From 96333fb352942082f9a7225b3b1f4c0f3eb1337f Mon Sep 17 00:00:00 2001
From: Joan Rodas
Date: Thu, 21 Apr 2022 19:17:58 +0200
Subject: [PATCH 1/3] Fix protected variable Endpoints
---
 PluboRoutes/Endpoint/Endpoint.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PluboRoutes/Endpoint/Endpoint.php b/PluboRoutes/Endpoint/Endpoint.php
index a63b54b..889ab11 100644
--- a/PluboRoutes/Endpoint/Endpoint.php
+++ b/PluboRoutes/Endpoint/Endpoint.php
@@ -40,7 +40,7 @@ abstract class Endpoint implements EndpointInterface
 *
 * @var string
 */
- private $method;
+ protected $method;
 /**
 * Constructor.
From e4fa0ac46d5b33d1ecaadcf08dd32e3bdd334230 Mon Sep 17 00:00:00 2001
From: Joan Rodas
Date: Wed, 4 May 2022 22:28:55 +0200
Subject: [PATCH 2/3] Add permission callback + Fix roles and capabilities
---
 PluboRoutes/Route/Route.php | 15 +++++++++++++--
 PluboRoutes/RoutesProcessor.php | 20 ++++++++++++++++++--
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/PluboRoutes/Route/Route.php b/PluboRoutes/Route/Route.php
index f2ea7f8..433fcdd 100644
--- a/PluboRoutes/Route/Route.php
+++ b/PluboRoutes/Route/Route.php
@@ -144,7 +144,7 @@ public function hasRolesCallback()
 */
 public function getRoles()
 {
- $roles = $this->config['allowed_roles'] ?? [];
+ $roles = $this->config['allowed_roles'] ?? false;
 return $roles;
 }
@@ -166,10 +166,21 @@ public function hasCapabilitiesCallback()
 */
 public function getCapabilities()
 {
- $capabilities = $this->config['allowed_caps'] ?? [];
+ $capabilities = $this->config['allowed_caps'] ?? false;
 return $capabilities;
 }
+ /**
+ * Get the permission callback.
+ *
+ * @return boolean
+ */
+ public function getPermissionCallback()
+ {
+ $permission_callback = $this->config['permission_callback'] ?? false;
+ return ($permission_callback && is_callable($permission_callback));
+ }
+
 /**
 * Check if route has basic auth.
 *
diff --git a/PluboRoutes/RoutesProcessor.php b/PluboRoutes/RoutesProcessor.php
index af902a5..cc70d96 100644
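Review bot: In PluboRoutes/Route/Route.php (patch 2/3), getRoles() and getCapabilities() now default to `false`, and nothing in either hunk records that `false` and `[]` no longer mean the same thing. With the strict `!== false` and `=== false` tests the same commit adds in RoutesProcessor, a route configured with `'allowed_roles' => []` is refused for every user instead of being left unrestricted, and the capabilities path appears to behave the same way. Each docblock should state the sentinel, for example `@return array|callable|false False when the route declares no restriction; an empty array matches nobody.` Both docblocks begin outside the hunks, so their current `@return` text is not visible here.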
--- a/PluboRoutes/RoutesProcessor.php
+++ b/PluboRoutes/RoutesProcessor.php
@@ -178,6 +178,7 @@ public function doRouteActions()
 private function executeRouteHook()
 {
+ $this->checkPermissionCallback();
 $user = wp_get_current_user();
 if ($this->checkLoggedIn($user)) {
 $this->checkRoles($user);
@@ -187,6 +188,18 @@ private function executeRouteHook()
 do_action($this->matched_route->getAction(), $this->matched_args);
 }
+ private function checkPermissionCallback()
+ {
+ $permission_callback = $this->matched_route->getPermissionCallback();
+ if (!$permission_callback) {
+ return;
+ }
+ $has_access = call_user_func($permission_callback, $this->matched_args);
+ if (!$has_access) {
+ $this->forbidAccess();
+ }
+ }
+
 private function checkLoggedIn($user)
 {
 $is_logged_in = $user->exists();
@@ -203,7 +216,7 @@ private function checkRoles($user)
 if ($this->matched_route->hasRolesCallback()) {
 $allowed_roles = call_user_func($allowed_roles, $this->matched_args);
 }
- if ($allowed_roles && !array_intersect((array)$user->roles, (array)$allowed_roles)) {
+ if ($allowed_roles !== false && !array_intersect((array)$user->roles, (array)$allowed_roles)) {
 $this->forbidAccess();
 }
 }
@@ -211,7 +224,10 @@ private function checkRoles($user)
 private function checkCapabilities($user)
 {
 $allowed_caps = $this->getAllowedCapabilities();
- $is_allowed = $allowed_caps ? false : true;
+ if($allowed_caps === false) {
+ return;
+ }
+ $is_allowed = false;
 foreach ((array)$allowed_caps as $allowed_cap) {
 if ($user->has_cap($allowed_cap)) {
 $is_allowed = true;
From 332b3076d6188f19dc6ae3be24c7631085ddab29 Mon Sep 17 00:00:00 2001
From: Joan Rodas
Date: Wed, 4 May 2022 23:10:42 +0200
Subject: [PATCH 3/3] Fix permission callback
---
 PluboRoutes/Route/Route.php | 2 +-
 PluboRoutes/RoutesProcessor.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/PluboRoutes/Route/Route.php b/PluboRoutes/Route/Route.php
index 433fcdd..d023bb5 100644
--- a/PluboRoutes/Route/Route.php
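Review bot: In the checkPermissionCallback() added to PluboRoutes/RoutesProcessor.php (patch 2/3, hunk at -187,6), `if (!$has_access)` treats every truthy return as a grant, so a callback that signals refusal with an error object (WordPress REST permission callbacks may return a `WP_Error`) would be let through. Denying on anything other than boolean true closes that gap: `if ($has_access !== true) {`. The method also depends on forbidAccess() ending the request; its body is not part of this patch, and if it returns normally, executeRouteHook() carries on to the role checks and `do_action()`.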
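Review bot: The guard added to checkCapabilities() in PluboRoutes/RoutesProcessor.php (patch 2/3, hunk at -211,7) is written `if($allowed_caps === false) {`, without the space after `if` that the other conditions in these hunks use; `if ($allowed_caps === false) {` keeps the file consistent. A one-line comment above it, such as `// false: the route declares no capability restriction`, would also explain why the early return is safe. The rest of the function lies outside the hunk.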
+++ b/PluboRoutes/Route/Route.php
@@ -178,7 +178,7 @@ public function getCapabilities()
 public function getPermissionCallback()
 {
 $permission_callback = $this->config['permission_callback'] ?? false;
- return ($permission_callback && is_callable($permission_callback));
+ return $permission_callback;
 }
 /**
 * Check if route has basic auth.
diff --git a/PluboRoutes/RoutesProcessor.php b/PluboRoutes/RoutesProcessor.php
index cc70d96..273b120 100644
--- a/PluboRoutes/RoutesProcessor.php
+++ b/PluboRoutes/RoutesProcessor.php
@@ -191,7 +191,7 @@ private function executeRouteHook()
 private function checkPermissionCallback()
 {
 $permission_callback = $this->matched_route->getPermissionCallback();
- if (!$permission_callback) {
+ if (!$permission_callback || !is_callable($permission_callback)) {
 return;
 }
 $has_access = call_user_func($permission_callback, $this->matched_args);
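Review bot: In PluboRoutes/Route/Route.php (patch 3/3), getPermissionCallback() now returns the raw configured value, but the docblock added for it in patch 2/3 still reads `@return boolean`. That docblock sits above this hunk and is left untouched, so it now misdescribes the method. It should become something like `@return callable|false The configured permission callback, or false when none is set (callability is checked by the caller).`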
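Review bot: The rewritten guard in checkPermissionCallback() (PluboRoutes/RoutesProcessor.php, patch 3/3) returns early when a callback is configured but is not callable, which skips the permission check entirely. A mistyped function name, or a callback whose defining file was not loaded, leaves the route open without any signal. Only the `false` default from getPermissionCallback() should mean that no check is wanted; any other non-callable value is a configuration error and is safer refused. The method's closing lines are outside the hunk.

```php
$permission_callback = $this->matched_route->getPermissionCallback();
if ($permission_callback === false) {
    // No callback configured for this route: nothing to enforce here.
    return;
}
if (!is_callable($permission_callback)) {
    // Configured but not invocable: deny instead of skipping the check.
    $this->forbidAccess();
    return;
}
// … unchanged: call_user_func() and the $has_access test …
```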