<?php /** * REST API Options Controller * * Handles requests to get and update options in the wp_options table. */ namespace Automattic\WooCommerce\Admin\API; defined( 'ABSPATH' ) || exit; /** * Options Controller. * * @deprecated since 6.2.0 * * @extends WC_REST_Data_Controller */ class Options extends \WC_REST_Data_Controller { /** * Endpoint namespace. * * @var string */ protected $namespace = 'wc-admin'; /** * Route base. * * @var string */ protected $rest_base = 'options'; /** * Register routes. */ public function register_routes() { register_rest_route( $this->namespace, '/' . $this->rest_base, array( array( 'methods' => \WP_REST_Server::READABLE, 'callback' => array( $this, 'get_options' ), 'permission_callback' => array( $this, 'get_item_permissions_check' ), ), 'schema' => array( $this, 'get_item_schema' ), ) ); register_rest_route( $this->namespace, '/' . $this->rest_base, array( array( 'methods' => \WP_REST_Server::EDITABLE, 'callback' => array( $this, 'update_options' ), 'permission_callback' => array( $this, 'update_item_permissions_check' ), ), 'schema' => array( $this, 'get_item_schema' ), ) ); } /** * Check if a given request has access to get options. * * @param WP_REST_Request $request Full details about the request. * @return WP_Error|boolean */ public function get_item_permissions_check( $request ) { $params = ( isset( $request['options'] ) && is_string( $request['options'] ) ) ? explode( ',', $request['options'] ) : array(); if ( ! $params ) { return new \WP_Error( 'woocommerce_rest_cannot_view', __( 'You must supply an array of options.', 'woocommerce' ), 500 ); } foreach ( $params as $option ) { if ( ! $this->user_has_permission( $option, $request ) ) { if ( 'production' !== wp_get_environment_type() ) { return new \WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view these options, please remember to update the option permissions in Options API to allow viewing these options in non-production environments.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); } return new \WP_Error( 'woocommerce_rest_cannot_view', __( 'Sorry, you cannot view these options.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); } } return true; } /** * Check if the user has permission given an option name. * * @param string $option Option name. * @param WP_REST_Request $request Full details about the request. * @param bool $is_update If the request is to update the option. * @return boolean */ public function user_has_permission( $option, $request, $is_update = false ) { $permissions = $this->get_option_permissions( $request ); if ( isset( $permissions[ $option ] ) ) { return $permissions[ $option ]; } // Don't allow to update options in non-production environments if the option is not whitelisted. This is to force developers to update the option permissions when adding new options. if ( 'production' !== wp_get_environment_type() ) { return false; } wc_deprecated_function( 'Automattic\WooCommerce\Admin\API\Options::' . ( $is_update ? 'update_options' : 'get_options' ), '6.3' ); return current_user_can( 'manage_options' ); } /** * Check if a given request has access to update options. * * @param WP_REST_Request $request Full details about the request. * @return WP_Error|boolean */ public function update_item_permissions_check( $request ) { $params = $request->get_json_params(); if ( ! is_array( $params ) ) { return new \WP_Error( 'woocommerce_rest_cannot_update', __( 'You must supply an array of options and values.', 'woocommerce' ), 500 ); } foreach ( $params as $option_name => $option_value ) { if ( ! $this->user_has_permission( $option_name, $request, true ) ) { return new \WP_Error( 'woocommerce_rest_cannot_update', __( 'Sorry, you cannot manage these options.', 'woocommerce' ), array( 'status' => rest_authorization_required_code() ) ); } } return true; } /** * Get an array of options and respective permissions for the current user. * * @param WP_REST_Request $request Full details about the request. * @return array */ public function get_option_permissions( $request ) { $permissions = self::get_default_option_permissions(); return apply_filters_deprecated( 'woocommerce_rest_api_option_permissions', array( $permissions, $request ), '6.3.0' ); } /** * Get the default available option permissions. * * @return array */ public static function get_default_option_permissions() { $is_woocommerce_admin = \Automattic\WooCommerce\Internal\Admin\Homescreen::is_admin_user(); $woocommerce_permissions = array( 'woocommerce_setup_jetpack_opted_in', 'woocommerce_stripe_settings', 'woocommerce-ppcp-settings', 'woocommerce_ppcp-gateway_setting', 'woocommerce_demo_store', 'woocommerce_demo_store_notice', 'woocommerce_ces_tracks_queue', 'woocommerce_navigation_intro_modal_dismissed', 'woocommerce_shipping_dismissed_timestamp', 'woocommerce_allow_tracking', 'woocommerce_task_list_keep_completed', 'woocommerce_default_homepage_layout', 'woocommerce_setup_jetpack_opted_in', 'woocommerce_no_sales_tax', 'woocommerce_calc_taxes', 'woocommerce_bacs_settings', 'woocommerce_bacs_accounts', 'woocommerce_settings_shipping_recommendations_hidden', 'woocommerce_task_list_dismissed_tasks', 'woocommerce_setting_payments_recommendations_hidden', 'woocommerce_navigation_favorites_tooltip_hidden', 'woocommerce_admin_transient_notices_queue', 'woocommerce_task_list_hidden', 'woocommerce_task_list_complete', 'woocommerce_extended_task_list_hidden', 'woocommerce_ces_shown_for_actions', 'woocommerce_clear_ces_tracks_queue_for_page', 'woocommerce_admin_install_timestamp', 'woocommerce_task_list_tracked_completed_tasks', 'woocommerce_show_marketplace_suggestions', 'woocommerce_task_list_reminder_bar_hidden', 'wc_connect_options', 'woocommerce_admin_created_default_shipping_zones', 'woocommerce_admin_reviewed_default_shipping_zones', 'woocommerce_admin_reviewed_store_location_settings', 'woocommerce_ces_product_feedback_shown', 'woocommerce_marketing_overview_multichannel_banner_dismissed', 'woocommerce_manage_stock', 'woocommerce_dimension_unit', 'woocommerce_weight_unit', 'woocommerce_product_editor_show_feedback_bar', 'woocommerce_single_variation_notice_dismissed', 'woocommerce_product_tour_modal_hidden', 'woocommerce_block_product_tour_shown', 'woocommerce_revenue_report_date_tour_shown', 'woocommerce_orders_report_date_tour_shown', 'woocommerce_show_prepublish_checks_enabled', 'woocommerce_date_type', 'date_format', 'time_format', 'woocommerce_onboarding_profile', 'woocommerce_default_country', 'blogname', 'wcpay_welcome_page_incentives_dismissed', 'wcpay_welcome_page_viewed_timestamp', 'wcpay_welcome_page_exit_survey_more_info_needed_timestamp', 'woocommerce_customize_store_onboarding_tour_hidden', 'woocommerce_customize_store_ai_suggestions', 'woocommerce_admin_customize_store_completed', 'woocommerce_admin_customize_store_completed_theme_id', 'woocommerce_admin_customize_store_survey_completed', 'woocommerce_coming_soon', 'woocommerce_store_pages_only', 'woocommerce_private_link', 'woocommerce_share_key', 'woocommerce_show_lys_tour', // WC Test helper options. 'wc-admin-test-helper-rest-api-filters', 'wc_admin_helper_feature_values', ); $theme_permissions = array( 'theme_mods_' . get_stylesheet() => current_user_can( 'edit_theme_options' ), 'stylesheet' => current_user_can( 'edit_theme_options' ), ); return array_merge( array_fill_keys( $theme_permissions, current_user_can( 'edit_theme_options' ) ), array_fill_keys( $woocommerce_permissions, $is_woocommerce_admin ) ); } /** * Gets an array of options and respective values. * * @param WP_REST_Request $request Full details about the request. * @return array Options object with option values. */ public function get_options( $request ) { $options = array(); if ( empty( $request['options'] ) || ! is_string( $request['options'] ) ) { return $options; } $params = explode( ',', $request['options'] ); foreach ( $params as $option ) { $options[ $option ] = get_option( $option ); } return $options; } /** * Updates an array of objects. * * @param WP_REST_Request $request Full details about the request. * @return array Options object with a boolean if the option was updated. */ public function update_options( $request ) { $params = $request->get_json_params(); $updated = array(); if ( ! is_array( $params ) ) { return array(); } foreach ( $params as $key => $value ) { $updated[ $key ] = update_option( $key, $value ); } return $updated; } /** * Get the schema, conforming to JSON Schema. * * @return array */ public function get_item_schema() { $schema = array( '$schema' => 'http://json-schema.org/draft-04/schema#', 'title' => 'options', 'type' => 'object', 'properties' => array( 'options' => array( 'type' => 'array', 'description' => __( 'Array of options with associated values.', 'woocommerce' ), 'context' => array( 'view' ), 'readonly' => true, ), ), ); return $this->add_additional_fields_schema( $schema ); } }