Merge pull request #53 from publishpress/v2.1.5

V2.1.5

admin/class-list-table_rvy.php

@@ -68,7 +68,9 @@ function do_query( $q = false ) {
 		}
 
 		do_action('revisionary_queue_pre_query');
+		add_filter('posts_clauses', [$this, 'pre_query_filter'], 5, 2);
 		$pre_query = new WP_Query( $qp );
+		remove_filter('posts_clauses', [$this, 'pre_query_filter'], 5, 2);
 		do_action('revisionary_queue_pre_query_done');
 
 		//echo($pre_query->request . '<br /><br />');
@@ -131,7 +133,7 @@ function do_query( $q = false ) {
 		global $wp_query;
 
 		add_filter('presspermit_posts_clauses_intercept', [$this, 'flt_presspermit_posts_clauses_intercept'], 10, 4);
-		add_filter('posts_clauses', [$this, 'parent_filter'], 5, 2);
+		add_filter('posts_clauses', [$this, 'revisions_filter'], 5, 2);
 
 		if (defined('PUBLISHPRESS_MULTIPLE_AUTHORS_VERSION')) {
 			remove_action('pre_get_posts', ['MultipleAuthors\\Classes\\Query', 'action_pre_get_posts']);
@@ -147,7 +149,7 @@ function do_query( $q = false ) {
 		//echo($wp_query->request);
 
 		remove_filter('presspermit_posts_clauses_intercept', [$this, 'flt_presspermit_posts_clauses_intercept'], 10, 4);
-		remove_filter('posts_clauses', [$this, 'parent_filter'], 5, 2);
+		remove_filter('posts_clauses', [$this, 'revisions_filter'], 5, 2);
 
 		return $qr['post_status'];
 	}
@@ -156,7 +158,35 @@ function flt_presspermit_posts_clauses_intercept( $intercept, $clauses, $_wp_que
 		return $clauses;
 	}
 
-	function parent_where_filter($where, $args = []) {
+	function pre_query_where_filter($where, $args = []) {
+		global $wpdb, $current_user;
+
+		if (!current_user_can('administrator') && empty($args['suppress_author_clause'])) {
+			$p = (!empty($args['alias'])) ? $args['alias'] : $wpdb->posts;
+
+			$can_edit_others_types = [];
+			foreach(get_post_types(['public' => true], 'object') as $post_type => $type_obj) {
+				if (agp_user_can($type_obj->cap->edit_others_posts, 0, '', ['skip_revision_allowance' => true])) {
+					$can_edit_others_types[]= $post_type;
+				}
+			}
+
+			$can_edit_others_types = apply_filters('revisionary_queue_edit_others_types', $can_edit_others_types);
+
+			$type_clause = ($can_edit_others_types) ? "OR $p.post_type IN ('" . implode("','", $can_edit_others_types) . "')" : '';
+
+			$where .= $wpdb->prepare(" AND ($p.post_author = %d $type_clause)", $current_user->ID );
+		}
+
+		return $where;
+	}
+
+	function pre_query_filter($clauses, $_wp_query = false) {
+		$clauses['where'] = $this->pre_query_where_filter($clauses['where']);
+		return $clauses;
+	}
+
+	function revisions_where_filter($where, $args = []) {
 		global $wpdb, $current_user;
 
 		$p = (!empty($args['alias'])) ? $args['alias'] : $wpdb->posts;
@@ -166,7 +196,12 @@ function parent_where_filter($where, $args = []) {
 		} else {
 			$post_id_csv = "'" . implode("','", $this->published_post_ids) . "'";
 		}
-		$where .= " AND $p.comment_count IN ($post_id_csv)";
+
+		$own_revision_clause = (empty($_REQUEST['post_author']) || !empty($args['status_count']))
+		? "OR ($p.post_status = 'pending-revision' AND $p.post_author = '$current_user->ID')" 
+		: '';
+
+		$where .= " AND ($p.comment_count IN ($post_id_csv) $own_revision_clause)";
 
 		if (rvy_get_option('revisor_hide_others_revisions') && !current_user_can('administrator') 
 			&& !current_user_can('list_others_revisions') 
@@ -197,8 +232,8 @@ function parent_where_filter($where, $args = []) {
 		return $where;
 	}
 
-	function parent_filter($clauses, $_wp_query = false) {
-		$clauses['where'] = $this->parent_where_filter($clauses['where']);
+	function revisions_filter($clauses, $_wp_query = false) {
+		$clauses['where'] = $this->revisions_where_filter($clauses['where']);
 		return $clauses;
 	}
 
@@ -478,7 +513,7 @@ private function count_revisions($post_type = '', $statuses = '' ) {
 			$type_clause = "AND post_type IN ('" . implode("','", (array) $post_type) . "')";
 		}
 
-		$where = $this->parent_where_filter("post_status IN ('$status_csv') $type_clause", ['status_count' => true]);
+		$where = $this->revisions_where_filter("post_status IN ('$status_csv') $type_clause", ['status_count' => true]);
 
 		$query = "SELECT post_status, COUNT( * ) AS num_posts FROM {$wpdb->posts} WHERE $where";
 		$query .= ' GROUP BY post_status';
@@ -530,7 +565,7 @@ protected function get_views() {
 		$links = [];
 		$links['all'] = '';
 
-		$where = $this->parent_where_filter( 
+		$where = $this->revisions_where_filter( 
 			$wpdb->prepare(
 				"$wpdb->posts.post_status IN ('pending-revision', 'future-revision') AND $wpdb->posts.post_author = '%d'", 
 				$current_user->ID
@@ -554,7 +589,7 @@ protected function get_views() {
 			$links['mine'] = sprintf(__('%sMy Revisions%s(%s)'), "<a href='admin.php?page=revisionary-q&author=$current_user->ID'{$link_class}>", '</a>', "<span class='count'>$my_count</span>");
 		}
 
-		$where = $this->parent_where_filter( 
+		$where = $this->revisions_where_filter( 
 			$wpdb->prepare(
 				"r.post_status IN ('pending-revision', 'future-revision') AND p.post_author = '%d'", 
 				$current_user->ID

front_rvy.php

@@ -159,8 +159,6 @@ function act_template_redirect() {
 
 			$redirect_arg = ( ! empty($_REQUEST['rvy_redirect']) ) ? "&rvy_redirect={$_REQUEST['rvy_redirect']}" : '';
 
-			//if (agp_user_can('read_post', $revision_id)) {	// @todo
-			if (agp_user_can('read_post', $revision_id) || current_user_can('edit_post', $revision_id)) {
 				load_plugin_textdomain('revisionary', false, RVY_FOLDER . '/languages');
 
 				$published_url = ($published_post_id) ? get_permalink($published_post_id) : '';
@@ -179,7 +177,7 @@ function act_template_redirect() {
 					$edit_button = '';
 				}
 
-				if ($can_edit = agp_user_can('edit_post', $revision_id)) {
+				if ($can_edit = agp_user_can('edit_post', rvy_post_id($revision_id), 0, ['skip_revision_allowance' => true])) {
 					if ( in_array( $post->post_status, array( 'pending-revision' ) ) ) {
 						$publish_url = wp_nonce_url( admin_url("admin.php?page=rvy-revisions&revision=$revision_id&action=approve$redirect_arg"), "approve-post_$published_post_id|$revision_id" );
 
@@ -275,7 +273,6 @@ function act_template_redirect() {
 
 					new RvyScheduledHtml( $html, 'wp_head', 99 );  // this should be inserted at the top of <body> instead, but currently no way to do it 
 				}
-			}
 
 			$GLOBALS['revisionary']->skip_revision_allowance = $orig_skip;
 		}

readme.txt

@@ -4,7 +4,7 @@ Tags: revision, access, permissions, cms, user, groups, members, admin, pages, p
 Requires at least: 4.9.7
 Tested up to: 5.3
 Requires PHP: 5.6.20
-Stable Tag: 2.1.4
+Stable Tag: 2.1.5
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 
@@ -62,6 +62,13 @@ For more details about both the free and pro version, see our <a href="https://p
 
 == Changelog ==
 
+= 2.1.5 - 11 Dec 2019 =
+* Compat : PressPermit Pro - Pending revision previews could be viewed by any user (including anonymous) if "Prevent Revisors from viewing others' revisions" disabled (since 2.1.4)
+* Fixed : Contributors had other users' uneditable, unreadable revisions listed in Revision Queue
+* Fixed : Revision Preview - Under some configurations, users with read-only access to revisions had no top bar in revision preview display
+* Fixed : Revision Preview - Under some role configurations, users saw an ineffective "Publish" button in preview top bar
+* Fixed : PHP warning for undefined index 'preview'
+
 = 2.1.4 - 10 Dec 2019 =
 * Fixed : Revision previews were not displayed to Editors under some configurations
 * Feature : Separate settings for "Prevent Revisors from editing others'" and "Prevent Revisors from viewing others'"

revisionary.php

@@ -5,7 +5,7 @@
  * Description: Maintain published content with teamwork and precision using the Revisions model to submit, approve and schedule changes.
  * Author: PublishPress
  * Author URI: https://publishpress.com
- * Version: 2.1.4
+ * Version: 2.1.5
  * Text Domain: revisionary
  * Domain Path: /languages/
  * Min WP Version: 4.9.7
@@ -96,7 +96,7 @@ function($links, $file)
 register_activation_hook(__FILE__, function() 
 	{
 		// mirror to REVISIONARY_VERSION
-		update_option('revisionary_last_version', '2.1.4');
+		update_option('revisionary_last_version', '2.1.5');
 
 		// force this timestamp to be regenerated, in case something went wrong before
 		delete_option( 'rvy_next_rev_publish_gmt' );
@@ -160,7 +160,7 @@ function()
 			return;
 		}
 
-		define('REVISIONARY_VERSION', '2.1.4');
+		define('REVISIONARY_VERSION', '2.1.5');
 
 		if ( ! defined( 'RVY_VERSION' ) ) {
 			define( 'RVY_VERSION', REVISIONARY_VERSION );  // back compat

revisionary_main.php

@@ -529,10 +529,22 @@ function flt_post_map_meta_cap($caps, $cap, $user_id, $args) {
 				if ($type_obj && !empty($type_obj->cap->edit_others_posts)) {
 					$caps = array_diff($caps, [$type_obj->cap->edit_others_posts, 'do_not_allow']);
 
-					if (rvy_is_post_author($post) || !rvy_get_option('revisor_hide_others_revisions') || rvy_is_full_editor($post)) {
+					$check_post = $post;
+
+					if ($post->ID <= 0) {
+						if ($check_id = rvy_detect_post_id()) {
+							$check_post = get_post($check_id);
+						}
+					}
+
+					if (rvy_is_post_author($check_post) || rvy_is_post_author(rvy_post_id($check_post->ID)) || rvy_is_full_editor($post)) {
 						$caps []= 'read';
-					} else {
+
+					} elseif (rvy_get_option('revisor_hide_others_revisions')) {
 						$caps []= 'list_others_revisions';
+
+					} else {
+						$caps []= $type_obj->cap->edit_posts;
 					}
 				}
 			}

rvy_init.php

@@ -14,8 +14,8 @@
 	add_action( 'set_current_user', 'rvy_ajax_handler', 20);
 }
 
-if (!empty($_REQUEST['preview'] && !empty($_REQUEST['post_type']) && empty($_REQUEST['preview_id']))) {
-	add_filter('redirect_canonical', function($redirect, $orig) {return $orig;}, 10, 2);
+if (!empty($_REQUEST['preview']) && !empty($_REQUEST['post_type']) && empty($_REQUEST['preview_id'])) {
+		add_filter('redirect_canonical', '_rvy_no_redirect_filter', 10, 2);
 }
 
 add_action('init', 'rvy_maybe_redirect', 1);
@@ -77,6 +77,16 @@ function rvy_mail_buffer_cron_interval( $schedules ) {
 /*=================== End WP-Cron implementation ====================*/
 
 
+function _rvy_no_redirect_filter($redirect, $orig) {
+	global $current_user, $wpdb;
+
+	if (!empty($current_user->ID) && (empty($wpdb) || empty($wpdb->is_404))) {
+		$redirect = $orig;
+	}
+
+	return $redirect;
+}
+
 function rvy_maybe_redirect() {
 	// temporary provision for 2.0 beta testers
 	if (strpos($_SERVER['REQUEST_URI'], 'page=rvy-moderation')) {
@@ -250,6 +260,8 @@ function rvy_detect_post_id() {
 		$post_id = $_GET['id'];
 	elseif ( ! empty( $_REQUEST['fl_builder_data'] ) && is_array( $_REQUEST['fl_builder_data'] ) && ! empty( $_REQUEST['fl_builder_data']['post_id'] ) )
 		$post_id = $_REQUEST['fl_builder_data']['post_id'];
+	elseif ( ! empty( $_GET['page_id'] ) )
+		$post_id = $_GET['page_id'];
 	else
 		$post_id = 0;