Merge branch 'master' of github.com:ethitter/WP-Print-Friendly into develop

f67e300e · Erick Hitter · 446a52bf · 26d9563e · f67e300e · f67e300e
Commit f67e300e authored 12 years ago by Erick Hitter
--- a/readme.txt
+++ b/readme.txt
 === WP Print Friendly ===
-Contributors: ethitter, thinkoomph
+Contributors: ethitter, stevenkword, thinkoomph
 Donate link: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
 Tags: print, template, printer, printable
 Requires at least: 3.1
 Tested up to: 3.5
-Stable tag: 0.5.2
+Stable tag: 0.5.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html

@@ -59,6 +59,11 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an

 == Changelog ==

+= 0.5.3 =
+* Creates is_protected() method to determine if the print page should be visible to the current user
+* Correct security vulnerability allowing both private and password protected posts from being accessed through the print page
+* Remove print_url links from the content when the current user does not have the necessary capabilities to view the print page
+
 = 0.5.2 =
 * Revert change in is_print() method made in version 0.5 as it breaks the method when no page number is specified. See [https://github.com/ethitter/WP-Print-Friendly/issues/2](https://github.com/ethitter/WP-Print-Friendly/issues/2).

@@ -174,4 +179,4 @@ This release expands the plugin's page rewrite rules to accomodate permalink str
 This release fixes bug that displayed post links automatically on the wrong post types.

 = 0.4 =
-This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
\ No newline at end of file
+This release addresses numerous bugs reported by the community, including print templates for child pages. All admin text, save the plugin's name, are now ready for translation. Templates are now completely customizable, and new template functions are included.
--- a/wp-print-friendly.php
+++ b/wp-print-friendly.php
@@ -3,8 +3,8 @@
 Plugin Name: WP Print Friendly
 Plugin URI: http://www.thinkoomph.com/plugins-modules/wp-print-friendly/
 Description: Extends WordPress' template system to support printer-friendly templates. Works with permalink structures to support nice URLs.
-Author: Erick Hitter & Oomph, Inc.
-Version: 0.5.2
+Author: Erick Hitter, Steven K Word & Oomph, Inc.
+Version: 0.5.3
 Author URI: http://www.thinkoomph.com/

 This program is free software; you can redistribute it and/or modify
@@ -80,6 +80,7 @@ class wp_print_friendly {
 		add_action( 'admin_menu', array( $this, 'action_admin_menu' ) );
 		add_filter( 'request', array( $this, 'filter_request' ) );
 		add_action( 'pre_get_posts', array( $this, 'action_pre_get_posts' ) );
+		add_action( 'wp', array( $this, 'action_wp' ) );
 		add_filter( 'template_include', array( $this, 'filter_template_include' ) );
 		add_filter( 'redirect_canonical', array( $this, 'filter_redirect_canonical' ) );
 		add_filter( 'body_class', array( $this, 'filter_body_class' ) );
@@ -161,6 +162,23 @@ class wp_print_friendly {
 			update_option( $this->notice_key, 1 );
 	}

+	/**
+	 * Determine if the print page should be visible to the current user
+	 *
+	 * @uses current_user_can, post_password_required
+	 * @global $wp_query, $post
+	 * @return bool
+	 */
+	public function is_protected() {
+		global $post;
+
+		// If the global $post object is not set OR BOTH the current user is NOT an admin AND the post is private
+		$private = ( ! isset( $post ) || ( ! current_user_can( 'read_private_posts' ) && 'private' == $post->post_status ) ) ? true : false;
+
+		// If the password is required OR if the current user does not have the capability to view private posts
+		return post_password_required() || true === $private;
+	}
+
 	/**
 	 * Determine if print template is being requested.
 	 *
@@ -274,15 +292,34 @@ class wp_print_friendly {
 		return $query;
 	}

+	/**
+	 * Throw a 404 if the print page should not be visible to the user
+	 *
+	 * @action wp
+	 * @global $wp_query
+	 * @uses $this::is_print, $this::is_protected
+	 * @return null
+	 */
+	function action_wp() {
+		global $wp_query;
+
+		if( $this->is_print() && $this->is_protected() ) {
+			$wp_query->set_404();
+			status_header( 404 );
+			nocache_headers();
+		}
+	}
+
 	/**
 	 * Filter template include to return print template if requested.
 	 *
 	 * @param string $template
 	 * @filter template_include
+	 * @uses this::is_protected
 	 * @return string
 	 */
 	public function filter_template_include( $template ) {
-		if ( $this->is_print() && ( $print_template = $this->template_chooser() ) )
+		if ( $this->is_print() && ! $this->is_protected() && ( $print_template = $this->template_chooser() ) )
 			$template = $print_template[ 'path' ];

 		return $template;
@@ -351,7 +388,7 @@ class wp_print_friendly {
 	 * Filter the content if automatic inclusion is selected.
 	 *
 	 * @param string $content
-	 * @uses $this::get_options, $post, $this::print_url, get_query_var, apply_filters
+	 * @uses $this::get_options, $post, $this::print_url, $this::is_protected, get_query_var, apply_filters
 	 * @filter the_content
 	 * @return string
 	 */
@@ -360,6 +397,10 @@ class wp_print_friendly {

 		global $post;

+		// Do not display the print_url link if the print page is not be accessible to the user
+		if( $this->is_protected() )
+			return $content;
+
 		if ( is_array( $options ) && array_key_exists( 'auto', $options ) && $options[ 'auto' ] == true && in_array( $post->post_type, $options[ 'post_types' ] ) && ! $this->is_print() ) {
 			extract( $options );

@@ -929,4 +970,4 @@ if ( ! function_exists( 'is_print' ) ) {
 		return $wpf->is_print();
 	}
 }
-?>
\ No newline at end of file
+?>