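register_admin_menu();
		}, 206 ); // After Elementor.

		add_action( 'admin_head', function () {
			$this->hide_menu_item();
		} );
	}

	/**
	 * Register the hidden admin page that acts as the proxy endpoint.
	 *
	 * The page is registered under Elementor's settings menu with the `read`
	 * capability; the per-note authorization happens in `on_page_load()`.
	 * The menu entry itself is removed again in `hide_menu_item()`.
	 *
	 * @return void
	 */
	protected function register_admin_menu() {
		add_submenu_page(
			Settings::PAGE_ID,
			esc_html__( 'Notes Proxy', 'elementor-pro' ),
			esc_html__( 'Notes Proxy', 'elementor-pro' ),
			'read',
			static::PAGE_ID
		);

		// Only run the proxy logic when the current screen is this page.
		add_action( 'current_screen', function ( \WP_Screen $current_screen ) {
			if ( static::PAGE_ID !== $current_screen->id ) {
				return;
			}

			$this->on_page_load();
		} );
	}

	/**
	 * Hide the menu item, since it shouldn't be visible to users in the UI.
	 *
	 * Removing the submenu entry only hides the link; the page itself remains
	 * registered, which is what the proxy needs.
	 *
	 * @return void
	 */
	protected function hide_menu_item() {
		remove_submenu_page( Settings::PAGE_ID, static::PAGE_ID );
	}

	/**
	 * Run the actual proxy page.
	 *
	 * Reads the `note-id` query argument, resolves the note and redirects the
	 * user to it. Anything that is not a positive integer id sends the user to
	 * the site URL; an unknown note, or a user lacking
	 * `Capabilities::READ_NOTES` for that note, gets a message instead of a
	 * redirect.
	 *
	 * No nonce check: this is a read-only GET that changes no state, and
	 * access to the note itself is authorized through `current_user_can()`.
	 *
	 * @return void
	 */
	public function on_page_load() {
		// Accept only a positive decimal integer. `is_numeric()` would also accept
		// floats and exponent notation ("1.9", "1e2"), which the `(int)` cast then
		// maps to a different id than the one spelled out. `filter_var()` yields
		// `false` for missing, array or non-integer input.
		$note_id = filter_var(
			$_GET['note-id'] ?? null, // phpcs:ignore: WordPress.Security.NonceVerification.Recommended
			FILTER_VALIDATE_INT,
			[ 'options' => [ 'min_range' => 1 ] ]
		);

		if ( false === $note_id ) {
			$this->safe_redirect( get_site_url() );
			return;
		}

		$note = Note::query()->find( $note_id );

		if ( ! $note ) {
			$message = esc_html__( 'The note you are looking for was not found.', 'elementor-pro' );
			// NOTE(review): the empty string literals around the link labels look like
			// placeholders for markup that is not present in this copy — confirm against upstream.
			$go_to_dashboard = '' . esc_html__( 'Go to WP Dashboard', 'elementor-pro' ) . '';
			$view_site = '' . esc_html__( 'View Site', 'elementor-pro' ) . '';

			$this->message_and_die( " {$message}

{$go_to_dashboard}  |  {$view_site} " );
			return;
		}

		if ( ! current_user_can( Capabilities::READ_NOTES, $note ) ) {
			// The misspelling ("autorized") is kept on purpose: the string is a
			// translation key and changing it would break existing translations.
			$this->message_and_die( esc_html__( 'You are not autorized to view this Note. Please contact your admin.', 'elementor-pro' ) );
			return;
		}

		$this->redirect_to_note( $note );
	}

	/**
	 * Redirect to a note - Used for testing.
	 *
	 * `header()` is used directly instead of `wp_safe_redirect()` because the
	 * latter filters characters such as `{}` that the note URL requires.
	 * PHP's `header()` refuses values containing CR/LF, so the raw call cannot
	 * be used for header injection. NOTE(review): it performs no host check
	 * either; the URL is treated as internal because it comes from
	 * `Note::get_url()` — confirm that method never yields an external host.
	 *
	 * @param Note $note
	 *
	 * @return void
	 */
	protected function redirect_to_note( Note $note ) {
		$url = $note->get_url( false );

		header( 'Location:' . $url, true, 302 );
		die;
	}

	/**
	 * Safe redirect to a page - Used for testing.
	 *
	 * Goes through `wp_safe_redirect()`, which only allows local or
	 * allow-listed hosts, then stops execution.
	 *
	 * @param string $url
	 *
	 * @return void
	 */
	protected function safe_redirect( $url ) {
		wp_safe_redirect( $url );
		die;
	}

	/**
	 * Show a message to the user and die - Used for testing.
	 *
	 * The message is handed to `wp_die()` without further escaping, so callers
	 * must pass already-escaped text or trusted markup.
	 *
	 * @param string $message
	 *
	 * @return void
	 */
	protected function message_and_die( $message ) {
		wp_die( $message ); // phpcs:ignore WordPress.Security.EscapeOutput
	}
}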