Make WordPress Core

Changeset 30895


Ignore:
Timestamp:
12/16/2014 12:52:52 PM (10 years ago)
Author:
johnbillion
Message:

Updates to the 'Log out everywhere' implementation.

  • Include a message and a disabled button when you're only logged in at one location.
  • Avoid leaking the session token in HTML.
  • Simplify, simplify, simplify.

Merges [30888] to the 4.1 branch.

Fixes #30264.

Location:
branches/4.1
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/4.1

  • branches/4.1/src/wp-admin/css/common.css

    r30880 r30895  
    12661266.notice p,
    12671267div.updated p,
    1268 div.error p {
     1268div.error p,
     1269.form-table td .notice p {
    12691270    margin: 0.5em 0;
    12701271    padding: 2px;
  • branches/4.1/src/wp-admin/includes/ajax-actions.php

    r30596 r30895  
    27722772function wp_ajax_destroy_sessions() {
    27732773
    2774     if ( empty( $_POST['user_id'] ) ) {
    2775         $user = new WP_Error();
    2776     } else {
    2777         $user = new WP_User( absint( $_POST['user_id'] ) );
    2778 
    2779         if ( ! $user->exists() ) {
    2780             $user = new WP_Error();
    2781         } elseif ( ! current_user_can( 'edit_user', $user->ID ) ) {
    2782             $user = new WP_Error();
    2783         } elseif ( ! check_ajax_referer( sprintf( 'destroy_sessions_%d', $user->ID ), false, false ) ) {
    2784             $user = new WP_Error();
    2785         }
    2786     }
    2787 
    2788     if ( is_wp_error( $user ) ) {
     2774    $user = get_userdata( (int) $_POST['user_id'] );
     2775    if ( $user ) {
     2776        if ( ! current_user_can( 'edit_user', $user->ID ) ) {
     2777            $user = false;
     2778        } elseif ( ! wp_verify_nonce( $_POST['nonce'], 'update-user_' . $user->ID ) ) {
     2779            $user = false;
     2780        }
     2781    }
     2782
     2783    if ( ! $user ) {
    27892784        wp_send_json_error( array(
    27902785            'message' => __( 'Could not log out user sessions. Please try again.' ),
     
    27922787    }
    27932788
    2794     // 'token' is only set if the initiating user is viewing their own profile-editing screen.
    2795     if ( isset( $_POST['token'] ) ) {
    2796         $keep = wp_unslash( $_POST['token'] );
    2797     } else {
    2798         $keep = null;
    2799     }
    2800 
    28012789    $sessions = WP_Session_Tokens::get_instance( $user->ID );
    28022790
    2803     /*
    2804      * If $keep is a string, then the current user is destroying all of their own sessions
    2805      * except the current one. If $keep is not a string, the current user is destroying all
    2806      * of another user's sessions with no exceptions.
    2807      */
    2808     if ( is_string( $keep ) ) {
    2809         $sessions->destroy_others( $keep );
     2791    if ( $user->ID === get_current_user_id() ) {
     2792        $sessions->destroy_others( wp_get_session_token() );
    28102793        $message = __( 'You are now logged out everywhere else.' );
    28112794    } else {
     
    28152798    }
    28162799
    2817     wp_send_json_success( array(
    2818         'message' => $message
    2819     ) );
    2820 
    2821 }
     2800    wp_send_json_success( array( 'message' => $message ) );
     2801}
  • branches/4.1/src/wp-admin/js/user-profile.js

    r30334 r30895  
    1 /* global ajaxurl, pwsL10n, _wpSessionMangager */
     1/* global ajaxurl, pwsL10n */
    22(function($){
    33
     
    126126
    127127    $( '#destroy-sessions' ).on( 'click', function( e ) {
     128        var $this = $(this);
    128129
    129         var $this = $(this);
    130         var data = {
    131             action      : 'destroy-sessions',
    132             _ajax_nonce : _wpSessionMangager.nonce,
    133             user_id     : _wpSessionMangager.user_id,
    134             token       : $(this).data('token')
    135         };
    136 
    137         $.post( ajaxurl, data, function( response ) {
    138 
    139             if ( response.success ) {
    140                 $this.prop( 'disabled', true );
    141                 $this.before( '<div class="updated inline"><p>' + response.data.message + '</p></div>' );
    142             } else {
    143                 $this.before( '<div class="error inline"><p>' + response.data.message + '</p></div>' );
    144             }
    145 
    146         }, 'json' );
     130        wp.ajax.post( 'destroy-sessions', {
     131            nonce: $( '#_wpnonce' ).val(),
     132            user_id: $( '#user_id' ).val()
     133        }).done( function( response ) {
     134            $this.prop( 'disabled', true );
     135            $this.siblings( '.notice' ).remove();
     136            $this.before( '<div class="notice notice-success inline"><p>' + response.message + '</p></div>' );
     137        }).fail( function( response ) {
     138            $this.siblings( '.notice' ).remove();
     139            $this.before( '<div class="notice notice-error inline"><p>' + response.message + '</p></div>' );
     140        });
    147141
    148142        e.preventDefault();
  • branches/4.1/src/wp-admin/user-edit.php

    r30754 r30895  
    2525
    2626wp_enqueue_script('user-profile');
    27 
    28 wp_localize_script(
    29     'user-profile',
    30     '_wpSessionMangager',
    31     array(
    32         'user_id' => $user_id,
    33         'nonce'   => wp_create_nonce( sprintf( 'destroy_sessions_%d', $user_id ) ),
    34     )
    35 );
    3627
    3728$title = IS_PROFILE_PAGE ? __('Profile') : __('Edit User');
     
    494485<?php endif; ?>
    495486
    496 <?php if ( IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 1 ) ) { ?>
     487<?php
     488if ( IS_PROFILE_PAGE && count( $sessions->get_all() ) === 1 ) : ?>
    497489    <tr class="user-sessions-wrap hide-if-no-js">
    498490        <th>&nbsp;</th>
    499491        <td aria-live="assertive">
    500             <div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions" data-token="<?php echo esc_attr( wp_get_session_token() ); ?>"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
     492            <div class="destroy-sessions"><button disabled class="button button-secondary"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
     493            <p class="description">
     494                <?php _e( 'You are only logged in at this location.' ); ?>
     495            </p>
     496        </td>
     497    </tr>
     498<?php elseif ( IS_PROFILE_PAGE && count( $sessions->get_all() ) > 1 ) : ?>
     499    <tr class="user-sessions-wrap hide-if-no-js">
     500        <th>&nbsp;</th>
     501        <td aria-live="assertive">
     502            <div class="destroy-sessions"><button class="button button-secondary" id="destroy-sessions"><?php _e( 'Log Out of All Other Sessions' ); ?></button></div>
    501503            <p class="description">
    502504                <?php _e( 'Left your account logged in at a public computer? Lost your phone? This will log you out everywhere except your current browser.' ); ?>
     
    504506        </td>
    505507    </tr>
    506 <?php } else if ( ! IS_PROFILE_PAGE && ( count( $sessions->get_all() ) > 0 ) ) { ?>
     508<?php elseif ( ! IS_PROFILE_PAGE && $sessions->get_all() ) : ?>
    507509    <tr class="user-sessions-wrap hide-if-no-js">
    508510        <th>&nbsp;</th>
     
    517519        </td>
    518520    </tr>
    519 <?php } ?>
     521<?php endif; ?>
    520522
    521523</table>
  • branches/4.1/src/wp-includes/script-loader.php

    r30892 r30895  
    350350    ) );
    351351
    352     $scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter' ), false, 1 );
     352    $scripts->add( 'user-profile', "/wp-admin/js/user-profile$suffix.js", array( 'jquery', 'password-strength-meter', 'wp-util' ), false, 1 );
    353353    $scripts->add( 'language-chooser', "/wp-admin/js/language-chooser$suffix.js", array( 'jquery' ), false, 1 );
    354354
Note: See TracChangeset for help on using the changeset viewer.