Filter uncanny-automator

automator_save_setting_permissions

Filters setting permissions before saving to modify or validate them.

add_filter( 'automator_save_setting_permissions', $callback, 10, 1 );

Description

Allows developers to modify the permissions required to save Uncanny Automator module settings via the REST API. Filter the returned `WP_Error` object to customize forbidden messages or implement alternative permission checks before settings are saved. This hook is triggered when a REST API request attempts to save module settings.

Usage

add_filter( 'automator_save_setting_permissions', 'your_function_name', 10, 1 );

Parameters

$setting (mixed)
This parameter contains the setting data that is about to be saved.

Return Value

The filtered value.

Examples

<?php
/**
 * Example of using the automator_save_setting_permissions filter to restrict saving of specific automator settings.
 *
 * This example prevents users without the 'manage_options' capability from saving settings related to the 'email_notifications' module.
 *
 * @param bool|WP_Error $setting The current permission status (true if allowed, WP_Error if denied).
 * @return bool|WP_Error The modified permission status.
 */
add_filter( 'automator_save_setting_permissions', 'my_restrict_automator_email_settings', 10, 1 );

function my_restrict_automator_email_settings( $setting ) {
    // If the setting is already a WP_Error, it means permissions were already denied, so return it.
    if ( is_wp_error( $setting ) ) {
        return $setting;
    }

    // Assuming the $setting parameter might contain information about the setting being saved.
    // In a real-world scenario, you'd likely need to inspect the request or context to determine
    // which setting is being saved. For this example, we'll simulate checking for 'email_notifications'.
    // A more robust implementation might pass a specific setting name or identifier to the filter.

    // For demonstration, let's assume a hypothetical scenario where the filter might receive
    // the name of the setting being saved as part of the filter arguments, or you might access
    // global request data to determine this. Since the hook signature only shows $setting,
    // we'll make a simplifying assumption here.

    // In a real plugin, the 'automator_save_setting_permissions' hook might be designed
    // to pass more context. If not, you'd have to rely on global state or other means
    // to identify the specific setting.

    // Let's pretend we can identify the setting being saved by looking at a global variable,
    // or if the $setting itself contained this information (which it doesn't directly from the provided context).
    // For this example, we'll assume we are checking for a hypothetical 'email_notifications_settings' key.
    // In a real scenario, you'd need to understand how Uncanny Automator passes this information.

    // IMPORTANT: The provided context `class-recipe-post-rest-api.php:333`,
    // `actions-conditions.php:881`, `async-actions.php:137` doesn't explicitly show
    // how a specific setting is identified within the `$setting` parameter.
    // For this example, we will simulate a check assuming `$setting` could be an array
    // and we're looking for a key like 'setting_key'.

    // A more realistic approach would involve inspecting the REST API request if this filter
    // is triggered by REST API calls. However, the provided code snippets don't give that detail.

    // Let's imagine for demonstration that the `$setting` could be an array and we're checking for a key.
    // If the actual implementation passes a simpler boolean or a generic object, this part needs adjustment.
    $setting_key_to_restrict = 'email_notifications_settings';

    // Simulate checking if the setting being saved is the one we want to restrict.
    // This is a placeholder. You'll need to adapt this based on how Uncanny Automator
    // actually identifies the setting in the `$setting` parameter.
    $is_restricted_setting = false;
    if ( is_array( $setting ) && isset( $setting['setting_key'] ) && $setting['setting_key'] === $setting_key_to_restrict ) {
        $is_restricted_setting = true;
    }
    // If the $setting parameter is just a boolean, and the hook is intended to allow/deny saving *any* setting
    // based on user capabilities, then this conditional logic would be different.
    // The original code $setting = true; suggests it's a permission gate.

    // If we are targeting a specific setting and the current user doesn't have the capability, deny saving.
    if ( $is_restricted_setting && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You do not have the capability to save email notification module settings.', array( 'status' => 403 ) );
    }

    // If the setting is not the restricted one, or the user has the capability, allow saving by returning true.
    // Or if $setting was already true, just pass it through.
    return $setting;
}

Placement

This code should be placed in the functions.php file of your active theme, a custom plugin, or using a code snippets plugin.

Source Code

src/core/automator-post-types/uo-recipe/class-recipe-post-rest-api.php:333
src/api/transports/restful/utilities/traits/trait-permissions.php:66
uncanny-automator-pro/src/core/classes/actions-conditions.php:881
uncanny-automator-pro/src/core/classes/async-actions.php:137

public function save_settings_permissions() {

		if ( ! $this->valid_nonce() ) {
			return false;
		}

		$capability = automator_get_capability();
		// Backward compatibility - allow old filters to override
		$capability = apply_filters_deprecated( 'uap_roles_modify_recipe', array( $capability ), '3.0', 'automator_capability' );
		$capability = apply_filters_deprecated( 'automator_capability_required', array( $capability ), '7.0', 'automator_capability' );

		// Restrict endpoint to only users who have the edit_posts capability.
		if ( ! current_user_can( $capability ) ) {  // phpcs:ignore WordPress.WP.Capabilities.Undetermined -- Dynamic capability from filter.
			return new WP_Error( 'rest_forbidden', 'You do not have the capability to save module settings.', array( 'status' => 403 ) );
		}

		// This is a black-listing approach. You could alternatively do this via white-listing, by returning false here and changing the permissions check.
		$setting = true;
		$setting = apply_filters_deprecated( 'uap_save_setting_permissions', array( $setting ), '3.0', 'automator_save_setting_permissions' );

		return apply_filters( 'automator_save_setting_permissions', $setting );
	}
Scroll to Top