diff --git a/readme.txt b/readme.txt
index 8d54ed84e802aaf8aa743e4c5dd76a165e95afff..cf16fda2c9ff0fc2193691b0f6a2a06f09cb14dd 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,10 +1,10 @@
=== WP Print Friendly ===
-Contributors: ethitter, thinkoomph
+Contributors: ethitter, stevenkword, thinkoomph
Donate link: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
Tags: print, template, printer, printable
Requires at least: 3.1
Tested up to: 3.5
-Stable tag: 0.5.2
+Stable tag: 0.5.3
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -59,6 +59,11 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
== Changelog ==
+= 0.5.3 =
+* Creates is_protected() method to determine if the print page should be visible to the current user
+* Correct security vulnerability allowing both private and password protected posts from being accessed through the print page
+* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
+
= 0.5.2 =
* Revert change in is_print() method made in version 0.5 as it breaks the method when no page number is specified. See [https://github.com/ethitter/WP-Print-Friendly/issues/2](https://github.com/ethitter/WP-Print-Friendly/issues/2).
@@ -174,4 +179,4 @@ This release expands the plugin's page rewrite rules to accomodate permalink str
This release fixes bug that displayed post links automatically on the wrong post types.
= 0.4 =
-This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
\ No newline at end of file
+This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
diff --git a/wp-print-friendly.php b/wp-print-friendly.php
index 8551331137a4a37dbcd60dbab6183cf332319d26..700f8073a0dc144dbea7626fc93b2d5a8f0858db 100644
--- a/wp-print-friendly.php
+++ b/wp-print-friendly.php
@@ -3,8 +3,8 @@
Plugin Name: WP Print Friendly
Plugin URI: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
Description: Extends WordPress' template system to support printer-friendly templates. Works with permalink structures to support nice URLs.
-Author: Erick Hitter & Oomph, Inc.
-Version: 0.5.2
+Author: Erick Hitter, Steven K Word & Oomph, Inc.
+Version: 0.5.3
Author URI: http://www.thinkoomph.com/
This program is free software; you can redistribute it and/or modify
@@ -80,6 +80,7 @@ class wp_print_friendly {
add_action( 'admin_menu', array( $this, 'action_admin_menu' ) );
add_filter( 'request', array( $this, 'filter_request' ) );
add_action( 'pre_get_posts', array( $this, 'action_pre_get_posts' ) );
+ add_action( 'wp', array( $this, 'action_wp' ) );
add_filter( 'template_include', array( $this, 'filter_template_include' ) );
add_filter( 'redirect_canonical', array( $this, 'filter_redirect_canonical' ) );
add_filter( 'body_class', array( $this, 'filter_body_class' ) );
@@ -161,6 +162,23 @@ class wp_print_friendly {
update_option( $this->notice_key, 1 );
}
+ /**
+ * Determine if the print page should be visible to the current user
+ *
+ * @uses current_user_can, post_password_required
+ * @global $wp_query, $post
+ * @return bool
+ */
+ public function is_protected() {
+ global $post;
+
+ // If the global $post object is not set OR BOTH the current user is NOT an admin AND the post is private
+ $private = ( ! isset( $post ) || ( ! current_user_can( 'read_private_posts' ) && 'private' == $post->post_status ) ) ? true : false;
+
+ // If the password is required OR if the current user does not have the capability to view private posts
+ return post_password_required() || true === $private;
+ }
+
/**
* Determine if print template is being requested.
*
@@ -273,15 +291,34 @@ class wp_print_friendly {
return $query;
}
+ /**
+ * Throw a 404 if the print page should not be visible to the user
+ *
+ * @action wp
+ * @global $wp_query
+ * @uses $this::is_print, $this::is_protected
+ * @return null
+ */
+ function action_wp() {
+ global $wp_query;
+
+ if( $this->is_print() && $this->is_protected() ) {
+ $wp_query->set_404();
+ status_header( 404 );
+ nocache_headers();
+ }
+ }
+
/**
* Filter template include to return print template if requested.
*
* @param string $template
* @filter template_include
+ * @uses this::is_protected
* @return string
*/
public function filter_template_include( $template ) {
- if ( $this->is_print() && ( $print_template = $this->template_chooser() ) )
+ if ( $this->is_print() && ! $this->is_protected() && ( $print_template = $this->template_chooser() ) )
$template = $print_template[ 'path' ];
return $template;
@@ -350,7 +387,7 @@ class wp_print_friendly {
* Filter the content if automatic inclusion is selected.
*
* @param string $content
- * @uses $this::get_options, $post, $this::print_url, get_query_var, apply_filters
+ * @uses $this::get_options, $post, $this::print_url, $this::is_protected, get_query_var, apply_filters
* @filter the_content
* @return string
*/
@@ -359,6 +396,10 @@ class wp_print_friendly {
global $post;
+ // Do not display the print_url link if the print page is not be accessible to the user
+ if( $this->is_protected() )
+ return $content;
+
if ( is_array( $options ) && array_key_exists( 'auto', $options ) && $options[ 'auto' ] == true && in_array( $post->post_type, $options[ 'post_types' ] ) && ! $this->is_print() ) {
extract( $options );
@@ -928,4 +969,4 @@ if ( ! function_exists( 'is_print' ) ) {
return $wpf->is_print();
}
}
-?>
\ No newline at end of file
+?>