<?php
namespace um\common;
use WP_User;
// Bail out when the file is requested directly instead of being loaded by WordPress.
defined( 'ABSPATH' ) || exit;
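if ( ! class_exists( 'um\common\Secure' ) ) {

	/**
	 * Class Secure
	 *
	 * Hardening helpers for the registration flow: schedules the
	 * "suspicious activity" administrator notifications, supplies the
	 * administrative capabilities a register form must never grant, and
	 * strips those capabilities from an account that was found to hold them.
	 *
	 * @package um\common
	 *
	 * @since 2.6.8
	 */
	class Secure {

		/**
		 * Register the WordPress hooks this class listens on.
		 */
		public function hooks() {
			add_action( 'wp', array( $this, 'schedule_events' ) );
			add_filter( 'um_get_option_filter__banned_capabilities', array( $this, 'add_default_capabilities' ) );
		}

		/**
		 * Add callbacks to Schedule Events.
		 *
		 * Registers nothing unless both the "ban admin accounts" and the
		 * "notify admins" options are enabled. The 'instant' interval (and any
		 * unknown value) registers no cron callback here.
		 *
		 * @since 2.6.8
		 */
		public function schedule_events() {
			if ( ! UM()->options()->get( 'secure_ban_admins_accounts' ) ) {
				return;
			}
			if ( ! UM()->options()->get( 'secure_notify_admins_banned_accounts' ) ) {
				return;
			}

			$notification_interval = UM()->options()->get( 'secure_notify_admins_banned_accounts__interval' );
			if ( 'hourly' === $notification_interval ) {
				add_action( 'um_hourly_scheduled_events', array( $this, 'notify_administrators_hourly' ) );
			} elseif ( 'daily' === $notification_interval ) {
				add_action( 'um_daily_scheduled_events', array( $this, 'notify_administrators_daily' ) );
			}
		}

		/**
		 * Query the IDs of users whose `um_user_blocked__timestamp` matches the given clauses.
		 *
		 * The timestamp is written by revoke_caps() with current_time( 'mysql', true ),
		 * i.e. in GMT, so callers must build their bounds with gmdate().
		 *
		 * @param array $meta_clauses WP_Meta_Query clauses, combined with AND.
		 *
		 * @return int[] User IDs.
		 */
		private function get_blocked_user_ids( $meta_clauses ) {
			return get_users(
				array(
					'fields'     => 'ids',
					'meta_query' => array_merge( array( 'relation' => 'AND' ), $meta_clauses ),
				)
			);
		}

		/**
		 * Notify Administrators hourly - Suspicious activities in an hour
		 *
		 * @since 2.6.8
		 */
		public function notify_administrators_hourly() {
			$user_ids = $this->get_blocked_user_ids(
				array(
					array(
						'key'     => 'um_user_blocked__timestamp',
						'value'   => gmdate( 'Y-m-d H:i:s', strtotime( '-1 hour' ) ),
						'compare' => '>=',
						'type'    => 'DATETIME',
					),
				)
			);
			$this->send_notification( $user_ids );
		}

		/**
		 * Notify Administrators daily - Today's suspicious activity
		 *
		 * NOTE(review): the DATE cast widens both bounds to whole calendar days,
		 * so an entry can appear in two consecutive daily reports; confirm whether
		 * a rolling 24h DATETIME window (as in the hourly report) is intended.
		 *
		 * @since 2.6.8
		 */
		public function notify_administrators_daily() {
			$user_ids = $this->get_blocked_user_ids(
				array(
					array(
						'key'     => 'um_user_blocked__timestamp',
						'value'   => gmdate( 'Y-m-d H:i:s', strtotime( '-1 day' ) ),
						'compare' => '>=',
						'type'    => 'DATE',
					),
					array(
						'key'     => 'um_user_blocked__timestamp',
						'value'   => gmdate( 'Y-m-d H:i:s' ),
						'compare' => '<=',
						'type'    => 'DATE',
					),
				)
			);
			$this->send_notification( $user_ids );
		}

		/**
		 * Queue a "suspicious-activity" email to every administrator listing the blocked accounts.
		 *
		 * Sends nothing when $user_ids is empty, so the hourly/daily cron
		 * callbacks do not deliver an empty report.
		 *
		 * @param int[] $user_ids IDs of the users blocked in the reporting window.
		 */
		public function send_notification( $user_ids ) {
			if ( empty( $user_ids ) ) {
				return;
			}

			$banned_profile_links = '';
			foreach ( $user_ids as $uid ) {
				// The user is fetched before the link is built, presumably because
				// get_profile_link() depends on the current UM user — keep this order.
				um_fetch_user( $uid );
				$banned_profile_links .= UM()->user()->get_profile_link( $uid ) . ' ' . UM()->common()->users()->get_status( $uid ) . '<br />';
			}
			um_reset_user();

			$emails = um_multi_admin_email();
			if ( empty( $emails ) ) {
				return;
			}

			foreach ( $emails as $email ) {
				UM()->maybe_action_scheduler()->enqueue_async_action(
					'um_dispatch_email',
					array(
						$email,
						'suspicious-activity',
						array(
							'admin'        => true,
							'tags'         => array( '{banned_profile_links}' ),
							'tags_replace' => array( $banned_profile_links ),
						),
					)
				);
			}
		}

		/**
		 * Get the banned capabilities list.
		 *
		 * @return array
		 */
		public function get_banned_capabilities_list() {
			/**
			 * Filters the banned capabilities for UM Register forms.
			 *
			 * @param {array} $capabilities WordPress Administrative Capabilities.
			 *
			 * @return {array} Banned admin capabilities.
			 *
			 * @since 2.6.8
			 * @hook um_secure_register_form_banned_capabilities
			 *
			 * @example <caption>Added `read` capability as banned.</caption>
			 * function my_banned_capabilities( $capabilities ) {
			 *     $capabilities[] = 'read';
			 *     return $capabilities;
			 * }
			 * add_filter( 'um_secure_register_form_banned_capabilities', 'my_banned_capabilities' );
			 */
			$banned_admin_capabilities = apply_filters(
				'um_secure_register_form_banned_capabilities',
				array(
					'create_sites',
					'delete_sites',
					'manage_network',
					'manage_sites',
					'manage_network_users',
					'manage_network_plugins',
					'manage_network_themes',
					'manage_network_options',
					'upgrade_network',
					'setup_network',
					'activate_plugins',
					'edit_dashboard',
					'edit_theme_options',
					'export',
					'import',
					'list_users',
					'remove_users',
					'switch_themes',
					'customize',
					'delete_site',
					'update_core',
					'update_plugins',
					'update_themes',
					'install_plugins',
					'install_themes',
					'delete_themes',
					'delete_plugins',
					'edit_plugins',
					'edit_themes',
					'edit_files',
					'edit_users',
					'add_users',
					'create_users',
					'delete_users',
					'level_10',
					'manage_options',
					'promote_users',
				)
			);

			return $banned_admin_capabilities;
		}

		/**
		 * Whether the current request is the admin-initiated "scan affected users" action.
		 *
		 * True only when the nonce verifies for 'um-admin-nonce' and the caller
		 * holds 'manage_options'; the request values are unslashed and sanitized
		 * before use.
		 *
		 * @return bool
		 */
		private function is_manual_scan_request() {
			if ( ! isset( $_REQUEST['nonce'], $_REQUEST['action'] ) ) {
				return false;
			}

			$action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) );
			if ( 'um_secure_scan_affected_users' !== $action ) {
				return false;
			}

			$nonce = sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) );

			return wp_verify_nonce( $nonce, 'um-admin-nonce' ) && current_user_can( 'manage_options' );
		}

		/**
		 * Revoke Caps & Mark rejected as suspicious
		 *
		 * Stores a snapshot of the account (capabilities, roles, submitted form,
		 * user agent, status) in `um_user_blocked__metadata`, removes every
		 * capability, sets the UM status and records the block timestamp in GMT.
		 *
		 * @param WP_User $user
		 *
		 * @since 2.6.8
		 */
		public function revoke_caps( $user ) {
			$user_agent = '';
			if ( $this->is_manual_scan_request() ) {
				$user_agent = __( 'Ultimate Member Scanner', 'ultimate-member' );
			} elseif ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
				$user_agent = sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) );
			}

			um_fetch_user( $user->ID );

			// Capture details before the capabilities are removed below.
			$captured = array(
				'capabilities'   => $user->allcaps,
				'submitted'      => ! empty( UM()->form()->post_form ) ? UM()->form()->post_form : '',
				'roles'          => $user->roles,
				'user_agent'     => $user_agent,
				'account_status' => UM()->common()->users()->get_status( $user->ID ),
			);
			update_user_meta( $user->ID, 'um_user_blocked__metadata', $captured );

			$user->remove_all_caps();
			$user->update_user_level_from_caps();

			// Force update of the user status without email notifications.
			// An account caught while a session is active is made inactive; otherwise it is rejected.
			if ( is_user_logged_in() ) {
				UM()->common()->users()->set_status( $user->ID, 'inactive' );
			} else {
				UM()->common()->users()->set_status( $user->ID, 'rejected' );
			}
			um_reset_user();

			update_user_meta( $user->ID, 'um_user_blocked', 'suspicious_activity' );
			// GMT timestamp; the notify_* queries compare against gmdate() accordingly.
			update_user_meta( $user->ID, 'um_user_blocked__timestamp', current_time( 'mysql', true ) );
			UM()->user()->remove_cache( $user->ID );
		}

		/**
		 * Always add default banned capabilities.
		 *
		 * Non-array option values are returned untouched. The default list is
		 * cast to an array so a missing default cannot make array_merge() throw,
		 * and the result is de-duplicated since it is a set of capability names.
		 *
		 * @param mixed $option_value
		 *
		 * @return mixed
		 *
		 * @since 2.6.8
		 */
		public function add_default_capabilities( $option_value ) {
			if ( ! is_array( $option_value ) ) {
				return $option_value;
			}

			$defaults = (array) UM()->options()->get_default( 'banned_capabilities' );

			return array_values( array_unique( array_merge( $option_value, $defaults ) ) );
		}
	}
}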