
Changeset 23805


Timestamp:
03/27/13 08:43:11 (13 months ago)
Author:
azaozz
Message:

Logged out warnings: add fallback text dialog for:

  • The login page has "X-Frame-Options: DENY" header.
  • Cross-domain login URL when displaying on the front-end of a multisite install with domain mapping.
  • The site forces ssl login but not ssl admin.

Add onbeforeunload prompt to counter (frame-busting) JS redirects. Move the JS and CSS into separate files. See #23295.

Location:
trunk
Files:
4 added
5 edited

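--- a/trunk/wp-admin/css/wp-admin.css
+++ b/trunk/wp-admin/css/wp-admin.css
@@ -7292,7 +7292,11 @@
 }
 
+body.interim-login {
+    height: auto;
+}
+
 .interim-login #login {
     padding: 0;
-    width: 300px;
+    margin: 25px auto 20px;
 }
 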
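--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -296,5 +296,5 @@
 
 // Check if the user is logged out
-add_action( 'admin_init', 'wp_auth_check_load' );
+add_action( 'init', 'wp_auth_check_load' );
 
 unset($filter, $action);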
  • trunk/wp-includes/functions.php

    r23738 r23805  
    38883888 
    38893889/** 
    3890  * Load the auth check, for monitoring whether the user is still logged in 
     3890 * Load the auth check for monitoring whether the user is still logged in. 
     3891 * Can be disabled with remove_action( 'init', 'wp_auth_check_load' ); 
    38913892 * 
    38923893 * @since 3.6.0 
     
    38953896 */ 
    38963897function wp_auth_check_load() { 
    3897     wp_enqueue_script( 'heartbeat' ); 
    3898     add_filter( 'heartbeat_received', 'wp_auth_check', 10, 2 ); 
    3899     add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 ); 
    3900  
    3901     if ( is_admin() ) 
    3902         add_action( 'admin_print_footer_scripts', 'wp_auth_check_js' ); 
    3903     elseif ( is_user_logged_in() ) 
    3904         add_action( 'wp_print_footer_scripts', 'wp_auth_check_js' ); 
    3905 } 
    3906  
    3907 /** 
    3908  * Output the JS that shows the wp-login iframe when the user is no longer logged in 
    3909  */ 
    3910 function wp_auth_check_js() { 
     3898    global $pagenow; 
     3899 
     3900    // Don't load for these types of requests 
     3901    if ( defined('XMLRPC_REQUEST') || defined('IFRAME_REQUEST') || 'wp-login.php' == $pagenow ) 
     3902        return; 
     3903 
     3904    if ( is_admin() || is_user_logged_in() ) { 
     3905        if ( defined('DOING_AJAX') ) { 
     3906            add_filter( 'heartbeat_received', 'wp_auth_check', 10, 2 ); 
     3907            add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 ); 
     3908        } else { 
     3909            wp_enqueue_style( 'wp-auth-check' ); 
     3910            wp_enqueue_script( 'wp-auth-check' ); 
     3911 
     3912            if ( is_admin() ) 
     3913                add_action( 'admin_print_footer_scripts', 'wp_auth_check_html', 5 ); 
     3914            else 
     3915                add_action( 'wp_print_footer_scripts', 'wp_auth_check_html', 5 ); 
     3916        } 
     3917    } 
     3918} 
     3919 
     3920/** 
     3921 * Output the HTML that shows the wp-login dialog when the user is no longer logged in 
     3922 */ 
     3923function wp_auth_check_html() { 
     3924    $login_url = wp_login_url(); 
     3925    $current_domain = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST']; 
     3926    $same_domain = ( strpos( $login_url, $current_domain ) === 0 ); 
     3927     
     3928    // Let plugins change this if they know better. 
     3929    $same_domain = apply_filters( 'wp_auth_check_same_domain', $same_domain ); 
     3930    $wrap_class = $same_domain ? 'hidden' : 'hidden fallback'; 
     3931 
    39113932    ?> 
    3912     <script type="text/javascript"> 
    3913     (function($){ 
    3914     $( document ).on( 'heartbeat-tick.wp-auth-check', function( e, data ) { 
    3915         var wrap = $('#wp-auth-check-notice-wrap'); 
    3916  
    3917         if ( data['wp-auth-check-html'] && ! wrap.length ) { 
    3918             $('body').append( data['wp-auth-check-html'] ); 
    3919         } else if ( !data['wp-auth-check-html'] && wrap.length && ! wrap.data('logged-in') ) { 
    3920             wrap.remove(); 
    3921         } 
    3922     }).on( 'heartbeat-send.wp-auth-check', function( e, data ) { 
    3923         data['wp-auth-check'] = 1; 
    3924     }); 
    3925     }(jQuery)); 
    3926     </script> 
     3933    <div id="wp-auth-check-wrap" class="<?php echo $wrap_class; ?>"> 
     3934    <div id="wp-auth-check-bg"></div> 
     3935    <div id="wp-auth-check"> 
     3936    <?php 
     3937 
     3938    if ( $same_domain ) { 
     3939        ?> 
     3940        <div id="wp-auth-check-form" data-src="<?php echo esc_url( add_query_arg( array( 'interim-login' => 1 ), $login_url ) ); ?>"></div> 
     3941        <?php 
     3942    } 
     3943 
     3944    ?> 
     3945    <div class="wp-auth-fallback"> 
     3946        <p><b class="wp-auth-fallback-expired" tabindex="0"><?php _e('Session expired'); ?></b></p> 
     3947        <p><a href="<?php echo esc_url( $login_url ); ?>" target="_blank"><?php _e('Please log in again.'); ?></a> 
     3948        <?php _e('The login page will open in a new window. After logging in you can close it and return to this page.'); ?></p> 
     3949    </div> 
     3950    <p class="wp-auth-check-close"><a href="#" class="button button-primary"><?php _e('Close'); ?></a></p> 
     3951    </div> 
     3952    </div> 
    39273953    <?php 
    39283954} 
     
    39413967        return $response; 
    39423968 
    3943     return array_merge( $response, array( 
    3944         'wp-auth-check-html' => '<div id="wp-auth-check-notice-wrap"> 
    3945 <style type="text/css" scoped> 
    3946 #wp-auth-check { 
    3947     position: fixed; 
    3948     height: 90%; 
    3949     left: 50%; 
    3950     max-height: 415px; 
    3951     overflow: auto; 
    3952     top: 35px; 
    3953     width: 300px; 
    3954     margin: 0 0 0 -160px; 
    3955     padding: 12px 20px; 
    3956     border: 1px solid #ddd; 
    3957     background-color: #fbfbfb; 
    3958     -webkit-border-radius: 3px; 
    3959     border-radius: 3px; 
    3960     z-index: 1000000000; 
    3961 } 
    3962 #wp-auth-check-form { 
    3963     background: url("' . admin_url('/images/wpspin_light-2x.gif') . '") no-repeat center center; 
    3964     background-size: 16px 16px; 
    3965 } 
    3966 #wp-auth-check-form iframe { 
    3967     height: 100%; 
    3968     overflow: hidden; 
    3969 } 
    3970 #wp-auth-check a.wp-auth-check-close { 
    3971     position: absolute; 
    3972     right: 8px; 
    3973     top: 8px; 
    3974     width: 24px; 
    3975     height: 24px; 
    3976     background: url("' . includes_url('images/uploader-icons.png') . '") no-repeat scroll -95px center transparent; 
    3977 } 
    3978 #wp-auth-check h3 { 
    3979     margin: 0 0 12px; 
    3980     padding: 0; 
    3981     font-size: 1.25em; 
    3982 } 
    3983 @media print, 
    3984   (-o-min-device-pixel-ratio: 5/4), 
    3985   (-webkit-min-device-pixel-ratio: 1.25), 
    3986   (min-resolution: 120dpi) { 
    3987     #wp-auth-check a.wp-auth-check-close { 
    3988         background-image: url("' . includes_url('images/uploader-icons-2x.png') . '"); 
    3989         background-size: 134px 15px; 
    3990     } 
    3991 } 
    3992 </style> 
    3993 <div id="wp-auth-check" tabindex="0"> 
    3994 <h3>' .  __('Session expired') . '</h3> 
    3995 <a href="#" class="wp-auth-check-close"><span class="screen-reader-text">' . __('close') . '</span></a> 
    3996 <div id="wp-auth-check-form"> 
    3997     <iframe src="' . esc_url( add_query_arg( array( 'interim-login' => 1 ), wp_login_url() ) ) . '" frameborder="0"></iframe> 
    3998 </div> 
    3999 </div> 
    4000 <script type="text/javascript"> 
    4001 (function($){ 
    4002 var el, wrap = $("#wp-auth-check-notice-wrap"); 
    4003 el = $("#wp-auth-check").focus().find("a.wp-auth-check-close").on("click", function(e){ 
    4004     el.fadeOut(200, function(){ wrap.remove(); }); 
    4005     e.preventDefault(); 
    4006 }); 
    4007 $("#wp-auth-check-form iframe").load(function(){ 
    4008     var height; 
    4009     try { height = $(this.contentWindow.document).find("#login").height(); } catch(er){} 
    4010     if ( height ) { 
    4011         $("#wp-auth-check").css("max-height", height + 40 + "px"); 
    4012         $(this).css("height", height + 5 + "px"); 
    4013         if ( height < 200 ) { 
    4014             wrap.data("logged-in", true); 
    4015             setTimeout( function(){ wrap.fadeOut(200, function(){ wrap.remove(); }); }, 5000 ); 
    4016         } 
    4017     } 
    4018 }); 
    4019 }(jQuery)); 
    4020 </script> 
    4021 </div>' ) ); 
     3969    return array_merge( $response, array( 'wp-auth-check' => '1' ) ); 
    40223970} 
    40233971 
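--- a/trunk/wp-includes/script-loader.php
+++ b/trunk/wp-includes/script-loader.php
@@ -113,4 +113,9 @@
         apply_filters( 'heartbeat_settings', array() )
     );
+
+    $scripts->add( 'wp-auth-check', "/wp-includes/js/wp-auth-check$suffix.js", array('heartbeat'), false, 1 );
+    did_action( 'init' ) && $scripts->localize( 'wp-auth-check', 'authcheckL10n', array(
+        'beforeunload' => __('Your session has expired. You can log in again from this page or go to the login page.'),
+    ) );
 
     $scripts->add( 'wp-lists', "/wp-includes/js/wp-lists$suffix.js", array( 'wp-ajax-response', 'jquery-color' ), false, 1 );
@@ -544,4 +549,5 @@
     $styles->add( 'media-views', "/wp-includes/css/media-views$suffix.css", array( 'buttons' ) );
     $styles->add( 'buttons', "/wp-includes/css/buttons$suffix.css" );
+    $styles->add( 'wp-auth-check', "/wp-includes/css/wp-auth-check$suffix.css" );
 
     $styles->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelementplayer$suffix.css" );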
  • trunk/wp-login.php

    r23691 r23805  
    4949 
    5050    // Shake it! 
    51     $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' ); 
     51    $shake_error_codes = array( 'interim_login_error', 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' ); 
    5252    $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes ); 
    5353 
    54     if ( ! $interim_login && $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) ) 
     54    if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) ) 
    5555        add_action( 'login_head', 'wp_shake_js', 12 ); 
    5656 
     
    101101        $login_header_url = '#'; 
    102102        $classes[] = 'interim-login'; 
     103        ?> 
     104        <style type="text/css">html{background-color: transparent;}</style> 
     105        <?php 
     106 
     107        if ( 'success' ===  $interim_login ) 
     108            $classes[] = 'interim-login-success'; 
    103109    } 
    104110 
     
    625631        if ( $interim_login ) { 
    626632            $message = '<p class="message">' . __('You have logged in successfully.') . '</p>'; 
     633            $interim_login = 'success'; 
    627634            login_header( '', $message ); ?> 
    628635            </div> 
     
    649656 
    650657    $errors = $user; 
    651     // Clear errors if loggedout or interim_login is set. 
    652     if ( !empty($_GET['loggedout']) || $reauth || $interim_login ) 
     658    // Clear errors if loggedout is set. 
     659    if ( !empty($_GET['loggedout']) || $reauth ) 
    653660        $errors = new WP_Error(); 
    654661 
     
    657664        $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress.")); 
    658665 
    659     // Some parts of this script use the main login form to display a message 
    660     if      ( isset($_GET['loggedout']) && true == $_GET['loggedout'] ) 
    661         $errors->add('loggedout', __('You are now logged out.'), 'message'); 
    662     elseif  ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) 
    663         $errors->add('registerdisabled', __('User registration is currently not allowed.')); 
    664     elseif  ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) 
    665         $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message'); 
    666     elseif  ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) 
    667         $errors->add('newpass', __('Check your e-mail for your new password.'), 'message'); 
    668     elseif  ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) 
    669         $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message'); 
    670     elseif  ( $interim_login ) 
    671         $errors->add('expired', __('Please log in again. You will not move away from this page.'), 'message'); 
    672     elseif ( strpos( $redirect_to, 'about.php?updated' ) ) 
    673         $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' ); 
     666    // Clear most errors if interim login 
     667    if ( $interim_login ) { 
     668        $error_code = $errors->get_error_code(); 
     669        $errors = new WP_Error(); 
     670 
     671        if ( $error_code ) { 
     672            if ( in_array( $error_code, array( 'empty_password', 'empty_username', 'invalid_username', 'incorrect_password' ) ) ) 
     673                $errors->add('interim_login_error', __('<strong>ERROR</strong>: Invalid username or password.')); 
     674            else 
     675                $errors->add('interim_login_error_other', sprintf( __( '<strong>ERROR</strong>: Please contact the site administrator or try to <a href="%s" target="_blank">log in from a new window</a>.' ), wp_login_url() ) ); 
     676        } else { 
     677            $errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message'); 
     678        } 
     679    } else { 
     680        // Some parts of this script use the main login form to display a message 
     681        if      ( isset($_GET['loggedout']) && true == $_GET['loggedout'] ) 
     682            $errors->add('loggedout', __('You are now logged out.'), 'message'); 
     683        elseif  ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) 
     684            $errors->add('registerdisabled', __('User registration is currently not allowed.')); 
     685        elseif  ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) 
     686            $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message'); 
     687        elseif  ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) 
     688            $errors->add('newpass', __('Check your e-mail for your new password.'), 'message'); 
     689        elseif  ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) 
     690            $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message'); 
     691        elseif ( strpos( $redirect_to, 'about.php?updated' ) ) 
     692            $errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' ); 
     693    } 
    674694 
    675695    // Clear any stale cookies. 
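Review bot: The `interim_login_error_other` message added at new line 675 places `wp_login_url()` into an `href` through sprintf without escaping, while every other URL this commit emits goes through esc_url; it should read `sprintf( __( '...' ), esc_url( wp_login_url() ) )`. The `in_array( $error_code, array( ... ) )` test on the line before it would be clearer with its strict flag, `in_array( $error_code, array( 'empty_password', 'empty_username', 'invalid_username', 'incorrect_password' ), true )`, in keeping with the `'success' === $interim_login` comparison introduced earlier in the change. Folding those four credential errors into one generic "Invalid username or password" message for the interim dialog is a sound choice, and a one-line comment stating that the dialog intentionally does not distinguish them would keep a later edit from reintroducing the specific messages. This code is top-level script in wp-login.php and the hunk's surrounding flow continues outside it.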