

Timestamp:
12/21/2021 02:43:18 AM (3 years ago)
Author:
hellofromTonya
Message:

Application Passwords: Show HTTPS required message without filtering when not enabled or not in local environment.

When add_filter( 'wp_is_application_passwords_available', '__return_false' ) exists, HTTPS requirement message is shown even if HTTPS is enabled on the site. This happens because wp_is_application_passwords_available_for_user() first invokes wp_is_application_passwords_available() which is filterable. The situation could happen if the 'wp_is_application_passwords_available_for_user' filter returns false.

To fix this, the check for HTTPS (or if in a 'local' environment) is moved to a new function called wp_is_application_passwords_supported(). Then the return from this function is used as an OR condition for the Application Passwords section and for displaying the HTTPS required message.

Tests are included for both wp_is_application_passwords_supported() and wp_is_application_passwords_available().

Follow-up to [51980], [51988].

Props davidbinda, SergeyBiryukov, ocean90, felipeelia, costdev, hellofromTonya.
Fixes #53658.

File:
1 edited

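--- a/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
@@ -948,4 +948,84 @@
 
     /**
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_supported
+     */
+    public function test_wp_is_application_passwords_supported_with_https_only() {
+        $_SERVER['HTTPS'] = 'on';
+        $this->assertTrue( wp_is_application_passwords_supported() );
+    }
+
+    /**
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_supported
+     */
+    public function test_wp_is_application_passwords_supported_with_local_environment_only() {
+        putenv( 'WP_ENVIRONMENT_TYPE=local' );
+
+        $actual = wp_is_application_passwords_supported();
+
+        // Revert to default behaviour so that other tests are not affected.
+        putenv( 'WP_ENVIRONMENT_TYPE' );
+
+        $this->assertTrue( $actual );
+    }
+
+    /**
+     * @dataProvider data_wp_is_application_passwords_available
+     *
+     * @ticket 53658
+     *
+     * @covers ::wp_is_application_passwords_available
+     *
+     * @param bool|string $expected The expected value.
+     * @param string|null $callback Optional. The callback for the `wp_is_application_passwords_available` hook.
+     *                              Default: null.
+     */
+    public function test_wp_is_application_passwords_available( $expected, $callback = null ) {
+        remove_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        if ( $callback ) {
+            add_filter( 'wp_is_application_passwords_available', $callback );
+        }
+
+        if ( 'default' === $expected ) {
+            putenv( 'WP_ENVIRONMENT_TYPE=local' );
+            $expected = wp_is_application_passwords_supported();
+        }
+
+        $actual = wp_is_application_passwords_available();
+
+        if ( 'default' === $expected ) {
+            // Revert to default behaviour so that other tests are not affected.
+            putenv( 'WP_ENVIRONMENT_TYPE' );
+        }
+
+        $this->assertSame( $expected, $actual );
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array
+     */
+    public function data_wp_is_application_passwords_available() {
+        return array(
+            'availability not forced'   => array(
+                'expected' => 'default',
+            ),
+            'availability forced true'  => array(
+                'expected' => true,
+                'callback' => '__return_true',
+            ),
+            'availability forced false' => array(
+                'expected' => false,
+                'callback' => '__return_false',
+            ),
+        );
+    }
+
+    /**
      * Sets up a REST API request to be authenticated using an App Password.
      *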
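Review bot: In `test_wp_is_application_passwords_available()` the second `if ( 'default' === $expected )` can never be true, because `$expected` has already been overwritten with the boolean returned by `wp_is_application_passwords_supported()`, so `putenv( 'WP_ENVIRONMENT_TYPE' )` never runs and the `local` environment type stays set for whatever test runs next. Capture the flag before the reassignment, `$is_default = 'default' === $expected;`, and use `if ( $is_default )` for both the setup and the revert. This matters for the security property under test: per the commit description a `local` environment satisfies the support check on its own, so a leaked `local` value can make later HTTPS-requirement assertions pass without HTTPS. In the same vein, `test_wp_is_application_passwords_supported_with_https_only()` sets `$_SERVER['HTTPS'] = 'on'` without restoring it in the visible lines, and the hunk has no case asserting that `wp_is_application_passwords_supported()` returns `false` when neither HTTPS nor a local environment is present, which is the case that actually guards credentials from being sent over plain HTTP.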