FileMaster

Edit File: controller.php

<?php
class OsController {

protected $params,
	  $files,
	$layout                        = 'admin',
	$views_folder                  = LATEPOINT_VIEWS_ABSPATH_SHARED,
	$return_format                 = 'html',
	$extra_css_classes             = [ 'latepoint' ];
	public array $fields_to_update = [];

// if an action can only be accessed by a backend user, we need to define capabilities that are required
	public array $controller_capabilities = [ 'settings__edit' ];  // default for controller
	public array $action_capabilities     = []; // per action

public array $action_access = [
		'customer' => [],
		'public'   => [],
	];

public $vars;
	public $route_name;

function __construct() {
		$this->params = $this->get_params();
		$this->files  = $this->get_files();
		$this->set_layout( $this->layout );
		$this->vars['page_header']   = __( 'Bookings', 'latepoint' );
		$this->vars['breadcrumbs'][] = array(
			'label' => __( 'Dashboard', 'latepoint' ),
			'link'  => OsRouterHelper::build_link( [ 'dashboard', 'index' ] ),
		);

$this->load_settings();
		$this->vars['logged_in_customer'] = OsAuthHelper::get_logged_in_customer();
	}

public function check_nonce( $action, $custom_nonce = '' ) {
		$nonce = ! empty( $custom_nonce ) ? $custom_nonce : $this->params['_wpnonce'];
		if ( ! wp_verify_nonce( $nonce, $action ) ) {
			if ( $this->get_return_format() == 'json' ) {
				$this->send_json(
					array(
						'status'  => LATEPOINT_STATUS_ERROR,
						'message' => __( 'Invalid Request', 'latepoint' ),
					) 
				);
			} else {
				wp_die();
			}
		}
	}

public function can_current_user_access_action( string $action ): bool {
		if ( in_array( $action, $this->action_access['public'] ) ) {
			// public route
			$can = true;
		} elseif ( in_array( $action, $this->action_access['customer'] ) && OsAuthHelper::get_current_user()->customer ) {
			// customer route & customer is logged in
			$can = true;
		} else {
			// backend route, check for capabilities
			$can = OsAuthHelper::get_current_user()->has_capability( $this->get_capabilities_required_for_action( $action ) );
		}

/**
		 * Determines if a currently logged in user can access controller's action
		 *
		 * @since 4.7.0
		 * @hook latepoint_can_current_user_access_action
		 *
		 * @param {bool} $can Decision true|false
		 * @param {string} $action Name of the action that is being called
		 * @param {LatePoint\Misc\User} $current_user Currently logged in latepoint user
		 * @returns {bool} Decision true|false
		 */
		return apply_filters( 'latepoint_can_current_user_access_action', $can, $action, OsAuthHelper::get_current_user() );
	}

public function get_capabilities_required_for_action( $action ) {
		return OsRolesHelper::get_capabilities_required_for_controller_action( get_class( $this ), $action );
	}

function generate_css_class( $view_name ) {
		$class_name_filtered = strtolower( preg_replace( '/^Os(\w+)Controller/i', '$1', static::class ) );
		return "latepoint-view-{$class_name_filtered}-{$view_name}";
	}

protected function load_settings() {
	}

public function access_not_allowed() {
		$this->format_render( __FUNCTION__, [], [], true );
		exit();
	}

function format_render( $view_name, $extra_vars = array(), $json_return_vars = array(), $from_shared_folder = false ) {
		echo $this->format_render_return( $view_name, $extra_vars, $json_return_vars, $from_shared_folder );
	}

// You can pass array to $view_name, ['json_view_name' => ..., 'html_view_name' => ...]
	function format_render_return( $view_name, $extra_vars = array(), $json_return_vars = array(), $from_shared_folder = false ) {
		$html = '';
		if ( $this->get_return_format() == 'json' ) {
			if ( is_array( $view_name ) ) {
				$view_name = $view_name['json_view_name'];
			}
			$response_html = $this->render( $this->get_view_uri( $view_name, $from_shared_folder ), 'none', $extra_vars );
			$this->send_json(
				array_merge(
					array(
						'status'  => LATEPOINT_STATUS_SUCCESS,
						'message' => $response_html,
					),
					$json_return_vars 
				) 
			);
		} else {
			if ( is_array( $view_name ) ) {
				$view_name = $view_name['html_view_name'];
			}
			$this->extra_css_classes[]       = $this->generate_css_class( $view_name );
			$this->vars['extra_css_classes'] = $this->extra_css_classes;
			$html                            = $this->render( $this->get_view_uri( $view_name, $from_shared_folder ), $this->get_layout(), $extra_vars );
		}
		return $html;
	}

function set_layout( $layout = 'admin' ) {
		if ( isset( $this->params['layout'] ) ) {
			$this->layout = $this->params['layout'];
		} else {
			$this->layout = $layout;
		}
	}

function get_layout() {
		return $this->layout;
	}

function set_return_format( $format = 'html' ) {
		$this->return_format = $format;
	}

function get_return_format() {
		return $this->return_format;
	}

function send_json( $data, $status_code = null ) {
		if ( ! empty( $this->fields_to_update ) ) {
			$data['fields_to_update'] = $this->fields_to_update;
		}
		wp_send_json( $data, $status_code );
	}

private function get_safe_layout_path( $layout ) {
		// 1. Remove any path separators and null bytes
		$layout = str_replace( [ '/', '\\', "\0" ], '', $layout );

// 2. Remove any dots to prevent directory traversal
		$layout = str_replace( '.', '', $layout );

// 3. Only allow alphanumeric, underscore, and hyphen
		$layout = preg_replace( '/[^a-zA-Z0-9_-]/', '', $layout );

// 4. Construct the full path
		$layout_file = $this->add_extension( $layout, '.php' );
		$full_path   = LATEPOINT_VIEWS_LAYOUTS_ABSPATH . $layout_file;

// 5. Use realpath to resolve any remaining traversal attempts
		$real_path = realpath( $full_path );
		$base_path = realpath( LATEPOINT_VIEWS_LAYOUTS_ABSPATH );

// 6. Ensure the resolved path is within the layouts directory
		if ( $real_path && $base_path && strpos( $real_path, $base_path ) === 0 ) {
			return $real_path;
		}

return false;
	}

// render view and if needed layout, when layout is rendered - view variable is passed to a layout file
	function render( $view, $layout = 'none', $extra_vars = array() ) {
		$this->vars['route_name'] = $this->route_name;
		extract( $extra_vars );
		extract( $this->vars );
		ob_start();
		if ( $layout != 'none' ) {
			$layout_path = $this->get_safe_layout_path( $layout );
			// rendering layout, view variable will be passed and used in layout file
			if ( $layout_path ) {
				include $layout_path;
			} else {
				__( 'Invalid layout', 'latepoint' );
			}
		} else {
			include $this->add_extension( $view, '.php' );
		}
		$response_html = ob_get_clean();
		return $response_html;
	}

/*
	Adds extension to a file string if its missing
	*/
	function add_extension( $string = '', $extension = '.php' ) {
		if ( substr( $string, -strlen( $extension ) ) === $extension ) {
			return $string;
		} else {
			return $string . $extension;
		}
	}

function get_files() {
		return OsParamsHelper::get_files();
	}

function get_params() {
		return OsParamsHelper::get_params();
	}
}

Back