Code Coverage
 
Lines
Functions and Methods
Classes and Traits
Total
62.24% covered (warning)
62.24%
89 / 143
31.58% covered (danger)
31.58%
6 / 19
CRAP
0.00% covered (danger)
0.00%
0 / 1
Access_Control
62.24% covered (warning)
62.24%
89 / 143
31.58% covered (danger)
31.58%
6 / 19
351.15
0.00% covered (danger)
0.00%
0 / 1
 set_guid_subscription
0.00% covered (danger)
0.00%
0 / 2
0.00% covered (danger)
0.00%
0 / 1
2
 get_subscription_plan_id
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
2
 instance
100.00% covered (success)
100.00%
3 / 3
100.00% covered (success)
100.00%
1 / 1
2
 jetpack_memberships_available
100.00% covered (success)
100.00%
1 / 1
100.00% covered (success)
100.00%
1 / 1
1
 jetpack_subscriptions_available
25.00% covered (danger)
25.00%
3 / 12
0.00% covered (danger)
0.00%
0 / 1
15.55
 get_default_user_capability_for_post
75.00% covered (warning)
75.00%
3 / 4
0.00% covered (danger)
0.00%
0 / 1
2.06
 build_restriction_details
72.22% covered (warning)
72.22%
13 / 18
0.00% covered (danger)
0.00%
0 / 1
4.34
 check_block_level_access
50.00% covered (danger)
50.00%
7 / 14
0.00% covered (danger)
0.00%
0 / 1
8.12
 get_subscriber_only_restriction_details
0.00% covered (danger)
0.00%
0 / 6
0.00% covered (danger)
0.00%
0 / 1
2
 filter_video_restriction_details
100.00% covered (success)
100.00%
1 / 1
100.00% covered (success)
100.00%
1 / 1
1
 default_video_restriction_details
100.00% covered (success)
100.00%
8 / 8
100.00% covered (success)
100.00%
1 / 1
1
 post_embeds_videopress_guid
80.00% covered (warning)
80.00%
8 / 10
0.00% covered (danger)
0.00%
0 / 1
6.29
 post_content_has_videopress_block
66.67% covered (warning)
66.67%
2 / 3
0.00% covered (danger)
0.00%
0 / 1
2.15
 blocks_contain_videopress_guid
0.00% covered (danger)
0.00%
0 / 8
0.00% covered (danger)
0.00%
0 / 1
90
 post_content_has_videopress_shortcode
84.62% covered (warning)
84.62%
11 / 13
0.00% covered (danger)
0.00%
0 / 1
10.36
 post_content_has_videopress_url
100.00% covered (success)
100.00%
6 / 6
100.00% covered (success)
100.00%
1 / 1
4
 is_current_user_authed_for_video
70.97% covered (warning)
70.97%
22 / 31
0.00% covered (danger)
0.00%
0 / 1
20.51
 filter_is_current_user_authed_for_video
100.00% covered (success)
100.00%
1 / 1
100.00% covered (success)
100.00%
1 / 1
1
 get_videopress_blog_id
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
2
1<?php
2/**
3 * VideoPress Access Control.
4 *
5 * @package automattic/jetpack-videopress
6 */
7
8namespace Automattic\Jetpack\VideoPress;
9
10use Automattic\Jetpack\Extensions\Premium_Content\Subscription_Service\Abstract_Token_Subscription_Service;
11use Automattic\Jetpack\Modules;
12use VIDEOPRESS_PRIVACY;
13use WP_Post;
14
15/**
16 * VideoPress video access control utilities.
17 *
18 * Note: this is also being used on WordPress.com.
19 * Use IS_WPCOM checks for functionality that is specific to WPCOM/Jetpack.
20 */
21class Access_Control {
22
23    /**
24     * Singleton Access_Control instance.
25     *
26     * @var Access_Control
27     **/
28    private static $instance = null;
29
30    /**
31     * Guid to subscription plan, store, for when used inline on a page.
32     *
33     * @var array
34     */
35    private $guids_to_subscriptions = array();
36
37    /**
38     * Set that this guid is controlled by a subscription.
39     *
40     * @param string     $guid            The guid to set.
41     * @param string|int $subscription_id The subscription to set.
42     *
43     * @return Access_Control
44     */
45    public function set_guid_subscription( $guid, $subscription_id ) {
46        $this->guids_to_subscriptions[ $guid ] = $subscription_id;
47        return $this;
48    }
49
50    /**
51     * Get the subscription for a guid.
52     *
53     * @param string $guid The guid to get.
54     *
55     * @return string|int|false
56     */
57    public function get_subscription_plan_id( $guid ) {
58        return $this->guids_to_subscriptions[ $guid ] ?? false;
59    }
60
61    /**
62     * Get the singleton instance.
63     *
64     * @return self
65     */
66    public static function instance() {
67        if ( null === self::$instance ) {
68            self::$instance = new self();
69        }
70
71        return self::$instance;
72    }
73
74    /**
75     * Determines if Jetpack Memberships are available.
76     *
77     * @return bool
78     */
79    private function jetpack_memberships_available() {
80        return class_exists( '\Jetpack_Memberships' );
81    }
82
83    /**
84     * Determines if Jetpack Subscriptions are available.
85     *
86     * @return bool
87     */
88    private function jetpack_subscriptions_available() {
89        $is_module_active = ( new Modules() )->is_active( 'subscriptions' );
90        if ( ! $is_module_active ) {
91            return false;
92        }
93
94        if ( function_exists( '\Automattic\Jetpack\Extensions\Premium_Content\subscription_service' ) ) {
95            return true;
96        }
97
98        if ( ! defined( 'JETPACK__PLUGIN_DIR' ) ) {
99            return false;
100        }
101
102        $subscription_service_file_path = JETPACK__PLUGIN_DIR . 'extensions/blocks/premium-content/_inc/subscription-service/include.php';
103        if ( ! file_exists( $subscription_service_file_path ) ) {
104            return false;
105        }
106
107        require_once $subscription_service_file_path;
108
109        return function_exists( '\Automattic\Jetpack\Extensions\Premium_Content\subscription_service' );
110    }
111
112    /**
113     * Check default user access. By default, subscribers or higher can view videos.
114     *
115     * @param WP_Post $post_to_check The post to check.
116     *
117     * @return bool
118     **/
119    private function get_default_user_capability_for_post( $post_to_check ) {
120        if ( ! isset( $post_to_check->ID ) ) {
121            return false;
122        }
123
124        $default_auth = current_user_can( 'read_post', $post_to_check->ID );
125
126        return $default_auth;
127    }
128
129    /**
130     * Determines if the current user can access restricted content and builds the restriction_details array.
131     *
132     * @param string $guid the video guid.
133     * @param int    $embedded_post_id the post id.
134     * @param int    $selected_plan_id the selected plan id if applicable.
135     *
136     * @return array
137     */
138    private function build_restriction_details( $guid, $embedded_post_id, $selected_plan_id ) {
139        $post_to_check = get_post( $embedded_post_id );
140
141        if ( empty( $post_to_check ) ) {
142            $restriction_details = $this->default_video_restriction_details( false );
143            return $this->filter_video_restriction_details( $restriction_details, $guid, $embedded_post_id, $selected_plan_id );
144        }
145
146        $default_auth        = $this->get_default_user_capability_for_post( $post_to_check );
147        $restriction_details = $this->default_video_restriction_details( $default_auth );
148
149        if ( $this->jetpack_memberships_available() ) {
150            $post_access_level = \Jetpack_Memberships::get_post_access_level( $embedded_post_id );
151            if ( 'everybody' !== $post_access_level ) {
152                $memberships_can_view_post         = \Jetpack_Memberships::user_can_view_post( $embedded_post_id );
153                $restriction_details               = $this->get_subscriber_only_restriction_details( $default_auth );
154                $restriction_details['can_access'] = $memberships_can_view_post;
155            }
156        }
157
158        return $this->check_block_level_access(
159            $restriction_details,
160            $guid,
161            $embedded_post_id,
162            $selected_plan_id
163        );
164    }
165
166    /**
167     * Determines if the current user can access restricted block content and updates the restriction_details array.
168     *
169     * @param array  $restriction_details the restriction details array.
170     * @param string $guid the video guid.
171     * @param int    $embedded_post_id the post id.
172     * @param int    $selected_plan_id the selected plan id if applicable.
173     *
174     * @return array
175     */
176    private function check_block_level_access( $restriction_details, $guid, $embedded_post_id, $selected_plan_id ) {
177        if ( $this->jetpack_subscriptions_available() && $selected_plan_id > 0 ) {
178            $restriction_details = $this->get_subscriber_only_restriction_details( $restriction_details['can_access'] );
179            $paywall             = \Automattic\Jetpack\Extensions\Premium_Content\subscription_service();
180
181            // Only paid subscribers should be granted access to the premium content.
182            $access_level = '';
183            if ( class_exists( Abstract_Token_Subscription_Service::class ) ) {
184                $access_level = Abstract_Token_Subscription_Service::POST_ACCESS_LEVEL_PAID_SUBSCRIBERS;
185            }
186
187            $can_view                          = $paywall->visitor_can_view_content( array( $selected_plan_id ), $access_level );
188            $restriction_details['can_access'] = $can_view || current_user_can( 'edit_post', $embedded_post_id ); // Editors can always view the content.
189        }
190
191        return $this->filter_video_restriction_details(
192            $restriction_details,
193            $guid,
194            $embedded_post_id,
195            $selected_plan_id
196        );
197    }
198
199    /**
200     * Returns the default restriction_details for a video.
201     *
202     * @param bool $default_can_access The default auth.
203     *
204     * @return array
205     **/
206    private function get_subscriber_only_restriction_details( $default_can_access = false ) {
207        return array(
208            'provider'             => 'jetpack_memberships',
209            'title'                => __( 'This video is subscriber-only', 'jetpack-videopress-pkg' ),
210            'unauthorized_message' => __( 'You need to be subscribed to view this video', 'jetpack-videopress-pkg' ),
211            'can_access'           => $default_can_access,
212        );
213    }
214
215    /**
216     * Filters restriction details.
217     *
218     * @param array  $video_restriction_details The restriction details.
219     * @param string $guid The video guid.
220     * @param int    $embedded_post_id The post id.
221     * @param int    $selected_plan_id The selected plan id if applicable.
222     *
223     * @return array
224     */
225    private function filter_video_restriction_details( $video_restriction_details, $guid, $embedded_post_id, $selected_plan_id ) {
226        /**
227         * Filters the video restriction details.
228         *
229         * @param array  $video_restriction_details The restriction details.
230         * @param string $guid The video guid.
231         * @param int    $embedded_post_id The post id.
232         * @param int    $selected_plan_id The selected plan id if applicable.
233         *
234         * @return array
235         */
236        return (array) apply_filters( 'videopress_video_restriction_details', $video_restriction_details, $guid, $embedded_post_id, $selected_plan_id );
237    }
238
239    /**
240     * Returns the default restriction_details for a video.
241     *
242     * @param bool $default_can_access The default auth.
243     *
244     * @return array
245     **/
246    private function default_video_restriction_details( $default_can_access = false ) {
247        $restriction_details = array(
248            'version'              => '1',
249            'provider'             => 'auth',
250            'title'                => __( 'Unauthorized', 'jetpack-videopress-pkg' ),
251            'unauthorized_message' => __( 'Unauthorized', 'jetpack-videopress-pkg' ),
252            'can_access'           => $default_can_access,
253        );
254
255        return $restriction_details;
256    }
257
258    /**
259     * Determines whether a given post actually embeds a given VideoPress GUID.
260     *
261     * Used to prevent the embedded post id â€” which arrives from request input â€” from being
262     * treated as an authorization context when it has no relationship to the requested video.
263     * Matching the attachment id itself is not treated as proof of embedding: attachment ids
264     * are enumerable via the media REST route and would otherwise provide a second path around
265     * this check whenever the attachment has no parent and falls back to the `read` capability.
266     *
267     * @param int    $embedded_post_id The post id claimed as the embedding context.
268     * @param string $guid             The video guid.
269     *
270     * @return bool
271     */
272    private function post_embeds_videopress_guid( $embedded_post_id, $guid ) {
273        $post = get_post( $embedded_post_id );
274        if ( ! $post instanceof WP_Post || empty( $post->post_content ) ) {
275            return false;
276        }
277
278        // If the guid is nowhere in the content, neither the block nor the shortcode scan can match.
279        if ( false === strpos( $post->post_content, $guid ) ) {
280            return false;
281        }
282
283        if ( $this->post_content_has_videopress_block( $post->post_content, $guid ) ) {
284            return true;
285        }
286
287        if ( $this->post_content_has_videopress_shortcode( $post->post_content, $guid ) ) {
288            return true;
289        }
290
291        return $this->post_content_has_videopress_url( $post->post_content, $guid );
292    }
293
294    /**
295     * Walk parsed blocks (including inner blocks) looking for a videopress/video block
296     * whose guid attribute matches.
297     *
298     * @param string $post_content The post content to scan.
299     * @param string $guid         The video guid to match.
300     *
301     * @return bool
302     */
303    private function post_content_has_videopress_block( $post_content, $guid ) {
304        if ( false === strpos( $post_content, 'wp:videopress/video' ) ) {
305            return false;
306        }
307
308        return $this->blocks_contain_videopress_guid( parse_blocks( $post_content ), $guid );
309    }
310
311    /**
312     * Recursively scans a parsed block tree for a videopress/video block whose guid attribute matches.
313     *
314     * @param array  $blocks Parsed blocks (as returned by parse_blocks() or an innerBlocks array).
315     * @param string $guid   The video guid to match.
316     *
317     * @return bool
318     */
319    private function blocks_contain_videopress_guid( $blocks, $guid ) {
320        foreach ( $blocks as $block ) {
321            if (
322                isset( $block['blockName'] ) && 'videopress/video' === $block['blockName']
323                && isset( $block['attrs']['guid'] ) && $block['attrs']['guid'] === $guid
324            ) {
325                return true;
326            }
327
328            if ( ! empty( $block['innerBlocks'] ) && is_array( $block['innerBlocks'] )
329                && $this->blocks_contain_videopress_guid( $block['innerBlocks'], $guid )
330            ) {
331                return true;
332            }
333        }
334
335        return false;
336    }
337
338    /**
339     * Detect a [videopress GUID] or [wpvideo GUID] shortcode whose first positional
340     * argument matches the given guid.
341     *
342     * @param string $post_content The post content to scan.
343     * @param string $guid         The video guid to match.
344     *
345     * @return bool
346     */
347    private function post_content_has_videopress_shortcode( $post_content, $guid ) {
348        if ( false === stripos( $post_content, '[videopress' ) && false === stripos( $post_content, '[wpvideo' ) ) {
349            return false;
350        }
351
352        $pattern = get_shortcode_regex( array( 'videopress', 'wpvideo' ) );
353        $count   = preg_match_all( '/' . $pattern . '/', $post_content, $matches, PREG_SET_ORDER );
354        if ( false === $count || 0 === $count ) {
355            return false;
356        }
357
358        foreach ( $matches as $match ) {
359            $atts = shortcode_parse_atts( $match[3] );
360            if ( ! is_array( $atts ) ) {
361                continue;
362            }
363
364            // Only the positional argument identifies the video; named attributes must not satisfy the binding check.
365            if ( isset( $atts[0] ) && is_string( $atts[0] ) && $atts[0] === $guid ) {
366                return true;
367            }
368        }
369
370        return false;
371    }
372
373    /**
374     * Detect a canonical VideoPress URL referencing the given guid. Covers oEmbed
375     * inserts, core/embed blocks, core/video blocks, and core [video] shortcodes
376     * whose src/mp4 attributes resolve to a VideoPress URL.
377     *
378     * @param string $post_content The post content to scan.
379     * @param string $guid         The video guid to match.
380     *
381     * @return bool
382     */
383    private function post_content_has_videopress_url( $post_content, $guid ) {
384        if ( ! preg_match_all( '#https?://[^\s"\'<>)]+#i', $post_content, $matches ) ) {
385            return false;
386        }
387
388        foreach ( $matches[0] as $url ) {
389            if ( $guid === Utils::extract_videopress_guid_from_url( $url ) ) {
390                return true;
391            }
392        }
393
394        return false;
395    }
396
397    /**
398     * Determines if the current user can view the provided video. Only ever gets fired if site-wide private videos are enabled.
399     *
400     * Filterable for 3rd party plugins.
401     *
402     * @param string $guid             The video id being checked.
403     * @param int    $embedded_post_id The post id the video is embedded in or 0.
404     * @param int    $selected_plan_id The plan id the earn block this video is embedded in has.
405     */
406    public function is_current_user_authed_for_video( $guid, $embedded_post_id, $selected_plan_id = 0 ) {
407        if ( current_user_can( 'upload_files' ) ) {
408            return $this->filter_is_current_user_authed_for_video( true, $guid, $embedded_post_id );
409        }
410
411        $attachment = false;
412        if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
413            $video_info = video_get_info_by_guid( $guid );
414            if ( ! empty( $video_info ) ) {
415                $attachment = get_blog_post( $video_info->blog_id, $video_info->post_id );
416            }
417        } else {
418            $attachment = videopress_get_post_by_guid( $guid );
419        }
420
421        if ( ! $attachment ) {
422            return false;
423        }
424
425        $video_info = video_get_info_by_blogpostid( get_current_blog_id(), $attachment->ID );
426        if ( null === $video_info->guid ) {
427            return false;
428        }
429
430        /*
431         * Default missing privacy_setting to SITE_DEFAULT to avoid an
432         * undefined-property warning and make the site-level fallback explicit.
433         */
434        $privacy_setting = $video_info->privacy_setting ?? VIDEOPRESS_PRIVACY::SITE_DEFAULT;
435
436        $embedded_post_id = (int) $embedded_post_id;
437        if (
438            $embedded_post_id
439            && VIDEOPRESS_PRIVACY::IS_PUBLIC !== $privacy_setting
440            && ! $this->post_embeds_videopress_guid( $embedded_post_id, $guid )
441        ) {
442            $embedded_post_id = 0;
443        }
444
445        $is_user_authed = false;
446
447        // Determine if video is public, private or use site default.
448        switch ( $privacy_setting ) {
449            case VIDEOPRESS_PRIVACY::IS_PUBLIC:
450                $is_user_authed = true;
451                break;
452            case VIDEOPRESS_PRIVACY::IS_PRIVATE:
453                $restriction_details = $this->build_restriction_details( $guid, $embedded_post_id, $selected_plan_id );
454                $is_user_authed      = $restriction_details['can_access'];
455                break;
456            case VIDEOPRESS_PRIVACY::SITE_DEFAULT:
457            default:
458                $is_videopress_private_for_site = Data::get_videopress_videos_private_for_site();
459                $is_user_authed                 = true;
460                if ( $is_videopress_private_for_site ) {
461                    $restriction_details = $this->build_restriction_details( $guid, $embedded_post_id, $selected_plan_id );
462                    $is_user_authed      = $restriction_details['can_access'];
463                }
464        }
465
466        /**
467         * Overrides video view authorization for current user.
468         *
469         * Example of making all videos public:
470         *
471         * function jp_example_override_video_auth( $is_user_authed, $guid ) {
472         *  return true
473         * };
474         * add_filter( 'videopress_is_current_user_authed_for_video', 'jp_example_override_video_auth', 10, 2 );
475         *
476         * @param bool     $is_user_authed   The current user authorization state.
477         * @param string   $guid             The video's unique identifier.
478         * @param int|null $embedded_post_id The post the video is embedded..
479         *
480         * @return bool
481         */
482        return $this->filter_is_current_user_authed_for_video( $is_user_authed, $guid, $embedded_post_id );
483    }
484
485        /**
486         * Overrides video view authorization for current user.
487         *
488         * @param bool     $is_user_authed   The current user authorization state.
489         * @param string   $guid             The video's unique identifier.
490         * @param int|null $embedded_post_id The post the video is embedded..
491         *
492         * @return bool
493         */
494    private function filter_is_current_user_authed_for_video( $is_user_authed, $guid, $embedded_post_id ) {
495        /**
496         * Overrides video view authorization for current user.
497         *
498         * Example of making all videos public:
499         *
500         * function jp_example_override_video_auth( $is_user_authed, $guid ) {
501         *  return true
502         * };
503         * add_filter( 'videopress_is_current_user_authed_for_video', 'jp_example_override_video_auth', 10, 2 );
504         *
505         * @param bool     $is_user_authed   The current user authorization state.
506         * @param string   $guid             The video's unique identifier.
507         * @param int|null $embedded_post_id The post the video is embedded..
508         *
509         * @return bool
510         */
511        return (bool) apply_filters( 'videopress_is_current_user_authed_for_video', $is_user_authed, $guid, $embedded_post_id );
512    }
513
514    /**
515     * Returns the proper blog id depending on Jetpack or WP.com
516     *
517     * @return int the blog id
518     */
519    public function get_videopress_blog_id() {
520        return \Jetpack_Options::get_option( 'id' );
521    }
522}