Make WordPress Core


Timestamp: 12/04/2020 09:46:42 PM (4 years ago)
Author: helen
Message:

App Passwords: Prevent conflicts when Basic Auth is already used by the site.

Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.

Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.

Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.

Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Reviewed by TimothyBlynJacobs, helen.
Merges [49752] to the 5.6 branch.
Fixes #51939.

Location: branches/5.6
Files: 2 edited


  • branches/5.6/src/wp-admin/user-edit.php

    r49573 r49754  
    739739                }
    740740            }
    741             ?>
    742         <div class="create-application-password form-wrap">
    743             <div class="form-field">
    744                 <label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
    745                 <input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
    746                 <p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
     741
     742            if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     743                ?>
     744            <div class="create-application-password form-wrap">
     745                <div class="form-field">
     746                    <label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
     747                    <input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
     748                    <p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
     749                </div>
     750
     751                <?php
     752                /**
     753                 * Fires in the create Application Passwords form.
     754                 *
     755                 * @since 5.6.0
     756                 *
     757                 * @param WP_User $profileuser The current WP_User object.
     758                 */
     759                do_action( 'wp_create_application_password_form', $profileuser );
     760                ?>
     761
     762                <?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
    747763            </div>
    748 
    749             <?php
    750             /**
    751              * Fires in the create Application Passwords form.
    752              *
    753              * @since 5.6.0
    754              *
    755              * @param WP_User $profileuser The current WP_User object.
    756              */
    757             do_action( 'wp_create_application_password_form', $profileuser );
    758             ?>
    759 
    760             <?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
    761         </div>
     764        <?php } else { ?>
     765            <div class="notice notice-error inline">
     766                <p><?php _e( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ); ?></p>
     767            </div>
     768        <?php } ?>
    762769
    763770        <div class="application-passwords-list-table-wrapper">
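Review bot: The new guard on line 742 of the right-hand side, `if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) )`, only sees Basic Auth credentials that PHP received on this one request, so it gives a false negative on CGI/FastCGI hosts that do not pass the Authorization header through to PHP (both variables stay empty there even when the whole site sits behind Basic Auth), while the notice on line 766 presents the result as a site-wide statement ("Your website appears to use Basic Authentication"). Please add a short code comment next to the condition describing that limitation, and consider factoring the test into a small helper so that the server-side path that actually creates the Application Password can apply the same check: this hunk only removes the form and the `submit_button()` call from the page, and a hidden form is not a server-side rejection.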