Tweak logged in user authentication checks

GravityPDF · Aug 30, 2024 · 94f586a · 94f586a
1 parent c721a04
commit 94f586a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 14 deletions.
diff --git a/src/Model/Model_PDF.php b/src/Model/Model_PDF.php
@@ -457,7 +457,7 @@ public function middle_conditional( $action, $entry, $settings ) {
 	}
 
 	/**
-	 * Check the "Restrict Logged Out User" global setting and validate it against the current user
+	 * If the owner is restricted and the user is not logged in, prompt to log in
 	 *
 	 * @param boolean|object $action
 	 * @param array          $entry    The Gravity Forms Entry
@@ -473,7 +473,7 @@ public function middle_owner_restriction( $action, $entry, $settings ) {
 		/* ensure another middleware filter hasn't already done validation */
 		if ( ! is_wp_error( $action ) ) {
 			/* get the setting */
-			$owner_restriction = ( isset( $settings['restrict_owner'] ) ) ? $settings['restrict_owner'] : 'No';
+			$owner_restriction = $settings['restrict_owner'] ?? 'No';
 
 			if ( $owner_restriction === 'Yes' && ! is_user_logged_in() ) {
 
@@ -666,7 +666,10 @@ public function middle_auth_logged_out_user( $action, $entry, $settings ) {
 	}
 
 	/**
-	 * Check the "User Restriction" global setting and validate it against the current user
+	 * Verify the logged-in user can view the PDF
+	 *
+	 * If owner restrictions are enabled, check if the user as correct capability to view
+	 * If owner restrictions are disabled, check if the user is the entry owner
 	 *
 	 * @param boolean|object $action
 	 * @param array          $entry    The Gravity Forms Entry
@@ -680,15 +683,18 @@ public function middle_user_capability( $action, $entry, $settings ) {
 
 		if ( ! is_wp_error( $action ) ) {
 			/* check if the user is logged in but is not the current owner */
-			if ( is_user_logged_in() &&
-				 ( ( $this->options->get_option( 'limit_to_admin', 'No' ) === 'Yes' ) || ( $this->is_current_pdf_owner( $entry, 'logged_in' ) === false ) )
+			$owner_restriction = $settings['restrict_owner'] ?? 'No';
+
+			if (
+				is_user_logged_in() &&
+				! $this->can_user_view_pdf_with_capabilities() &&
+				(
+					$owner_restriction === 'Yes' ||
+					$this->is_current_pdf_owner( $entry, 'logged_in' ) === false
+				)
 			) {
-				$access = $this->can_user_view_pdf_with_capabilities();
 
-				/* throw error if no access granted */
-				if ( ! $access ) {
-					return new WP_Error( 'access_denied', esc_html__( 'You do not have access to view this PDF.', 'gravity-forms-pdf-extended' ) );
-				}
+				return new WP_Error( 'access_denied', esc_html__( 'You do not have access to view this PDF.', 'gravity-forms-pdf-extended' ) );
 			}
 		}
 

diff --git a/tests/phpunit/unit-tests/test-pdf.php b/tests/phpunit/unit-tests/test-pdf.php
@@ -638,7 +638,7 @@ public function test_middle_auth_logged_out_user() {
 	}
 
 	/**
-	 * Check if our logged in user has access to our PDF
+	 * Check if our logged-in user has access to our PDF
 	 *
 	 * @since 4.0
 	 */
@@ -648,7 +648,6 @@ public function test_middle_user_capability() {
 
 		/* create subscriber and test access */
 		$user_id = $this->factory->user->create();
-		$this->assertIsInt( $user_id );
 		wp_set_current_user( $user_id );
 
 		/* get the results */
@@ -657,14 +656,23 @@ public function test_middle_user_capability() {
 		$this->assertTrue( is_wp_error( $results ) );
 		$this->assertEquals( 'access_denied', $results->get_error_code() );
 
+		/* make subscriber owner of the entry and test access */
+		$this->assertTrue( $this->model->middle_user_capability( true, [ 'id' => 0,  'created_by' => $user_id ], [ 'id' => '', ] ) );
+
+		/* make subscriber owner, but turn on the owner restrict setting and test access */
+		$results = $this->model->middle_user_capability( true, [ 'id' => 0,  'created_by' => $user_id ], [ 'id' => '', 'restrict_owner' => 'Yes' ] );
+
+		$this->assertTrue( is_wp_error( $results ) );
+		$this->assertEquals( 'access_denied', $results->get_error_code() );
+
 		/* Elevate user to administrator */
 		$user = wp_get_current_user();
 		$user->remove_role( 'subscriber' );
 		$user->add_role( 'administrator' );
 
-		$this->assertTrue( $this->model->middle_user_capability( true, [ 'id' => 0, 'created_by' => 0 ], [ 'id' => '', ] ) );
+		$this->assertTrue( $this->model->middle_user_capability( true, [ 'id' => 0, 'created_by' => 0 ], [ 'id' => '', 'restrict_owner' => 'Yes'  ] ) );
 
-		/* Remove elevated user privilages and set the default capability 'gravityforms_view_entries' */
+		/* Remove elevated user privileges and set the default capability 'gravityforms_view_entries' */
 		$user->remove_role( 'administrator' );
 		$user->add_role( 'subscriber' );