2015-05-16 02:03:24 +00:00
< ? php
/**
2015-11-03 13:53:50 +00:00
* WooCommerce Admin API Keys Class
2015-05-16 02:03:24 +00:00
*
2018-02-05 19:45:12 +00:00
* @ package WooCommerce\Admin
* @ version 2.4 . 0
2015-05-16 02:03:24 +00:00
*/
2018-02-10 06:38:33 +00:00
defined ( 'ABSPATH' ) || exit ;
2015-05-16 02:03:24 +00:00
/**
2015-11-03 12:28:01 +00:00
* WC_Admin_API_Keys .
2015-05-16 02:03:24 +00:00
*/
class WC_Admin_API_Keys {
/**
2015-11-03 12:28:01 +00:00
* Initialize the API Keys admin actions .
2015-05-16 02:03:24 +00:00
*/
public function __construct () {
2015-05-18 18:23:05 +00:00
add_action ( 'admin_init' , array ( $this , 'actions' ) );
2018-02-05 19:45:12 +00:00
add_action ( 'woocommerce_settings_page_init' , array ( $this , 'screen_option' ) );
2018-07-04 19:07:17 +00:00
add_filter ( 'woocommerce_save_settings_advanced_keys' , array ( $this , 'allow_save_settings' ) );
}
/**
* Check if should allow save settings .
* This prevents " Your settings have been saved. " notices on the table list .
*
* @ param bool $allow If allow save settings .
* @ return bool
*/
public function allow_save_settings ( $allow ) {
if ( ! isset ( $_GET [ 'create-key' ], $_GET [ 'edit-key' ] ) ) { // WPCS: input var okay, CSRF ok.
return false ;
}
return $allow ;
2015-05-18 18:23:05 +00:00
}
2015-05-16 02:03:24 +00:00
2015-05-18 18:23:05 +00:00
/**
2015-11-03 12:28:01 +00:00
* Check if is API Keys settings page .
2018-02-10 06:38:33 +00:00
*
2015-05-18 18:23:05 +00:00
* @ return bool
*/
private function is_api_keys_settings_page () {
2018-04-12 15:59:42 +00:00
return isset ( $_GET [ 'page' ], $_GET [ 'tab' ], $_GET [ 'section' ] ) && 'wc-settings' === $_GET [ 'page' ] && 'advanced' === $_GET [ 'tab' ] && 'keys' === $_GET [ 'section' ]; // WPCS: input var okay, CSRF ok.
2015-05-16 02:03:24 +00:00
}
/**
2015-11-03 12:28:01 +00:00
* Page output .
2015-05-16 02:03:24 +00:00
*/
public static function page_output () {
2018-02-10 06:38:33 +00:00
// Hide the save button.
2015-05-16 02:03:24 +00:00
$GLOBALS [ 'hide_save_button' ] = true ;
if ( isset ( $_GET [ 'create-key' ] ) || isset ( $_GET [ 'edit-key' ] ) ) {
2018-02-10 06:38:33 +00:00
$key_id = isset ( $_GET [ 'edit-key' ] ) ? absint ( $_GET [ 'edit-key' ] ) : 0 ; // WPCS: input var okay, CSRF ok.
2015-05-18 18:23:05 +00:00
$key_data = self :: get_key_data ( $key_id );
2018-10-17 23:00:51 +00:00
$user_id = ( int ) $key_data [ 'user_id' ];
2015-05-18 18:23:05 +00:00
2018-10-17 23:00:51 +00:00
if ( $key_id && $user_id && ! current_user_can ( 'edit_user' , $user_id ) ) {
if ( get_current_user_id () !== $user_id ) {
wp_die ( esc_html__ ( 'You do not have permission to edit this API Key' , 'woocommerce' ) );
}
}
include dirname ( __FILE__ ) . '/settings/views/html-keys-edit.php' ;
2015-05-16 02:03:24 +00:00
} else {
self :: table_list_output ();
}
}
2018-02-05 19:45:12 +00:00
/**
* Add screen option .
*/
public function screen_option () {
2018-02-05 19:50:16 +00:00
global $keys_table_list ;
2018-02-10 06:38:33 +00:00
if ( ! isset ( $_GET [ 'create-key' ] ) && ! isset ( $_GET [ 'edit-key' ] ) && $this -> is_api_keys_settings_page () ) { // WPCS: input var okay, CSRF ok.
2018-02-05 19:50:16 +00:00
$keys_table_list = new WC_Admin_API_Keys_Table_List ();
// Add screen option.
2018-03-05 18:59:17 +00:00
add_screen_option (
2019-12-20 18:25:23 +00:00
'per_page' ,
array (
2018-03-05 18:59:17 +00:00
'default' => 10 ,
'option' => 'woocommerce_keys_per_page' ,
)
);
2018-02-05 19:45:12 +00:00
}
}
2015-05-16 02:03:24 +00:00
/**
2015-11-03 12:28:01 +00:00
* Table list output .
2015-05-16 02:03:24 +00:00
*/
private static function table_list_output () {
2018-02-05 19:50:16 +00:00
global $wpdb , $keys_table_list ;
2017-03-17 22:49:19 +00:00
2019-11-13 21:48:17 +00:00
echo '<h2 class="wc-table-list-header">' . esc_html__ ( 'REST API' , 'woocommerce' ) . ' <a href="' . esc_url ( admin_url ( 'admin.php?page=wc-settings&tab=advanced§ion=keys&create-key=1' ) ) . '" class="add-new-h2">' . esc_html__ ( 'Add key' , 'woocommerce' ) . '</a></h2>' ;
2015-05-16 02:03:24 +00:00
2018-02-10 06:38:33 +00:00
// Get the API keys count.
2017-03-17 22:49:19 +00:00
$count = $wpdb -> get_var ( " SELECT COUNT(key_id) FROM { $wpdb -> prefix } woocommerce_api_keys WHERE 1 = 1; " );
if ( absint ( $count ) && $count > 0 ) {
$keys_table_list -> prepare_items ();
2015-05-16 02:03:24 +00:00
2017-03-17 22:49:19 +00:00
echo '<input type="hidden" name="page" value="wc-settings" />' ;
2018-07-04 18:30:08 +00:00
echo '<input type="hidden" name="tab" value="advanced" />' ;
2017-03-17 22:49:19 +00:00
echo '<input type="hidden" name="section" value="keys" />' ;
2015-05-16 02:03:24 +00:00
2017-03-17 22:49:19 +00:00
$keys_table_list -> views ();
$keys_table_list -> search_box ( __ ( 'Search key' , 'woocommerce' ), 'key' );
$keys_table_list -> display ();
} else {
2017-04-27 11:23:16 +00:00
echo '<div class="woocommerce-BlankState woocommerce-BlankState--api">' ;
2017-03-17 22:49:19 +00:00
?>
2018-02-10 06:38:33 +00:00
< h2 class = " woocommerce-BlankState-message " >< ? php esc_html_e ( 'The WooCommerce REST API allows external apps to view and manage store data. Access is granted only to those with valid API keys.' , 'woocommerce' ); ?> </h2>
2018-04-12 15:59:42 +00:00
< a class = " woocommerce-BlankState-cta button-primary button " href = " <?php echo esc_url( admin_url( 'admin.php?page=wc-settings&tab=advanced§ion=keys&create-key=1' ) ); ?> " >< ? php esc_html_e ( 'Create an API key' , 'woocommerce' ); ?> </a>
2018-02-10 06:38:33 +00:00
< style type = " text/css " > #posts-filter .wp-list-table, #posts-filter .tablenav.top, .tablenav.bottom .actions { display: none; }</style>
< ? php
2017-03-17 22:49:19 +00:00
}
2015-05-16 02:03:24 +00:00
}
2015-05-16 03:09:29 +00:00
/**
2015-11-03 12:28:01 +00:00
* Get key data .
2015-05-16 03:09:29 +00:00
*
2018-02-10 06:38:33 +00:00
* @ param int $key_id API Key ID .
2015-05-16 03:09:29 +00:00
* @ return array
*/
private static function get_key_data ( $key_id ) {
global $wpdb ;
$empty = array (
2015-07-16 18:42:00 +00:00
'key_id' => 0 ,
'user_id' => '' ,
'description' => '' ,
'permissions' => '' ,
'truncated_key' => '' ,
2016-08-27 01:46:45 +00:00
'last_access' => '' ,
2015-05-16 03:09:29 +00:00
);
2018-02-10 07:18:22 +00:00
if ( 0 === $key_id ) {
2015-05-16 03:09:29 +00:00
return $empty ;
}
2018-03-05 18:59:17 +00:00
$key = $wpdb -> get_row (
$wpdb -> prepare (
" SELECT key_id, user_id, description, permissions, truncated_key, last_access
FROM { $wpdb -> prefix } woocommerce_api_keys
WHERE key_id = % d " ,
$key_id
2019-12-20 18:25:23 +00:00
),
ARRAY_A
2018-03-05 18:59:17 +00:00
);
2015-05-16 03:09:29 +00:00
if ( is_null ( $key ) ) {
return $empty ;
}
return $key ;
}
2015-05-18 18:23:05 +00:00
/**
2015-11-03 12:28:01 +00:00
* API Keys admin actions .
2015-05-18 18:23:05 +00:00
*/
public function actions () {
if ( $this -> is_api_keys_settings_page () ) {
2018-02-10 07:18:22 +00:00
// Revoke key.
2018-07-04 19:09:04 +00:00
if ( isset ( $_REQUEST [ 'revoke-key' ] ) ) { // WPCS: input var okay, CSRF ok.
2015-05-18 18:46:16 +00:00
$this -> revoke_key ();
}
2018-02-10 07:18:22 +00:00
// Bulk actions.
2018-07-04 19:09:04 +00:00
if ( isset ( $_REQUEST [ 'action' ] ) && isset ( $_REQUEST [ 'key' ] ) ) { // WPCS: input var okay, CSRF ok.
2015-05-18 19:12:47 +00:00
$this -> bulk_actions ();
2015-05-18 18:23:05 +00:00
}
}
}
/**
* Notices .
*/
public static function notices () {
2018-07-04 19:24:27 +00:00
if ( isset ( $_GET [ 'revoked' ] ) ) { // WPCS: input var okay, CSRF ok.
$revoked = absint ( $_GET [ 'revoked' ] ); // WPCS: input var okay, CSRF ok.
/* translators: %d: count */
WC_Admin_Settings :: add_message ( sprintf ( _n ( '%d API key permanently revoked.' , '%d API keys permanently revoked.' , $revoked , 'woocommerce' ), $revoked ) );
2015-05-18 18:23:05 +00:00
}
}
2015-05-18 18:46:16 +00:00
/**
2015-11-03 12:28:01 +00:00
* Revoke key .
2015-05-18 18:46:16 +00:00
*/
private function revoke_key () {
2018-10-17 23:00:51 +00:00
global $wpdb ;
2018-02-10 07:18:22 +00:00
check_admin_referer ( 'revoke' );
2018-07-04 19:09:04 +00:00
if ( isset ( $_REQUEST [ 'revoke-key' ] ) ) { // WPCS: input var okay, CSRF ok.
2018-10-17 23:00:51 +00:00
$key_id = absint ( $_REQUEST [ 'revoke-key' ] ); // WPCS: input var okay, CSRF ok.
$user_id = ( int ) $wpdb -> get_var ( $wpdb -> prepare ( " SELECT user_id FROM { $wpdb -> prefix } woocommerce_api_keys WHERE key_id = %d " , $key_id ) );
2015-05-18 18:46:16 +00:00
2018-10-17 23:00:51 +00:00
if ( $key_id && $user_id && ( current_user_can ( 'edit_user' , $user_id ) || get_current_user_id () === $user_id ) ) {
2018-02-10 07:18:22 +00:00
$this -> remove_key ( $key_id );
2018-10-17 23:00:51 +00:00
} else {
wp_die ( esc_html__ ( 'You do not have permission to revoke this API Key' , 'woocommerce' ) );
2018-02-10 07:18:22 +00:00
}
}
2015-05-18 18:46:16 +00:00
2018-07-04 19:24:27 +00:00
wp_safe_redirect ( esc_url_raw ( add_query_arg ( array ( 'revoked' => 1 ), admin_url ( 'admin.php?page=wc-settings&tab=advanced§ion=keys' ) ) ) );
2015-05-18 18:46:16 +00:00
exit ();
}
2015-05-18 19:12:47 +00:00
/**
2015-11-03 12:28:01 +00:00
* Bulk actions .
2015-05-18 19:12:47 +00:00
*/
private function bulk_actions () {
2018-02-10 07:18:22 +00:00
check_admin_referer ( 'woocommerce-settings' );
if ( ! current_user_can ( 'manage_woocommerce' ) ) {
wp_die ( esc_html__ ( 'You do not have permission to edit API Keys' , 'woocommerce' ) );
2015-05-18 19:12:47 +00:00
}
2018-07-04 19:09:04 +00:00
if ( isset ( $_REQUEST [ 'action' ] ) ) { // WPCS: input var okay, CSRF ok.
$action = sanitize_text_field ( wp_unslash ( $_REQUEST [ 'action' ] ) ); // WPCS: input var okay, CSRF ok.
$keys = isset ( $_REQUEST [ 'key' ] ) ? array_map ( 'absint' , ( array ) $_REQUEST [ 'key' ] ) : array (); // WPCS: input var okay, CSRF ok.
2015-05-18 19:12:47 +00:00
2018-02-10 07:18:22 +00:00
if ( 'revoke' === $action ) {
$this -> bulk_revoke_key ( $keys );
}
2015-05-18 19:12:47 +00:00
}
}
/**
2015-11-03 12:28:01 +00:00
* Bulk revoke key .
2015-05-18 19:12:47 +00:00
*
2018-02-10 07:18:22 +00:00
* @ param array $keys API Keys .
2015-05-18 19:12:47 +00:00
*/
private function bulk_revoke_key ( $keys ) {
2018-10-17 23:00:51 +00:00
if ( ! current_user_can ( 'remove_users' ) ) {
wp_die ( esc_html__ ( 'You do not have permission to revoke API Keys' , 'woocommerce' ) );
}
2018-07-04 19:24:27 +00:00
$qty = 0 ;
2015-05-18 19:12:47 +00:00
foreach ( $keys as $key_id ) {
2018-07-04 19:24:27 +00:00
$result = $this -> remove_key ( $key_id );
if ( $result ) {
$qty ++ ;
}
2015-05-18 19:12:47 +00:00
}
2018-07-04 19:24:27 +00:00
// Redirect to webhooks page.
wp_safe_redirect ( esc_url_raw ( add_query_arg ( array ( 'revoked' => $qty ), admin_url ( 'admin.php?page=wc-settings&tab=advanced§ion=keys' ) ) ) );
exit ();
2015-05-18 19:12:47 +00:00
}
/**
2015-11-03 12:28:01 +00:00
* Remove key .
2015-05-18 19:12:47 +00:00
*
2018-02-10 07:18:22 +00:00
* @ param int $key_id API Key ID .
2015-05-18 19:12:47 +00:00
* @ return bool
*/
private function remove_key ( $key_id ) {
global $wpdb ;
$delete = $wpdb -> delete ( $wpdb -> prefix . 'woocommerce_api_keys' , array ( 'key_id' => $key_id ), array ( '%d' ) );
return $delete ;
}
2015-05-16 02:03:24 +00:00
}
new WC_Admin_API_Keys ();