Merge pull request #1228 from equalizedigital/release/1.31.1

Release v1.31.1

Author: pattonwebz

accessibility-checker.php

@@ -10,7 +10,7 @@
  * Plugin Name:       Accessibility Checker
  * Plugin URI:        https://a11ychecker.com
  * Description:       Audit and check your website for accessibility before you hit publish. In-post accessibility scanner and guidance.
- * Version:           1.31.0
+ * Version:           1.31.1
  * Requires PHP:      7.4
  * Author:            Equalize Digital
  * Author URI:        https://equalizedigital.com
@@ -36,7 +36,7 @@
 
 // Current plugin version.
 if ( ! defined( 'EDAC_VERSION' ) ) {
-	define( 'EDAC_VERSION', '1.31.0' );
+	define( 'EDAC_VERSION', '1.31.1' );
 }
 
 // Current database version.

admin/class-ajax.php

@@ -47,28 +47,26 @@ public function init_hooks() {
 	 *  - '-1' means that nonce could not be varified
 	 *  - '-2' means that the post ID was not specified
 	 *  - '-3' means that there isn't any summary data to return
+	 *  - '-5' means that the user does not have permission to view this information for this post
 	 */
 	public function summary() {
 
 		// nonce security.
 		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ), 'ajax-nonce' ) ) {
-
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) ) );
+		}
 
-			$error = new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+		if ( ! current_user_can( 'edit_post', (int) $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-5', __( 'You do not have permission to view this information for this post.', 'accessibility-checker' ) ) );
 		}
 
 		$html            = [];
 		$html['content'] = '';
 
-
 		$post_id                   = (int) $_REQUEST['post_id'];
 		$summary                   = ( new Summary_Generator( $post_id ) )->generate_summary();
 		$simplified_summary_text   = '';
@@ -126,25 +124,25 @@ public function summary() {
 				'edac-summary-errors',
 				$summary['errors'],
 				/* translators: %s: Number of errors */
-					sprintf( _n( '%s Error', '%s Errors', $summary['errors'], 'accessibility-checker' ), $summary['errors'] )
+				sprintf( _n( '%s Error', '%s Errors', $summary['errors'], 'accessibility-checker' ), $summary['errors'] )
 			) . '
 				' . edac_generate_summary_stat(
 				'edac-summary-contrast',
 				$summary['contrast_errors'],
 				/* translators: %s: Number of contrast errors */
-					sprintf( _n( '%s Contrast Error', '%s Contrast Errors', $summary['contrast_errors'], 'accessibility-checker' ), $summary['contrast_errors'] )
+				sprintf( _n( '%s Contrast Error', '%s Contrast Errors', $summary['contrast_errors'], 'accessibility-checker' ), $summary['contrast_errors'] )
 			) . '
 				' . edac_generate_summary_stat(
 				'edac-summary-warnings',
 				$summary['warnings'],
 				/* translators: %s: Number of warnings */
-					sprintf( _n( '%s Warning', '%s Warnings', $summary['warnings'], 'accessibility-checker' ), $summary['warnings'] )
+				sprintf( _n( '%s Warning', '%s Warnings', $summary['warnings'], 'accessibility-checker' ), $summary['warnings'] )
 			) . '
 				' . edac_generate_summary_stat(
 				'edac-summary-ignored',
 				$summary['ignored'],
 				/* translators: %s: Number of ignored items */
-					sprintf( _n( '%s Ignored Item', '%s Ignored Items', $summary['ignored'], 'accessibility-checker' ), $summary['ignored'] )
+				sprintf( _n( '%s Ignored Item', '%s Ignored Items', $summary['ignored'], 'accessibility-checker' ), $summary['ignored'] )
 			) . '
 
 		</ul>
@@ -181,10 +179,7 @@ public function summary() {
 		$html['content'] .= '</small></div>' . PHP_EOL;
 
 		if ( ! $html ) {
-
-			$error = new \WP_Error( '-3', __( 'No summary to return', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-3', __( 'No summary to return', 'accessibility-checker' ) ) );
 		}
 
 		wp_send_json_success( wp_json_encode( $html ) );
@@ -199,22 +194,20 @@ public function summary() {
 	 *  - '-2' means that the post ID was not specified
 	 *  - '-3' means that the table name is not valid
 	 *  - '-4' means that there isn't any details to return
+	 *  - '-5' means that the user does not have permission to view this information for this post
 	 */
 	public function details() {
 
-		// nonce security.
 		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ), 'ajax-nonce' ) ) {
-
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) ) );
+		}
 
-			$error = new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+		if ( ! current_user_can( 'edit_post', (int) $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-5', __( 'You do not have permission to view this information for this post.', 'accessibility-checker' ) ) );
 		}
 
 		$html = '';
@@ -225,10 +218,7 @@ public function details() {
 
 		// Send error if table name is not valid.
 		if ( ! $table_name ) {
-
-			$error = new \WP_Error( '-3', __( 'Invalid table name', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-3', __( 'Invalid table name', 'accessibility-checker' ) ) );
 		}
 
 		$rules = edac_register_rules();
@@ -567,10 +557,7 @@ function ( $a, $b ) {
 		}
 
 		if ( ! $html ) {
-
-			$error = new \WP_Error( '-4', __( 'No details to return', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-4', __( 'No details to return', 'accessibility-checker' ) ) );
 		}
 
 		wp_send_json_success( wp_json_encode( $html ) );
@@ -584,22 +571,20 @@ function ( $a, $b ) {
 	 *  - '-1' means that nonce could not be varified
 	 *  - '-2' means that the post ID was not specified
 	 *  - '-3' means that there isn't any readability data to return
+	 *  - '-5' means that the user does not have permission to view this information for this post
 	 */
 	public function readability() {
 
-		// nonce security.
 		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ), 'ajax-nonce' ) ) {
-
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) ) );
+		}
 
-			$error = new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+		if ( ! current_user_can( 'edit_post', (int) $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-5', __( 'You do not have permission to view this information for this post.', 'accessibility-checker' ) ) );
 		}
 
 		$post_id                     = (int) $_REQUEST['post_id'];
@@ -706,10 +691,7 @@ public function readability() {
 		$html .= '<span class="dashicons dashicons-info"></span><a href="' . esc_url( edac_link_wrapper( 'https://a11ychecker.com/help3265', 'wordpress-general', 'content-analysis', false ) ) . '" target="_blank">Learn more about improving readability and simplified summary requirements</a>';
 
 		if ( ! $html ) {
-
-			$error = new \WP_Error( '-3', __( 'No readability data to return', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-3', __( 'No readability data to return', 'accessibility-checker' ) ) );
 		}
 
 		wp_send_json_success( wp_json_encode( $html ) );
@@ -727,32 +709,29 @@ public function add_ignore() {
 
 		// nonce security.
 		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'ajax-nonce' ) ) {
-
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		global $wpdb;
-		$table_name            = $wpdb->prefix . 'accessibility_checker';
-				$raw_ids       = isset( $_REQUEST['ids'] ) ? (array) wp_unslash( $_REQUEST['ids'] ) : []; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitization handled below.
-		$ids                   = array_map(
+		$table_name           = $wpdb->prefix . 'accessibility_checker';
+		$raw_ids              = isset( $_REQUEST['ids'] ) ? (array) wp_unslash( $_REQUEST['ids'] ) : []; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitization handled below.
+		$ids                  = array_map(
 			function ( $value ) {
 				return (int) $value;
 			},
 			$raw_ids
 		); // Sanitizing array elements to integers.
-				$action        = isset( $_REQUEST['ignore_action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['ignore_action'] ) ) : '';
-				$type          = isset( $_REQUEST['ignore_type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['ignore_type'] ) ) : '';
-		$siteid                = get_current_blog_id();
-		$ignre                 = ( 'enable' === $action ) ? 1 : 0;
-		$ignre_user            = ( 'enable' === $action ) ? get_current_user_id() : null;
-		$ignre_user_info       = ( 'enable' === $action ) ? get_userdata( $ignre_user ) : '';
-		$ignre_username        = ( 'enable' === $action ) ? $ignre_user_info->user_login : '';
-		$ignre_date            = ( 'enable' === $action ) ? gmdate( 'Y-m-d H:i:s' ) : null;
-		$ignre_date_formatted  = ( 'enable' === $action ) ? gmdate( 'F j, Y g:i a', strtotime( $ignre_date ) ) : '';
-				$ignre_comment = ( 'enable' === $action && isset( $_REQUEST['comment'] ) ) ? sanitize_textarea_field( wp_unslash( $_REQUEST['comment'] ) ) : null;
-				$ignore_global = ( 'enable' === $action && isset( $_REQUEST['ignore_global'] ) ) ? sanitize_textarea_field( wp_unslash( $_REQUEST['ignore_global'] ) ) : 0;
+		$action               = isset( $_REQUEST['ignore_action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['ignore_action'] ) ) : '';
+		$type                 = isset( $_REQUEST['ignore_type'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['ignore_type'] ) ) : '';
+		$siteid               = get_current_blog_id();
+		$ignre                = ( 'enable' === $action ) ? 1 : 0;
+		$ignre_user           = ( 'enable' === $action ) ? get_current_user_id() : null;
+		$ignre_user_info      = ( 'enable' === $action ) ? get_userdata( $ignre_user ) : '';
+		$ignre_username       = ( 'enable' === $action ) ? $ignre_user_info->user_login : '';
+		$ignre_date           = ( 'enable' === $action ) ? gmdate( 'Y-m-d H:i:s' ) : null;
+		$ignre_date_formatted = ( 'enable' === $action ) ? gmdate( 'F j, Y g:i a', strtotime( $ignre_date ) ) : '';
+		$ignre_comment        = ( 'enable' === $action && isset( $_REQUEST['comment'] ) ) ? sanitize_textarea_field( wp_unslash( $_REQUEST['comment'] ) ) : null;
+		$ignore_global        = ( 'enable' === $action && isset( $_REQUEST['ignore_global'] ) ) ? sanitize_textarea_field( wp_unslash( $_REQUEST['ignore_global'] ) ) : 0;
 
 		// If largeBatch is set and 'true', we need to perform an update using the 'object'
 		// instead of IDs. It is a much less efficient query than by IDs - but many IDs run
@@ -764,8 +743,7 @@ function ( $value ) {
 			$object = $wpdb->get_var( $wpdb->prepare( 'SELECT object FROM %i WHERE id = %d', $table_name, $first_id ) );
 
 			if ( ! $object ) {
-				$error = new \WP_Error( '-2', __( 'No ignore data to return', 'accessibility-checker' ) );
-				wp_send_json_error( $error );
+				wp_send_json_error( new \WP_Error( '-2', __( 'No ignore data to return', 'accessibility-checker' ) ) );
 			}
 			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- Safe variable used for table name, caching not required for one time operation.
 			$wpdb->query( $wpdb->prepare( 'UPDATE %i SET ignre = %d, ignre_user = %d, ignre_date = %s, ignre_comment = %s, ignre_global = %d WHERE siteid = %d and object = %s', $table_name, $ignre, $ignre_user, $ignre_date, $ignre_comment, $ignore_global, $siteid, $object ) );
@@ -786,10 +764,7 @@ function ( $value ) {
 		];
 
 		if ( ! $data ) {
-
-			$error = new \WP_Error( '-2', __( 'No ignore data to return', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-2', __( 'No ignore data to return', 'accessibility-checker' ) ) );
 		}
 		wp_send_json_success( wp_json_encode( $data ) );
 	}
@@ -802,37 +777,33 @@ function ( $value ) {
 	 *  - '-1' means that nonce could not be varified
 	 *  - '-2' means that the post ID was not specified
 	 *  - '-3' means that the summary was not specified
+	 *  - '-5' means that the user does not have permission to view this information for this post
 	 */
 	public function simplified_summary() {
 
 			// nonce security.
 		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_key( wp_unslash( $_REQUEST['nonce'] ) ), 'ajax-nonce' ) ) {
-
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['post_id'] ) ) {
-
-			$error = new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-2', __( 'The post ID was not set', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['summary'] ) ) {
+			wp_send_json_error( new \WP_Error( '-3', __( 'The summary was not set', 'accessibility-checker' ) ) );
+		}
 
-			$error = new \WP_Error( '-3', __( 'The summary was not set', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+		if ( ! current_user_can( 'edit_post', (int) $_REQUEST['post_id'] ) ) {
+			wp_send_json_error( new \WP_Error( '-5', __( 'You do not have permission to edit this post.', 'accessibility-checker' ) ) );
 		}
 
-			$post_id = (int) $_REQUEST['post_id'];
-			update_post_meta(
-				$post_id,
-				'_edac_simplified_summary',
-				sanitize_text_field( wp_unslash( $_REQUEST['summary'] ) )
-			);
+		$post_id = (int) $_REQUEST['post_id'];
+		update_post_meta(
+			$post_id,
+			'_edac_simplified_summary',
+			sanitize_text_field( wp_unslash( $_REQUEST['summary'] ) )
+		);
 
 		$edac_simplified_summary = get_post_meta( $post_id, '_edac_simplified_summary', $single = true );
 		$simplified_summary      = $edac_simplified_summary ? $edac_simplified_summary : '';

admin/class-frontend-highlight.php

@@ -74,9 +74,8 @@ public function get_issues( $post_id ) {
 	 */
 	public function ajax() {
 
-		if ( ! check_ajax_referer( 'ajax-nonce', 'nonce', false ) ) {
-			$error = new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
+		if ( ! check_ajax_referer( 'frontend-highlighter', 'nonce', false ) ) {
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
 		}
 
 		if ( ! isset( $_REQUEST['post_id'] ) ) {
@@ -85,11 +84,31 @@ public function ajax() {
 		}
 
 		$post_id = isset( $_REQUEST['post_id'] ) ? (int) $_REQUEST['post_id'] : 0;
+		$post    = get_post( $post_id );
+		if ( ! $post ) {
+			wp_send_json_error( new \WP_Error( '-4', __( 'Post not found', 'accessibility-checker' ) ) );
+		}
+
+		// Check if the user has permission to view this post.
+		if ( is_user_logged_in() ) {
+			// For authenticated users, use read_post capability.
+			if ( ! current_user_can( 'read_post', $post_id ) ) {
+				wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
+			}
+		} elseif ( apply_filters( 'edac_filter_frontend_highlighter_visibility', false ) ) {
+			// For unauthenticated users, only allow access to publicly viewable posts.
+			if ( ! is_post_publicly_viewable( $post ) ) {
+				wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
+			}
+		} else {
+			// Shouldn't ever reach this point but error just in case.
+			wp_send_json_error( new \WP_Error( '-1', __( 'Permission Denied', 'accessibility-checker' ) ) );
+		}
+
 		$results = $this->get_issues( $post_id );
 
 		if ( ! $results ) {
-			$error = new \WP_Error( '-3', __( 'Issue query returned no results', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
+			wp_send_json_error( new \WP_Error( '-3', __( 'Issue query returned no results', 'accessibility-checker' ) ) );
 		}
 
 		$rules = edac_register_rules();
@@ -133,10 +152,7 @@ public function ajax() {
 		}
 
 		if ( ! $issues ) {
-
-			$error = new \WP_Error( '-5', __( 'Object query returned no results', 'accessibility-checker' ) );
-			wp_send_json_error( $error );
-
+			wp_send_json_error( new \WP_Error( '-5', __( 'Object query returned no results', 'accessibility-checker' ) ) );
 		}
 
 		// if we have fixes then create fields for each of the groups.

admin/opt-in/class-email-opt-in.php

@@ -146,6 +146,16 @@ public static function render_form(): void {
 					</div>
 				</div>
 				<div class="_button-wrapper _full_width edac-mt-3 edac-mb-3">
+					<small>
+						<?php
+						printf(
+						/* translators: 1: link to privacy policy page. 2: link close tag. */
+							esc_html__( 'By subscribing, you consent to receive emails in accordance with our %1$sPrivacy Policy%2$s.', 'accessibility-checker' ),
+							'<a href="' . esc_url( edac_link_wrapper( 'https://equalizedigital.com/privacy-policy/', 'email_newsletter', 'privacy', false ) ) . '" target="_blank">',
+							'</a>'
+						);
+						?>
+					</small>
 					<button id="_form_1_submit" class="_submit button button-primary" type="submit">
 						Subscribe
 					</button>

includes/classes/class-enqueue-frontend.php

@@ -100,8 +100,8 @@ public static function maybe_enqueue_frontend_highlighter() {
 				'edacFrontendHighlighterApp',
 				[
 					'postID'           => $post_id,
-					'nonce'            => wp_create_nonce( 'ajax-nonce' ),
-					'restNonce'        => wp_create_nonce( 'wp_rest' ),
+					'nonce'            => wp_create_nonce( 'frontend-highlighter' ),
+					'restNonce'        => is_user_logged_in() ? wp_create_nonce( 'wp_rest' ) : '',
 					'userCanFix'       => current_user_can( apply_filters( 'edac_filter_settings_capability', 'manage_options' ) ),
 					'userCanEdit'      => current_user_can( 'edit_post', $post_id ),
 					'edacUrl'          => esc_url_raw( get_site_url() ),