shell bypass 403
UnknownSec Shell
:
/
home
/
innovagencyco
/
public_html
/
statxpress
/
wp-content
/
plugins
/
elementor
/
includes
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
user.php
<?php namespace Elementor; use Elementor\Core\Common\Modules\Ajax\Module as Ajax; if ( ! defined( 'ABSPATH' ) ) { exit; // Exit if accessed directly. } /** * Elementor user. * * Elementor user handler class is responsible for checking if the user can edit * with Elementor and displaying different admin notices. * * @since 1.0.0 */ class User { /** * Holds the admin notices key. * * @var string Admin notices key. */ const ADMIN_NOTICES_KEY = 'elementor_admin_notices'; /** * Holds the editor introduction screen key. * * @var string Introduction key. */ const INTRODUCTION_KEY = 'elementor_introduction'; /** * Holds the beta tester key. * * @var string Beta tester key. */ const BETA_TESTER_META_KEY = 'elementor_beta_tester'; /** * Holds the URL of the Beta Tester Opt-in API. * * @since 1.0.0 * * @var string API URL. */ const BETA_TESTER_API_URL = 'https://my.elementor.com/api/v1/beta_tester/'; /** * Holds the dismissed editor notices key. * * @since 3.19.0 * * @var string Editor notices key. */ const DISMISSED_EDITOR_NOTICES_KEY = 'elementor_dismissed_editor_notices'; /** * Init. * * Initialize Elementor user. * * @since 1.0.0 * @access public * @static */ public static function init() { add_action( 'wp_ajax_elementor_set_admin_notice_viewed', [ __CLASS__, 'ajax_set_admin_notice_viewed' ] ); add_action( 'admin_post_elementor_set_admin_notice_viewed', [ __CLASS__, 'ajax_set_admin_notice_viewed' ] ); add_action( 'elementor/ajax/register_actions', [ __CLASS__, 'register_ajax_actions' ] ); } /** * @since 2.1.0 * @access public * @static */ public static function register_ajax_actions( Ajax $ajax ) { $ajax->register_ajax_action( 'introduction_viewed', [ __CLASS__, 'set_introduction_viewed' ] ); $ajax->register_ajax_action( 'beta_tester_signup', [ __CLASS__, 'register_as_beta_tester' ] ); $ajax->register_ajax_action( 'dismissed_editor_notices', [ __CLASS__, 'set_dismissed_editor_notices' ] ); } /** * Is current user can edit. * * Whether the current user can edit the post. * * @since 1.0.0 * @access public * @static * * @param int $post_id Optional. The post ID. Default is `0`. * * @return bool Whether the current user can edit the post. */ public static function is_current_user_can_edit( $post_id = 0 ) { $post = get_post( $post_id ); if ( ! $post ) { return false; } if ( 'trash' === get_post_status( $post->ID ) ) { return false; } if ( ! self::is_current_user_can_edit_post_type( $post->post_type ) ) { return false; } $post_type_object = get_post_type_object( $post->post_type ); if ( ! isset( $post_type_object->cap->edit_post ) ) { return false; } $edit_cap = $post_type_object->cap->edit_post; if ( ! current_user_can( $edit_cap, $post->ID ) ) { return false; } if ( intval( get_option( 'page_for_posts' ) ) === $post->ID ) { return false; } return true; } /** * Is current user can access elementor. * * Whether the current user role is not excluded by Elementor Settings. * * @since 2.1.7 * @access public * @static * * @return bool True if can access, False otherwise. */ public static function is_current_user_in_editing_black_list() { $user = wp_get_current_user(); $exclude_roles = get_option( 'elementor_exclude_user_roles', [] ); $compare_roles = array_intersect( $user->roles, $exclude_roles ); if ( ! empty( $compare_roles ) ) { return false; } return true; } /** * Is current user can edit post type. * * Whether the current user can edit the given post type. * * @since 1.9.0 * @access public * @static * * @param string $post_type the post type slug to check. * * @return bool True if can edit, False otherwise. */ public static function is_current_user_can_edit_post_type( $post_type ) { if ( ! self::is_current_user_in_editing_black_list() ) { return false; } if ( ! Utils::is_post_type_support( $post_type ) ) { return false; } $post_type_object = get_post_type_object( $post_type ); if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) { return false; } return true; } /** * Get user notices. * * Retrieve the list of notices for the current user. * * @since 2.0.0 * @access public * @static * * @return array A list of user notices. */ public static function get_user_notices() { $notices = get_user_meta( get_current_user_id(), self::ADMIN_NOTICES_KEY, true ); return is_array( $notices ) ? $notices : []; } /** * Is admin notice viewed. * * Whether the admin notice was viewed by the current user. * * @since 1.0.0 * @access public * @static * * @param int $notice_id The notice ID. * * @return bool Whether the admin notice was viewed by the user. */ public static function is_user_notice_viewed( $notice_id ) { $notices = self::get_user_notices(); if ( empty( $notices[ $notice_id ] ) ) { return false; } // BC: Handles old structure ( `[ 'notice_id' => 'true' ]` ). if ( 'true' === $notices[ $notice_id ] ) { return true; } return $notices[ $notice_id ]['is_viewed'] ?? false; } /** * Checks whether the current user is allowed to upload JSON files. * * Note: The 'json-upload' capability is managed by the Role Manager as a part of its blacklist restrictions. * In this context, we are negating the user's permission check to use it as a whitelist, allowing uploads. * * @return bool Whether the current user can upload JSON files. */ public static function is_current_user_can_upload_json() { return current_user_can( 'manage_options' ) || ! Plugin::instance()->role_manager->user_can( 'json-upload' ); } public static function is_current_user_can_use_custom_html() { return current_user_can( 'manage_options' ) || ! Plugin::instance()->role_manager->user_can( 'custom-html' ); } /** * Set admin notice as viewed. * * Flag the admin notice as viewed by the current user, using an authenticated ajax request. * * Fired by `wp_ajax_elementor_set_admin_notice_viewed` action. * * @since 1.0.0 * @access public * @static */ public static function ajax_set_admin_notice_viewed() { // phpcs:ignore WordPress.Security.NonceVerification.NoNonceVerification $notice_id = Utils::get_super_global_value( $_REQUEST, 'notice_id' ); if ( ! $notice_id ) { wp_die(); } self::set_user_notice( $notice_id ); if ( ! wp_doing_ajax() ) { wp_safe_redirect( admin_url() ); die; } wp_die(); } /** * @param $notice_id * @param $is_viewed * @param $meta * * @return void */ public static function set_user_notice( $notice_id, $is_viewed = true, $meta = null ) { $notices = self::get_user_notices(); if ( ! is_array( $meta ) ) { $meta = $notices[ $notice_id ]['meta'] ?? []; } $notices[ $notice_id ] = [ 'is_viewed' => $is_viewed, 'meta' => $meta, ]; update_user_meta( get_current_user_id(), self::ADMIN_NOTICES_KEY, $notices ); } /** * @since 2.1.0 * @access public * @static */ public static function set_introduction_viewed( array $data ) { $user_introduction_meta = self::get_introduction_meta(); $user_introduction_meta[ $data['introductionKey'] ] = true; update_user_meta( get_current_user_id(), self::INTRODUCTION_KEY, $user_introduction_meta ); } /** * @throws \Exception */ public static function register_as_beta_tester( array $data ) { if ( ! current_user_can( 'install_plugins' ) ) { throw new \Exception( __( 'You do not have permission to install plugins.', 'elementor' ) ); } update_user_meta( get_current_user_id(), self::BETA_TESTER_META_KEY, true ); $response = wp_safe_remote_post( self::BETA_TESTER_API_URL, [ 'timeout' => 25, 'body' => [ 'api_version' => ELEMENTOR_VERSION, 'site_lang' => get_bloginfo( 'language' ), 'beta_tester_email' => $data['betaTesterEmail'], ], ] ); $response_code = (int) wp_remote_retrieve_response_code( $response ); if ( 200 === $response_code ) { self::set_introduction_viewed( [ 'introductionKey' => Beta_Testers::BETA_TESTER_SIGNUP, ] ); } } /** * @param string $key * * @return array|mixed|string * @since 2.1.0 * @access public * @static */ public static function get_introduction_meta( $key = '' ) { $user_introduction_meta = get_user_meta( get_current_user_id(), self::INTRODUCTION_KEY, true ); if ( ! $user_introduction_meta ) { $user_introduction_meta = []; } if ( $key ) { return empty( $user_introduction_meta[ $key ] ) ? '' : $user_introduction_meta[ $key ]; } return $user_introduction_meta; } /** * Get a user option with default value as fallback. * * @param string $option - Option key. * @param int $user_id - User ID * @param mixed $default - Default fallback value. * * @return mixed */ public static function get_user_option_with_default( $option, $user_id, $default ) { $value = get_user_option( $option, $user_id ); return ( false === $value ) ? $default : $value; } /** * Get dismissed editor notices. * * Retrieve the list of dismissed editor notices for the current user. * * @since 3.19.0 * @access public * @static * * @return array A list of dismissed editor notices. */ public static function get_dismissed_editor_notices() { $notices = get_user_meta( get_current_user_id(), self::DISMISSED_EDITOR_NOTICES_KEY, true ); return is_array( $notices ) ? $notices : []; } /** * Set dismissed editor notices for the current user. * * @since 3.19.0 * @access public * @static * * @param array $data Editor notices. * * @return void */ public static function set_dismissed_editor_notices( array $data ) { $editor_notices = self::get_dismissed_editor_notices(); if ( ! in_array( $data['dismissId'], $editor_notices, true ) ) { $editor_notices[] = $data['dismissId']; update_user_meta( get_current_user_id(), self::DISMISSED_EDITOR_NOTICES_KEY, $editor_notices ); } } }
© 2024 UnknownSec