Tag: post-management

How To Restrict User to Self Posts in WordPress

I recently had to work with a third-party integration that used the WordPress REST API to interact with a website. We use this tool internally to move data around from other integrations, and finally into WordPress.

One of the things that I was worried about was the fact that this plugin would then have full access to the website, which is a private site. We only wanted to use it to post and then update WordPress posts, but there was always the concern that if the third party were to be hacked, then someone could read all of our posts on the private site through the REST API.

My solution was to hook into user_has_cap so that the user that was set up for the plugin to integrate with, through an application password, would only have access to read and edit its own posts. A bonus is that we wanted to be able to change the author of a post so that it would show up as specific users or project owners. That meant the authorized plugin user would also need access to these posts after the author was changed–so to get past that I scoured each post revision, and if the plugin user was the author of a revision it was also allowed access.

Finally, to make sure no other published posts were readable, I hooked into posts_results to set any post that didn’t meat the above criteria were marked as private. Below is a cleaned up version of that as an example if anyone else needs this type of functionality–feel free to use it as a starting point:

<?php
/**
 * Restricts post capabilities for a specific user.
 *
 * @param bool[]   $allcaps The current user capabilities.
 * @param string[] $caps    The requested capabilities.
 * @param array    $args {
 *     Arguments that accompany the requested capability check.
 *
 *     @type string    $0 Requested capability.
 *     @type int       $1 Concerned user ID.
 *     @type mixed  ...$2 Optional second and further parameters, typically object ID.
 * }
 * @param WP_User  $user    The user object.
 *
 * @return bool[] The modified user capabilities.
 */
function emrikol_restrict_post_capabilities( array $allcaps, array $caps, array $args, WP_User $user ): array {
	$post_id = isset( $args[2] ) ? absint( $args[2] ) : false;

	if ( false === $post_id || ! get_post( $post_id ) ) {
		return $allcaps;
	}

	if ( 'restricted' === get_user_meta( $user->ID, 'emrikol_restricted_post_capabilities', true ) ) {
		$allowed_caps  = array( 'read', 'read_private_posts', 'read_post', 'edit_post', 'delete_post', 'edit_others_posts', 'delete_others_posts' );
		$requested_cap = isset( $caps[0] ) ? $caps[0] : '';

		if ( in_array( $requested_cap, $allowed_caps, true ) ) {
			if ( emrikol_user_is_author_or_revision_author( $user->ID, $post_id ) ) {
				$allcaps[ $requested_cap ] = true;
			} else {
				$allcaps[ $requested_cap ] = false;
			}
		}
	}

	return $allcaps;
}
add_filter( 'user_has_cap', 'emrikol_restrict_post_capabilities', 10, 4 );

/**
 * Restricts the public posts results based on the query.
 *
 * @param WP_Post[] $posts  The array of posts returned by the query.
 * @param WP_Query  $query  The WP_Query instance (passed by reference).
 *
 * @return array           The filtered array of posts.
 */
function emrikol_restrict_public_posts_results( array $posts, WP_Query $query ): array {
	if ( ! is_admin() && $query->is_main_query() ) {
		$current_user = wp_get_current_user();

		if ( 'restricted' === get_user_meta( $user->ID, 'emrikol_restricted_post_capabilities', true ) ) {
			foreach ( $posts as $key => $post ) {
				if ( ! emrikol_user_is_author_or_revision_author( $current_user->ID, $post->ID ) ) {
					$posts[ $key ]->post_status = 'private';
				}
			}
		}
	}

	return $posts;
}
add_filter( 'posts_results', 'emrikol_restrict_public_posts_results', 10, 2 );

/**
 * Checks if the user is the author of the post or the author of a revision.
 *
 * @param int $user_id The ID of the user.
 * @param int $post_id The ID of the post.
 *
 * @return bool True if the user is the author or revision author, false otherwise.
 */
function emrikol_user_is_author_or_revision_author( int $user_id, int $post_id ): bool {
	$post_author_id = (int) get_post_field( 'post_author', $post_id );

	if ( $user_id === $post_author_id ) {
		return true;
	}

	$revisions = wp_get_post_revisions( $post_id );

	foreach ( $revisions as $revision ) {
		if ( $user_id === $revision->post_author ) {
			return true;
		}
	}

	return false;
}
Code language: PHP (php)

July 26, 2024

iOS Reminders to Habitica To Do’s via IFTTT
After digging around for a while trying to see how I could link up iOS’s Reminders with Habitica‘s To Do’s to help keep me organized, I finally found an easy way through IFTTT.

This works easily because Habitica offers a wonderful API💥

Specifically we’re looking at the “Create a new task belonging to the user” API endpoint:

https://habitica.com/api/v3/tasks/user

With this, we’ll need to make a POST request with some special headers to authenticate and then a body payload made of JSON:

Headers:
```
X-Client: my-user-id-IFTTTiOSRemindersSync
X-API-User: my-user-id
X-API-Key: my-api-keyCode language: HTTP (http)
```
Body:
```
{
	"text": "{{Title}}",
	"type": "todo",
	"notes": "{{Notes}} (Imported from iOS Reminders via IFTTT)"
}Code language: JSON / JSON with Comments (json)
```
From here, IFTTT will fill in the title, notes, and ship it off to Habitica for me to check off for some sweet XP!
October 29, 2021

Quick Tip: Get Size of Revisions in WordPress

One thing that you might not think of when watching the size of a large WordPress site grow, is unnecessary data in the database. With the introduction of the block editor years ago, there has been a large increase in the number of revisions a post makes when being edited.

This can create a lot of revisions in the database if you’re not setting a limit.

If you’d like to do a quick and dirty audit of your revision data, you can use a very ugly SQL query like this:

SELECT COUNT( ID ) as revision_count, ( SUM( CHAR_LENGTH( ID ) ) + SUM( CHAR_LENGTH( post_author ) ) + SUM( CHAR_LENGTH( post_date ) ) + SUM( CHAR_LENGTH( post_date_gmt ) ) + SUM( CHAR_LENGTH( post_content ) ) + SUM( CHAR_LENGTH( post_title ) ) + SUM( CHAR_LENGTH( post_excerpt ) ) + SUM( CHAR_LENGTH( post_status ) ) + SUM( CHAR_LENGTH( comment_status ) ) + SUM( CHAR_LENGTH( ping_status ) ) + SUM( CHAR_LENGTH( post_password ) ) + SUM( CHAR_LENGTH( post_name ) ) + SUM( CHAR_LENGTH( to_ping ) ) + SUM( CHAR_LENGTH( pinged ) ) + SUM( CHAR_LENGTH( post_modified ) ) + SUM( CHAR_LENGTH( post_modified_gmt ) ) + SUM( CHAR_LENGTH( post_content_filtered ) ) + SUM( CHAR_LENGTH( post_parent ) ) + SUM( CHAR_LENGTH( guid ) ) + SUM( CHAR_LENGTH( menu_order ) ) + SUM( CHAR_LENGTH( post_type ) ) + SUM( CHAR_LENGTH( post_mime_type ) ) + SUM( CHAR_LENGTH( comment_count ) ) ) as post_size FROM wp_posts WHERE post_type='revision' GROUP BY post_type ORDER BY revision_count DESC;Code language: JavaScript (javascript)

This will give you the number of revisions you have, and the approximate amount of data its using in the database:

revision_count	post_size
441419	2842450412

You can see now a very large WordPress site can amass a lot of unnecessary data in its database over a number of years. 2.8 Gigabytes of revisions is a lot of stuff if you’re never going to use them again.

September 30, 2021

Deleting Old Post Revisions in WordPress with WP-CLI

Recently I’ve been working with a client who’s site we’re going to soon be migrating. To help with any downtime, we’ve been looking at reducing their database size, which is something around 50-60 gigabytes. After looking through the database, one easy win would be to purge as many post revisions as possible, since their wp_posts table was about 50% revisions 😱

We couldn’t just mass delete anything with a revision post type though, because the client had some specific needs:

Keep all revisions for posts from the last 12 months.
Keep all revisions that were made after the post was published.
Keep a backup of all revisions deleted.

To do this, I crafted a custom WP-CLI command to purge these revisions. I’ve accidentally deleted the final version of the script, since it was only a one-run thing, but here’s an earlier version that could be a good starting point for anyone else that has a similar need to prune revisions:

/**
 * WP-CLI command that deletes pre-publish post revisions for posts older than 12 months.
 *
 * @subcommand prune-revisions [--live] [--verbose]
 */
public function prune_revisions( $args, $assoc_args ) {
	global $wpdb;

	$live    = (bool) $assoc_args[ 'live' ];
	$verbose = (bool) $assoc_args[ 'verbose' ];
	$offset  = 0;
	$limit   = 500;
	$count   = 0;
	$deletes = 0;

	if ( $live ) {
		$output_file = sanitize_file_name( sprintf( 'prune-revisions-backup_%d_%d.csv', get_bloginfo( 'name' ), current_time( 'timestamp', true ) ) );
		$handle      = fopen( $output_file, 'wb' );

		if ( false === $handle ) {
			WP_CLI::error( sprintf( 'Error opening %s for writing!', $output_file ) );
		}

		// Headers.
		$csv_headers = array(
			'ID',
			'post_author',
			'post_date',
			'post_date_gmt',
			'post_content',
			'post_title',
			'post_excerpt',
			'post_status',
			'comment_status',
			'ping_status',
			'post_password',
			'post_name',
			'to_ping',
			'pinged',
			'post_modified',
			'post_modified_gmt',
			'post_content_filtered',
			'post_parent',
			'guid',
			'menu_order',
			'post_type',
			'post_mime_type',
			'comment_count',
			'filter',
		);

		fputcsv(
			$handle,
			$csv_headers
		);
	}

	$count_sql      = 'SELECT COUNT(ID) FROM ' . $wpdb->posts . ' WHERE post_type = "revision"';
	$revision_count = (int) $wpdb->get_row( $count_sql, ARRAY_N )[0];
	$progress       = \WP_CLI\Utils\make_progress_bar( sprintf( 'Checking %s revisions', number_format( $revision_count ) ), $revision_count );

	do {
		$sql       = $wpdb->prepare( 'SELECT ID FROM ' . $wpdb->posts . ' WHERE post_type = "revision" LIMIT %d,%d', $offset, $limit );
		$revisions = $wpdb->get_results( $sql );

		foreach ( $revisions as $revision ) {
			$count++;
			$post_parent_id = wp_get_post_parent_id( $revision->ID );

			// Fail on either 0 or false.
			if ( false == $post_parent_id ) {
				WP_CLI::warning( sprintf( 'Revision %d does not have a parent!  Skipping!', $revision->ID ) );
				continue;
			}

			$revision_modified   = get_post_modified_time( 'U', false, $revision->ID );
			$parent_publish_time = get_post_time( 'U', false, $post_parent_id );

			if ( $parent_publish_time < current_time( 'timestamp') - ( MONTH_IN_SECONDS * 12 ) ) {
				// Post is older than 12 months, safe to delete pre-publish revisions.
				if ( $revision_modified < $parent_publish_time ) {
					if ( $live ) {
						// We're doing it live!
						WP_CLI::log( sprintf( 'Deleting revision %d for post %d. (%d%% done)', $revision->ID, $post_parent_id, ( $count / $revision_count ) * 100 ) );

						// Backup data!
						$output = [];
						$data   = get_post( $revision->ID );

						// Validate the field is set, just in case.  IDK how it couldn't be.
						foreach ( $csv_headers as $field ) {
							$output = isset( $data->$field ) ? $data->$field : '';
						}

						fputcsv( $handle, $output );

						$did_delete = wp_delete_post_revision( $revision->ID );

						// Something went wrong while deleting the revision?
						if ( false === $did_delete || is_wp_error( $did_delete ) ) {
							WP_CLI::warning( sprintf( 'Revision %d for post %d DID NOT DELETE! wp_delete_post_revision returned:', $revision->ID, $post_parent_id ) );
						}
						$deletes++;

						// Pause after lots of db modifications.
						if ( 0 === $deletes % 50 ) {
							if ( $verbose ) {
								WP_CLI::log( sprintf( 'Current Deletes: %d', $deletes ) );
							}
							sleep( 1 );
						}
					} else {
						// Not live, just output info.
						WP_CLI::log( sprintf( 'Will delete revision %d for post %d.', $revision->ID, $post_parent_id ) );
					}
				} else {
					// Revision is after the post has been published.
					if ( $verbose ) {
						WP_CLI::log( sprintf( 'Post-Publish: Will NOT delete Revision %d for post %d.', $revision->ID, $post_parent_id ) );
					}
				}
			} else {
				// Post is too new to prune.
				if ( $verbose ) {
					WP_CLI::log( sprintf( 'Too-New: Will NOT delete Revision %d for post %d.', $revision->ID, $post_parent_id ) );
				}
			}
		}

		// Pause after lots of db reads.
		if ( 0 === $count % 5000 ) {
			if ( $verbose ) {
				WP_CLI::log( sprintf( 'Current Count: %d', $count ) );
			}
			sleep( 1 );
		}

		// Free up memory.
		$this->stop_the_insanity();

		// Paginate.
		if ( count( $revisions ) ) {
			$offset += $limit;
			$progress->tick( $limit );
		} else {
			WP_CLI::warning( 'Possible MySQL Error, retrying in 10 seconds!' );
			sleep( 10 );
		}

	} while ( $count < $revision_count );

	$progress->finish();

	if ( $live ) {
		fclose( $handle );
		WP_CLI::success( sprintf( 'Deleted %d revisions', $deleted ) );
	} else {
		WP_CLI::success( sprintf( 'Processed %d revisions', $revision_count ) );
	}
}Code language: PHP (php)

May 22, 2020

WordPress Post Meta and JSON

…or how I stopped worrying and learned to love the slashes.

Post Meta in WordPress is a great tool to store random bits of data associated with your posts. But did you know that it comes with its own set of problems?

Have you ever tried storing a JSON string inside of post meta?

update_post_meta( 878, 'dumb_meta', wp_json_encode( [ 'HTML Link' => '<a href="https://derrick.blog/">My Blarg</a>' ] ) );Code language: PHP (php)

Only to find out that the JSON has been destroyed?

get_post_meta( 878, 'dumb_meta', true );
// string(61) "{"HTML Link":"<a href="https://derrick.blog/">My Blarg!</a>"}"Code language: JavaScript (javascript)

This is because WordPress passes the meta value through wp_unslash() before storing it in the database. This causes the already existing escaped/slashes data inside the JSON string to be destroyed:

wp_json_encode( [ 'HTML Link' => '<a href="https://derrick.blog/">My Blarg!</a>' ] );
// string(67) "{"HTML Link":"<a href=\"https:\/\/derrick.blog\/\">My Blarg!<\/a>"}"Code language: HTML, XML (xml)

Luckily, there’s a quick solution to this. You can pass your data through wp_slash() to double-encode it, so that when wp_unslash() does its job, it only unslashes a single iteration of slashes, leaving your JSON string safe:

update_post_meta( 878, 'dumb_meta', wp_slash( wp_json_encode( [ 'HTML Link' => '<a href="https://derrick.blog/">My Blarg!</a>' ] ) ) );Code language: PHP (php)

get_post_meta( 878, 'dumb_meta', true );
// string(67) "{"HTML Link":"<a href=\"https:\/\/derrick.blog\/\">My Blarg!<\/a>"}"Code language: JavaScript (javascript)

February 28, 2019

Logging Post Status Transitions in WordPress

Last week an interesting issue came up for a client. Somehow a few posts were moved from Published to Draft. Unfortunately, post status isn’t stored in revisions so it’s unlikely we’ll ever know who or how it happened. Luckily there’s a simple solution I found to log all post status transitions in post meta:

add_action( 'transition_post_status', 'log_post_transition', 10, 3 );
function log_post_transition( $new_status, $old_status, $post ) {
if ( 'post' === $post-&gt;post_type ) {
$current_user = wp_get_current_user();
add_post_meta( $post-&gt;ID, '_post_status_log', sprintf( '%s %d, %s-&gt;%s', current_time( 'mysql' ), $current_user-&gt;ID, $old_status, $new_status ), false );
}
}Code language: PHP (php)

September 20, 2017