* @license http://www.gnu.org/licenses/gpl-2.0.html GPL2
* @link http://hawaii.edu/coe/dcdc/wordpress/authorizer/doc/
*/
class WP_Plugin_Authorizer {
/**
* Constructor.
*/
public function __construct() {
// Installation and uninstallation hooks.
register_activation_hook( __FILE__, array( $this, 'activate' ) );
register_deactivation_hook( __FILE__, array( $this, 'deactivate' ) );
// Register filters.
// Custom wp authentication routine using external service.
add_filter( 'authenticate', array( $this, 'custom_authenticate' ), 1, 3 );
// Custom logout action using external service.
add_action( 'wp_logout', array( $this, 'custom_logout' ) );
// Removing this bypasses Wordpress authentication (so if external auth fails,
// no one can log in); with it enabled, it will run if external auth fails.
//remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
// Create settings link on Plugins page
add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), array( $this, 'plugin_settings_link' ) );
add_filter( 'network_admin_plugin_action_links_' . plugin_basename( __FILE__ ), array( $this, 'network_admin_plugin_settings_link' ) );
// Modify login page with a custom password url (if option is set).
add_filter( 'lostpassword_url', array( $this, 'custom_lostpassword_url' ) );
// If we have a custom login error, add the filter to show it.
$error = get_option( 'auth_settings_advanced_login_error' );
if ( $error && strlen( $error ) > 0 ) {
add_filter( 'login_errors', array( $this, 'show_advanced_login_error' ) );
}
// Register actions.
// Perform plugin updates if newer version installed.
add_action( 'plugins_loaded', array( $this, 'auth_update_check' ) );
// Update the user meta with this user's failed login attempt.
add_action( 'wp_login_failed', array( $this, 'update_login_failed_count' ) );
// Create menu item in Settings
add_action( 'admin_menu', array( $this, 'add_plugin_page' ) );
// Create options page
add_action( 'admin_init', array( $this, 'page_init' ) );
// Update user role in approved list if it's changed in the WordPress edit user page.
add_action( 'edit_user_profile_update', array( $this, 'edit_user_profile_update_role' ) );
// Enqueue javascript and css on the plugin's options page, the
// dashboard (for the widget), and the network admin.
add_action( 'load-settings_page_authorizer', array( $this, 'load_options_page' ) );
add_action( 'admin_head-index.php', array( $this, 'load_options_page' ) );
add_action( 'load-toplevel_page_authorizer', array( $this, 'load_options_page' ) );
// Add custom css and js to wp-login.php
add_action( 'login_enqueue_scripts', array( $this, 'login_enqueue_scripts_and_styles' ) );
add_action( 'login_footer', array( $this, 'load_login_footer_js' ) );
// Modify login page with external auth links (if enabled; e.g., google or cas)
add_action( 'login_form', array( $this, 'login_form_add_external_service_links' ) );
// Verify current user has access to page they are visiting
add_action( 'parse_request', array( $this, 'restrict_access' ), 1 );
// ajax save options from dashboard widget
add_action( 'wp_ajax_update_auth_user', array( $this, 'ajax_update_auth_user' ) );
// ajax save options from multisite options page
add_action( 'wp_ajax_save_auth_multisite_settings', array( $this, 'ajax_save_auth_multisite_settings' ) );
// ajax save usermeta from options page
add_action( 'wp_ajax_update_auth_usermeta', array( $this, 'ajax_update_auth_usermeta' ) );
// ajax verify google login
add_action( 'wp_ajax_process_google_login', array( $this, 'ajax_process_google_login' ) );
add_action( 'wp_ajax_nopriv_process_google_login', array( $this, 'ajax_process_google_login' ) );
// Add dashboard widget so instructors can add/edit users with access.
// Hint: For Multisite Network Admin Dashboard use wp_network_dashboard_setup instead of wp_dashboard_setup.
add_action( 'wp_dashboard_setup', array( $this, 'add_dashboard_widgets' ) );
// If we have a custom admin message, add the action to show it.
$notice = get_option( 'auth_settings_advanced_admin_notice' );
if ( $notice && strlen( $notice ) > 0 ) {
add_action( 'admin_notices', array( $this, 'show_advanced_admin_notice' ) );
add_action( 'network_admin_notices', array( $this, 'show_advanced_admin_notice' ) );
}
// Load custom javascript for the main site (e.g., for displaying alerts).
add_action( 'wp_enqueue_scripts', array( $this, 'auth_public_scripts' ), 20 );
// If multisite, add network admin options page (global settings for all sites)
if ( is_multisite() ) {
add_action( 'network_admin_menu', array( $this, 'network_admin_menu' ) );
}
// Create login cookie (used by google login)
if ( ! isset( $_COOKIE['login_unique'] ) ) {
setcookie( 'login_unique', $this->get_cookie_value(), time()+1800, '/', defined( COOKIE_DOMAIN ) ? COOKIE_DOMAIN : '' );
}
} // END __construct()
/**
* Plugin activation hook.
* Will also activate the plugin for all sites/blogs if this is a "Network enable."
*
* @return void
*/
public function activate() {
global $wpdb;
// If we're in a multisite environment, run the plugin activation for each site when network enabling
if ( is_multisite() && isset( $_GET['networkwide'] ) && $_GET['networkwide'] == 1 ) {
$old_blog = $wpdb->blogid;
// Get all blog ids
$blogs = wp_get_sites( array( 'limit' => 999999 ) );
foreach ( $blogs as $blog ) {
switch_to_blog( $blog['blog_id'] );
// Set meaningful defaults for other sites in the network.
$this->set_default_options();
// Add current WordPress users to the approved list.
$this->add_wp_users_to_approved_list();
}
switch_to_blog( $old_blog );
} else {
// Set meaningful defaults for this site.
$this->set_default_options();
// Add current WordPress users to the approved list.
$this->add_wp_users_to_approved_list();
}
} // END activate()
/**
* Adds all WordPress users in the current site to the approved list,
* unless they are already in the blocked list. Also removes them
* from the pending list if they are there.
*
* Runs in plugin activation hook.
*
* @return void
*/
private function add_wp_users_to_approved_list() {
// Add current WordPress users to the approved list.
$auth_multisite_settings_access_users_approved = is_multisite() ? get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', array() ) : array();
$auth_settings_access_users_pending = $this->get_plugin_option( 'access_users_pending', 'single admin' );
$auth_settings_access_users_approved = $this->get_plugin_option( 'access_users_approved', 'single admin' );
$auth_settings_access_users_blocked = $this->get_plugin_option( 'access_users_blocked', 'single admin' );
$default_role = $this->get_plugin_option( 'access_default_role', 'single admin', 'allow override' );
$updated = false;
foreach ( get_users() as $user ) {
// Skip if user is in blocked list.
if ( $this->in_multi_array( $user->user_email, $auth_settings_access_users_blocked ) ) {
continue;
}
// Skip if user is in multisite approved list.
if ( $this->in_multi_array( $user->user_email, $auth_multisite_settings_access_users_approved ) ) {
continue;
}
// Add to approved list if not there.
if ( ! $this->in_multi_array( $user->user_email, $auth_settings_access_users_approved ) ) {
$approved_user = array(
'email' => $user->user_email,
'role' => count( $user->roles ) > 0 ? $user->roles[0] : $default_role,
'date_added' => date( 'M Y', strtotime( $user->user_registered ) ),
'local_user' => true,
);
array_push( $auth_settings_access_users_approved, $approved_user );
$updated = true;
}
// Remove from pending list if there.
foreach ( $auth_settings_access_users_pending as $key => $pending_user ) {
if ( $pending_user['email'] == $user->user_email ) {
unset( $auth_settings_access_users_pending[$key] );
$updated = true;
}
}
}
if ( $updated ) {
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
}
/**
* Plugin deactivation.
*
* @return void
*/
public function deactivate() {
// Do nothing.
} // END deactivate()
/**
* ***************************
* External Authentication
* ***************************
*/
/**
* Authenticate against an external service.
*
* @param WP_User $user user to authenticate
* @param string $username optional username to authenticate.
* @param string $password optional password to authenticate.
*
* @return WP_User or WP_Error
*/
public function custom_authenticate( $user, $username, $password ) {
// Pass through if already authenticated.
if ( is_a( $user, 'WP_User' ) ) {
return $user;
} else {
$user = null;
}
// If username and password are blank, this isn't a log in attempt
$is_login_attempt = strlen( $username ) > 0 && strlen( $password ) > 0;
// Check to make sure that $username is not locked out due to too
// many invalid login attempts. If it is, tell the user how much
// time remains until they can try again.
$unauthenticated_user = $is_login_attempt ? get_user_by( 'login', $username ) : false;
$unauthenticated_user_is_blocked = false;
if ( $is_login_attempt && $unauthenticated_user !== false ) {
$last_attempt = get_user_meta( $unauthenticated_user->ID, 'auth_settings_advanced_lockouts_time_last_failed', true );
$num_attempts = get_user_meta( $unauthenticated_user->ID, 'auth_settings_advanced_lockouts_failed_attempts', true );
// Also check the auth_blocked user_meta flag (users in blocked list will get this flag)
$unauthenticated_user_is_blocked = get_user_meta( $unauthenticated_user->ID, 'auth_blocked', true ) === 'yes';
} else {
$last_attempt = get_option( 'auth_settings_advanced_lockouts_time_last_failed' );
$num_attempts = get_option( 'auth_settings_advanced_lockouts_failed_attempts' );
}
// Inactive users should be treated like deleted users (we just
// do this to preserve any content they created, but here we should
// pretend they don't exist).
if ( $unauthenticated_user_is_blocked ) {
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
return new WP_Error( 'empty_password', __( 'ERROR: Incorrect username or password.' ) );
}
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
// Make sure $last_attempt (time) and $num_attempts are positive integers.
// Note: this addresses resetting them if either is unset from above.
$last_attempt = abs( intval( $last_attempt ) );
$num_attempts = abs( intval( $num_attempts ) );
// Create semantic lockout variables.
$lockouts = $auth_settings['advanced_lockouts'];
$time_since_last_fail = time() - $last_attempt;
$reset_duration = $lockouts['reset_duration'] * 60; // minutes to seconds
$num_attempts_long_lockout = $lockouts['attempts_1'] + $lockouts['attempts_2'];
$num_attempts_short_lockout = $lockouts['attempts_1'];
$seconds_remaining_long_lockout = $lockouts['duration_2'] * 60 - $time_since_last_fail;
$seconds_remaining_short_lockout = $lockouts['duration_1'] * 60 - $time_since_last_fail;
// Check if we need to institute a lockout delay
if ( $is_login_attempt && $time_since_last_fail > $reset_duration ) {
// Enough time has passed since the last invalid attempt and
// now that we can reset the failed attempt count, and let this
// login attempt go through.
$num_attempts = 0; // This does nothing, but include it for semantic meaning.
} elseif ( $is_login_attempt && $num_attempts > $num_attempts_long_lockout && $seconds_remaining_long_lockout > 0 ) {
// Stronger lockout (1st/2nd round of invalid attempts reached)
// Note: set the error code to 'empty_password' so it doesn't
// trigger the wp_login_failed hook, which would continue to
// increment the failed attempt count.
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
return new WP_Error( 'empty_password', sprintf( __( 'ERROR: There have been too many invalid login attempts for the username %1$s. Please wait %3$s before trying again. Lost your password?' ), $username, $seconds_remaining_long_lockout, $this->seconds_as_sentence( $seconds_remaining_long_lockout ), wp_lostpassword_url() ) );
} elseif ( $is_login_attempt && $num_attempts > $num_attempts_short_lockout && $seconds_remaining_short_lockout > 0 ) {
// Normal lockout (1st round of invalid attempts reached)
// Note: set the error code to 'empty_password' so it doesn't
// trigger the wp_login_failed hook, which would continue to
// increment the failed attempt count.
remove_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
return new WP_Error( 'empty_password', sprintf( __( 'ERROR: There have been too many invalid login attempts for the username %1$s. Please wait %3$s before trying again. Lost your password?' ), $username, $seconds_remaining_short_lockout, $this->seconds_as_sentence( $seconds_remaining_short_lockout ), wp_lostpassword_url() ) );
}
// Start external authentication.
$externally_authenticated_email = '';
$authenticated_by = '';
// Try Google authentication if it's enabled and we don't have a
// successful login yet.
if ( $auth_settings['google'] === '1' ) {
$result = $this->custom_authenticate_google( $auth_settings );
if ( ! is_wp_error( $result ) ) {
$externally_authenticated_email = $result['email'];
$authenticated_by = $result['authenticated_by'];
}
}
// Try CAS authentication if it's enabled and we don't have a
// successful login yet.
if ( $auth_settings['cas'] === '1' && strlen( $externally_authenticated_email ) === 0 ) {
$result = $this->custom_authenticate_cas( $auth_settings );
if ( ! is_wp_error( $result ) ) {
$externally_authenticated_email = $result['email'];
$authenticated_by = $result['authenticated_by'];
}
}
// Try LDAP authentication if it's enabled and we don't have an
// authenticated user yet.
if ( $auth_settings['ldap'] === '1' && strlen( $externally_authenticated_email ) === 0 ) {
$result = $this->custom_authenticate_ldap( $auth_settings, $username, $password );
if ( ! is_wp_error( $result ) ) {
$externally_authenticated_email = $result['email'];
$authenticated_by = $result['authenticated_by'];
}
}
// Skip to WordPress authentication if we don't have an externally
// authenticated user.
if ( strlen( $externally_authenticated_email ) < 1 ) {
return null;
}
// If we've made it this far, we should have an externally
// authenticated user. The following should be set:
// $externally_authenticated_email
// $authenticated_by
// Get the external user's WordPress account by email address.
$user = get_user_by( 'email', $externally_authenticated_email );
// Check this external user's access against the access lists
// (pending, approved, blocked)
$result = $this->check_user_access( $user, $externally_authenticated_email, $result );
// Fail with message if error.
if ( is_wp_error( $result ) ) {
return $result;
}
// If we created a new user in check_user_access(), log that user in.
if ( get_class( $result ) === 'WP_User' ) {
$user = $result;
}
// We'll track how this user was authenticated in user meta.
if ( $user ) {
update_user_meta( $user->ID, 'authenticated_by', $authenticated_by );
}
// If we haven't exited yet, we have a valid/approved user, so authenticate them.
return $user;
} // END custom_authenticate()
/**
* This function will fail with a wp_die() message to the user if they
* don't have access.
*
* @param WP_User $user User to check
* @param [type] $user_email User's plaintext email (in case current user doesn't have a WP account)
* @param [type] $user_data Array of keys for user email, first_name, last_name, and authenticated_by
* @return WP_Error if there was an error on user creation / adding user to blog
* wp_die() if user does not have access
* null if user has access (success)
*/
private function check_user_access( $user, $user_email, $user_data = array() ) {
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
$auth_settings_access_users_pending = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_pending', 'single admin' )
);
$auth_settings_access_users_approved = $this->sanitize_user_list(
array_merge(
$this->get_plugin_option( 'access_users_approved', 'single admin' ),
$this->get_plugin_option( 'access_users_approved', 'multisite admin' )
)
);
// Check our externally authenticated user against the block list.
// If they are blocked, set the relevant user meta field, and show
// them an error screen.
if ( $this->is_email_in_list( $user_email, 'blocked' ) ) {
// If the blocked external user has a WordPress account, change
// its password and mark it as blocked.
if ( $user ) {
// Mark user as blocked (enforce block in this->authenticate()).
update_user_meta( $user->ID, 'auth_blocked', 'yes' );
}
// Notify user about blocked status and return without authenticating them.
$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url();
$page_title = get_bloginfo( 'name' ) . ' - Access Restricted';
$error_message = apply_filters( 'the_content', $auth_settings['access_blocked_redirect_to_message'] );
$error_message .= '
';
update_option( 'auth_settings_advanced_login_error', $error_message );
wp_die( $error_message, $page_title );
}
// If this externally authenticated user isn't in the approved list
// and login access is set to "All authenticated users," add them
// to the approved list (they'll get an account created below if
// they don't have one yet).
$is_newly_approved_user = false;
if ( ! $this->is_email_in_list( $user_email, 'approved' ) && $auth_settings['access_who_can_login'] === 'external_users' ) {
$is_newly_approved_user = true;
// If this user happens to be in the pending list (rare),
// remove them from pending before adding them to approved.
if ( $this->is_email_in_list( $user_email, 'pending' ) ) {
foreach ( $auth_settings_access_users_pending as $key => $pending_user ) {
if ( $pending_user['email'] === $user_email ) {
unset( $auth_settings_access_users_pending[ $key ] );
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
break;
}
}
}
// Add this user to the approved list.
$approved_role = $user && is_array( $user->roles ) && count( $user->roles ) > 0 ? $user->roles[0] : $auth_settings['access_default_role'];
$approved_user = array(
'email' => $user_email,
'role' => $approved_role,
'date_added' => date( "Y-m-d H:i:s" ),
);
array_push( $auth_settings_access_users_approved, $approved_user );
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
// Check our externally authenticated user against the approved
// list. If they are approved, log them in (and create their account
// if necessary)
if ( $is_newly_approved_user || $this->is_email_in_list( $user_email, 'approved' ) ) {
$user_info = $is_newly_approved_user ? $approved_user : $this->get_user_info_from_list( $user_email, $auth_settings_access_users_approved );
// If the approved external user does not have a WordPress account, create it
if ( ! $user ) {
// If there's already a user with this username (e.g.,
// johndoe/johndoe@gmail.com exists, and we're trying to add
// johndoe/johndoe@example.com), use the full email address
// as the username.
$username = explode( "@", $user_info['email'] );
$username = $username[0];
if ( get_user_by( 'login', $username ) !== false ) {
$username = $approved_user['email'];
}
$result = wp_insert_user(
array(
'user_login' => strtolower( $username ),
'user_pass' => wp_generate_password(), // random password
'first_name' => array_key_exists( 'first_name', $user_data ) ? $user_data['first_name'] : '',
'last_name' => array_key_exists( 'last_name', $user_data ) ? $user_data['last_name'] : '',
'user_email' => strtolower( $user_info['email'] ),
'user_registered' => date( 'Y-m-d H:i:s' ),
'role' => $user_info['role'],
)
);
// Fail with message if error.
if ( is_wp_error( $result ) || $result == 0 ) {
return $result;
}
// Authenticate as new user
$user = new WP_User( $result );
// Check if this new user has any preassigned usermeta
// values in their approved list entry, and apply them to
// their new WordPress account.
if ( array_key_exists( 'usermeta', $user_info ) && is_array( $user_info['usermeta'] ) ) {
$meta_key = $this->get_plugin_option( 'advanced_usermeta' );
if ( array_key_exists( 'meta_key', $user_info['usermeta'] ) && array_key_exists( 'meta_value', $user_info['usermeta'] ) ) {
// Only update the usermeta if the stored value matches
// the option set in authorizer settings (if they don't
// match it's probably old data).
if ( $meta_key === $user_info['usermeta']['meta_key'] ) {
// Update user's usermeta value for usermeta key stored in authorizer options.
if ( strpos( $meta_key, 'acf___' ) === 0 && class_exists( 'acf' ) ) {
// We have an ACF field value, so use the ACF function to update it.
update_field( str_replace('acf___', '', $meta_key ), $user_info['usermeta']['meta_value'], 'user_' . $user->ID );
} else {
// We have a normal usermeta value, so just update it via the WordPress function.
update_user_meta( $user->ID, $meta_key, $user_info['usermeta']['meta_value'] );
}
}
} elseif ( is_multisite() && count( $user_info['usermeta'] ) > 0 ) {
// Update usermeta for each multisite blog defined for this user.
foreach ( $user_info['usermeta'] as $blog_id => $usermeta ) {
if ( array_key_exists( 'meta_key', $usermeta ) && array_key_exists( 'meta_value', $usermeta ) ) {
// Add this new user to the blog before we create their user meta (this step typically happens below, but we need it to happen early so we can create user meta here).
if ( ! is_user_member_of_blog( $user->ID, $blog_id ) ) {
add_user_to_blog( $blog_id, $user->ID, $user_info['role'] );
}
switch_to_blog( $blog_id );
// Update user's usermeta value for usermeta key stored in authorizer options.
if ( strpos( $meta_key, 'acf___' ) === 0 && class_exists( 'acf' ) ) {
// We have an ACF field value, so use the ACF function to update it.
update_field( str_replace('acf___', '', $meta_key ), $usermeta['meta_value'], 'user_' . $user->ID );
} else {
// We have a normal usermeta value, so just update it via the WordPress function.
update_user_meta( $user->ID, $meta_key, $usermeta['meta_value'] );
}
restore_current_blog();
}
}
}
}
} else {
// Update first/last names of WordPress user from external
// service if that option is set.
if ( ( array_key_exists( 'authenticated_by', $user_data ) && $user_data['authenticated_by'] === 'cas' && array_key_exists( 'cas_attr_update_on_login', $auth_settings ) && $auth_settings['cas_attr_update_on_login'] == 1 ) || ( array_key_exists( 'authenticated_by', $user_data ) && $user_data['authenticated_by'] === 'ldap' && array_key_exists( 'ldap_attr_update_on_login', $auth_settings ) && $auth_settings['ldap_attr_update_on_login'] == 1 ) ) {
if ( array_key_exists( 'first_name', $user_data ) && strlen( $user_data['first_name'] ) > 0 ) {
wp_update_user( array(
'ID' => $user->ID,
'first_name' => $user_data['first_name'],
));
}
if ( array_key_exists( 'last_name', $user_data ) && strlen( $user_data['last_name'] ) > 0 ) {
wp_update_user( array(
'ID' => $user->ID,
'last_name' => $user_data['last_name'],
));
}
}
}
// If this is multisite, add new user to current blog.
if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
$result = add_user_to_blog( get_current_blog_id(), $user->ID, $user_info['role'] );
// Fail with message if error.
if ( is_wp_error( $result ) ) {
return $result;
}
}
// Ensure user has the same role as their entry in the approved list.
// (This is just a precaution, the role should already be set when
// saving admin options in the sanitizing function.)
if ( $user_info && ! array_key_exists( $user_info['role'], $user->roles ) ) {
$user->set_role( $user_info['role'] );
}
return $user;
} elseif ( $user && in_array( 'administrator', $user->roles ) ) {
// User has a WordPress account, but is not in the blocked or approved
// list. If they are an administrator, let them in.
return;
} else {
// User isn't an admin, is not blocked, and is not approved.
// Add them to the pending list and notify them and their instructor.
if ( strlen( $user_email ) > 0 && ! $this->is_email_in_list( $user_email, 'pending' ) ) {
$pending_user = array();
$pending_user['email'] = $user_email;
$pending_user['role'] = $auth_settings['access_default_role'];
$pending_user['date_added'] = '';
array_push( $auth_settings_access_users_pending, $pending_user );
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
// Create strings used in the email notification.
$site_name = get_bloginfo( 'name' );
$site_url = get_bloginfo( 'url' );
$authorizer_options_url = $auth_settings['advanced_admin_menu'] === 'settings' ? admin_url( 'options-general.php?page=authorizer' ) : admin_url( '?page=authorizer' );
// Notify instructor about new pending user if that option is set.
foreach ( get_users( array( 'role' => $auth_settings['access_role_receive_pending_emails'] ) ) as $user_recipient ) {
wp_mail(
$user_recipient->user_email,
"Action required: Pending user {$pending_user['email']} at $site_name",
"A new user has tried to access the $site_name site you manage at:\n$site_url\n\n" .
"Please log in to approve or deny their request:\n$authorizer_options_url\n"
);
}
}
// Notify user about pending status and return without authenticating them.
$redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url();
$page_title = get_bloginfo( 'name' ) . ' - Access Pending';
$error_message = apply_filters( 'the_content', $auth_settings['access_pending_redirect_to_message'] );
$error_message .= '
';
update_option( 'auth_settings_advanced_login_error', $error_message );
wp_die( $error_message, $page_title );
}
} // END check_user_access()
/**
* Verify the Google login and set a session token.
*
* Flow: "Sign in with Google" button clicked; JS Google library
* called; JS function signInCallback() fired with results from Google;
* signInCallback() posts code and nonce (via AJAX) to this function;
* This function checks the token using the Google PHP library, and
* saves it to a session variable if it's authentic; control passes
* back to signInCallback(), which will reload the current page
* (wp-login.php) on success; wp-login.php reloads; custom_authenticate
* hooked into authenticate action fires again, and
* custom_authenticate_google() runs to verify the token; once verified
* custom_authenticate proceeds as normal with the google email address
* as a successfully authenticated external user.
*
* @return void, but die with the value to return to the success() function in AJAX call signInCallback()
*/
function ajax_process_google_login() {
$nonce = array_key_exists( 'nonce', $_POST ) ? $_POST['nonce'] : '';
$code = array_key_exists( 'code', $_POST ) ? $_POST['code'] : null;
// Nonce check.
if ( ! wp_verify_nonce( $nonce, 'google_csrf_nonce' ) ) {
return '';
}
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
// Build the Google Client.
$client = new Google_Client();
$client->setApplicationName( 'WordPress' );
$client->setClientId( $auth_settings['google_clientid'] );
$client->setClientSecret( $auth_settings['google_clientsecret'] );
$client->setRedirectUri( 'postmessage' );
// Get one time use token (if it doesn't exist, we'll create one below)
session_start();
$token = array_key_exists( 'token', $_SESSION ) ? json_decode( $_SESSION['token'] ) : null;
if ( empty( $token ) ) {
// Exchange the OAuth 2.0 authorization code for user credentials.
$client->authenticate( $code );
$token = json_decode( $client->getAccessToken() );
// Store the token in the session for later use.
$_SESSION['token'] = json_encode( $token );
$response = "Successfully authenticated.";
} else {
$client->setAccessToken( json_encode( $token ) );
$response = 'Already authenticated.';
}
die( $response );
} // END ajax_process_google_login()
/**
* Validate this user's credentials against Google.
*
* @param array $auth_settings Plugin settings
* @return [mixed] Array containing 'email' and 'authenticated_by'
* strings for the successfully authenticated
* user, or WP_Error() object on failure.
*/
private function custom_authenticate_google( $auth_settings ) {
// Get one time use token
session_start();
$token = array_key_exists( 'token', $_SESSION ) ? json_decode( $_SESSION['token'] ) : null;
// No token, so this is not a succesful Google login.
if ( is_null( $token ) ) {
return new WP_Error( 'no_google_login', 'No Google credentials provided.' );
}
// Build the Google Client.
$client = new Google_Client();
$client->setApplicationName( 'WordPress' );
$client->setClientId( $auth_settings['google_clientid'] );
$client->setClientSecret( $auth_settings['google_clientsecret'] );
$client->setRedirectUri( 'postmessage' );
// Verify this is a successful Google authentication
$ticket = $client->verifyIdToken( $token->id_token, $auth_settings['google_clientid'] );
// Invalid ticket, so this in not a successful Google login.
if ( ! $ticket ) {
return new WP_Error( 'invalid_google_login', 'Invalid Google credentials provided.' );
}
// Get email address
$attributes = $ticket->getAttributes();
$email = $attributes['payload']['email'];
return array(
'email' => $email,
'first_name' => '',
'last_name' => '',
'authenticated_by' => 'google',
);
} // END custom_authenticate_google()
/**
* Validate this user's credentials against CAS.
*
* @param array $auth_settings Plugin settings
* @return [mixed] Array containing 'email' and 'authenticated_by'
* strings for the successfully authenticated
* user, or WP_Error() object on failure.
*/
private function custom_authenticate_cas( $auth_settings ) {
// Move on if CAS hasn't been requested here.
if ( empty( $_GET['external'] ) || $_GET['external'] !== 'cas' ) {
return new WP_Error( 'cas_not_available', 'CAS is not enabled.' );
}
// Set the CAS client configuration
phpCAS::client( SAML_VERSION_1_1, $auth_settings['cas_host'], intval( $auth_settings['cas_port'] ), $auth_settings['cas_path'] );
// Update server certificate bundle if it doesn't exist or is older
// than 3 months, then use it to ensure CAS server is legitimate.
$cacert_path = plugin_dir_path( __FILE__ ) . 'inc/cacert.pem';
$time_90_days = 90 * 24 * 60 * 60; // days * hours * minutes * seconds
$time_90_days_ago = time() - $time_90_days;
if ( ! file_exists( $cacert_path ) || filemtime( $cacert_path ) < $time_90_days_ago ) {
$cacert_contents = file_get_contents( 'http://curl.haxx.se/ca/cacert.pem' );
if ( $cacert_contents !== false ) {
file_put_contents( $cacert_path, $cacert_contents );
} else {
return new WP_Error( 'cannot_update_cacert', 'Unable to update outdated server certificates from http://curl.haxx.se/ca/cacert.pem.' );
}
}
phpCAS::setCasServerCACert( $cacert_path );
// Authenticate against CAS
if ( ! phpCAS::isAuthenticated() ) {
phpCAS::forceAuthentication();
die();
}
// Get the TLD from the CAS host for use in matching email addresses
// For example: example.edu is the TLD for authn.example.edu, so user
// 'bob' will have the following email address: bob@example.edu.
$tld = preg_match( '/[^.]*\.[^.]*$/', $auth_settings['cas_host'], $matches ) === 1 ? $matches[0] : '';
// Get username that successfully authenticated against the external service (CAS).
$externally_authenticated_email = strtolower( phpCAS::getUser() ) . '@' . $tld;
// Retrieve the user attributes (e.g., email address, first name, last name) from the CAS server.
$cas_attributes = phpCAS::getAttributes();
// If a CAS attribute has been specified as containing the email address, use that instead.
if ( array_key_exists( 'cas_attr_email', $auth_settings ) && strlen( $auth_settings['cas_attr_email'] ) > 0 && array_key_exists( $auth_settings['cas_attr_email'], $cas_attributes ) && strlen( $cas_attributes[$auth_settings['cas_attr_email']] ) > 0 ) {
$externally_authenticated_email = $cas_attributes[$auth_settings['cas_attr_email']];
}
// Get user first name and last name.
$first_name = array_key_exists( 'cas_attr_first_name', $auth_settings ) && strlen( $auth_settings['cas_attr_first_name'] ) > 0 && array_key_exists( $auth_settings['cas_attr_first_name'], $cas_attributes ) && strlen( $cas_attributes[$auth_settings['cas_attr_first_name']] ) > 0 ? $cas_attributes[$auth_settings['cas_attr_first_name']] : '';
$last_name = array_key_exists( 'cas_attr_last_name', $auth_settings ) && strlen( $auth_settings['cas_attr_last_name'] ) > 0 && array_key_exists( $auth_settings['cas_attr_last_name'], $cas_attributes ) && strlen( $cas_attributes[$auth_settings['cas_attr_last_name']] ) > 0 ? $cas_attributes[$auth_settings['cas_attr_last_name']] : '';
return array(
'email' => $externally_authenticated_email,
'first_name' => $first_name,
'last_name' => $last_name,
'authenticated_by' => 'cas',
);
} // END custom_authenticate_cas()
/**
* Validate this user's credentials against LDAP.
*
* @param array $auth_settings Plugin settings
* @param string $username Attempted username from authenticate action
* @param string $password Attempted password from authenticate action
* @return [mixed] Array containing 'email' and 'authenticated_by'
* strings for the successfully authenticated
* user, or WP_Error() object on failure.
*/
private function custom_authenticate_ldap( $auth_settings, $username, $password ) {
// Get the TLD from the LDAP host for use in matching email addresses
// For example: example.edu is the TLD for ldap.example.edu, so user
// 'bob' will have the following email address: bob@example.edu.
$tld = preg_match( '/[^.]*\.[^.]*$/', $auth_settings['ldap_host'], $matches ) === 1 ? $matches[0] : '';
// remove top level domain if it exists in the username (i.e., if user entered their email)
$username = str_replace( '@' . $tld, '', $username );
// Fail with error message if username or password is blank.
if ( empty( $username ) ) {
return null;
}
if ( empty( $password ) ) {
return new WP_Error( 'empty_password', 'You must provide a password.' );
}
// Make sure php5-ldap extension is installed on server.
if ( ! function_exists( 'ldap_connect' ) ) {
// Note: this error message won't get shown to the user because
// authenticate will fall back to WP auth when this fails.
return new WP_Error( 'ldap_not_installed', 'LDAP logins are disabled because this server does not support them.' );
}
// Authenticate against LDAP using options provided in plugin settings.
$result = false;
$ldap_user_dn = '';
$first_name = '';
$last_name = '';
$email = '';
// Establish LDAP connection.
$ldap = ldap_connect( $auth_settings['ldap_host'], $auth_settings['ldap_port'] );
ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
if ( $auth_settings['ldap_tls'] == 1 ) {
ldap_start_tls( $ldap );
}
// Set bind credentials; attempt an anonymous bind if not provided.
$bind_rdn = NULL;
$bind_password = NULL;
if ( strlen( $auth_settings['ldap_user'] ) > 0 ) {
$bind_rdn = $auth_settings['ldap_user'];
$bind_password = $this->decrypt( base64_decode( $auth_settings['ldap_password'] ) );
}
// Attempt LDAP bind.
$result = @ldap_bind( $ldap, $bind_rdn, $bind_password );
if ( ! $result ) {
// Can't connect to LDAP, so fall back to WordPress authentication.
return new WP_Error( 'ldap_error', 'Could not authenticate using LDAP.' );
}
// Look up the bind DN (and first/last name) of the user trying to
// log in by performing an LDAP search for the login username in
// the field specified in the LDAP settings. This setup is common.
$ldap_attributes_to_retrieve = array( 'dn' );
if ( array_key_exists( 'ldap_attr_first_name', $auth_settings ) && strlen( $auth_settings['ldap_attr_first_name'] ) > 0 ) {
array_push( $ldap_attributes_to_retrieve, $auth_settings['ldap_attr_first_name'] );
}
if ( array_key_exists( 'ldap_attr_last_name', $auth_settings ) && strlen( $auth_settings['ldap_attr_last_name'] ) > 0 ) {
array_push( $ldap_attributes_to_retrieve, $auth_settings['ldap_attr_last_name'] );
}
if ( array_key_exists( 'ldap_attr_email', $auth_settings ) && strlen( $auth_settings['ldap_attr_email'] ) > 0 ) {
array_push( $ldap_attributes_to_retrieve, $auth_settings['ldap_attr_email'] );
}
$ldap_search = ldap_search(
$ldap,
$auth_settings['ldap_search_base'],
"(" . $auth_settings['ldap_uid'] . "=" . $username . ")",
$ldap_attributes_to_retrieve
);
$ldap_entries = ldap_get_entries( $ldap, $ldap_search );
// If we didn't find any users in ldap, exit with error (rely on default wordpress authentication)
if ( $ldap_entries['count'] < 1 ) {
return new WP_Error( 'no_ldap', 'No LDAP user found.' );
}
// Get the bind dn and first/last names; if there are multiple results returned, just get the last one.
for ( $i = 0; $i < $ldap_entries['count']; $i++ ) {
$ldap_user_dn = $ldap_entries[$i]['dn'];
// Get user first name and last name.
if ( array_key_exists( 'ldap_attr_first_name', $auth_settings ) && strlen( $auth_settings['ldap_attr_first_name'] ) > 0 && array_key_exists( $auth_settings['ldap_attr_first_name'], $ldap_entries[$i] ) && $ldap_entries[$i][$auth_settings['ldap_attr_first_name']]['count'] > 0 && strlen( $ldap_entries[$i][$auth_settings['ldap_attr_first_name']][0] ) > 0 ) {
$first_name = $ldap_entries[$i][$auth_settings['ldap_attr_first_name']][0];
}
if ( array_key_exists( 'ldap_attr_last_name', $auth_settings ) && strlen( $auth_settings['ldap_attr_last_name'] ) > 0 && array_key_exists( $auth_settings['ldap_attr_last_name'], $ldap_entries[$i] ) && $ldap_entries[$i][$auth_settings['ldap_attr_last_name']]['count'] > 0 && strlen( $ldap_entries[$i][$auth_settings['ldap_attr_last_name']][0] ) > 0 ) {
$last_name = $ldap_entries[$i][$auth_settings['ldap_attr_last_name']][0];
}
// Get user email if it is specified in another field.
if ( array_key_exists( 'ldap_attr_email', $auth_settings ) && strlen( $auth_settings['ldap_attr_email'] ) > 0 && array_key_exists( $auth_settings['ldap_attr_email'], $ldap_entries[$i] ) && $ldap_entries[$i][$auth_settings['ldap_attr_email']]['count'] > 0 && strlen( $ldap_entries[$i][$auth_settings['ldap_attr_email']][0] ) > 0 ) {
$email = $ldap_entries[$i][$auth_settings['ldap_attr_email']][0];
}
}
$result = @ldap_bind( $ldap, $ldap_user_dn, $password );
if ( ! $result ) {
// We have a real ldap user, but an invalid password. Pass
// through to wp authentication after failing LDAP (since
// this could be a local account that happens to be the
// same name as an LDAP user).
return new WP_Error( 'using_wp_authentication', 'Moving on to WordPress authentication...' );
}
// User successfully authenticated against LDAP, so set the relevant variables.
$externally_authenticated_email = $username . '@' . $tld;
// If an LDAP attribute has been specified as containing the email address, use that instead.
if ( strlen( $email ) > 0 ) {
$externally_authenticated_email = $email;
}
return array(
'email' => $externally_authenticated_email,
'first_name' => $first_name,
'last_name' => $last_name,
'authenticated_by' => 'ldap',
);
} // END custom_authenticate_ldap()
/**
* Log out of the attached external service.
*
* @return void
*/
public function custom_logout() {
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
// Reset option containing old error messages.
delete_option( 'auth_settings_advanced_login_error' );
if ( session_id() == '' ) {
session_start();
}
$current_user_authenticated_by = get_user_meta( get_current_user_id(), 'authenticated_by', true );
// If logged in to CAS, Log out of CAS.
if ( $current_user_authenticated_by === 'cas' && $auth_settings['cas'] === '1' ) {
if ( ! array_key_exists( 'PHPCAS_CLIENT', $GLOBALS ) || ! array_key_exists( 'phpCAS', $_SESSION ) ) {
// Set the CAS client configuration if it hasn't been set already.
phpCAS::client( SAML_VERSION_1_1, $auth_settings['cas_host'], intval( $auth_settings['cas_port'] ), $auth_settings['cas_path'] );
// Restrict logout request origin to the CAS server only (prevent DDOS).
phpCAS::handleLogoutRequests( true, array( $auth_settings['cas_host'] ) );
}
if ( phpCAS::isAuthenticated() ) {
phpCAS::logoutWithRedirectService( get_option( 'siteurl' ) );
}
}
// If session token set, log out of Google.
if ( $current_user_authenticated_by === 'google' && array_key_exists( 'token', $_SESSION ) ) {
$token = json_decode( $_SESSION['token'] )->access_token;
// Build the Google Client.
$client = new Google_Client();
$client->setApplicationName( 'WordPress' );
$client->setClientId( $auth_settings['google_clientid'] );
$client->setClientSecret( $auth_settings['google_clientsecret'] );
$client->setRedirectUri( 'postmessage' );
// Revoke the token
$client->revokeToken( $token );
// Remove the credentials from the user's session.
$_SESSION['token'] = '';
}
} // END custom_logout()
/**
* ***************************
* Access Restriction
* ***************************
*/
/**
* Restrict access to WordPress site based on settings (everyone, logged_in_users).
* Hook: parse_request http://codex.wordpress.org/Plugin_API/Action_Reference/parse_request
*
* @param array $wp WordPress object.
*
* @return void
*/
public function restrict_access( $wp ) {
remove_action( 'parse_request', array( $this, 'restrict_access' ), 1 ); // only need it the first time
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
// Grab current user.
$current_user = wp_get_current_user();
$has_access = (
// Always allow access if WordPress is installing
( defined( 'WP_INSTALLING' ) && isset( $_GET['key'] ) ) ||
// Always allow access to admins
( current_user_can( 'create_users' ) ) ||
// Allow access if option is set to 'everyone'
( $auth_settings['access_who_can_view'] == 'everyone' ) ||
// Allow access to approved external users and logged in users if option is set to 'logged_in_users'
( $auth_settings['access_who_can_view'] == 'logged_in_users' && $this->is_user_logged_in_and_blog_user() && $this->is_email_in_list( $current_user->user_email, 'approved' ) )
);
/**
* Developers can use the `authorizer_has_access` filter
* to override restricted access on certain pages. Note that the
* restriction checks happens before WordPress executes any queries, so
* use the global `$wp` variable to investigate what the visitor is
* trying to load.
*
* For example, to unblock an RSS feed, place the following PHP code in
* the theme's functions.php file or in a simple plug-in:
*
* function my_rsa_feed_access_override( $has_access ) {
* global $wp;
* // check query variables to see if this is the feed
* if ( ! empty( $wp->query_vars['feed'] ) )
* $has_access = true;
* return $has_access;
* }
* add_filter( 'authorizer_has_access', 'my_rsa_feed_access_override' );
*/
if ( apply_filters( 'authorizer_has_access', $has_access, $wp ) === true ) {
// Turn off the public notice about browsing anonymously
update_option( 'auth_settings_advanced_public_notice', false );
// We've determined that the current user has access, so simply return to grant access.
return;
}
// We've determined that the current user doesn't have access, so we deal with them now.
// Fringe case: In a multisite, a user of a different blog can
// successfully log in, but they aren't on the 'approved' whitelist
// for this blog. Flag these users, and redirect them to their
// profile page with a message (so we don't get into a redirect
// loop on the wp-login.php page).
if ( is_multisite() && is_user_logged_in() && ! $has_access ) {
$current_user = wp_get_current_user();
// Check user access; block if not, add them to pending list if open, let them through otherwise.
$result = $this->check_user_access( $current_user, $current_user->user_email );
}
// Check to see if the requested page is public. If so, show it.
$current_page_name = property_exists( $wp, 'query_vars' ) && array_key_exists( 'name', $wp->query_vars ) && strlen( $wp->query_vars['name'] ) > 0 ? $wp->query_vars['name'] : '';
if ( ! $current_page_name ) {
// Different WordPress versions store the page slug in different places; look for it elsewhere.
if ( property_exists( $wp, 'query_vars' ) && array_key_exists( 'pagename', $wp->query_vars ) && strlen( $wp->query_vars['pagename'] ) > 0 ) {
$current_page_name = $wp->query_vars['pagename'];
}
}
$current_page_id = empty( $wp->request ) ? 'home' : $this->get_id_from_pagename( $current_page_name );
if ( ! is_array( $auth_settings['access_public_pages'] ) ) {
$auth_settings['access_public_pages'] = array();
}
if ( in_array( $current_page_id, $auth_settings['access_public_pages'] ) ) {
if ( $auth_settings['access_public_warning'] === 'no_warning' ) {
update_option( 'auth_settings_advanced_public_notice', false );
} else {
update_option( 'auth_settings_advanced_public_notice', true );
}
return;
}
// Check to see if any category assigned to the requested page is public. If so, show it.
$current_page_categories = wp_get_post_categories( $current_page_id, array( 'fields' => 'slugs' ) );
foreach( $current_page_categories as $current_page_category ) {
if ( in_array( 'cat_' . $current_page_category, $auth_settings['access_public_pages'] ) ) {
if ( $auth_settings['access_public_warning'] === 'no_warning' ) {
update_option( 'auth_settings_advanced_public_notice', false );
} else {
update_option( 'auth_settings_advanced_public_notice', true );
}
return;
}
}
$current_path = empty( $_SERVER['REQUEST_URI'] ) ? home_url() : $_SERVER['REQUEST_URI'];
if ( $auth_settings['access_redirect'] === 'message' ) {
$page_title = get_bloginfo( 'name' ) . ' - Access Restricted';
$error_message = apply_filters( 'the_content', $auth_settings['access_redirect_to_message'] );
$error_message .= '
get_plugin_options( 'single admin', 'allow override' );
// Get user trying to log in.
// If this isn't a real user, update the global failed attempt
// variables. We'll use these global variables to institute the
// lockouts on nonexistent accounts. We do this so an attacker
// won't be able to determine which accounts are real by which
// accounts get locked out on multiple invalid attempts.
$user = get_user_by( 'login', $username );
if ( $user !== FALSE ) {
$last_attempt = get_user_meta( $user->ID, 'auth_settings_advanced_lockouts_time_last_failed', true );
$num_attempts = get_user_meta( $user->ID, 'auth_settings_advanced_lockouts_failed_attempts', true );
} else {
$last_attempt = get_option( 'auth_settings_advanced_lockouts_time_last_failed' );
$num_attempts = get_option( 'auth_settings_advanced_lockouts_failed_attempts' );
}
// Make sure $last_attempt (time) and $num_attempts are positive integers.
// Note: this addresses resetting them if either is unset from above.
$last_attempt = abs( intval( $last_attempt ) );
$num_attempts = abs( intval( $num_attempts ) );
// Reset the failed attempt count if the time since the last
// failed attempt is greater than the reset duration.
$time_since_last_fail = time() - $last_attempt;
$reset_duration = $auth_settings['advanced_lockouts']['reset_duration'] * 60; // minutes to seconds
if ( $time_since_last_fail > $reset_duration ) {
$num_attempts = 0;
}
// Set last failed time to now and increment last failed count.
if ( $user !== FALSE ) {
update_user_meta( $user->ID, 'auth_settings_advanced_lockouts_time_last_failed', time() );
update_user_meta( $user->ID, 'auth_settings_advanced_lockouts_failed_attempts', $num_attempts + 1 );
} else {
update_option( 'auth_settings_advanced_lockouts_time_last_failed', time() );
update_option( 'auth_settings_advanced_lockouts_failed_attempts', $num_attempts + 1 );
}
} // END update_login_failed_count()
/**
* Overwrite the URL for the lost password link on the login form.
* If we're authenticating against an external service, standard
* WordPress password resets won't work.
*/
function custom_lostpassword_url( $lostpassword_url ) {
// Grab plugin settings.
$auth_settings = $this->get_plugin_options( 'single admin', 'allow override' );
if (
array_key_exists( 'ldap_lostpassword_url', $auth_settings ) &&
filter_var( $auth_settings['ldap_lostpassword_url'], FILTER_VALIDATE_URL )
) {
$lostpassword_url = $auth_settings['ldap_lostpassword_url'];
}
return $lostpassword_url;
} // END custom_lostpassword_url()
/**
* ***************************
* Options page
* ***************************
*/
/**
* Add a link to this plugin's settings page from the WordPress Plugins page.
* Called from "plugin_action_links" filter in __construct() above.
*
* @param array $links array of links in the admin sidebar
*
* @return array of links to show in the admin sidebar.
*/
public function plugin_settings_link( $links ) {
$admin_menu = $this->get_plugin_option( 'advanced_admin_menu' );
$settings_url = $admin_menu === 'settings' ? admin_url( 'options-general.php?page=authorizer' ) : admin_url( 'admin.php?page=authorizer' );
array_unshift( $links, 'Settings' );
return $links;
} // END plugin_settings_link()
/**
* Add a link to this plugin's network settings page from the WordPress Plugins page.
* Called from "network_admin_plugin_action_links" filter in __construct() above.
*
* @param array $links array of links in the network admin sidebar
*
* @return array of links to show in the network admin sidebar.
*/
public function network_admin_plugin_settings_link( $links ) {
$settings_link = 'Network Settings';
array_unshift( $links, $settings_link );
return $links;
} // END network_admin_plugin_settings_link()
/**
* Create the options page under Dashboard > Settings
* Run on action hook: admin_menu
*/
public function add_plugin_page() {
$admin_menu = $this->get_plugin_option( 'advanced_admin_menu' );
if ( $admin_menu === 'settings' ) {
// @see http://codex.wordpress.org/Function_Reference/add_options_page
add_options_page(
'Authorizer', // Page title
'Authorizer', // Menu title
'create_users', // Capability
'authorizer', // Menu slug
array( $this, 'create_admin_page' ) // function
);
} else {
// @see http://codex.wordpress.org/Function_Reference/add_menu_page
add_menu_page(
'Authorizer', // Page title
'Authorizer', // Menu title
'create_users', // Capability
'authorizer', // Menu slug
array( $this, 'create_admin_page' ), // callback
'dashicons-groups', // icon
'99.0018465' // position (decimal is to make overlap with other plugins less likely)
);
}
} // END add_plugin_page()
/**
* Output the HTML for the options page
*/
public function create_admin_page() { ?>
Authorizer Settings
get_bloginfo( 'url' ) );
wp_localize_script( 'authorizer', 'auth_config', $js_auth_config );
wp_enqueue_script(
'jquery.multi-select',
plugins_url( 'inc/jquery.multi-select/js/jquery.multi-select.js', __FILE__ ),
array( 'jquery' ), '1.8', true
);
wp_register_style( 'authorizer-css', plugins_url( 'css/authorizer.css', __FILE__ ), array(), '2.3.2' );
wp_enqueue_style( 'authorizer-css' );
wp_register_style( 'jquery-multi-select-css', plugins_url( 'inc/jquery.multi-select/css/multi-select.css', __FILE__ ), array(), '1.8' );
wp_enqueue_style( 'jquery-multi-select-css' );
add_action( 'admin_notices', array( $this, 'admin_notices' ) ); // Add any notices to the top of the options page.
add_action( 'admin_head', array( $this, 'admin_head' ) ); // Add help documentation to the options page.
} // END load_options_page()
/**
* Show custom admin notice.
* Filter: admin_notice
*/
function show_advanced_admin_notice() {
$notice = get_option( 'auth_settings_advanced_admin_notice' );
delete_option( 'auth_settings_advanced_admin_notice' );
if ( $notice && strlen( $notice ) > 0 ) { ?>
admin_notices
* Description: Check for invalid settings combinations and show a warning message, e.g.:
* if ( cas url inaccessible ) : ?>
*
Can't reach CAS server. Please provide accurate CAS settings if you intend to use it.
You\'re not currently allowed to view this site. Your administrator has been notified, and once he/she has approved your request, you will be able to log in. If you need any other help, please contact your administrator.';
}
if ( ! array_key_exists( 'access_blocked_redirect_to_message', $auth_settings ) ) {
$auth_settings['access_blocked_redirect_to_message'] = '
You\'re not currently allowed to log into this site. If you think this is a mistake, please contact your administrator.
';
}
if ( ! array_key_exists( 'access_should_email_approved_users', $auth_settings ) ) {
$auth_settings['access_should_email_approved_users'] = '';
}
if ( ! array_key_exists( 'access_email_approved_users_subject', $auth_settings ) ) {
$auth_settings['access_email_approved_users_subject'] = 'Welcome to [site_name]!';
}
if ( ! array_key_exists( 'access_email_approved_users_body', $auth_settings ) ) {
$auth_settings['access_email_approved_users_body'] =
'Hello [user_email],' . PHP_EOL .
'Welcome to [site_name]! You now have access to all content on the site. Please visit us here:' . PHP_EOL .
'[site_url]';
}
// Public Access to Private Page Defaults.
if ( ! array_key_exists( 'access_who_can_view', $auth_settings ) ) {
$auth_settings['access_who_can_view'] = 'everyone';
}
if ( ! array_key_exists( 'access_public_pages', $auth_settings ) ) {
$auth_settings['access_public_pages'] = array();
}
if ( ! array_key_exists( 'access_redirect', $auth_settings ) ) {
$auth_settings['access_redirect'] = 'login';
}
if ( ! array_key_exists( 'access_public_warning', $auth_settings ) ) {
$auth_settings['access_public_warning'] = 'no_warning';
}
if ( ! array_key_exists( 'access_redirect_to_message', $auth_settings ) ) {
$auth_settings['access_redirect_to_message'] = '
Notice: You are browsing this site anonymously, and only have access to a portion of its content.
';
}
// External Service Defaults.
if ( ! array_key_exists( 'access_default_role', $auth_settings ) ) {
// Set default role to 'student' if that role exists, 'subscriber' otherwise.
$all_roles = $wp_roles->roles;
$editable_roles = apply_filters( 'editable_roles', $all_roles );
if ( array_key_exists( 'student', $editable_roles ) ) {
$auth_settings['access_default_role'] = 'student';
} else {
$auth_settings['access_default_role'] = 'subscriber';
}
}
if ( ! array_key_exists( 'google', $auth_settings ) ) {
$auth_settings['google'] = '';
}
if ( ! array_key_exists( 'cas', $auth_settings ) ) {
$auth_settings['cas'] = '';
}
if ( ! array_key_exists( 'ldap', $auth_settings ) ) {
$auth_settings['ldap'] = '';
}
if ( ! array_key_exists( 'google_clientid', $auth_settings ) ) {
$auth_settings['google_clientid'] = '';
}
if ( ! array_key_exists( 'google_clientsecret', $auth_settings ) ) {
$auth_settings['google_clientsecret'] = '';
}
if ( ! array_key_exists( 'cas_custom_label', $auth_settings ) ) {
$auth_settings['cas_custom_label'] = 'CAS';
}
if ( ! array_key_exists( 'cas_host', $auth_settings ) ) {
$auth_settings['cas_host'] = '';
}
if ( ! array_key_exists( 'cas_port', $auth_settings ) ) {
$auth_settings['cas_port'] = '';
}
if ( ! array_key_exists( 'cas_path', $auth_settings ) ) {
$auth_settings['cas_path'] = '';
}
if ( ! array_key_exists( 'cas_attr_email', $auth_settings ) ) {
$auth_settings['cas_attr_email'] = '';
}
if ( ! array_key_exists( 'cas_attr_first_name', $auth_settings ) ) {
$auth_settings['cas_attr_first_name'] = '';
}
if ( ! array_key_exists( 'cas_attr_last_name', $auth_settings ) ) {
$auth_settings['cas_attr_last_name'] = '';
}
if ( ! array_key_exists( 'cas_attr_update_on_login', $auth_settings ) ) {
$auth_settings['cas_attr_update_on_login'] = '';
}
if ( ! array_key_exists( 'ldap_host', $auth_settings ) ) {
$auth_settings['ldap_host'] = '';
}
if ( ! array_key_exists( 'ldap_port', $auth_settings ) ) {
$auth_settings['ldap_port'] = '';
}
if ( ! array_key_exists( 'ldap_search_base', $auth_settings ) ) {
$auth_settings['ldap_search_base'] = '';
}
if ( ! array_key_exists( 'ldap_uid', $auth_settings ) ) {
$auth_settings['ldap_uid'] = '';
}
if ( ! array_key_exists( 'ldap_attr_email', $auth_settings ) ) {
$auth_settings['ldap_attr_email'] = '';
}
if ( ! array_key_exists( 'ldap_user', $auth_settings ) ) {
$auth_settings['ldap_user'] = '';
}
if ( ! array_key_exists( 'ldap_password', $auth_settings ) ) {
$auth_settings['ldap_password'] = '';
}
if ( ! array_key_exists( 'ldap_tls', $auth_settings ) ) {
$auth_settings['ldap_tls'] = '1';
}
if ( ! array_key_exists( 'ldap_lostpassword_url', $auth_settings ) ) {
$auth_settings['ldap_lostpassword_url'] = '';
}
if ( ! array_key_exists( 'ldap_attr_first_name', $auth_settings ) ) {
$auth_settings['ldap_attr_first_name'] = '';
}
if ( ! array_key_exists( 'ldap_attr_last_name', $auth_settings ) ) {
$auth_settings['ldap_attr_last_name'] = '';
}
if ( ! array_key_exists( 'ldap_attr_update_on_login', $auth_settings ) ) {
$auth_settings['ldap_attr_update_on_login'] = '';
}
// Advanced defaults.
if ( ! array_key_exists( 'advanced_lockouts', $auth_settings ) ) {
$auth_settings['advanced_lockouts'] = array(
'attempts_1' => 10,
'duration_1' => 1,
'attempts_2' => 10,
'duration_2' => 10,
'reset_duration' => 120,
);
}
if ( ! array_key_exists( 'advanced_hide_wp_login', $auth_settings ) ) {
$auth_settings['advanced_hide_wp_login'] = '';
}
if ( ! array_key_exists( 'advanced_branding', $auth_settings ) ) {
$auth_settings['advanced_branding'] = 'default';
}
if ( ! array_key_exists( 'advanced_admin_menu', $auth_settings ) ) {
$auth_settings['advanced_admin_menu'] = 'top';
}
if ( ! array_key_exists( 'advanced_usermeta', $auth_settings ) ) {
$auth_settings['advanced_usermeta'] = '';
}
if ( ! array_key_exists( 'advanced_override_multisite', $auth_settings ) ) {
$auth_settings['advanced_override_multisite'] = '';
}
// Save default options to database.
update_option( 'auth_settings', $auth_settings );
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
update_option( 'auth_settings_access_users_blocked', $auth_settings_access_users_blocked );
// Multisite defaults.
if ( is_multisite() ) {
$auth_multisite_settings = get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings', array() );
if ( $auth_multisite_settings === FALSE ) {
$auth_multisite_settings = array();
}
// Global switch for enabling multisite options.
if ( ! array_key_exists( 'multisite_override', $auth_multisite_settings ) ) {
$auth_multisite_settings['multisite_override'] = '';
}
// Access Lists Defaults.
$auth_multisite_settings_access_users_approved = get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved' );
if ( $auth_multisite_settings_access_users_approved === FALSE ) {
$auth_multisite_settings_access_users_approved = array();
}
// Login Access Defaults.
if ( ! array_key_exists( 'access_who_can_login', $auth_multisite_settings ) ) {
$auth_multisite_settings['access_who_can_login'] = 'approved_users';
}
// View Access Defaults.
if ( ! array_key_exists( 'access_who_can_view', $auth_multisite_settings ) ) {
$auth_multisite_settings['access_who_can_view'] = 'everyone';
}
// External Service Defaults.
if ( ! array_key_exists( 'access_default_role', $auth_multisite_settings ) ) {
// Set default role to 'student' if that role exists, 'subscriber' otherwise.
$all_roles = $wp_roles->roles;
$editable_roles = apply_filters( 'editable_roles', $all_roles );
if ( array_key_exists( 'student', $editable_roles ) ) {
$auth_multisite_settings['access_default_role'] = 'student';
} else {
$auth_multisite_settings['access_default_role'] = 'subscriber';
}
}
if ( ! array_key_exists( 'google', $auth_multisite_settings ) ) {
$auth_multisite_settings['google'] = '';
}
if ( ! array_key_exists( 'cas', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas'] = '';
}
if ( ! array_key_exists( 'ldap', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap'] = '';
}
if ( ! array_key_exists( 'google_clientid', $auth_multisite_settings ) ) {
$auth_multisite_settings['google_clientid'] = '';
}
if ( ! array_key_exists( 'google_clientsecret', $auth_multisite_settings ) ) {
$auth_multisite_settings['google_clientsecret'] = '';
}
if ( ! array_key_exists( 'cas_custom_label', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_custom_label'] = 'CAS';
}
if ( ! array_key_exists( 'cas_host', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_host'] = '';
}
if ( ! array_key_exists( 'cas_port', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_port'] = '';
}
if ( ! array_key_exists( 'cas_path', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_path'] = '';
}
if ( ! array_key_exists( 'cas_attr_email', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_attr_email'] = '';
}
if ( ! array_key_exists( 'cas_attr_first_name', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_attr_first_name'] = '';
}
if ( ! array_key_exists( 'cas_attr_last_name', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_attr_last_name'] = '';
}
if ( ! array_key_exists( 'cas_attr_update_on_login', $auth_multisite_settings ) ) {
$auth_multisite_settings['cas_attr_update_on_login'] = '';
}
if ( ! array_key_exists( 'ldap_host', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_host'] = '';
}
if ( ! array_key_exists( 'ldap_port', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_port'] = '';
}
if ( ! array_key_exists( 'ldap_search_base', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_search_base'] = '';
}
if ( ! array_key_exists( 'ldap_uid', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_uid'] = '';
}
if ( ! array_key_exists( 'ldap_attr_email', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_attr_email'] = '';
}
if ( ! array_key_exists( 'ldap_user', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_user'] = '';
}
if ( ! array_key_exists( 'ldap_password', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_password'] = '';
}
if ( ! array_key_exists( 'ldap_tls', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_tls'] = '1';
}
if ( ! array_key_exists( 'ldap_lostpassword_url', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_lostpassword_url'] = '';
}
if ( ! array_key_exists( 'ldap_attr_first_name', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_attr_first_name'] = '';
}
if ( ! array_key_exists( 'ldap_attr_last_name', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_attr_last_name'] = '';
}
if ( ! array_key_exists( 'ldap_attr_update_on_login', $auth_multisite_settings ) ) {
$auth_multisite_settings['ldap_attr_update_on_login'] = '';
}
// Advanced defaults.
if ( ! array_key_exists( 'advanced_lockouts', $auth_multisite_settings ) ) {
$auth_multisite_settings['advanced_lockouts'] = array(
'attempts_1' => 10,
'duration_1' => 1,
'attempts_2' => 10,
'duration_2' => 10,
'reset_duration' => 120,
);
}
if ( ! array_key_exists( 'advanced_hide_wp_login', $auth_multisite_settings ) ) {
$auth_multisite_settings['advanced_hide_wp_login'] = '';
}
// Save default network options to database.
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings', $auth_multisite_settings );
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', $auth_multisite_settings_access_users_approved );
}
} // END set_default_options()
/**
* List sanitizer.
* $side_effect = 'none' or 'update roles' to make sure WP user roles match
* $multisite_mode = 'single' or 'multisite' to indicate which user roles to change (this site or all sites)
*/
function sanitize_user_list( $list, $side_effect = 'none', $multisite_mode = 'single' ) {
// If it's not a list, make it so.
if ( ! is_array( $list ) ) {
$list = array();
}
foreach ( $list as $key => $user_info ) {
if ( strlen( $user_info['email'] ) < 1 ) {
// Make sure there are no empty entries in the list
unset( $list[$key] );
} elseif ( $side_effect === 'update roles' ) {
// Make sure the WordPress user accounts have the same role
// as that indicated in the list.
$wp_user = get_user_by( 'email', $user_info['email'] );
if ( $wp_user ) {
if ( is_multisite() && $multisite_mode === 'multisite' ) {
foreach ( get_blogs_of_user( $wp_user->ID ) as $blog ) {
add_user_to_blog( $blog->userblog_id, $wp_user->ID, $user_info['role'] );
}
} else {
$wp_user->set_role( $user_info['role'] );
}
}
}
}
return $list;
}
/**
* Settings sanitizer callback
*/
function sanitize_options( $auth_settings, $multisite_mode = 'single' ) {
// Default to "Approved Users" login access restriction.
if ( ! in_array( $auth_settings['access_who_can_login'], array( 'external_users', 'approved_users' ) ) ) {
$auth_settings['access_who_can_login'] = 'approved_users';
}
// Default to "Everyone" view access restriction.
if ( ! in_array( $auth_settings['access_who_can_view'], array( 'everyone', 'logged_in_users' ) ) ) {
$auth_settings['access_who_can_view'] = 'everyone';
}
// Default to WordPress login access redirect.
if ( ! in_array( $auth_settings['access_redirect'], array( 'login', 'page', 'message' ) ) ) {
$auth_settings['access_redirect'] = 'login';
}
// Default to warning message for anonymous users on public pages.
if ( ! in_array( $auth_settings['access_public_warning'], array( 'no_warning', 'warning' ) ) ) {
$auth_settings['access_public_warning'] = 'no_warning';
}
// Sanitize Enable Google Logins (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'google', $auth_settings ) && strlen( $auth_settings['google'] ) > 0 ) {
$auth_settings['google'] = '1';
}
// Sanitize Enable CAS Logins (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'cas', $auth_settings ) && strlen( $auth_settings['cas'] ) > 0 ) {
$auth_settings['cas'] = '1';
}
// Sanitize Enable LDAP Logins (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'ldap', $auth_settings ) && strlen( $auth_settings['ldap'] ) > 0 ) {
$auth_settings['ldap'] = '1';
}
// Sanitize CAS Host setting
$auth_settings['cas_host'] = filter_var( $auth_settings['cas_host'], FILTER_SANITIZE_URL );
// Sanitize CAS Port (int)
$auth_settings['cas_port'] = filter_var( $auth_settings['cas_port'], FILTER_SANITIZE_NUMBER_INT );
// Sanitize CAS attribute update (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'cas_attr_update_on_login', $auth_settings ) && strlen( $auth_settings['cas_attr_update_on_login'] ) > 0 ) {
$auth_settings['cas_attr_update_on_login'] = '1';
}
// Sanitize LDAP Host setting
$auth_settings['ldap_host'] = filter_var( $auth_settings['ldap_host'], FILTER_SANITIZE_URL );
// Sanitize LDAP Port (int)
$auth_settings['ldap_port'] = filter_var( $auth_settings['ldap_port'], FILTER_SANITIZE_NUMBER_INT );
// Sanitize LDAP attributes (basically make sure they don't have any parantheses)
$auth_settings['ldap_uid'] = filter_var( $auth_settings['ldap_uid'], FILTER_SANITIZE_EMAIL );
// Sanitize LDAP TLS (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'ldap_tls', $auth_settings ) && strlen( $auth_settings['ldap_tls'] ) > 0 ) {
$auth_settings['ldap_tls'] = '1';
}
// Sanitize LDAP Lost Password URL
$auth_settings['ldap_lostpassword_url'] = filter_var( $auth_settings['ldap_lostpassword_url'], FILTER_SANITIZE_URL );
// Obfuscate LDAP directory user password
if ( strlen( $auth_settings['ldap_password'] ) > 0 ) {
// encrypt the directory user password for some minor obfuscation in the database.
$auth_settings['ldap_password'] = base64_encode( $this->encrypt( $auth_settings['ldap_password'] ) );
}
// Sanitize LDAP attribute update (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'ldap_attr_update_on_login', $auth_settings ) && strlen( $auth_settings['ldap_attr_update_on_login'] ) > 0 ) {
$auth_settings['ldap_attr_update_on_login'] = '1';
}
// Make sure public pages is an empty array if it's empty
if ( ! is_array( $auth_settings['access_public_pages'] ) ) {
$auth_settings['access_public_pages'] = array();
}
// Make sure all lockout options are integers (attempts_1,
// duration_1, attempts_2, duration_2, reset_duration).
foreach ( $auth_settings['advanced_lockouts'] as $key => $value ) {
$auth_settings['advanced_lockouts'][$key] = filter_var( $value, FILTER_SANITIZE_NUMBER_INT );
}
// Sanitize Hide WordPress logins (checkbox: value can only be '1' or empty string)
if ( array_key_exists( 'advanced_hide_wp_login', $auth_settings ) && strlen( $auth_settings['advanced_hide_wp_login'] ) > 0 ) {
$auth_settings['advanced_hide_wp_login'] = '1';
}
return $auth_settings;
} // END sanitize_options()
/**
* Keep authorizer approved users' roles in sync with WordPress roles
* if someone changes the role via the WordPress Edit User options page.
*
* @action edit_user_profile_update
* @ref https://codex.wordpress.org/Plugin_API/Action_Reference/edit_user_profile_update
* @param int $user_id The user ID of the user being edited
*/
function edit_user_profile_update_role( $user_id ) {
if ( ! current_user_can( 'edit_user', $user_id ) ) {
return;
}
// If user is in approved list, update his/her associated role.
$wp_user = get_user_by( 'id', $user_id );
if ( $this->is_email_in_list( $wp_user->get( 'user_email' ), 'approved' ) ) {
$auth_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'single admin' )
);
// Find approved user and update their role.
foreach ( $auth_settings_access_users_approved as $key => $user ) {
if ( $user['email'] === $wp_user->get( 'user_email' ) ) {
$auth_settings_access_users_approved[$key]['role'] = $_REQUEST['role'];
}
}
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
}
/**
* Settings print callbacks
*/
function print_section_info_tabs( $args = '' ) {
if ( is_array( $args ) && array_key_exists( 'multisite_admin', $args ) && $args['multisite_admin'] === true ): ?>
get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// If this site is configured independently of any multisite overrides, make sure we are not grabbing the multisite value; otherwise, grab the multisite value to show behind the disabled overlay.
if ( is_multisite() && $this->get_plugin_option( 'advanced_override_multisite' ) == '1' ) {
$auth_settings_option = $this->get_plugin_option( $option );
} else if ( is_multisite() && $admin_mode === 'single admin' && $this->get_plugin_option( 'multisite_override', 'multisite admin' ) === '1' ) {
// Workaround: javascript code hides/shows other settings based
// on the selection in this option. If this option is overridden
// by a multisite option, it should show that value in order to
// correctly display the other appropriate options.
// Side effect: this site option will be overwritten by the
// multisite option on save. Since this is a 2-item radio, we
// determined this was acceptable.
$auth_settings_option = $this->get_plugin_option( $option, 'multisite admin' );
}
// Print option elements.
?> />
/> get_plugin_option( $option );
// Print option elements.
?>get_plugin_option( $option );
// Print option elements.
wp_editor(
wpautop( $auth_settings_option ),
"auth_settings_$option",
array(
'media_buttons' => false,
'textarea_name' => "auth_settings[$option]",
'textarea_rows' => 5,
'tinymce' => true,
'teeny' => true,
'quicktags' => false,
)
);
} // END print_wysiwyg_auth_access_pending_redirect_to_message()
function print_wysiwyg_auth_access_blocked_redirect_to_message( $args = '' ) {
// Get plugin option.
$option = 'access_blocked_redirect_to_message';
$auth_settings_option = $this->get_plugin_option( $option );
// Print option elements.
wp_editor(
wpautop( $auth_settings_option ),
"auth_settings_$option",
array(
'media_buttons' => false,
'textarea_name' => "auth_settings[$option]",
'textarea_rows' => 5,
'tinymce' => true,
'teeny' => true,
'quicktags' => false,
)
);
} // END print_wysiwyg_auth_access_blocked_redirect_to_message()
function print_checkbox_auth_access_should_email_approved_users( $args = '' ) {
// Get plugin option.
$option = 'access_should_email_approved_users';
$auth_settings_option = $this->get_plugin_option( $option );
// Print option elements.
?> />get_plugin_option( $option );
// Print option elements.
?> You can use the [site_name] shortcode.get_plugin_option( $option );
// Print option elements.
wp_editor(
wpautop( $auth_settings_option ),
"auth_settings_$option",
array(
'media_buttons' => false,
'textarea_name' => "auth_settings[$option]",
'textarea_rows' => 9,
'tinymce' => true,
'teeny' => true,
'quicktags' => false,
)
);
?>You can use [site_name], [site_url], and [user_email] shortcodes.
Choose your public access options here.
get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// If this site is configured independently of any multisite overrides, make sure we are not grabbing the multisite value; otherwise, grab the multisite value to show behind the disabled overlay.
if ( is_multisite() && $this->get_plugin_option( 'advanced_override_multisite' ) == '1' ) {
$auth_settings_option = $this->get_plugin_option( $option );
} else if ( is_multisite() && $admin_mode === 'single admin' && $this->get_plugin_option( 'multisite_override', 'multisite admin' ) === '1' ) {
// Workaround: javascript code hides/shows other settings based
// on the selection in this option. If this option is overridden
// by a multisite option, it should show that value in order to
// correctly display the other appropriate options.
// Side effect: this site option will be overwritten by the
// multisite option on save. Since this is a 2-item radio, we
// determined this was acceptable.
$auth_settings_option = $this->get_plugin_option( $option, 'multisite admin' );
}
// Print option elements.
?> />
/> get_plugin_option( $option );
// Print option elements.
?> />
/>get_plugin_option( $option );
// Print option elements.
?> />
/>get_plugin_option( $option );
// Print option elements.
wp_editor(
wpautop( $auth_settings_option ),
"auth_settings_$option",
array(
'media_buttons' => false,
'textarea_name' => "auth_settings[$option]",
'textarea_rows' => 5,
'tinymce' => true,
'teeny' => true,
'quicktags' => false,
)
);
} // END print_wysiwyg_auth_access_redirect_to_message()
function print_multiselect_auth_access_public_pages( $args = '' ) {
// Get plugin option.
$option = 'access_public_pages';
$auth_settings_option = $this->get_plugin_option( $option );
$auth_settings_option = is_array( $auth_settings_option ) ? $auth_settings_option : array();
$post_types = array_merge( array( 'page', 'post' ), get_post_types( array( '_builtin' => false ), 'names' ) );
$post_types = is_array( $post_types ) ? $post_types : array();
// Print option elements.
?>
Enter your external server settings below.
get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
?>get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Make sure php5-curl extension is installed on server.
$curl_installed_message = ! function_exists( 'curl_init' ) ? '(Warning: PHP CURL extension is not installed)' : '';
// Print option elements.
?> /> get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
$site_url_parts = parse_url( get_site_url() );
$site_url_host = $site_url_parts['scheme'] . '://' . $site_url_parts['host'] . '/';
?>If you don't have a Google Client ID and Secret, generate them by following these instructions:
Within the project, navigate to APIs and Auth > Credentials, then click Create New Client ID under OAuth. Use these settings:
Application Type: Web application
Authorized Javascript Origins:
Authorized Redirect URI: none
Copy/paste your new Client ID/Secret pair into the fields below.
Note: Navigate to APIs and Auth > Consent screen to change the way the Google consent screen appears after a user has successfully entered their password, but before they are redirected back to WordPress.
get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
?>get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Make sure php5-curl extension is installed on server.
$curl_installed_message = ! function_exists( 'curl_init' ) ? '(Warning: PHP CURL extension is not installed)' : '';
// Print option elements.
?> /> get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
?>The button on the login page will read:
You may optionally specify some advanced settings below.
get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
?>After
invalid password attempts, delay further attempts on that user for
minute(s).
After
more invalid attempts, increase the delay to
minutes.
Reset the delays after
minutes with no invalid attempts.get_plugin_option( $option, $admin_mode, 'allow override', 'print overlay' );
// Print option elements.
?> />
Note: You can always access the WordPress logins by adding external=wordpress to the wp-login URL, like so: ?external=wordpress.
Note for theme developers: Add more options here by using the `authorizer_add_branding_option` filter in your theme. You can see an example theme that implements this filter in the plugin directory under sample-theme-add-branding.
Pending Users: Pending users are users who have successfully logged in to the site, but who haven\'t yet been approved (or blocked) by you.
Approved Users: Approved users have access to the site once they successfully log in.
Blocked Users: Blocked users will receive an error message when they try to visit the site after authenticating.
Users in the Pending list appear automatically after a new user tries to log in from the configured external authentication service. You can add users to the Approved or Blocked lists by typing them in manually, or by clicking the Approve or Block buttons next to a user in the Pending list.
Who can log in to the site?: Choose the level of access restriction you\'d like to use on your site here. You can leave the site open to anyone with a WordPress account or an account on an external service like Google, CAS, or LDAP, or restrict it to WordPress users and only the external users that you specify via the Access Lists.
Which role should receive email notifications about pending users?: If you\'ve restricted access to approved users, you can determine which WordPress users will receive a notification email everytime a new external user successfully logs in and is added to the pending list. All users of the specified role will receive an email, and the external user will get a message (specified below) telling them their access is pending approval.
What message should pending users see after attempting to log in?: Here you can specify the exact message a new external user will see once they try to log in to the site for the first time.
';
$screen->add_help_tab(
array(
'id' => 'help_auth_settings_access_login_content',
'title' => 'Login Access',
'content' => $help_auth_settings_access_login_content,
)
);
// Add help tab for Public Access Settings
$help_auth_settings_access_public_content = '
Who can view the site?: You can restrict the site\'s visibility by only allowing logged in users to see pages. If you do so, you can customize the specifics about the site\'s privacy using the settings below.
What pages (if any) should be available to everyone?: If you\'d like to declare certain pages on your site as always public (such as the course syllabus, introduction, or calendar), specify those pages here. These pages will always be available no matter what access restrictions exist.
What happens to people without access when they visit a private page?: Choose the response anonymous users receive when visiting the site. You can choose between immediately taking them to the login screen, or simply showing them a message.
What happens to people without access when they visit a public page?: Choose the response anonymous users receive when visiting a page on the site marked as public. You can choose between showing them the page without any message, or showing them a the page with a message above the content.
What message should people without access see?: If you chose to show new users a message above, type that message here.
';
$screen->add_help_tab(
array(
'id' => 'help_auth_settings_access_public_content',
'title' => 'Public Access',
'content' => $help_auth_settings_access_public_content,
)
);
// Add help tab for External Service (CAS, LDAP) Settings
$help_auth_settings_external_content = '
Type of external service to authenticate against: Choose which authentication service type you will be using. You\'ll have to fill out different fields below depending on which service you choose.
Enable Google Logins: Choose if you want to allow users to log in with their Google Account credentials. You will need to enter your API Client ID and Secret to enable Google Logins.
Enable CAS Logins: Choose if you want to allow users to log in with via CAS (Central Authentication Service). You will need to enter details about your CAS server (host, port, and path) to enable CAS Logins.
Enable LDAP Logins: Choose if you want to allow users to log in with their LDAP (Lightweight Directory Access Protocol) credentials. You will need to enter details about your LDAP server (host, port, search base, uid attribute, directory user, directory user password, and whether to use TLS) to enable Google Logins.
Default role for new CAS users: Specify which role new external users will get by default. Be sure to choose a role with limited permissions!
If you enable Google logins:
Google Client ID: You can generate this ID by creating a new Project in the Google Developers Console. A Client ID typically looks something like this: 1234567890123-kdjr85yt6vjr6d8g7dhr8g7d6durjf7g.apps.googleusercontent.com
Google Client Secret: You can generate this secret by creating a new Project in the Google Developers Console. A Client Secret typically looks something like this: sDNgX5_pr_5bly-frKmvp8jT
If you enable CAS logins:
CAS server hostname: Enter the hostname of the CAS server you authenticate against (e.g., authn.example.edu).
CAS server port: Enter the port on the CAS server to connect to (e.g., 443).
CAS server path/context: Enter the path to the login endpoint on the CAS server (e.g., /cas).
CAS attribute containing first name: Enter the CAS attribute that has the user\'s first name. When this user first logs in, their WordPress account will have their first name retrieved from CAS and added to their WordPress profile.
CAS attribute containing last name: Enter the CAS attribute that has the user\'s last name. When this user first logs in, their WordPress account will have their last name retrieved from CAS and added to their WordPress profile.
CAS attribute update: Select whether the first and last names retrieved from CAS should overwrite any value the user has entered in the first and last name fields in their WordPress profile. If this is not set, this only happens the first time they log in.
If you enable LDAP logins:
LDAP Host: Enter the URL of the LDAP server you authenticate against.
LDAP Port: Enter the port number that the LDAP server listens on.
LDAP Search Base: Enter the LDAP string that represents the search base, e.g., ou=people,dc=example,dc=edu
LDAP attribute containing username: Enter the name of the LDAP attribute that contains the usernames used by those attempting to log in. The plugin will search on this attribute to find the cn to bind against for login attempts.
LDAP Directory User: Enter the name of the LDAP user that has permissions to browse the directory.
LDAP Directory User Password: Enter the password for the LDAP user that has permission to browse the directory.
Secure Connection (TLS): Select whether all communication with the LDAP server should be performed over a TLS-secured connection.
Custom lost password URL: The WordPress login page contains a link to recover a lost password. If you have external users who shouldn\'t change the password on their WordPress account, point them to the appropriate location to change the password on their external authentication service here.
LDAP attribute containing first name: Enter the LDAP attribute that has the user\'s first name. When this user first logs in, their WordPress account will have their first name retrieved from LDAP and added to their WordPress profile.
LDAP attribute containing last name: Enter the LDAP attribute that has the user\'s last name. When this user first logs in, their WordPress account will have their last name retrieved from LDAP and added to their WordPress profile.
LDAP attribute update: Select whether the first and last names retrieved from LDAP should overwrite any value the user has entered in the first and last name fields in their WordPress profile. If this is not set, this only happens the first time they log in.
Limit invalid login attempts: Choose how soon (and for how long) to restrict access to individuals (or bots) making repeated invalid login attempts. You may set a shorter delay first, and then a longer delay after repeated invalid attempts; you may also set how much time must pass before the delays will be reset to normal.
Hide WordPress Logins: If you want to hide the WordPress username and password fields and the Log In button on the wp-login screen, enable this option. Note: You can always access the WordPress logins by adding external=wordpress to the wp-login URL, like so: ' . wp_login_url() . '?external=wordpress.
Custom WordPress login branding: If you\'d like to use custom branding on the WordPress login page, select that here. You will need to use the `authorizer_add_branding_option` filter in your theme to add it. You can see an example theme that implements this filter in the plugin directory under sample-theme-add-branding.
';
$screen->add_help_tab(
array(
'id' => 'help_auth_settings_advanced_content',
'title' => 'Advanced',
'content' => $help_auth_settings_advanced_content,
)
);
} // END admin_head()
/**
* ***************************
* Multisite: Network Admin Options page
* ***************************
*/
/**
* Network Admin menu item
* Hook: network_admin_menu
*
* @param none
* @return void
*/
public function network_admin_menu() {
// @see http://codex.wordpress.org/Function_Reference/add_menu_page
add_menu_page(
'Authorizer', // Page title
'Authorizer', // Menu title
'manage_network_options', // Capability
'authorizer', // Menu slug
array( $this, 'create_network_admin_page' ),
'dashicons-groups', // Icon URL
89 // Position
);
} // END network_admin_menu()
/**
* Output the HTML for the options page
*/
public function create_network_admin_page() {
if ( ! current_user_can( 'manage_network_options' ) ) {
wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
}
$auth_settings = get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings', array() ); ?>
sanitize_options( $_POST, 'multisite' );
// Filter options to only the allowed values (multisite options are a subset of all options)
$allowed = array(
'multisite_override',
'access_who_can_login',
'access_who_can_view',
'access_default_role',
'google',
'google_clientid',
'google_clientsecret',
'cas',
'cas_custom_label',
'cas_host',
'cas_port',
'cas_path',
'cas_attr_email',
'cas_attr_first_name',
'cas_attr_last_name',
'cas_attr_update_on_login',
'ldap',
'ldap_host',
'ldap_port',
'ldap_search_base',
'ldap_uid',
'ldap_attr_email',
'ldap_user',
'ldap_password',
'ldap_tls',
'ldap_lostpassword_url',
'ldap_attr_first_name',
'ldap_attr_last_name',
'ldap_attr_update_on_login',
'advanced_lockouts',
'advanced_hide_wp_login',
);
$auth_multisite_settings = array_intersect_key( $auth_multisite_settings, array_flip( $allowed ) );
// Update multisite settings in database.
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings', $auth_multisite_settings );
// Return 'success' value to AJAX call.
die( 'success' );
} // END ajax_save_auth_multisite_settings()
/**
* ***************************
* Dashboard widget
* ***************************
*/
function add_dashboard_widgets() {
// Only users who can edit can see the authorizer dashboard widget
if ( current_user_can( 'create_users' ) ) {
// Add dashboard widget for adding/editing users with access
wp_add_dashboard_widget( 'auth_dashboard_widget', 'Authorizer Settings', array( $this, 'add_auth_dashboard_widget' ) );
}
} // END add_dashboard_widgets()
function add_auth_dashboard_widget() {
?>get_plugin_option( 'advanced_usermeta' );
// If user doesn't exist, save usermeta selection to authorizer
// list. This value will get saved to usermeta when the user first
// logs in (i.e., when their WordPress account is created).
if ( ! ( $wp_user = get_user_by( 'email', $email ) ) ) {
// Look through multisite approved users and add a usermeta
// reference for the current blog if the user is found.
$auth_multisite_settings_access_users_approved = is_multisite() ? get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', array() ) : array();
$should_update_auth_multisite_settings_access_users_approved = false;
foreach ( $auth_multisite_settings_access_users_approved as $index => $approved_user ) {
if ( $email === $approved_user['email'] ) {
if ( ! is_array( $auth_multisite_settings_access_users_approved[$index]['usermeta'] ) ) {
// Initialize the array of usermeta for each blog this user belongs to.
$auth_multisite_settings_access_users_approved[$index]['usermeta'] = array();
} else {
// There is already usermeta associated with this
// preapproved user; iterate through it and make
// sure it's not for old meta_keys (delete it if
// so). This can happen if someone changes the
// usermeta key in authorizer options, and we don't
// want to hang on to old data.
foreach ( $auth_multisite_settings_access_users_approved[$index]['usermeta'] as $blog_id => $usermeta ) {
if ( array_key_exists( 'meta_key', $usermeta ) && $usermeta['meta_key'] === $meta_key ) {
continue;
} else {
unset( $auth_multisite_settings_access_users_approved[$index]['usermeta'][$blog_id] );
}
}
}
$auth_multisite_settings_access_users_approved[$index]['usermeta'][get_current_blog_id()] = array(
'meta_key' => $meta_key,
'meta_value' => $meta_value,
);
$should_update_auth_multisite_settings_access_users_approved = true;
}
}
if ( $should_update_auth_multisite_settings_access_users_approved ) {
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', $auth_multisite_settings_access_users_approved );
}
// Look through the approved users (of the current blog in a
// multisite install, or just of the single site) and add a
// usermeta reference if the user is found.
$auth_settings_access_users_approved = $this->get_plugin_option( 'access_users_approved', 'single admin' );
$should_update_auth_settings_access_users_approved = false;
foreach ( $auth_settings_access_users_approved as $index => $approved_user ) {
if ( $email === $approved_user['email'] ) {
$auth_settings_access_users_approved[$index]['usermeta'] = array(
'meta_key' => $meta_key,
'meta_value' => $meta_value,
);
$should_update_auth_settings_access_users_approved = true;
}
}
if ( $should_update_auth_settings_access_users_approved ) {
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
} else {
// Update user's usermeta value for usermeta key stored in authorizer options.
if ( strpos( $meta_key, 'acf___' ) === 0 && class_exists( 'acf' ) ) {
// We have an ACF field value, so use the ACF function to update it.
update_field( str_replace('acf___', '', $meta_key ), $meta_value, 'user_' . $wp_user->ID );
} else {
// We have a normal usermeta value, so just update it via the WordPress function.
update_user_meta( $wp_user->ID, $meta_key, $meta_value );
}
}
// Return 'success' value to AJAX call.
die( 'success' );
} // END ajax_update_auth_usermeta()
function ajax_update_auth_user() {
// Fail silently if current user doesn't have permissions.
if ( ! current_user_can( 'create_users' ) ) {
die( '' );
}
// Nonce check.
if ( empty( $_POST['nonce_save_auth_settings'] ) || ! wp_verify_nonce( $_POST['nonce_save_auth_settings'], 'save_auth_settings' ) ) {
die( '' );
}
// Fail if requesting a change to an invalid setting.
if ( ! in_array( $_POST['setting'], array( 'access_users_pending', 'access_users_approved', 'access_users_blocked' ) ) ) {
die( '' );
}
// Editing a pending list entry.
if ( $_POST['setting'] === 'access_users_pending' ) {
// Initialize posted data if empty.
if ( ! ( array_key_exists( 'access_users_pending', $_POST ) && is_array( $_POST['access_users_pending'] ) ) ) {
$_POST['access_users_pending'] = array();
}
// Deal with each modified user (add or remove).
foreach ( $_POST['access_users_pending'] as $pending_user ) {
if ( $pending_user['edit_action'] === 'add' ) {
// Add new user to pending list and save (skip if it's
// already there--someone else might have just done it).
if ( ! $this->is_email_in_list( $pending_user['email'], 'pending' ) ) {
$auth_settings_access_users_pending = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_pending', 'single admin' )
);
array_push( $auth_settings_access_users_pending, $pending_user );
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
}
} elseif ( $pending_user['edit_action'] === 'remove' ) {
// Remove user from pending list and save
if ( $this->is_email_in_list( $pending_user['email'], 'pending' ) ) {
$auth_settings_access_users_pending = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_pending', 'single admin' )
);
foreach ( $auth_settings_access_users_pending as $key => $existing_user ) {
if ( $pending_user['email'] == $existing_user['email'] ) {
unset( $auth_settings_access_users_pending[$key] );
break;
}
}
update_option( 'auth_settings_access_users_pending', $auth_settings_access_users_pending );
}
}
}
}
// Editing an approved list entry.
if ( $_POST['setting'] === 'access_users_approved' ) {
// Initialize posted data if empty.
if ( ! ( array_key_exists( 'access_users_approved', $_POST ) && is_array( $_POST['access_users_approved'] ) ) ) {
$_POST['access_users_approved'] = array();
}
// Deal with each modified user (add, remove, or change_role).
foreach ( $_POST['access_users_approved'] as $approved_user ) {
if ( $approved_user['edit_action'] === 'add' ) {
// New user (create user, or add existing user to current site in multisite).
$new_user = get_user_by( 'email', $approved_user['email'] );
if ( $new_user !== false ) {
if ( is_multisite() ) {
add_user_to_blog( get_current_blog_id(), $new_user->ID, $approved_user['role'] );
}
} elseif ( $approved_user['local_user'] === 'true' ) {
// Create a WP account for this new *local* user and email the password.
$plaintext_password = wp_generate_password(); // random password
// If there's already a user with this username (e.g.,
// johndoe/johndoe@gmail.com exists, and we're trying to add
// johndoe/johndoe@example.com), use the full email address
// as the username.
$username = explode( "@", $approved_user['email'] );
$username = $username[0];
if ( get_user_by( 'login', $username ) !== false ) {
$username = $approved_user['email'];
}
if ( $approved_user['multisite_user'] !== 'false' ) {
$result = wpmu_create_user(
strtolower( $username ),
$plaintext_password,
strtolower( $approved_user['email'] )
);
} else {
$result = wp_insert_user(
array(
'user_login' => strtolower( $username ),
'user_pass' => $plaintext_password,
'first_name' => '',
'last_name' => '',
'user_email' => strtolower( $approved_user['email'] ),
'user_registered' => date( 'Y-m-d H:i:s' ),
'role' => $approved_user['role'],
)
);
}
if ( ! is_wp_error( $result ) ) {
// Email password to new user
wp_new_user_notification( $result, $plaintext_password );
}
}
// Email new user welcome message if plugin option is set.
$this->maybe_email_welcome_message( $approved_user['email'] );
// Add new user to approved list and save (skip if it's
// already there--someone else might have just done it).
if ( $approved_user['multisite_user'] !== 'false' ) {
if ( ! $this->is_email_in_list( $approved_user['email'], 'approved', 'multisite' ) ) {
$auth_multisite_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'multisite admin' )
);
$approved_user['date_added'] = date( 'M Y' );
array_push( $auth_multisite_settings_access_users_approved, $approved_user );
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', $auth_multisite_settings_access_users_approved );
}
} else {
if ( ! $this->is_email_in_list( $approved_user['email'], 'approved' ) ) {
$auth_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'single admin' )
);
$approved_user['date_added'] = date( 'M Y' );
array_push( $auth_settings_access_users_approved, $approved_user );
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
}
// If we've added a new multisite user, go through all pending/approved/blocked lists
// on individual sites and remove this user from them (to prevent duplicate entries).
if ( $approved_user['multisite_user'] !== 'false' && is_multisite() ) {
$list_names = array( 'access_users_pending', 'access_users_approved', 'access_users_blocked' );
foreach ( wp_get_sites( array( 'limit' => 999999 ) ) as $site ) {
foreach ( $list_names as $list_name ) {
$user_list = get_blog_option( $site['blog_id'], 'auth_settings_' . $list_name, array() );
$list_changed = false;
foreach ( $user_list as $key => $user ) {
if ( $user['email'] == $approved_user['email'] ) {
unset( $user_list[$key] );
$list_changed = true;
}
}
if ( $list_changed ) {
update_blog_option( $site['blog_id'], 'auth_settings_' . $list_name, $user_list );
}
}
}
}
} elseif ( $approved_user['edit_action'] === 'remove' ) {
// Remove user from approved list and save
if ( $approved_user['multisite_user'] !== 'false' ) {
if ( $this->is_email_in_list( $approved_user['email'], 'approved', 'multisite' ) ) {
$auth_multisite_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'multisite admin' )
);
foreach ( $auth_multisite_settings_access_users_approved as $key => $existing_user ) {
if ( $approved_user['email'] == $existing_user['email'] ) {
unset( $auth_multisite_settings_access_users_approved[$key] );
break;
}
}
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', $auth_multisite_settings_access_users_approved );
}
} else {
if ( $this->is_email_in_list( $approved_user['email'], 'approved' ) ) {
$auth_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'single admin' )
);
foreach ( $auth_settings_access_users_approved as $key => $existing_user ) {
if ( $approved_user['email'] == $existing_user['email'] ) {
unset( $auth_settings_access_users_approved[$key] );
break;
}
}
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
}
} elseif ( $approved_user['edit_action'] === 'change_role' ) {
// Update user's role in WordPress
$changed_user = get_user_by( 'email', $approved_user['email'] );
if ( $changed_user ) {
if ( is_multisite() && $approved_user['multisite_user'] !== 'false' ) {
foreach ( get_blogs_of_user( $changed_user->ID ) as $blog ) {
add_user_to_blog( $blog->userblog_id, $changed_user->ID, $approved_user['role'] );
}
} else {
$changed_user->set_role( $approved_user['role'] );
}
}
if ( $approved_user['multisite_user'] !== 'false' ) {
if ( $this->is_email_in_list( $approved_user['email'], 'approved', 'multisite' ) ) {
$auth_multisite_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'multisite admin' )
);
foreach ( $auth_multisite_settings_access_users_approved as $key => $existing_user ) {
if ( $approved_user['email'] == $existing_user['email'] ) {
$auth_multisite_settings_access_users_approved[$key]['role'] = $approved_user['role'];
break;
}
}
update_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_access_users_approved', $auth_multisite_settings_access_users_approved );
}
} else {
// Update user's role in approved list and save.
if ( $this->is_email_in_list( $approved_user['email'], 'approved' ) ) {
$auth_settings_access_users_approved = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_approved', 'single admin' )
);
foreach ( $auth_settings_access_users_approved as $key => $existing_user ) {
if ( $approved_user['email'] == $existing_user['email'] ) {
$auth_settings_access_users_approved[$key]['role'] = $approved_user['role'];
break;
}
}
update_option( 'auth_settings_access_users_approved', $auth_settings_access_users_approved );
}
}
}
}
}
// Editing a blocked list entry.
if ( $_POST['setting'] === 'access_users_blocked' ) {
// Initialize posted data if empty.
if ( ! ( array_key_exists( 'access_users_blocked', $_POST ) && is_array( $_POST['access_users_blocked'] ) ) ) {
$_POST['access_users_blocked'] = array();
}
// Deal with each modified user (add or remove).
foreach ( $_POST['access_users_blocked'] as $blocked_user ) {
if ( $blocked_user['edit_action'] === 'add' ) {
// Add new user to blocked list and save (skip if it's
// already there--someone else might have just done it).
if ( ! $this->is_email_in_list( $blocked_user['email'], 'blocked' ) ) {
$auth_settings_access_users_blocked = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_blocked', 'single admin' )
);
$blocked_user['date_added'] = date( 'M Y' );
array_push( $auth_settings_access_users_blocked, $blocked_user );
update_option( 'auth_settings_access_users_blocked', $auth_settings_access_users_blocked );
}
} elseif ( $blocked_user['edit_action'] === 'remove' ) {
// Remove auth_blocked usermeta for the user.
$unblocked_user = get_user_by( 'email', $blocked_user['email'] );
if ( $unblocked_user !== false ) {
delete_user_meta( $unblocked_user->ID, 'auth_blocked', 'yes' );
}
// Remove user from blocked list and save
if ( $this->is_email_in_list( $blocked_user['email'], 'blocked' ) ) {
$auth_settings_access_users_blocked = $this->sanitize_user_list(
$this->get_plugin_option( 'access_users_blocked', 'single admin' )
);
foreach ( $auth_settings_access_users_blocked as $key => $existing_user ) {
if ( $blocked_user['email'] == $existing_user['email'] ) {
unset( $auth_settings_access_users_blocked[$key] );
break;
}
}
update_option( 'auth_settings_access_users_blocked', $auth_settings_access_users_blocked );
}
}
}
}
// Return 'success' value to AJAX call.
die( 'success' );
} // END update_auth_user()
/**
* ***************************
* Helper functions
* ***************************
*/
/**
* Retrieves a specific plugin option from db. Multisite enabled.
*
* @param string $option Option name
* @param string $admin_mode 'multisite admin' will retrieve the multisite value
* @param string $override_mode 'allow override' will retrieve the multisite value if it exists
* @param string $print_mode 'print overlay' will output overlay that hides this option on the settings page
* @return mixed Option value, or null on failure
*/
private function get_plugin_option( $option, $admin_mode = 'single admin', $override_mode = 'no override', $print_mode = 'no overlay' ) {
// Special case for user lists (they are saved seperately to prevent concurrency issues).
if ( in_array( $option, array( 'access_users_pending', 'access_users_approved', 'access_users_blocked' ) ) ) {
$list = $admin_mode === 'multisite admin' ? array() : get_option( 'auth_settings_' . $option );
if ( is_multisite() && $admin_mode === 'multisite admin' ) {
$list = get_blog_option( BLOG_ID_CURRENT_SITE, 'auth_multisite_settings_' . $option, array() );
}
return $list;
}
// Get all plugin options.
$auth_settings = $this->get_plugin_options( $admin_mode, $override_mode );
// Set option to null if it wasn't found.
if ( ! array_key_exists( $option, $auth_settings ) ) {
return null;
}
// If requested and appropriate, print the overlay hiding the
// single site option that is overridden by a multisite option.
if (
$admin_mode !== 'multisite admin' &&
$override_mode === 'allow override' &&
$print_mode === 'print overlay' &&
array_key_exists( 'multisite_override', $auth_settings ) &&
$auth_settings['multisite_override'] === '1' &&
( ! array_key_exists( 'advanced_override_multisite', $auth_settings ) || $auth_settings['advanced_override_multisite'] != '1' )
) {
// Get original plugin options (not overridden value). We'll
// show this old value behind the disabled overlay.
$auth_settings = $this->get_plugin_options( $admin_mode, 'no override' );
$name = "auth_settings[$option]";
$id = "auth_settings_$option"; ?>