Changeset 3322020

Timestamp:

07/03/2025 09:55:08 PM (9 months ago)

Author:

pattihis

Message:

Version 1.4.3

Location:

simple-photo-feed

Files:

• tags/1.4.3 (added)
• tags/1.4.3/LICENSE.txt (added)
• tags/1.4.3/README.txt (added)
• tags/1.4.3/admin (added)
• tags/1.4.3/admin/class-simple-photo-feed-admin.php (added)
• tags/1.4.3/admin/css (added)
• tags/1.4.3/admin/css/simple-photo-feed-admin.css (added)
• tags/1.4.3/admin/index.php (added)
• tags/1.4.3/admin/js (added)
• tags/1.4.3/admin/js/simple-photo-feed-admin.js (added)
• tags/1.4.3/admin/partials (added)
• tags/1.4.3/admin/partials/simple-photo-feed-admin-display.php (added)
• tags/1.4.3/includes (added)
• tags/1.4.3/includes/class-simple-photo-feed-activator.php (added)
• tags/1.4.3/includes/class-simple-photo-feed-api.php (added)
• tags/1.4.3/includes/class-simple-photo-feed-deactivator.php (added)
• tags/1.4.3/includes/class-simple-photo-feed-i18n.php (added)
• tags/1.4.3/includes/class-simple-photo-feed-loader.php (added)
• tags/1.4.3/includes/class-simple-photo-feed.php (added)
• tags/1.4.3/includes/index.php (added)
• tags/1.4.3/index.php (added)
• tags/1.4.3/languages (added)
• tags/1.4.3/languages/simple-photo-feed.pot (added)
• tags/1.4.3/public (added)
• tags/1.4.3/public/class-simple-photo-feed-public.php (added)
• tags/1.4.3/public/css (added)
• tags/1.4.3/public/css/simple-photo-feed-public.css (added)
• tags/1.4.3/public/index.php (added)
• tags/1.4.3/public/js (added)
• tags/1.4.3/public/js/simple-photo-feed-public.js (added)
• tags/1.4.3/public/partials (added)
• tags/1.4.3/public/partials/simple-photo-feed-public-display.php (added)
• tags/1.4.3/simple-photo-feed.php (added)
• tags/1.4.3/uninstall.php (added)
• trunk/README.txt (modified) (3 diffs)
• trunk/admin/class-simple-photo-feed-admin.php (modified) (6 diffs)
• trunk/admin/partials/simple-photo-feed-admin-display.php (modified) (2 diffs)
• trunk/simple-photo-feed.php (modified) (2 diffs)

simple-photo-feed/trunk/README.txt

@@ -6 +6 @@
 Tested up to: 6.8
 Requires PHP: 7.2
-Stable tag: 1.4.2
+Stable tag: 1.4.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -88 +88 @@
 Of course! "Simple Photo Feed" is compatible with any theme and plugin that follows WordPress coding standards.
 
+= Who can access and use the Plugin? =
+
+Simple Photo Feed includes configurable access control that allows site administrators to choose which user roles can access and configure the plugin. By default, the plugin remains secure and only allows administrators (`manage_options` capability) to access the plugin settings. This ensures that sensitive Instagram API credentials and feed configuration remain protected.
+
 == Screenshots ==
 
@@ -94 +98 @@
 
 == Changelog ==
+
+= 1.4.3 =
+* Added configurable access control - site administrators can now choose which user roles can access the
+plugin settings
+* Default remains administrators only for security
+* Added filter hook `spf_required_capability` for developers to customize access control
 
 = 1.4.2 =

simple-photo-feed/trunk/admin/class-simple-photo-feed-admin.php

@@ -87 +87 @@
 
     /**
+     * Get the required capability for accessing the plugin
+     *
+     * @since  1.4.3
+     * @return string The required capability
+     */
+    public function get_required_capability() {
+        $options    = get_option( 'spf_main_settings', array() );
+        $capability = isset( $options['required_capability'] ) ? $options['required_capability'] : 'manage_options';
+
+        // Ensure the capability is valid and secure.
+        $valid_capabilities = array( 'manage_options', 'edit_posts', 'publish_posts' );
+        if ( ! in_array( $capability, $valid_capabilities, true ) ) {
+            $capability = 'manage_options';
+        }
+
+        /**
+         * Filter the required capability for accessing the plugin
+         *
+         * @since 1.4.3
+         * @param string $capability The required capability
+         */
+        return apply_filters( 'spf_required_capability', $capability );
+    }
+
+    /**
      * Register the admin menu
      *
@@ -95 +120 @@
         add_menu_page(
             __( 'Simple Photo Feed Settings', 'simple-photo-feed' ),
-            __( 'Simple Photo Feed', 'simple-photo-feed' ),
-            'edit_posts',
+            __( 'Photo Feed', 'simple-photo-feed' ),
+            $this->get_required_capability(),
             $this->plugin_name,
             array( $this, 'simple_photo_feed_admin_display' ),
@@ -110 +135 @@
      */
     public function simple_photo_feed_admin_display() {
+        // Handle custom form submission for non-administrators.
+        if ( ! current_user_can( 'manage_options' ) && isset( $_POST['spf_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['spf_nonce'] ) ), 'spf_save_settings' ) ) {
+            $this->handle_custom_form_submission();
+        }
+
         include_once 'partials/simple-photo-feed-admin-display.php';
+    }
+
+            /**
+     * Handle form submission for non-administrators
+     *
+     * @since  1.4.3
+     */
+    private function handle_custom_form_submission() {
+        $options = get_option( 'spf_main_settings', array() );
+
+        // Only allow updating specific fields for non-administrators.
+        if ( isset( $_POST['spf_main_settings']['cron_time'] ) ) {
+            $options['cron_time'] = sanitize_text_field( wp_unslash( $_POST['spf_main_settings']['cron_time'] ) );
+        }
+
+        if ( isset( $_POST['spf_main_settings']['token'] ) ) {
+            $options['token'] = sanitize_text_field( wp_unslash( $_POST['spf_main_settings']['token'] ) );
+        }
+
+        if ( isset( $_POST['spf_main_settings']['user_id'] ) ) {
+            $options['user_id'] = sanitize_text_field( wp_unslash( $_POST['spf_main_settings']['user_id'] ) );
+        }
+
+        if ( isset( $_POST['spf_main_settings']['auth'] ) ) {
+            $options['auth'] = sanitize_text_field( wp_unslash( $_POST['spf_main_settings']['auth'] ) );
+        }
+
+        // Set the capability based on current user's role.
+        if ( current_user_can( 'edit_posts' ) ) {
+            $options['required_capability'] = 'edit_posts'; // Editors and above.
+        } elseif ( current_user_can( 'publish_posts' ) ) {
+            $options['required_capability'] = 'publish_posts'; // Authors and above.
+        }
+
+        update_option( 'spf_main_settings', $options );
+
+        // Add success message.
+        add_action( 'admin_notices', function() {
+            echo '<div class="notice notice-success is-dismissible"><p>' . esc_html__( 'Settings saved successfully!', 'simple-photo-feed' ) . '</p></div>';
+        });
     }
 
@@ -124 +194 @@
     public function simple_photo_feed_register_settings() {
 
-        register_setting( 'spf_main_settings', 'spf_main_settings' );
+        register_setting( 'spf_main_settings', 'spf_main_settings', array( $this, 'sanitize_settings' ) );
+    }
+
+    /**
+     * Sanitize and validate settings before saving
+     *
+     * @since  1.4.3
+     * @param  array $input The input array from the form.
+     * @return array The sanitized input array.
+     */
+    public function sanitize_settings( $input ) {
+        // Only administrators can modify access control settings.
+        if ( ! current_user_can( 'manage_options' ) ) {
+            // Set the capability based on current user's role.
+            $input['required_capability'] = current_user_can( 'edit_posts' ) ? 'edit_posts' : 'publish_posts';
+        }
+
+        return $input;
     }
 
@@ -201 +288 @@
     public function spf_disconnect_user() {
         $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
-        if ( ! current_user_can( 'edit_posts' ) || ! wp_verify_nonce( $nonce, 'simple-photo-feed-nonce' ) ) {
+        if ( ! current_user_can( $this->get_required_capability() ) || ! wp_verify_nonce( $nonce, 'simple-photo-feed-nonce' ) ) {
             wp_send_json_error( esc_html__( 'Unauthorized!', 'simple-photo-feed' ), 403 );
             return;
@@ -230 +317 @@
     public function spf_clear_feed_cache() {
         $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
-        if ( ! current_user_can( 'edit_posts' ) || ! wp_verify_nonce( $nonce, 'simple-photo-feed-nonce' ) ) {
+        if ( ! current_user_can( $this->get_required_capability() ) || ! wp_verify_nonce( $nonce, 'simple-photo-feed-nonce' ) ) {
             wp_send_json_error( esc_html__( 'Unauthorized!', 'simple-photo-feed' ), 403 );
             return;

simple-photo-feed/trunk/admin/partials/simple-photo-feed-admin-display.php

@@ -52 +52 @@
 
     <div class="spf_main_left">
+        <?php if ( current_user_can( 'manage_options' ) ) : ?>
         <form method="post" action="options.php">
             <?php settings_fields( 'spf_main_settings' ); ?>
+        <?php else : ?>
+        <form method="post" action="">
+            <?php wp_nonce_field( 'spf_save_settings', 'spf_nonce' ); ?>
+        <?php endif; ?>
             <?php echo (bool) $options['auth'] ? '' : '<p>' . esc_html__( 'You need an access token for the official Instagram API. Please click the authorize button below to get one or visit our ', 'simple-photo-feed' ) . '<a href="' . esc_url( $uri ) . '" target="_blank">Token Generator</a></p>'; ?>
             <div class="spf-dual-ring hidden" id="spf-loader"></div>
@@ -138 +143 @@
                         </td>
                     </tr>
+                    <?php if ( current_user_can( 'manage_options' ) ) : ?>
+                    <tr>
+                        <th><?php esc_html_e( 'Access Control', 'simple-photo-feed' ); ?></th>
+                        <td>
+                            <select name='spf_main_settings[required_capability]' id='spf_required_capability'>
+                                <option value='manage_options' <?php selected( esc_attr( $options['required_capability'] ?? 'manage_options' ), 'manage_options' ); ?>><?php esc_html_e( 'Administrators only', 'simple-photo-feed' ); ?></option>
+                                <option value='edit_posts' <?php selected( esc_attr( $options['required_capability'] ?? 'manage_options' ), 'edit_posts' ); ?>><?php esc_html_e( 'Editors and above', 'simple-photo-feed' ); ?></option>
+                                <option value='publish_posts' <?php selected( esc_attr( $options['required_capability'] ?? 'manage_options' ), 'publish_posts' ); ?>><?php esc_html_e( 'Authors and above', 'simple-photo-feed' ); ?></option>
+                            </select>
+                            <p class="description"><?php esc_html_e( 'Choose which user roles can access and configure this plugin.', 'simple-photo-feed' ); ?></p>
+                        </td>
+                    </tr>
+                    <?php endif; ?>
                 </tbody>
             </table>

simple-photo-feed/trunk/simple-photo-feed.php

@@ -14 +14 @@
  * Plugin URI:        https://wordpress.org/plugins/simple-photo-feed/
  * Description:       Simple Photo Feed provides an easy way to connect to your Instagram account and display your photos in your WordPress site.
- * Version:           1.4.2
+ * Version:           1.4.3
  * Requires at least: 5.3.0
  * Tested up to:      6.8
@@ -34 +34 @@
  * Current plugin version
  */
-define( 'SPF_VERSION', '1.4.2' );
+define( 'SPF_VERSION', '1.4.3' );
 
 /**