Changeset 52398


Timestamp:
12/21/2021 02:43:18 AM (4 weeks ago)
Author:
hellofromTonya
Message:

Application Passwords: Show HTTPS required message without filtering when not enabled or not in local environment.

When add_filter( 'wp_is_application_passwords_available', '__return_false' ) exists, HTTPS requirement message is shown even if HTTPS is enabled on the site. This happens because wp_is_application_passwords_available_for_user() first invokes wp_is_application_passwords_available() which is filterable. The situation could happen if the 'wp_is_application_passwords_available_for_user' filter returns false.

To fix this, the check for HTTPS (or if in a 'local' environment) is moved to a new function called wp_is_application_passwords_supported(). Then the return from this function is used as an OR condition for the Application Passwords section and for displaying the HTTPS required message.

Tests are included for both wp_is_application_passwords_supported() and wp_is_application_passwords_available().

Follow-up to [51980], [51988].

Props davidbinda, SergeyBiryukov, ocean90, felipeelia, costdev, hellofromTonya.
Fixes #53658.

Location:
trunk
Files:
5 edited

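--- a/trunk/src/wp-admin/user-edit.php
+++ b/trunk/src/wp-admin/user-edit.php
@@ -734,4 +734,5 @@
     </table>
 
+<?php if ( wp_is_application_passwords_available_for_user( $user_id ) || ! wp_is_application_passwords_supported() ) : // phpcs:disable Generic.WhiteSpace.ScopeIndent ?>
     <div class="application-passwords hide-if-no-js" id="application-passwords-section">
         <h2><?php _e( 'Application Passwords' ); ?></h2>
@@ -797,5 +798,5 @@
             ?>
         </div>
-        <?php else : ?>
+        <?php elseif ( ! wp_is_application_passwords_supported() ) : ?>
             <p><?php _e( 'The application password feature requires HTTPS, which is not enabled on this site.' ); ?></p>
             <p>
@@ -810,4 +811,5 @@
         <?php endif; ?>
     </div>
+<?php endif; // phpcs:enable Generic.WhiteSpace.ScopeIndent ?>
 
         <?php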
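Review bot: With the new outer guard at new line 736, a site that has no HTTPS and has also switched the feature off through the `wp_is_application_passwords_available` filter still reaches the `elseif ( ! wp_is_application_passwords_supported() )` branch at new line 800 and is told that HTTPS is the missing piece, assuming the first branch (its condition is outside these hunks) tests per-user availability. The commit message does not cover that combination, and nothing in the template explains why the section is rendered when the feature is unavailable. I would add a comment inside the opening tag, on its own line, such as `// Render the section when the user can use Application Passwords, or when only the HTTPS notice applies.`, so a later edit does not collapse the `elseif` back into a plain `else`. The same predicate is also evaluated twice; storing it in a local variable before the section would keep the two checks in step.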
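--- a/trunk/src/wp-includes/load.php
+++ b/trunk/src/wp-includes/load.php
@@ -192,5 +192,5 @@
     static $current_env = '';
 
-    if ( $current_env ) {
+    if ( ! defined( 'WP_RUN_CORE_TESTS' ) && $current_env ) {
         return $current_env;
     }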
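Review bot: The added `! defined( 'WP_RUN_CORE_TESTS' )` test at new line 194 puts a test-harness switch into a production code path without a comment, and the value it guards feeds a security decision: `wp_is_application_passwords_supported()` in this same changeset accepts plain HTTP when the environment type is 'local'. With the constant defined, the cached `$current_env` is never returned, so the rest of the function (outside this hunk) presumably recomputes the type on every call and a later `putenv()` can change it mid-request. Please document that on the line above, for example `// Core tests switch environment types at runtime, so skip the per-request cache while they run.`, and state there that the constant is not meant to be defined on a live site.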
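--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -4659,8 +4659,22 @@
 
 /**
+ * Checks if Application Passwords is supported.
+ *
+ * Application Passwords is supported only by sites using SSL or local environments
+ * but may be made available using the {@see 'wp_is_application_passwords_available'} filter.
+ *
+ * @since 5.9.0
+ *
+ * @return bool
+ */
+function wp_is_application_passwords_supported() {
+    return is_ssl() || 'local' === wp_get_environment_type();
+}
+
+/**
  * Checks if Application Passwords is globally available.
  *
  * By default, Application Passwords is available to all sites using SSL or to local environments.
- * Use {@see 'wp_is_application_passwords_available'} to adjust its availability.
+ * Use the {@see 'wp_is_application_passwords_available'} filter to adjust its availability.
  *
  * @since 5.6.0
@@ -4669,6 +4683,4 @@
  */
 function wp_is_application_passwords_available() {
-    $available = is_ssl() || 'local' === wp_get_environment_type();
-
     /**
      * Filters whether Application Passwords is available.
@@ -4678,5 +4690,5 @@
      * @param bool $available True if available, false otherwise.
      */
-    return apply_filters( 'wp_is_application_passwords_available', $available );
+    return apply_filters( 'wp_is_application_passwords_available', wp_is_application_passwords_supported() );
 }
 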
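Review bot: The docblock for `wp_is_application_passwords_supported()` (new lines 4661-4669) leaves `@return bool` undescribed and does not say that the function itself applies no filter, which is the reason the profile template can use it to decide on the HTTPS notice. It should also state that the 'local' branch at new line 4671 allows the feature over plain HTTP, so a site whose environment type is set to 'local' by mistake loses the HTTPS requirement. Suggested wording: ` * @return bool True if the site uses SSL or runs in a 'local' environment, false otherwise.`, plus one sentence in the description saying that the result is the unfiltered transport check and that availability is decided by `wp_is_application_passwords_available()`.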
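--- a/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
@@ -948,4 +948,84 @@
 
     /**
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_supported
+     */
+    public function test_wp_is_application_passwords_supported_with_https_only() {
+        $_SERVER['HTTPS'] = 'on';
+        $this->assertTrue( wp_is_application_passwords_supported() );
+    }
+
+    /**
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_supported
+     */
+    public function test_wp_is_application_passwords_supported_with_local_environment_only() {
+        putenv( 'WP_ENVIRONMENT_TYPE=local' );
+
+        $actual = wp_is_application_passwords_supported();
+
+        // Revert to default behaviour so that other tests are not affected.
+        putenv( 'WP_ENVIRONMENT_TYPE' );
+
+        $this->assertTrue( $actual );
+    }
+
+    /**
+     * @dataProvider data_wp_is_application_passwords_available
+     *
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_available
+     *
+     * @param bool|string $expected The expected value.
+     * @param string|null $callback Optional. The callback for the `wp_is_application_passwords_available` hook.
+     *                              Default: null.
+     */
+    public function test_wp_is_application_passwords_available( $expected, $callback = null ) {
+        remove_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        if ( $callback ) {
+            add_filter( 'wp_is_application_passwords_available', $callback );
+        }
+
+        if ( 'default' === $expected ) {
+            putenv( 'WP_ENVIRONMENT_TYPE=local' );
+            $expected = wp_is_application_passwords_supported();
+        }
+
+        $actual = wp_is_application_passwords_available();
+
+        if ( 'default' === $expected ) {
+            // Revert to default behaviour so that other tests are not affected.
+            putenv( 'WP_ENVIRONMENT_TYPE' );
+        }
+
+        $this->assertSame( $expected, $actual );
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array
+     */
+    public function data_wp_is_application_passwords_available() {
+        return array(
+            'availability not forced'   => array(
+                'expected' => 'default',
+            ),
+            'availability forced true'  => array(
+                'expected' => true,
+                'callback' => '__return_true',
+            ),
+            'availability forced false' => array(
+                'expected' => false,
+                'callback' => '__return_false',
+            ),
+        );
+    }
+
+    /**
      * Sets up a REST API request to be authenticated using an App Password.
      *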
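Review bot: In `test_wp_is_application_passwords_available()` the cleanup at new lines 1000-1003 never runs: `$expected` is overwritten with a boolean at new line 995, so the second `'default' === $expected` comparison is always false and `WP_ENVIRONMENT_TYPE=local` stays set for whatever test runs next. Capture the flag once with `$is_default = 'default' === $expected;` and use `if ( $is_default )` for both the setup and the revert. Separately, `$_SERVER['HTTPS'] = 'on'` at new line 955 is not reset in the test, unlike the `putenv()` revert in the test below it; unless the base test case restores `$_SERVER` (not visible here), reset it after the assertion. A leaked 'local' environment or HTTPS flag would make later tests pass the supported check regardless of what they set up.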
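--- a/trunk/tests/qunit/fixtures/wp-api-generated.js
+++ b/trunk/tests/qunit/fixtures/wp-api-generated.js
@@ -19,5 +19,11 @@
         "wp-block-editor/v1"
     ],
-    "authentication": [],
+    "authentication": {
+        "application-passwords": {
+            "endpoints": {
+                "authorization": "http://example.org/wp-admin/authorize-application.php"
+            }
+        }
+    },
     "routes": {
         "/": {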