Merge remote-tracking branch 'upstream/master' into validate-grant-types

Author: tfrommen

admin.php

@@ -69,6 +69,10 @@ public static function load() {
 				self::handle_regenerate();
 				break;
 
+			case 'approve':
+				self::handle_approve();
+				break;
+
 			default:
 				global $wp_list_table;
 
@@ -86,6 +90,7 @@ public static function dispatch() {
 			case 'add':
 			case 'edit':
 			case 'delete':
+			case 'approve':
 				break;
 
 			default:
@@ -116,6 +121,8 @@ class="add-new-h2"><?php echo esc_html_x( 'Add New', 'application', 'rest_oauth2
 			<?php
 			if ( ! empty( $_GET['deleted'] ) ) {
 				echo '<div id="message" class="updated"><p>' . esc_html__( 'Deleted application.', 'rest_oauth2' ) . '</p></div>';
+			} elseif ( ! empty( $_GET['approved'] ) ) {
+				echo '<div id="message" class="updated"><p>' . esc_html__( 'Approved application.', 'rest_oauth2' ) . '</p></div>';
 			}
 			?>
 
@@ -480,6 +487,39 @@ public static function handle_delete() {
 		exit;
 	}
 
+	/**
+	 * Approve the client.
+	 */
+	public static function handle_approve() {
+		if ( empty( $_GET['id'] ) ) {
+			return;
+		}
+
+		$id = absint( $_GET['id'] );
+		check_admin_referer( 'rest-oauth2-approve:' . $id );
+
+		if ( ! current_user_can( 'publish_post', $id ) ) {
+			wp_die(
+				'<h1>' . __( 'Cheatin&#8217; uh?', 'rest_oauth2' ) . '</h1>' .
+				'<p>' . __( 'You are not allowed to approve this application.', 'rest_oauth2' ) . '</p>',
+				403
+			);
+		}
+
+		$client = Client::get_by_post_id( $id );
+		if ( is_wp_error( $client ) ) {
+			wp_die( $client );
+		}
+
+		$did_approve = $client->approve();
+		if ( is_wp_error( $did_approve ) ) {
+			wp_die( $did_approve );
+		}
+
+		wp_safe_redirect( self::get_urL( 'approved=1' ) );
+		exit;
+	}
+
 	/**
 	 * Regenerate the client secret.
 	 */

inc/admin/class-admin.php

@@ -102,8 +102,37 @@ protected function column_name( $item ) {
 			'edit'   => sprintf( '<a href="%s">%s</a>', esc_url( $edit_link ), esc_html__( 'Edit', 'rest_oauth2' ) ),
 			'delete' => sprintf( '<a href="%s">%s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'rest_oauth2' ) ),
 		];
+
+		$post_type_object = get_post_type_object( $item->post_type );
+		if ( current_user_can( $post_type_object->cap->publish_posts ) && $item->post_status !== 'publish' ) {
+			$publish_link = add_query_arg(
+				[
+					'page' => 'rest-oauth2-apps',
+					'action' => 'approve',
+					'id' => $item->ID,
+				],
+				admin_url( 'users.php' )
+			);
+			$publish_link = wp_nonce_url( $publish_link, 'rest-oauth2-approve:' . $item->ID );
+			$actions['app-approve'] = sprintf(
+				'<a href="%s">%s</a>',
+				esc_url( $publish_link ),
+				esc_html__( 'Approve', 'rest_oauth2' )
+			);
+		}
+
 		$action_html = $this->row_actions( $actions );
 
+		// Get suffixes for draft, etc
+		ob_start();
+		_post_states( $item );
+		$title = sprintf(
+			'<strong><a href="%s">%s</a>%s</strong>',
+			$edit_link,
+			$title,
+			ob_get_clean()
+		);
+
 		return $title . ' ' . $action_html;
 	}
 

inc/admin/class-listtable.php

@@ -0,0 +1,115 @@
+<?php
+/**
+ * Administration UI and utilities
+ */
+
+namespace WP\OAuth2\Admin\Profile;
+
+use WP\OAuth2\Tokens\Access_Token;
+use WP_User;
+
+/**
+ * Bootstrap actions for the profile screen.
+ */
+function bootstrap() {
+	add_action( 'personal_options', __NAMESPACE__ . '\\render_profile_section', 50 );
+	add_action( 'all_admin_notices', __NAMESPACE__ . '\\output_profile_messages' );
+	add_action( 'personal_options_update',  __NAMESPACE__ . '\\handle_revocation', 10, 1 );
+	add_action( 'edit_user_profile_update', __NAMESPACE__ . '\\handle_revocation', 10, 1 );
+}
+
+/**
+ * Render current tokens for a user.
+ *
+ * @param WP_User $user User whose profile is being rendered.
+ */
+function render_profile_section( WP_User $user ) {
+	$tokens = Access_Token::get_for_user( $user );
+	?>
+		<table class="form-table">
+			<tbody>
+			<tr>
+				<th scope="row"><?php _e( 'Authorized Applications', 'rest_oauth1' ) ?></th>
+				<td>
+					<?php if ( ! empty( $tokens ) ): ?>
+						<table class="widefat">
+							<thead>
+							<tr>
+								<th style="padding-left:10px;"><?php esc_html_e( 'Application Name', 'rest_oauth1' ); ?></th>
+								<th></th>
+							</tr>
+							</thead>
+							<tbody>
+							<?php foreach ( $tokens as $token ): ?>
+								<?php
+								/** @var Access_Token $token */
+								$client = $token->get_client();
+								?>
+								<tr>
+									<td><?php echo $client->get_name() ?></td>
+									<td><button class="button" name="oauth2_revoke" value="<?php echo esc_attr( $token->get_key() ) ?>"><?php esc_html_e( 'Revoke', 'rest_oauth1' ) ?></button>
+								</tr>
+
+							<?php endforeach ?>
+							</tbody>
+						</table>
+					<?php else: ?>
+						<p class="description"><?php esc_html_e( 'No applications authorized.', 'rest_oauth1' ) ?></p>
+					<?php endif ?>
+				</td>
+			</tr>
+			</tbody>
+		</table>
+	<?php
+}
+
+/**
+ * Output messages based on previous actions.
+ */
+function output_profile_messages() {
+	global $pagenow;
+	if ( $pagenow !== 'profile.php' && $pagenow !== 'user-edit.php' ) {
+		return;
+	}
+
+	if ( ! empty( $_GET['oauth2_revoked'] ) ) {
+		echo '<div id="message" class="updated"><p>' . __( 'Token revoked.', 'oauth2' ) . '</p></div>';
+	}
+	if ( ! empty( $_GET['oauth2_revocation_failed'] ) ) {
+		echo '<div id="message" class="updated"><p>' . __( 'Unable to revoke token.', 'oauth2' ) . '</p></div>';
+	}
+}
+
+/**
+ * Handle a revocation.
+ *
+ * @param int $user_id
+ */
+function handle_revocation( $user_id ) {
+	if ( empty( $_POST['oauth2_revoke'] ) ) {
+		return;
+	}
+
+	$key = wp_unslash( $_POST['oauth2_revoke'] );
+	$token = Access_Token::get_by_id( $key );
+	if ( empty( $token ) ) {
+		var_dump( $key, $token );
+		wp_safe_redirect( add_query_arg( 'oauth2_revocation_failed', true, get_edit_user_link( $user_id ) ) );
+		exit;
+	}
+
+	// Check it's for the right user.
+	if ( $token->get_user_id() !== $user_id ) {
+		wp_die();
+	}
+
+	$result = $token->revoke();
+	if ( is_wp_error( $result ) ) {
+		wp_safe_redirect( add_query_arg( 'oauth2_revocation_failed', true, get_edit_user_link( $user_id ) ) );
+		exit;
+	}
+
+	// Success, redirect and tell the user.
+	wp_safe_redirect( add_query_arg( 'oauth2_revoked', $key, get_edit_user_link( $user_id ) ) );
+	exit;
+}

inc/admin/profile/namespace.php

@@ -423,6 +423,20 @@ public function delete() {
 		return (bool) wp_delete_post( $this->get_post_id(), true );
 	}
 
+	/**
+	 * Approve a client.
+	 *
+	 * @return bool|WP_Error True if client was updated, error otherwise.
+	 */
+	public function approve() {
+		$data = array(
+			'ID' => $this->get_post_id(),
+			'post_status' => 'publish',
+		);
+		$result = wp_update_post( wp_slash( $data ), true );
+		return is_wp_error( $result ) ? $result : true;
+	}
+
 	/**
 	 * Register the underlying post type.
 	 */
@@ -431,8 +445,13 @@ public static function register_type() {
 			'public'          => false,
 			'hierarchical'    => true,
 			'capability_type' => array(
-				'client',
-				'clients',
+				'oauth2_client',
+				'oauth2_clients',
+			),
+			'capabilities'    => array(
+				'edit_posts'        => 'edit_users',
+				'edit_others_posts' => 'edit_users',
+				'publish_posts'     => 'edit_users',
 			),
 			'supports'        => array(
 				'title',