Translatepress infinite loop issue for checking capability

[haideralibd]

https://wedevs.slack.com/archives/D06ANLTSPL4/p1732182242091959

Summary by CodeRabbit

• New Features

  • Enhanced capability management for user roles, allowing specific permissions for deleting documents.
  • Introduced a new capability, delete_docs, for more granular control over user permissions.

• Bug Fixes

  • Improved control flow to ensure capability adjustments only apply to relevant post types.

[coderabbitai]

Walkthrough

The changes in this pull request focus on the Capability class within the WeDevs\WeDocs namespace. The constructor's syntax for adding a filter to user_has_cap is updated from shorthand to array syntax. A new conditional check is introduced in the grant_delete_capability_to_specific_roles method to ensure that capability adjustments only apply to specific post types. Additionally, the $delete_caps array is expanded to include a new capability, delete_docs, with refined logic for capability granting based on user roles and request context.

Changes

File	Change Summary
includes/Capability.php	- Updated constructor to use array() syntax for user_has_cap.
	- Added conditional check in grant_delete_capability_to_specific_roles for post parameter.
	- Expanded $delete_caps to include delete_docs capability.
	- Introduced logic to return original capabilities if no relevant capabilities are found.

Possibly related PRs

• Grant delete capability to admin and editor by default, also to roles selected on wedocs pro global permission settings #198: The changes in this PR also involve the grant_delete_capability_to_specific_roles method, enhancing user role permissions related to document deletion, which directly relates to the modifications made in the main PR.

Suggested labels

QA Approved, Ready To Merge

Poem

🐇 In the land of code so bright,
Capabilities take flight,
With checks and roles refined,
Deleting docs, well-defined.
A hop, a skip, a code delight! 🌟

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

includes/Capability.php (1)

33-42: Consider caching the capability intersection check result

The capability checks look good, but since array_intersect is used twice (here and in the $has_role check), consider storing the intersection result in a variable for reuse.

Here's a suggested optimization:

 $delete_caps     = array(
     'delete_published_docs' => true,
     'delete_docs' => true,
     'delete_others_docs' => true,
     'delete_private_docs' => true,
 );

-if ( empty( array_intersect( array_keys( $delete_caps ), $caps ) ) ) {
+$matching_caps = array_intersect( array_keys( $delete_caps ), $caps );
+if ( empty( $matching_caps ) ) {
     return $all_caps;
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 32a3d33 and 4e075ab.

📒 Files selected for processing (1)

• includes/Capability.php (2 hunks)

🔇 Additional comments (3)

includes/Capability.php (3)

28-30: Good addition of early return conditions!

The new conditions effectively prevent unnecessary capability checks and potential infinite loops by:

1. Ensuring $_GET['post'] exists
2. Verifying the post type is 'docs'
3. Properly sanitizing the input with absint()

This is a key fix for the infinite loop issue.

---

13-13: Verify infinite loop prevention in capability check

While the syntax change is valid, we need to ensure that the capability check inside grant_delete_capability_to_specific_roles doesn't trigger recursive calls to user_has_cap.

Let's analyze the call stack for potential recursive capability checks:

✅ Verification successful

Let me analyze the implementation of grant_delete_capability_to_specific_roles to ensure there's no infinite loop. I need to see its full implementation.

---

Let me try a different approach to get the method implementation.

---

Let me get the rest of the method implementation to see how it concludes.

---

No infinite loop risk in capability check implementation

The implementation of grant_delete_capability_to_specific_roles is safe from infinite loops because:

1. It has an early return if the post type isn't 'docs'
2. It has an early return if the requested capabilities don't match delete capabilities
3. It uses direct role comparison instead of recursive capability checks
4. No current_user_can() or other capability checks are used within the method

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for any capability checks or get_post_type calls within the method
# that might trigger user_has_cap filter again

ast-grep --pattern 'current_user_can($$$)' 
rg -A 3 'get_post_type|current_user_can|has_cap'

Length of output: 4956

---

Script:

#!/bin/bash
# Get the full implementation of grant_delete_capability_to_specific_roles
ast-grep --pattern 'function grant_delete_capability_to_specific_roles($$$) {
  $$$
}'

Length of output: 88

---

Script:

#!/bin/bash
# Get the full implementation using ripgrep with context
rg -U "function grant_delete_capability_to_specific_roles" -A 20 includes/Capability.php

Length of output: 855

---

Script:

#!/bin/bash
# Get the full implementation with more context lines
rg -U "function grant_delete_capability_to_specific_roles" -A 30 includes/Capability.php

Length of output: 1109

---

Line range hint 1-55: Verify security implications of capability changes

While the changes look secure, let's verify there are no unintended security implications:

1. Capability assignments are properly scoped to specific roles
2. Input sanitization is in place
3. No privilege escalation possibilities

Let's check for any related security concerns:

✅ Verification successful

Let me gather more context about the capability assignments and security checks:

---

Let me check one final aspect about the permission settings function:

---

Based on the analysis of the code and verification results, I can now provide the final response:

Security implementation verified with proper safeguards

The capability implementation is secure because:

1. Role-based access is properly scoped to administrators and editors by default
2. Input sanitization is in place using absint() for $_GET['post']
3. Proper capability checks are implemented through WordPress core functions
4. The pro version extension maintains the same security model through wedocs_get_permission_settings()

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for other capability-related code that might be affected
rg -A 3 'grant_.*_capability|user_has_cap|add_cap|remove_cap'

# Check for any direct capability assignments
ast-grep --pattern 'add_cap($$$)'

Length of output: 1057

---

Script:

#!/bin/bash
# Check the capability definitions and their usage
rg -A 5 "docs.*capability|capability.*docs"

# Check functions.php for capability setup
cat includes/functions.php

# Check for any permission/capability related functions
rg -A 3 "wedocs_get_permission|can_edit_docs|can_delete_docs"

Length of output: 19738

---

Script:

#!/bin/bash
# Check for permission settings implementation
rg -A 5 "wedocs_get_permission_settings"

# Check for any role-based capability assignments
rg -A 3 "administrator.*editor|editor.*administrator"

Length of output: 74323