this->current_user_can($data[1]) ) {
$_wp_menu_nopriv[$data[2]] = true;
} else {
$menu[$id][1] = 'exist';
}
//If there is only one submenu and it is has same destination as the parent,
//remove the submenu.
if ( ! empty( $submenu[$data[2]] ) && 1 == count ( $submenu[$data[2]] ) ) {
$subs = $submenu[$data[2]];
$first_sub = array_shift($subs);
if ( $data[2] == $first_sub[2] ) {
unset( $submenu[$data[2]] );
}
}
//If submenu is empty...
if ( empty($submenu[$data[2]]) ) {
// And user doesn't have privs, remove menu.
if ( isset( $_wp_menu_nopriv[$data[2]] ) ) {
unset($menu[$id]);
}
}
}
unset($id, $data, $subs, $first_sub);
//Remove any duplicated separators
$separator_found = false;
foreach ( $menu as $id => $data ) {
if ( 0 == strcmp('wp-menu-separator', $data[4] ) ) {
if ($separator_found) {
unset($menu[$id]);
}
$separator_found = true;
} else {
$separator_found = false;
}
}
unset($id, $data);
//Remove the last menu item if it is a separator.
$last_menu_key = array_keys( $menu );
$last_menu_key = array_pop( $last_menu_key );
if (!empty($menu) && 'wp-menu-separator' == $menu[$last_menu_key][4]) {
unset($menu[$last_menu_key]);
}
unset( $last_menu_key );
//Add display-specific classes like "menu-top-first" and others.
$menu = add_menu_classes($menu);
// phpcs:enable
}
public function get_safe_js_libraries() {
static $libraries = null;
if ( $libraries !== null ) {
return $libraries;
}
//Knockout
$knockout = ScriptDependency::create(
plugins_url('js/knockout.js', $this->plugin_file),
'ame-knockout',
AME_ROOT_DIR . '/js/knockout.js'
);
$deps = [
$knockout,
//Unaliased Knockout library for back-compat; should not be used.
ScriptDependency::create(
$knockout->getUrl(),
'knockout',
$knockout->getAbsoluteFilePath()
),
//Lodash library
ScriptDependency::create(
plugins_url('js/lodash4.min.js', $this->plugin_file),
'ame-lodash',
AME_ROOT_DIR . '/js/lodash4.min.js'
)
//Make sure Lodash doesn't conflict with the copy of Underscore that's bundled with WordPress.
//Revert the "_" variable to its original value and store Lodash in "wsAmeLodash" instead.
->addInlineScript('window.wsAmeLodash = _.noConflict();'),
//Knockout bindings for the jQuery UI sortable functionality.
ScriptDependency::create(
plugins_url('js/knockout-sortable.js', $this->plugin_file),
'ame-knockout-sortable',
AME_ROOT_DIR . '/js/knockout-sortable.js'
)
->addDependencies(
$knockout, 'jquery', 'jquery-ui-sortable',
'jquery-ui-draggable', 'jquery-ui-droppable'
),
//Miscellaneous Knockout extensions.
ScriptDependency::create(
plugins_url('js/free-ko-extensions.js', $this->plugin_file),
'ame-free-ko-extensions',
AME_ROOT_DIR . '/js/free-ko-extensions.js'
)
->addDependencies($knockout),
//Mini utilities for more functional programming.
ScriptDependency::create(
plugins_url('js/mini-func.js', $this->plugin_file),
'ame-mini-functional-lib',
AME_ROOT_DIR . '/js/mini-func.js'
),
];
$libraries = [];
foreach ($deps as $instance) {
$libraries[$instance->getHandle()] = $instance;
}
return $libraries;
}
public function register_base_dependencies() {
static $done = false;
if ( $done ) {
return;
}
$done = true;
foreach($this->get_base_dependencies() as $dependency) {
$dependency->register();
}
//Base styles.
wp_register_auto_versioned_style('menu-editor-base-style', plugins_url('css/menu-editor.css', $this->plugin_file));
if ( function_exists('ws_ame_register_customizable_js_lib') ) {
ws_ame_register_customizable_js_lib($this);
}
//Let extras register their scripts.
do_action('admin_menu_editor-register_scripts', $this);
}
/**
* @return ameBaseScriptDependencies
*/
public function get_base_dependencies(): ameBaseScriptDependencies {
static $deps = null;
if ( $deps !== null ) {
return $deps;
}
$deps = array_merge(
$this->get_jquery_plugins(),
$this->get_safe_js_libraries()
);
//Access editor module.
$accessEditor = ScriptDependency::create(
plugins_url('modules/access-editor/access-editor.js', $this->plugin_file),
'ame-access-editor',
AME_ROOT_DIR . '/modules/access-editor/access-editor.js'
)
->addDependencies('jquery', $deps['ame-lodash']);
$deps[$accessEditor->getHandle()] = $accessEditor;
//Actor manager.
$actorManager = ScriptDependency::create(
plugins_url('js/actor-manager.js', $this->plugin_file),
'ame-actor-manager',
AME_ROOT_DIR . '/js/actor-manager.js'
)
->addDependencies($deps['ame-lodash']);
$deps[$actorManager->getHandle()] = $actorManager;
$actorManager->addLazyJsVariable(
'wsAmeActorData',
function () {
$roles = array();
$wp_roles = ameRoleUtils::get_roles();
foreach ($wp_roles->roles as $role_id => $role) {
//There is at least one plugin that creates a custom role without a "capabilities" key.
//We need to check for that to avoid an "undefined array key" warning.
if ( array_key_exists('capabilities', $role) ) {
//Some plugins use 1, 0, null, or other truthy/falsy values for capability settings.
//AME uses booleans. It helps avoid bugs and it's also what WordPress core does.
$role['capabilities'] = $this->castValuesToBool($role['capabilities']);
} else {
$role['capabilities'] = array();
}
$roles[$role_id] = $role;
}
//Known users.
$users = array();
$current_user = wp_get_current_user();
$logins_to_include = apply_filters('admin_menu_editor-users_to_load', array());
//Always include the current user.
$logins_to_include[] = $current_user->get('user_login');
$logins_to_include = array_unique($logins_to_include);
//Load user details.
foreach ($logins_to_include as $login) {
$user = get_user_by('login', $login);
if ( !empty($user) ) {
$users[$login] = $this->user_to_property_map($user);
}
}
//Compatibility workaround: Get the real roles of the current user even if other plugins corrupt the list.
$users[$current_user->get('user_login')]['roles'] = array_values($this->get_user_roles($current_user));
$suspected_meta_caps = $this->detect_meta_caps($roles, $users);
//The current user has all of the meta caps. That's how we know they're meta caps and not just regular
//capabilities that simply haven't been granted to anyone.
$users[$current_user->get('user_login')]['meta_capabilities'] = $suspected_meta_caps;
//TODO: Include currentUserLogin
return array(
'roles' => $roles,
'users' => $users,
'isMultisite' => is_multisite(),
'capPower' => $this->load_cap_power(),
'suspectedMetaCaps' => $suspected_meta_caps,
);
}
);
//Settings page utilities and fixes.
//This is a separate script because some of it has to run after common.js, which is loaded in the page footer.
$settingsPageUtils = ScriptDependency::create(
plugins_url('js/settings-page-utils.js', $this->plugin_file),
'ame-settings-page-utils',
AME_ROOT_DIR . '/js/settings-page-utils.js'
)
->addDependencies('jquery', $deps['ame-lodash'], 'common')
->setInFooter();
$deps[$settingsPageUtils->getHandle()] = $settingsPageUtils;
$deps = apply_filters('admin_menu_editor-base_scripts', $deps);
$deps = new ameBaseScriptDependencies($deps);
return $deps;
}
/**
* @access private
* @param string[]|null $handles
*/
public function register_jquery_plugins($handles = null) {
if ( $handles === null ) {
$handles = array_keys(self::$jquery_plugins);
}
$plugins = $this->get_jquery_plugins();
foreach ($handles as $handle) {
if ( isset($plugins[$handle]) ) {
$plugins[$handle]->register();
}
}
}
private function get_jquery_plugins() {
if ( empty($this->jquery_plugin_instances) && !empty(self::$jquery_plugins) ) {
foreach (self::$jquery_plugins as $handle => $relativePath) {
$dependency = ScriptDependency::create(
plugins_url($relativePath, $this->plugin_file),
$handle,
AME_ROOT_DIR . '/' . $relativePath
);
$dependency->addDependencies('jquery');
$this->jquery_plugin_instances[$handle] = $dependency;
}
}
return $this->jquery_plugin_instances;
}
/**
* Detect meta capabilities.
* This only works if the current user is an admin. In Multisite, they must be a Super Admin.
*
* @param array $roles
* @param array $users
* @return array [capability => string[]]
*/
private function detect_meta_caps($roles, $users) {
if ( !$this->current_user_can_edit_menu() || !is_super_admin() ) {
return array();
}
//Any capability that's assigned to a role probably isn't a meta capability.
$allRealCaps = ameRoleUtils::get_all_capabilities(true);
//Similarly, capabilities that are directly assigned to users are probably real.
foreach($users as $user) {
$allRealCaps = $allRealCaps + $user['capabilities'];
}
//Role IDs can also be used as capabilities.
foreach($roles as $roleId => $role) {
$allRealCaps[$roleId] = true;
}
//Collect all of the required capabilities from the admin menu.
$menu = $this->get_default_menu();
ameMenu::for_each($menu['tree'], array($this, 'collect_menu_cap'));
//Any capability that's part of the admin menu but not assigned to any role or user
//is probably a meta capability.
$suspectedMetaCaps = array_diff_key($this->caps_used_in_menu, $allRealCaps);
//The current user is an admin and should have access to everything. If they don't have a cap,
//that's probably a non-meta cap that isn't enabled for *anyone*.
$suspectedMetaCaps = array_filter(array_keys($suspectedMetaCaps), 'current_user_can');
//Attempt to map meta caps to real capabilities.
$result = [];
$currentUserId = get_current_user_id();
foreach ($suspectedMetaCaps as $metaCap) {
$caps = map_meta_cap($metaCap, $currentUserId);
if ( is_array($caps) ) {
//Discard the "do_not_allow" cap and the meta cap itself (the latter matters
//for "view_site_health_checks" which is granted via a different filter).
$caps = array_filter($caps, function ($cap) use ($metaCap) {
return ($cap !== 'do_not_allow') && ($cap !== $metaCap);
});
//"view_site_health_checks" is essentially a meta cap, but it's granted via
//the "user_has_cap" filter, so it doesn't show up in the "map_meta_cap()" results.
/** @see wp_maybe_grant_site_health_caps() */
if ( empty($caps) && ($metaCap === 'view_site_health_checks') && !is_multisite() ) {
$caps = ['install_plugins'];
}
$result[$metaCap] = $caps;
}
}
return $result;
}
/**
* @access private
* @param array $item
*/
public function collect_menu_cap($item) {
if ( isset($item['defaults'], $item['defaults']['access_level']) ) {
$this->caps_used_in_menu[$item['defaults']['access_level']] = true;
}
}
/** @noinspection PhpUnusedPrivateMethodInspection */
/**
* Unfinished feature: Detect which roles have which meta capabilities.
*
* Create a temp. user for each role, test which meta caps they have, then cache the results in a site option.
* Put this part in an AJAX request to avoid a massive slowdown (takes several seconds even on a fast PC).
*
* @param array $suspected_meta_caps
* @param string[] $roleIds
* @return array
*/
private function analyse_role_meta_caps($suspected_meta_caps, $roleIds) {
//$start = microtime(true);
$results = array();
$real_current_user = wp_get_current_user();
foreach($roleIds as $role_id) {
$id = wp_insert_user(array(
'role' => $role_id,
'user_login' => wp_slash('ametemp_' . wp_generate_password(14)),
'user_pass' => wp_generate_password(20),
'display_name' => 'Temporary user created by AME',
));
$user = new WP_User($id);
//Some plugins only check the current user and ignore the user ID passed to the "user_has_cap" filter.
//To account for cases like that, we need to also change the current user.
wp_set_current_user($user->ID);
$results[$role_id] = array();
foreach($suspected_meta_caps as $meta_cap => $ignored) {
$results[$role_id][$meta_cap] = $user->has_cap($meta_cap);
}
wp_delete_user($id);
}
//Restore the original user.
wp_set_current_user($real_current_user->ID);
/*$elapsed = microtime(true) - $start;
printf('Meta cap analysis: %.2f ms
', $elapsed * 1000);*/
return $results;
}
/**
* Add the JS required by the editor to the page header
*
* @return void
*/
function enqueue_scripts() {
//Optimization: Remove wp-emoji.js from the plugin page. wpEmoji makes DOM manipulation slow because
//it tracks *all* DOM changes using MutationObserver.
remove_action('admin_print_scripts', 'print_emoji_detection_script');
//Workaround: Suppress a buggy "lets add a 'defer' attribute to all