HEX
Server: nginx
System: Linux pool195-106-36.bur.atomicsites.net 6.12.57+deb12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.57-1~bpo12+1 (2025-11-17) x86_64
User: (0)
PHP: 8.3.32
Disabled: pcntl_fork
Upload Files
File: /wordpress/plugins/jetpack/latest/extensions/blocks/premium-content/_inc/access-check.php
<?php
/**
 * Determine access to premium content.
 *
 * @package Automattic\Jetpack\Extensions\Premium_Content
 */

namespace Automattic\Jetpack\Extensions\Premium_Content;

use Automattic\Jetpack\Extensions\Premium_Content\Subscription_Service\Abstract_Token_Subscription_Service;
use Automattic\Jetpack\Extensions\Premium_Content\Subscription_Service\WPCOM_Online_Subscription_Service;

require_once __DIR__ . '/subscription-service/include.php';

/**
 * Determines if the memberships module is set up.
 *
 * @return bool Whether the memberships module is set up.
 */
function membership_checks() {
	// If Jetpack is not yet configured, don't show anything ...
	if ( ! class_exists( '\Jetpack_Memberships' ) ) {
		return false;
	}
	// if stripe not connected don't show anything...
	if ( ! \Jetpack_Memberships::has_connected_account() ) {
		return false;
	}
	return true;
}

/**
 * Determines if the site has a plan that supports the
 * Premium Content block.
 *
 * @return bool
 */
function required_plan_checks() {
	$availability = \Jetpack_Gutenberg::get_cached_availability();
	$slug         = 'premium-content/container';
	return ( isset( $availability[ $slug ] ) && $availability[ $slug ]['available'] );
}

/**
 * Determines if the block should be rendered. Returns true
 * if the block passes all required checks, or if the user is
 * an editor.
 *
 * @return bool Whether the block should be rendered.
 */
function pre_render_checks() {
	return ( current_user_can_edit() || membership_checks() );
}

/**
 * Determines whether the current user can edit.
 *
 * @return bool Whether the user can edit.
 */
function current_user_can_edit() {
	$user = wp_get_current_user();

	return 0 !== $user->ID && current_user_can( 'edit_post', get_the_ID() );
}

/**
 * Mint and persist a fresh premium-content session cookie for the current visitor.
 *
 * When the WPCOM Memberships filter returns authoritative subscriptions for a logged-in
 * visitor but no JWT cookie is present (e.g. the previous one expired or was cleared),
 * we wrap those subscriptions in a JWT signed with the site's Jetpack blog token and
 * persist it as the standard `wp-jp-premium-content-session` cookie. Subsequent requests
 * within the cookie TTL take the fast cached path instead of the WPCOM round-trip.
 *
 * Returns the minted JWT so callers can act on it; returns null when no token should be
 * minted because there are no subscriptions, a valid cookie already exists, or the
 * signing key is unavailable. The cookie itself is set on a best-effort basis: if headers
 * have already been sent, the token is still returned so the caller can decide what to do.
 *
 * @param object $paywall                   Subscription service (provides the signing key).
 * @param int    $user_id                   User id the subscriptions belong to (WPCOM id when available, otherwise local).
 * @param array  $abbreviated_subscriptions Subscriptions after `abbreviate_subscriptions()`.
 * @return string|null The encoded JWT, or null when no cookie was minted.
 */
function maybe_renew_session_cookie( $paywall, $user_id, $abbreviated_subscriptions ) {
	if ( empty( $abbreviated_subscriptions ) ) {
		return null;
	}
	if ( Abstract_Token_Subscription_Service::has_token_from_cookie() ) {
		$session_cookie_name = Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME;
		$existing_payload    = null;
		if ( isset( $_COOKIE[ $session_cookie_name ] ) ) {
			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
			$existing_payload = $paywall->decode_token( $_COOKIE[ $session_cookie_name ] );
		}
		if ( ! empty( $existing_payload ) ) {
			return null;
		}
	}

	$key = $paywall->get_key();
	if ( ! $key ) {
		return null;
	}

	$payload_subscriptions = array();
	foreach ( $abbreviated_subscriptions as $pid => $sub ) {
		$sub                           = (array) $sub;
		$payload_subscriptions[ $pid ] = array(
			'status'     => 'active',
			'end_date'   => $sub['end_date'] ?? gmdate( 'Y-m-d H:i:s', time() + MONTH_IN_SECONDS ),
			'product_id' => (int) $pid,
		);
		if ( ! empty( $sub['is_comp'] ) ) {
			$payload_subscriptions[ $pid ]['is_comp'] = true;
		}
	}

	$token = JWT::encode(
		array(
			'user_id'       => $user_id,
			'blog_sub'      => 'active',
			'subscriptions' => $payload_subscriptions,
		),
		$key
	);

	if ( ! ( defined( 'TESTING_IN_JETPACK' ) && TESTING_IN_JETPACK ) && ! headers_sent() ) {
		// phpcs:ignore Jetpack.Functions.SetCookie.FoundNonHTTPOnlyFalse
		setcookie( Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME, $token, strtotime( '+1 month' ), '/', '', is_ssl(), false );
	}

	// Reflect the cookie in the current request so the render path (and any later code in
	// this request) reads the freshly minted token instead of re-querying the filter.
	$_COOKIE[ Abstract_Token_Subscription_Service::JWT_AUTH_TOKEN_COOKIE_NAME ] = $token;

	return $token;
}

/**
 * Resolve the current logged-in visitor's subscriptions from the authoritative
 * WordPress.com Memberships filter.
 *
 * Translates the local user id to the WordPress.com user id (via the `wpcom_user_id`
 * user_meta populated by Jetpack SSO) and queries the filter with the paywall's
 * WordPress.com blog id (not get_current_blog_id(), which is the independent local id
 * on Atomic/WoA). Shared by the access decision and the cookie self-heal.
 *
 * @param object $paywall Subscription service (provides the WordPress.com blog id).
 * @return array{0:int,1:array,2:array} [ user_id (WPCOM id when available, otherwise local), raw_subscriptions, abbreviated_subscriptions ].
 */
function get_subscriptions_for_logged_in_user( $paywall ) {
	$local_user_id = wp_get_current_user()->ID;
	$wpcom_user_id = (int) get_user_meta( $local_user_id, 'wpcom_user_id', true );
	$user_id       = $wpcom_user_id > 0 ? $wpcom_user_id : $local_user_id;
	$site_id       = $paywall->get_site_id();

	/**
	 * Filter the subscriptions attached to a specific user on a given site.
	 *
	 * @since 9.4.0
	 *
	 * @param array $subscriptions Array of subscriptions.
	 * @param int   $user_id The user's ID.
	 * @param int   $site_id ID of the current site.
	 */
	$raw_subscriptions         = apply_filters( 'earn_get_user_subscriptions_for_site_id', array(), $user_id, $site_id );
	$abbreviated_subscriptions = WPCOM_Online_Subscription_Service::abbreviate_subscriptions( $raw_subscriptions );

	return array( $user_id, $raw_subscriptions, $abbreviated_subscriptions );
}

/**
 * Pre-warm the premium-content session cookie before output starts.
 *
 * `current_visitor_can_access()` runs during `the_content`, by which point headers are
 * already sent and `setcookie()` is a no-op. This `template_redirect` callback runs earlier —
 * after the main query resolves but before the template renders — so the self-heal cookie can
 * actually persist for subsequent requests. It does work only on front-end page views that
 * contain the block, for logged-in visitors who do not already have a valid cookie.
 *
 * @return void
 */
function prewarm_premium_content_session_cookie() {
	if ( ! is_user_logged_in() ) {
		return;
	}

	// Front-end page views only — skip admin, REST, feeds and cron.
	if ( is_admin() || is_feed() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
		return;
	}

	// Only on singular content that actually contains the block, so we never pay the filter
	// round-trip on unrelated pages.
	$queried = get_queried_object();
	if ( ! ( $queried instanceof \WP_Post ) || ! has_block( 'premium-content/container', $queried ) ) {
		return;
	}

	// Editors/authors of this post already bypass gating in current_visitor_can_access(), so
	// there is no cookie to pre-warm for them — skip the Memberships filter round-trip.
	if ( current_user_can( 'edit_post', $queried->ID ) ) {
		return;
	}

	$paywall = subscription_service();

	// Already have a valid cached session? Nothing to heal — and don't query the filter.
	$existing_payload = $paywall->decode_token( $paywall->get_and_set_token_from_request() );
	if ( ! empty( $existing_payload ) ) {
		return;
	}

	list( $user_id, , $abbreviated_subscriptions ) = get_subscriptions_for_logged_in_user( $paywall );
	maybe_renew_session_cookie( $paywall, $user_id, $abbreviated_subscriptions );
}

/**
 * Determines if the current user can view the protected content of the given block.
 *
 * @param array  $attributes Block attributes.
 * @param object $block Block to check.
 *
 * @return bool Whether the use can view the content.
 */
function current_visitor_can_access( $attributes, $block ) {
	/**
	 * If the current WordPress install has as signed in user
	 * they can see the content.
	 */

	if ( current_user_can_edit() ) {
		return true;
	}

	$selected_plan_ids = array();

	if ( isset( $attributes['selectedPlanIds'] ) ) {
		$selected_plan_ids = $attributes['selectedPlanIds'];
	} elseif ( isset( $attributes['selectedPlanId'] ) ) {
		$selected_plan_ids = array( $attributes['selectedPlanId'] );
	}

	if ( isset( $block ) && ! empty( $block->context['premium-content/planId'] ) ) {
		$selected_plan_ids = array( $block->context['premium-content/planId'] );
	} elseif ( isset( $block ) && ! empty( $block->context['premium-content/planIds'] ) ) {
		$selected_plan_ids = $block->context['premium-content/planIds'];
	}

	if ( empty( $selected_plan_ids ) ) {
		return false;
	}

	$can_view     = false;
	$paywall      = subscription_service();
	$access_level = Abstract_Token_Subscription_Service::POST_ACCESS_LEVEL_PAID_SUBSCRIBERS; // Only paid subscribers should be granted access to the premium content
	$tier_ids     = \Jetpack_Memberships::get_all_newsletter_plan_ids();
	$tier_ids     = array_intersect( $tier_ids, $selected_plan_ids );
	if ( ! empty( $tier_ids ) ) {
		// If the selected plan is a tier, we want to check directly if user has a higher "tier".
		// This is to prevent situation where the user upgrades and lose access to premium-gated content

		$subscriptions = array();

		// Cookie/token first (fast cached path, no WPCOM round-trip). Also covers anonymous
		// visitors arriving via a `?token=` magic link, which takes precedence over the cookie.
		$token   = $paywall->get_and_set_token_from_request();
		$payload = $paywall->decode_token( $token );
		if ( ! empty( $payload ) ) {
			$subscriptions = (array) $payload['subscriptions'];
		}

		// No valid cookie yet, but logged in: consult the authoritative WPCOM filter. This is
		// the first-visit / expired-cookie path; the template_redirect pre-warm hook mints the
		// cookie for subsequent requests. Keeps CM-584 fixed (expired cookie still grants access).
		if ( empty( $subscriptions ) && is_user_logged_in() ) {
			list( , , $subscriptions ) = get_subscriptions_for_logged_in_user( $paywall );
		}

		foreach ( $tier_ids as $tier_id ) {
			$can_view = ! $paywall->maybe_gate_access_for_user_if_tier( $tier_id, $subscriptions );
			if ( $can_view ) {
				break;
			}
		}

		// Refresh-before-deny for the tier path. If the tier check denied access but the
		// token already references a subscription whose product_id maps to one of the
		// requested tiers, the most likely cause is a stale end_date from a renewal —
		// attempt a single refresh against the WordPress.com token-refresh endpoint and
		// re-check with the fresh subscriptions. Mirrors the same gate inside
		// visitor_can_view_content() for the non-tier path.
		if (
			! $can_view
			&& method_exists( $paywall, 'token_has_matching_product' )
			&& $paywall->token_has_matching_product( $tier_ids, $subscriptions )
		) {
			$fresh_payload = $paywall->refresh_token_payload();
			if ( ! empty( $fresh_payload ) ) {
				$subscriptions = isset( $fresh_payload['subscriptions'] ) ? (array) $fresh_payload['subscriptions'] : array();
				foreach ( $tier_ids as $tier_id ) {
					$can_view = ! $paywall->maybe_gate_access_for_user_if_tier( $tier_id, $subscriptions );
					if ( $can_view ) {
						break;
					}
				}
			}
		}
	}

	$non_tier_ids = array_diff( $selected_plan_ids, $tier_ids );
	if ( ! $can_view ) {
		// For selected plans that are not tiers, we want to check if the user has any of the selected plans.
		$can_view = $paywall->visitor_can_view_content( $non_tier_ids, $access_level );
	}

	if ( $can_view ) {
		/**
		 * Fires when a visitor can view protected content on a site.
		 *
		 * @since 9.4.0
		 */
		do_action( 'jetpack_earn_remove_cache_headers' );
	}

	return $can_view;
}