MU WPCOM: Prevent site owner from editing user's account-level fields (2nd try) (#42177)

* MU WPCOM: Prevent site owner from editing user's account-level fields

* changelog

* Use php to inject script

* Rename the function to is_user_connected

* Ignore super admin

* Change to use is_network_admin

Author: arthur791004

projects/packages/jetpack-mu-wpcom/changelog/feat-disable-account-fields-on-edit-user

@@ -0,0 +1,4 @@
+Significance: minor
+Type: changed
+
+MU WPCOM: Prevent site owner from editing user's account-level fields

projects/packages/jetpack-mu-wpcom/src/class-jetpack-mu-wpcom.php

@@ -171,6 +171,7 @@ public static function load_wpcom_user_features() {
 		require_once __DIR__ . '/features/wpcom-profile-settings/profile-settings-notices.php';
 		require_once __DIR__ . '/features/wpcom-sidebar-notice/wpcom-sidebar-notice.php';
 		require_once __DIR__ . '/features/wpcom-themes/wpcom-themes.php';
+		require_once __DIR__ . '/features/wpcom-user-edit/wpcom-user-edit.php';
 
 		// Only load the Calypsoify and Masterbar features on WoA sites.
 		if ( class_exists( '\Automattic\Jetpack\Status\Host' ) && ( new \Automattic\Jetpack\Status\Host() )->is_woa_site() ) {

projects/packages/jetpack-mu-wpcom/src/features/wpcom-profile-settings/profile-settings-link-to-wpcom.php

@@ -7,18 +7,7 @@
 
 use Automattic\Jetpack\Jetpack_Mu_Wpcom;
 
-/**
- * Check if the site is a WordPress.com Atomic site.
- *
- * @return bool
- */
-function is_woa_site() {
-	if ( ! class_exists( 'Automattic\Jetpack\Status\Host' ) ) {
-		return false;
-	}
-	$host = new Automattic\Jetpack\Status\Host();
-	return $host->is_woa_site();
-}
+require_once __DIR__ . '/../../utils.php';
 
 /**
  * Adds a link to the WordPress.com profile settings page.

projects/packages/jetpack-mu-wpcom/src/features/wpcom-user-edit/wpcom-user-edit.php

@@ -0,0 +1,77 @@
+<?php
+/**
+ * Prevent the site owner from editing user's account-level fields.
+ *
+ * @package automattic/jetpack-mu-wpcom
+ */
+
+namespace Automattic\Jetpack\Jetpack_Mu_Wpcom;
+
+require_once __DIR__ . '/../../utils.php';
+
+/**
+ * Disable the account-level fields of the connected users to prevent the site owner from editing them.
+ */
+function wpcom_disable_account_level_fields_if_needed() {
+	// Bail if editing from network.
+	if ( is_network_admin() ) {
+		return;
+	}
+
+	$user_id = ! empty( $_REQUEST['user_id'] ) ? absint( sanitize_text_field( wp_unslash( $_REQUEST['user_id'] ) ) ) : 0; // // phpcs:ignore WordPress.Security.NonceVerification
+
+	// Do nothing if the user is not connected to WordPress.com.
+	if ( ! $user_id || ! is_user_connected( $user_id ) ) {
+		return;
+	}
+
+	?>
+		<script type="text/javascript">
+			document.addEventListener( 'DOMContentLoaded', function() {
+				const fields = [
+					/** Language */
+					{ selector: '#locale' },
+					/** First Name */
+					{ selector: '#first_name' },
+					/** Last Name */
+					{ selector: '#last_name' },
+					/** Nickname */
+					{ selector: '#nickname' },
+					/** Display name */
+					{ selector: '#display_name' },
+					/** Website */
+					{ selector: '#url' },
+					/** Biographical Info */
+					{ selector: '#description', tagName: 'p' },
+					/** Email */
+					{ selector: '#email' },
+				];
+
+				for ( let i = 0; i < fields.length; i++ ) {
+					const field = fields[i];
+					const element = document.querySelector( field.selector );
+					if ( ! element ) {
+						continue;
+					}
+
+					if ( element.tagName === 'INPUT' ) {
+						element.readOnly = true;
+					} else {
+						element.disabled = true;
+					}
+
+					/**
+					 * Append the description to indicate the field cannot be changed.
+					 */
+					const tagName = field.tagName ? field.tagName : 'span';
+					const description = document.createElement( tagName );
+					description.className = 'description';
+					// Use the `Tab` for spacing to align with other fields.
+					description.innerHTML = "\t<?php echo esc_html__( 'It cannot be changed.', 'jetpack-mu-wpcom' ); ?>";
+					element.parentNode.appendChild( description );
+				}
+			} );
+		</script>
+	<?php
+}
+add_action( 'admin_print_footer_scripts-user-edit.php', __NAMESPACE__ . '\wpcom_disable_account_level_fields_if_needed' );

projects/packages/jetpack-mu-wpcom/src/utils.php

@@ -154,3 +154,30 @@ function get_wpcom_blog_id() {
 
 	return false;
 }
+
+/**
+ * Check if the site is a WordPress.com Atomic site.
+ *
+ * @return bool
+ */
+function is_woa_site() {
+	if ( ! class_exists( 'Automattic\Jetpack\Status\Host' ) ) {
+		return false;
+	}
+	$host = new Automattic\Jetpack\Status\Host();
+	return $host->is_woa_site();
+}
+
+/**
+ * Whether the current user is connected to WordPress.com.
+ *
+ * @param int $user_id the user identifier. Default is the current user.
+ * @return bool Boolean is the user connected?
+ */
+function is_user_connected( $user_id ) {
+	if ( defined( 'IS_WPCOM' ) && IS_WPCOM ) {
+		return true;
+	}
+
+	return ( new Connection_Manager( 'jetpack' ) )->is_user_connected( $user_id );
+}

projects/plugins/mu-wpcom-plugin/changelog/feat-disable-account-fields-on-edit-user

@@ -0,0 +1,4 @@
+Significance: minor
+Type: changed
+
+MU WPCOM: Prevent site owner from editing user's account-level fields

projects/plugins/wpcomsh/changelog/feat-disable-account-fields-on-edit-user

@@ -0,0 +1,4 @@
+Significance: minor
+Type: changed
+
+MU WPCOM: Prevent site owner from editing user's account-level fields