sections = $sections; $this->fields = $fields; } /** * Register the settings and all fields. */ function settings_init() : void { // Register a new setting this page. register_setting( 'cf7dtx_settings', 'cf7dtx_settings' ); foreach( $this->sections as $section_id => $section ){ // Register a new section. add_settings_section( $section_id, $section['title'], [$this, 'render_section'], 'cf7dtx_settings', ); } /* Register All The Fields. */ foreach( $this->fields as $field ) { // Register a new field in the main section. add_settings_field( $field['id'], /* ID for the field. Only used internally. To set the HTML ID attribute, use $args['label_for']. */ $field['label'], /* Label for the field. */ [$this, 'render_field'], /* The name of the callback function. */ 'cf7dtx_settings', /* The menu page on which to display this field. */ $field['section'], /* The section of the settings page in which to show the box. */ [ 'label_for' => $field['id'], /* The ID of the field. */ 'class' => 'cf7dtx_row', /* The class of the field. */ 'field' => $field, /* Custom data for the field. */ ] ); } } /** * Add a subpage to the WordPress Settings menu. */ function options_page() : void { add_submenu_page( 'wpcf7', /* Parent Menu Slug */ 'Contact Form 7 - Dynamic Text Extension', /* Page Title */ 'Dynamic Text Extension', /* Menu Title */ $this->capability, /* Capability */ 'cf7dtx_settings', /* Menu Slug */ [$this, 'render_options_page'], /* Callback */ ); } /** * Render the settings page. */ function render_options_page() : void { // check user capabilities if ( ! current_user_can( $this->capability ) ) { return; } if( isset( $_GET['dismiss-access-keys-notice'] )){ wpcf7dtx_set_update_access_scan_check_status('notice_dismissed'); ?>

render_back_to_settings_button(); ?>

handle_save_allows(); ?>

render_allow_keys_submission($r); ?>
num_forms_to_scan, $offset ); ?>

render_scan_results($results); ?>

Scan Forms for Post Meta and User Data Keys

>

'cf7dtx_settings[' . $field['id'] . ']', 'textarea_rows' => 5, ) ); break; } case "email": { ?>

sections[$args['id']]['description']; ?>

'.__('Scan complete. No keys detected.', 'contact-form-7-dynamic-text-extension').'

'; $this->render_back_to_settings_button(); return; } // Check if we need to scan another batch if( $results['forms_scanned'] === $this->num_forms_to_scan ){ $offset = isset( $_GET['offset'] ) ? $_GET['offset'] : 0; $next_offset = $offset + $this->num_forms_to_scan; echo '

'; echo sprintf( __( '%1$s forms scanned. There may be more forms to scan.', 'contact-form-7-dynamic-text-extension' ), $results['forms_scanned'], ); echo ' '; echo ''.sprintf( __( 'Scan %1$s more forms', 'contact-form-7-dynamic-text-extension' ), $this->num_forms_to_scan ).''; echo '

'; } $settings = wpcf7dtx_get_settings(); $already_allowed_meta_keys = wpcf7dtx_parse_allowed_keys(wpcf7dtx_array_has_key('post_meta_allow_keys', $settings)); $already_allowed_user_keys = wpcf7dtx_parse_allowed_keys(wpcf7dtx_array_has_key('user_data_allow_keys', $settings)); // Check the results ahead of time to see if all of the keys are already in the allow list - if so, nothing to do $forms = $results['forms']; $all_keys_allowed = true; foreach( $forms as $form_id => $r ){ if( count($r['meta_keys'])){ foreach( $r['meta_keys'] as $key ){ if( !in_array( $key, $already_allowed_meta_keys ) ){ $all_keys_allowed = false; break; } } if( $all_keys_allowed === false ) break; } if( count($r['user_keys'])){ foreach( $r['user_keys'] as $key ){ if( !in_array( $key, $already_allowed_user_keys ) ){ $all_keys_allowed = false; break; } } if( $all_keys_allowed === false ) break; } } if( $all_keys_allowed ){ wpcf7dtx_set_update_access_scan_check_status( 'intervention_completed' ); } ?>

$r ){ ?>

View form

Meta Keys

User Data Keys

render_back_to_settings_button(); ?>
$val ){ if( str_starts_with( $key, 'dtx_meta_key' ) ){ $parts = explode( '/', $key); $meta_keys[] = $parts[1]; } else if( str_starts_with( $key, 'dtx_user_key' )){ $parts = explode( '/', $key); $user_keys[] = $parts[1]; } } // Add those keys in options $settings = wpcf7dtx_get_settings(); // Meta Data if( count( $meta_keys ) ){ // Get already saved values $post_meta_allow_keys = isset( $settings['post_meta_allow_keys'] ) ? wpcf7dtx_parse_allowed_keys($settings['post_meta_allow_keys']) : []; // Merge with new values $new = array_unique( array_merge( $post_meta_allow_keys, $meta_keys )); $settings['post_meta_allow_keys'] = implode( PHP_EOL, $new ); } // User Data if( count( $user_keys ) ){ // Get already saved values $user_data_allow_keys = isset( $settings['user_data_allow_keys'] ) ? wpcf7dtx_parse_allowed_keys($settings['user_data_allow_keys']) : []; // Merge with new values $new = array_unique( array_merge( $user_data_allow_keys, $user_keys )); $settings['user_data_allow_keys'] = implode( PHP_EOL, $new ); } // Update with new settings wpcf7dtx_update_settings( $settings ); // Mark as intervention complete wpcf7dtx_set_update_access_scan_check_status( 'intervention_completed' ); return [ 'user' => $user_keys, 'meta' => $meta_keys, ]; } function render_allow_keys_submission( $r ){ ?>

:

:

render_back_to_settings_button(); } function render_back_to_settings_button(){ ?> « [ 'title' => __('Post Meta Access', 'contact-form-7-dynamic-text-extension'), 'description' => __('Control which post metadata the CF7 DTX shortcodes (CF7_get_custom_field) can access. By default, all metadata is protected, so you can open up access through these settings. Keep in mind that users with Contributor+ credentials can add shortcodes and therefore access this data, so make sure not to expose anything sensitive.'). ' '. __('More Information', 'contact-form-7-dynamic-text-extension' ).'', ], 'user_data_access' => [ 'title' => __('User Data Access', 'contact-form-7-dynamic-text-extension'), 'description' => __('Control which user data the CF7 DTX shortcodes (CF7_get_current_user) can access. By default, all user data is protected, so you can open up access through these settings. Keep in mind that users with Contributor+ credentials can add shortcodes and therefore access this data, so make sure not to expose anything sensitive.'). ' '. __('More Information', 'contact-form-7-dynamic-text-extension' ).'', ], ]; /** * Array of fields that should be displayed in the settings page. * * @var array $fields */ $fields = [ [ 'id' => 'post_meta_allow_keys', 'label' => __('Meta Key Allow List', 'contact-form-7-dynamic-text-extension'), 'description' => __('Allow access to these specific post metadata keys. Enter one per line.', 'contact-form-7-dynamic-text-extension'), 'type' => 'textarea', 'section' => 'post_meta_access', ], [ 'id' => 'post_meta_allow_all', 'label' => __('Allow Access to All Post Metadata', 'contact-form-7-dynamic-text-extension'), 'description' => __('**Use with caution.** Should only be enabled if all authorized users with editor privileges (Contributor+) are trusted and should have access to this data. All metadata from any post (including custom post types) will be accessible via the CF7_get_custom_field shortcode. If in doubt, use the Allow List to allow only specific keys.', 'contact-form-7-dynamic-text-extension'), 'type' => 'select', 'options' => [ 'disabled' => __( 'Disabled - Only Allow Access to Meta Key Allow List', 'contact-form-7-dynamic-text-extension' ), 'enabled' => __( 'Enabled - Allow Access to All Post Metadata', 'contact-form-7-dynamic-text-extension' ), ], 'section' => 'post_meta_access', ], [ 'id' => 'user_data_allow_keys', 'label' => __('User Data Key Allow List', 'contact-form-7-dynamic-text-extension'), 'description' => __('Allow access to these specific user data keys. Enter one per line.', 'contact-form-7-dynamic-text-extension'), 'type' => 'textarea', 'section' => 'user_data_access', ], [ 'id' => 'user_data_allow_all', 'label' => __('Allow Access to All User Data', 'contact-form-7-dynamic-text-extension'), 'description' => __('**Use with caution.** Should only be enabled if all authorized users with editor privileges (Contributor+) are trusted and should have access to this data. All of the current user\'s data fields will be accessible via the CF7_get_current_user shortcode. If in doubt, use the Allow List to allow only specific keys.', 'contact-form-7-dynamic-text-extension'), 'type' => 'select', 'options' => [ 'disabled' => __( 'Disabled - Only Allow Access to User Data Key Allow List', 'contact-form-7-dynamic-text-extension' ), 'enabled' => __( 'Enabled - Allow Access to User Data', 'contact-form-7-dynamic-text-extension' ), ], 'section' => 'user_data_access', ], ]; new CF7DTX_Plugin_Settings($sections, $fields); function wpcf7dtx_get_admin_scan_screen_url($offset=0){ $path = 'admin.php?page=cf7dtx_settings&scan-meta-keys'; if( $offset ){ $path.= '&offset='.$offset; } return admin_url($path); } function wpcf7dtx_get_admin_settings_screen_url(){ return admin_url('admin.php?page=cf7dtx_settings'); } /** * Search all CF7 forms for */ function wpcf7dtx_scan_forms_for_access_keys( $num, $offset=0){ $found = [ 'forms' => [], ]; $forms = []; if( function_exists('wpcf7_contact_form') ){ $cf7forms = get_posts([ 'post_type' => 'wpcf7_contact_form', // 'numberposts' => $numposts, // sanity check 'posts_per_page' => $num, 'offset' => $offset, ]); $found['forms_scanned'] = count($cf7forms); // Loop through forms foreach( $cf7forms as $form ){ // Search for the custom fields shortcode if( str_contains($form->post_content, 'CF7_get_custom_field') || str_contains($form->post_content, 'CF7_get_current_user') ){ $cf7 = wpcf7_contact_form( $form->ID ); $forms[$form->ID] = [ 'title' => $cf7->title(), 'meta_keys' => [], 'user_keys' => [], 'admin_url' => admin_url( "admin.php?page=wpcf7&post={$form->ID}&action=edit" ), ]; $tags = $cf7->scan_form_tags(); // Check each tag foreach( $tags as $tag ){ // Find dynamic tags if( str_starts_with( $tag->type, 'dynamic' ) ){ // Check each value foreach( $tag->values as $val ){ // Find CF7_get_custom_field if( str_starts_with( $val, 'CF7_get_custom_field' )){ // Parse out the shortcode atts $atts = shortcode_parse_atts($val); if( $atts ){ // Grab the meta key $meta_key = $atts['key']; // Add meta key to the list if( $meta_key ){ $forms[$form->ID]['meta_keys'][] = $meta_key; } } } // Find CF7_get_current_user if( str_starts_with( $val, 'CF7_get_current_user' )){ // Parse out the shortcode atts $atts = shortcode_parse_atts($val); if( $atts ){ // Grab user data key $key = $atts['key']; if( $key ){ $forms[$form->ID]['user_keys'][] = $key; } } } } } } } } } $found['forms'] = $forms; return $found; }