Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1422006

Timestamp:

05/22/2016 10:53:27 PM (10 years ago)

Author:

WebTechGlobal

Message:

Improvements made to the security feature for forcing administrator accounts limit.

Location:

multitool/trunk

Files:

: 12 edited

classes/class-automation.php (modified) (4 diffs)
classes/class-configuration.php (modified) (1 diff)
classes/class-forms.php (modified) (11 diffs)
classes/class-multitool.php (modified) (3 diffs)
classes/class-requests.php (modified) (5 diffs)
classes/class-schedule.php (modified) (1 diff)
classes/class-wpcore.php (modified) (1 diff)
inc/fields/automationsettings.php (modified) (1 diff)
multitool.php (modified) (2 diffs)
readme.txt (modified) (3 diffs)
views/adminaccounts.php (modified) (6 diffs)
views/main.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

multitool/trunk/classes/class-automation.php

-                      r1420327
+                      r1422006
     /**
+    * Used to determine if automated system is active or not.
+    * This does not apply to administrator triggered automation as
+    * that is required to run on its own.
+    *
+    * @var mixed
+    */
+    public $auto_switch = false;
+    /**
     * Force a delay on all automatic activity. Use this to prevent WTG plugins
     * being too active in short periods of time.
 …
         // Add our own schedule delays to WordPress.
         add_filter( 'cron_schedules', array( $this, 'webtechglobal_custom_cron_schedule' ) );
+        // Get the automation switch status.
+        $this->auto_switch = get_option( 'webtechglobal_auto_switch' );
         // Get the last time any automatic action was taking.
 …
     /**
     * Focuses on updating the schedule table so that it reflects the users
+    * requirements.
+    * requirements i.e. if a plugin is updated, new schedule methods are
+    * added or existing ones changed.
+    *
+    * Can also create cron jobs for WP Cron but this is not fully in use
+    * at this time. It works but it does not offer great enough benefits over
+    * the WTG Cron system.
+    *
     * @author Ryan R. Bayne
 …
     */
     public function webtechglobal_hourly_cron_function( $args ) {
+        global $wpdb;
+        global $wpdb;
+        // If automation not switched on return now.
+        if( !$this->auto_switch )
+        {
+            return false;
+        }
         // Apply an event delay to prevent flooding.
         if( $this->last_auto_time ) {
+        if( $this->last_auto_time ) {
             $seconds_past = time() - $this->last_auto_time;
             if( $seconds_past < $this->auto_delay_all ) {

multitool/trunk/classes/class-configuration.php

-                      r1420327
+                      r1422006
             array( 'admin_notices',                  array( 'multitool', 'admin_notices' ),                               'admin_notices', null ),
             array( 'wp_before_admin_bar_render',     array( 'multitool', 'admin_toolbars',999),                           'pluginscreens', null ),
+            ################################################################
+            #                                                              #
+            #                    AUTOMATION AND SCHEDULING                 #
+            #                                                              #
+            ################################################################
+            // WTG Cron main hourly job processes all scheduled actions.
             array( 'init',                           array( 'multitool', 'webtechglobal_hourly_cron_function', 1 ),       'cron', null ),
+            // Widgets
+            // When admin logged in runs constantly.
+            array( 'init',                           array( 'multitool', 'administrator_triggered_automation', 1 ),       'administrator', null ),
+            ################################################################
+            #                                                              #
+            #                             WIDGETS                          #
+            #                                                              #
+            ################################################################
             array( 'widgets_init',                   array( 'multitool', 'Foo_Widget' ),                                  'widget', null ),

multitool/trunk/classes/class-forms.php

-                      r1420327
+                      r1422006
         'textarea',
         'radiogroup',
+        'boolean',
         'switch',
         'password',
 …
         <input type="hidden" name="<?php echo esc_attr( $this->inputname ); ?>" id="<?php echo esc_attr( $this->inputid ); ?>" value="<?php echo esc_attr( $this->currentvalue );?>"<?php echo $disabled; ?>><?php
+    }
+    /**
+    * table row with two choice radio group styled by WordPress and used for switch type settings
+    *
+    * $current_value should be enabled or disabled, use another method and do not change this if you need other values
+    /**
+    * A boolean radio switch.
+    *
+    * @version 1.0
+    *
+    * @todo Shorten the input lines by moving functions to new lines.
+    */
+    public function input_boolean(){
+        // Init a default value if not passed by the input function.
+        if( !isset( $this->defaultvalue ) ) {
+            $defaultvalue = 0;
+        }
+        // Force a normal default if the giving default is not valid.
+        if( $this->defaultvalue != 1 && $this->defaultvalue != 0 ){
+            $defaultvalue = 0;
+        }
+        // Force a valid current value if the giving is not valid.
+        if( isset( $this->currentvalue ) ) {
+            if( $this->currentvalue != 1 && $this->currentvalue != 0 ){
+                $this->currentvalue = $this->defaultvalue;
+            }
+        }
+        // Apply input disabled state.
+        $disabled = '';
+        if( isset( $this->disabled ) && $this->disabled === true ) {
+            $disabled = ' disabled';
+        }
+        // Apply the selected status.
+        $true = ''; $false = '';
+        if( $this->currentvalue == 1 ) { $true = ' checked';}
+        if( $this->currentvalue == 0 ) { $false = ' checked';}
+        ?>
+        <!-- Option Start -->
+        <tr valign="top">
+            <th scope="row"><?php _e( $this->optiontitle, 'multitool' ); ?></th>
+            <td>
+                <fieldset<?php echo esc_attr( $disabled ); ?>><legend class="screen-reader-text"><span><?php echo esc_html( $this->optiontitle ); ?></span></legend>
+                    <input type="radio" id="<?php echo esc_attr( $this->inputname );?>_enabled" name="<?php echo esc_attr( $this->inputname );?>" value="1" <?php echo $true;?> />
+                    <label for="<?php echo esc_attr( $this->inputname );?>_enabled"> <?php echo esc_html( $this->first_switch_label ); ?></label>
+                    <br />
+                    <input type="radio" id="<?php echo esc_attr( $this->inputname );?>_disabled" name="<?php echo esc_attr( $this->inputname );?>" value="0" <?php echo $false;?> />
+                    <label for="<?php echo esc_attr( $this->inputname );?>_disabled"> <?php echo esc_html( $this->second_switch_label ); ?></label>
+                </fieldset>
+            </td>
+        </tr>
+        <!-- Option End -->
+    <?php
+    }
+    /**
+    * Radio buttons offering two choices. Use as a switch.
+    *
+    * $current_value should be enabled or disabled.
+    *
+    * Use input_boolean() for a true, false approach.
+    *
+    * @param mixed $title
+    * @param mixed $name
+    * @param mixed $id
+    * @param mixed $current_value
+    * @param string $default pass enabled or disabled depending on the softwares default state
+    * @deprecated use input_boolean() and store 1 or 0 not enabled or disabled
     */
     public function input_switch(){
 …
     * Basic radiogroup input.
+    *
-    * @param mixed $title
-    * @param mixed $id
-    * @param mixed $name
-    * @param mixed $radio_array
-    * @param mixed $current
-    * @param mixed $default
-    * @param mixed $validation
     */
     public function input_radiogroup(){
 …
     /**
+    * a standard menu of categories wrapped in <td>
+    * A standard menu of categories wrapped in <td>
+    *
+    * @version 1.0
     */
     public function input_menu_categories(){
 …
     /**
+    * radio group of post types wrapped in <tr>
+    *
+    * @param string $title
+    * @param string $name
+    * @param string $id
+    * @param string $current_value
+    * Radio group of post types wrapped in <tr>
+    *
+    * @version 1.0
     */
     public function input_radiogroup_posttypes(){
 …
     * Radio group of post formats wrapped in table.
+    *
+    * @param mixed $title
+    * @param mixed $name
+    * @param mixed $id
+    * @param mixed $current_value
+    * @param mixed $validation
+    * @version 1.0
     */
     public function input_radiogroup_postformats(){
 …
     * @since 0.0.1
     * @version 1.0
+    *
-    * @param string $title
-    * @param string $name
-    * @param string $id
-    * @param string $validation - pass name of a custom validation function
     */
     public function input_file(){?>
 …
     /**
     * A table row with menu of all WordPress capabilities
+    *
-    * @param mixed $title
-    * @param mixed $id
-    * @param mixed $name
-    * @param mixed $current
+    *
     * @author Ryan R. Bayne
 …
     /**
+    * Two radios with boolean values to act as a toggle/switch.
+    *
+    * @author Ryan R. Bayne
+    * @package WebTechGlobal WordPress Plugins
+    * @since 0.0.1
+    * @version 1.0
+    */
+    public function boolean_basic( $formid, $id, $name, $title, $defaultvalue = 0, $current_value = '', $required = false ) {
+        self::input( $formid, 'boolean', $id, $name, $title, $title, $required, $current_value, array( 'defaultvalue' => $defaultvalue ), array() );
+    }
+    /**
     * Switch configuration (two radios for switching between two states, modes)
+    *
 …
     * @package WebTechGlobal WordPress Plugins
     * @since 0.0.1
     * @version 1.0
+    * @version 1.2
     */
     public function switch_basic( $formid, $id, $name, $title, $defaultvalue = 'disabled', $current_value = '', $required = false ) {
         self::input( $formid, 'switch', $id, $name, $title, $title, $required, $current_value, array( 'defaultvalue' => 'disabled' ), array() );
+        self::input( $formid, 'switch', $id, $name, $title, $title, $required, $current_value, array( 'defaultvalue' => $defaultvalue ), array() );
+    }
 …
     * @param mixed $item_value
     * @param mixed $output
+    *
     * @return mixed
+    *
+    * @version 1.0
     */
     public function is_checked( $actual_value, $item_value, $output = 'return' ){
         if( $actual_value === $item_value){
+        if( $actual_value === $item_value ){
             if( $output == 'return' ){
                 return ' checked';

multitool/trunk/classes/class-multitool.php

-                      r1420327
+                      r1422006
+        }
+    }
+    /**
+    * Administrator Triggered Automation.
+    *
+    * This is an easy way to run tasks normally scheduled but with a user
+    * who is monitoring the blog and can respond to any problems or
+    * evidence that an automated task is over demanding and its activation
+    * by CRON needs to be reviewed.
+    *
+    * @author Ryan R. Bayne
+    * @package WebTechGlobal WordPress Plugins
+    * @since 0.0.0
+    * @version 1.0
+    *
+    * @todo Add field for user to set a delay.
+    * @todo Add options fields for activating individual functions within this method.
+    */
+    public function administrator_triggered_automation() {
+        // Has administration triggered automation been activated?
+        if( !get_option( 'multitool_adm_trig_auto') )
+        {
+            return false;// User has not activated admin triggered automation.
+        }
+        // clear out log table (48 hour log)
+        self::log_cleanup();
+        // Encorce maximum number of administration accounts.
+        $this->SECURITY = self::load_class( 'MULTITOOL_Security', 'class-security.php', 'classes' ); # interface, mainly notices
+        $this->SECURITY->security_adminaccounts_capenforcement();
+    }
     /**
     * Set variables that are required on most pages.
 …
+        }
+    }
-    /**
-    * Administrator Triggered Automation.
+    *
-    * This is an easy way to run tasks normally scheduled but with a user
-    * who is monitoring the blog and can respond to any problems or
-    * evidence that an automated task is over demanding and its activation
-    * by CRON needs to be reviewed.
+    *
-    * @author Ryan R. Bayne
-    * @package WebTechGlobal WordPress Plugins
-    * @since 0.0.0
-    * @version 1.0
-    */
-    public function administrator_triggered_automation() {
-        // clear out log table (48 hour log)
-        self::log_cleanup();
-        // prevent hackers adding administrator accounts, requires a cap
-        self::security_adminaccounts_capenforcement();
+    }
-    /**
-    * Enforces a limit on the number of allowed administration accounts.
+    *
-    * This is something to bring into effect if hackers are injecting data
-    * into wp_users table. Removal of new users is not enough as an infection
-    * or attack may occur again.
+    *
-    * @author Ryan R. Bayne
-    * @package WebTechGlobal WordPress Plugins
-    * @version 1.2
-    */
-    public function security_adminaccounts_capenforcement() {
-        global $multitool_settings;
-        if( !isset( $multitool_settings['securitysettings']['adminaccountcap'] ) ) {
-            return;
+        }
-        $cap = $multitool_settings['securitysettings']['adminaccountcap'];
-        if( !isset( $multitool_settings['securitysettings']['enforceaccountcap'] ) ) {
-            return;
+        }
-        if( $multitool_settings['securitysettings']['enforceaccountcap'] !== true ) {
-            return;
+        }
-        if( !is_numeric( $cap ) ) {
-            return;
+        }
-        // avoid the risk of disabling the only admin account that exists
-        if( $cap < 2 ) {
-            return;
+        }
-        // return admin and NEAR admin and a count of result (array)
-        $total_admin_accounts = self::total_administrators( true, true );
-        if( !$total_admin_accounts['count'] ) {
-            // TODO 2 Task: flag this situation, enforcement active but no cap!?
-            return;// cap setting or file not found (user has not set it up)
+        }
-        if( $total_admin_accounts['count'] > $cap ) {
-            // alert! Possibly hack has happened and may still be in progress.
-            $suspended_accounts = array();
-            $email_content_list = '';
-            // get users OVER the cap then change those LATEST users to subscribers
-            $output = array_slice( $total_admin_accounts['users'], $cap );
-            foreach( $output as $key => $user ) {
-                // for some safety avoid changing user with ID 1
-                if( $user->ID === 1 ) {
-                    continue;
+                }
-                // change potential hacker account to subscriber
-                $u = new WP_User( $user->ID );
-                // Remove role
-                $u->remove_role( 'administrator' );
-                // Add role
-                $u->add_role( 'subscriber' );
-                // store user ID's that have been suspended
-                $suspended_accounts[] = $user->ID;
-                // build content for emailing administrator
-                $email_content_list .= $user->ID . ' - ' . $user->user_email;
-                // add user meta to track the account
-                add_user_meta( $user->ID, 'webtechglobalsuspension', array(
-                    'time' => time(),
-                    'plugin' => MULTITOOL_TITLE,
-                    'reason' => __( 'Possible security breach detected. This user
-                    account may have been created by a hacker. Please consult with
-                    Ryan Bayne at WebTechGlobal if you are unsure why this message
-                    exists in your data. ', 'multitool' ),
-                ), true );
+            }
-            $email_recipients = array();
-            $multiple_recipients[] = get_option( 'admin_email' );
-            $subj = __( 'WebTechGlobal Security Alert: Admin accounts hack', 'multitool' );
-            // set content-type
-            add_filter( 'wp_mail_content_type', array( $this, 'set_html_content_type') );
-            wp_mail( $multiple_recipients, $subj, $email_content_list );
-            // Reset content-type to avoid conflicts -- http://core.trac.wordpress.org/ticket/23578
-            remove_filter( 'wp_mail_content_type', array( $this, 'set_html_content_type') );
+        }
+    }
     public function set_html_content_type() {
 …
         return false;
+    }
-    /**
-    * Count total number of "administrators". This is the beginning of
-    * security to counteract a hack quickly, where illegal users are being
-    * entered into the wp_users table.
+    *
-    * I have added the ability to return the result so that a count and
-    * user query can be done separate and ensure each result matches.
+    *
-    * @author Ryan R. Bayne
-    * @package WebTechGlobal WordPress Plugins
-    * @version 1.0
+    *
-    * @todo include users with highest capabilities ($partial_admin)
-    */
-    public function total_administrators( $partial_admin = false, $return_users = false ) {
-        $args = array(
-            'role'         => 'administrator',
-        );
-        // if $partial_admin = true check for none "administrator" users
-        // who have create_user, delete user or activate_plugin capabilities
-        $users = get_users( $args );
-        $count = count( $users );
-        if( $return_users ) {
-            return array(
-                'count' => $count,
-                'users' => $users
-            );
+        }
-        return $count;
+    }

multitool/trunk/classes/class-requests.php

-                      r1420327
+                      r1422006
         $this->UI->n_postresult_depreciated( 'success', __( 'Log Settings Saved', 'multitool' ), __( 'It may take sometime for new log entries to be created depending on your websites activity.', 'multitool' ) );
+    }
+    /**
+    * Save drip feed limits
+    */
+    public function schedulerestrictions() {
+        $multitool_schedule_array = $this->MULTITOOL->get_option_schedule_array();
+        // if any required values are not in $_POST set them to zero
+        if(!isset( $_POST['day'] ) ){
+            $multitool_schedule_array['limits']['day'] = 0;
+        }else{
+            $multitool_schedule_array['limits']['day'] = $_POST['day'];
+        }
+        if(!isset( $_POST['hour'] ) ){
+            $multitool_schedule_array['limits']['hour'] = 0;
+        }else{
+            $multitool_schedule_array['limits']['hour'] = $_POST['hour'];
+        }
+        if(!isset( $_POST['session'] ) ){
+            $multitool_schedule_array['limits']['session'] = 0;
+        }else{
+            $multitool_schedule_array['limits']['session'] = $_POST['session'];
+        }
+        // ensure $multitool_schedule_array is an array, it may be boolean false if schedule has never been set
+        if( isset( $multitool_schedule_array ) && is_array( $multitool_schedule_array ) ){
+            // if times array exists, unset the [times] array
+            if( isset( $multitool_schedule_array['days'] ) ){
+                unset( $multitool_schedule_array['days'] );
+            }
+            // if hours array exists, unset the [hours] array
+            if( isset( $multitool_schedule_array['hours'] ) ){
+                unset( $multitool_schedule_array['hours'] );
+            }
+        }else{
+            // $schedule_array value is not array, this is first time it is being set
+            $multitool_schedule_array = array();
+        }
+        // loop through all days and set each one to true or false
+        if( isset( $_POST['multitool_scheduleday_list'] ) ){
+            foreach( $_POST['multitool_scheduleday_list'] as $key => $submitted_day ){
+                $multitool_schedule_array['days'][$submitted_day] = true;
+            }
+        }
+        // loop through all hours and add each one to the array, any not in array will not be permitted
+        if( isset( $_POST['multitool_schedulehour_list'] ) ){
+            foreach( $_POST['multitool_schedulehour_list'] as $key => $submitted_hour){
+                $multitool_schedule_array['hours'][$submitted_hour] = true;
+            }
+        }
+        if( isset( $_POST['deleteuserswaiting'] ) )
+        {
+            $multitool_schedule_array['eventtypes']['deleteuserswaiting']['switch'] = 'enabled';
+        }
+        if( isset( $_POST['eventsendemails'] ) )
+        {
+            $multitool_schedule_array['eventtypes']['sendemails']['switch'] = 'enabled';
+        }
+        $this->MULTITOOL->update_option_schedule_array( $multitool_schedule_array );
+        $this->UI->notice_depreciated( __( 'Schedule settings have been saved.', 'multitool' ), 'success', 'Large', __( 'Schedule Times Saved', 'multitool' ) );
+    }
     /**
     * Processes a request by form submission.
 …
         $multitool_settings['developermode']['developermodeswitch'] = $_POST['developermodeswitch'];
         $multitool_settings['api']['twitter']['active'] = $_POST['twitterapiswitch'];
         $this->MULTITOOL->update_settings( $multitool_settings );
         $this->UI->create_notice( __( 'Global switches have been updated. These
 …
         add_option( 'webtechglobal_auto_plugins', array() );
         add_option( 'webtechglobal_auto_actionssettings', array() );
+        // Update automation switch, this is global to all plugins.
+        // Does not apply to administration triggered automation.
+        $existing_auto_value = get_option( 'webtechglobal_auto_switch' );
+        // Also initialize the hourly CRON job which is our basic primary trigger.
+        // TODO: allow user to select Single Hourly Cron or Many Cron
+        if (! wp_next_scheduled ( 'webtechglobal_hourly_cron' )) {
+            wp_schedule_event( time() + 100, 'hourly', 'webtechglobal_hourly_cron', array( 'trigger' => 'hourlycron' ) );
+            $description = __( "A cron job is simply the name of a schedule event controlled by
+            your server. By submitting the automation settings you have setup an hourly cron job which
+            will check for oustanding tasks. This is also done using WordPress core scheduling functions. You have
+            the option of allowing a single hourly cron job to process all tasks or allow this plugin to make
+            cron jobs for all tasks.", 'multitool' );
+            $this->UI->create_notice(
+                $description,
+                'info',
+                'Small',
+                __( 'Hourly Cron Job Scheduled', 'multitool' )
+            );
+        }
+        // Update automation switch, this is global to all plugins.
+        update_option( 'webtechglobal_auto_switch', $_POST['automationswitch'] );
+        if( $_POST['automationswitch'] === 'enabled' )
+        {
+        if( $_POST['automationswitch'] == 1 && $existing_auto_value != 1 )
+        {
+            update_option( 'webtechglobal_auto_switch', 1 );
             $description = __( "Automation and scheduling is now active. This switch
             applies to all WebTechGlobal plugins. However you must submit the same
 …
             );
+        }
         else
+        elseif( $_POST['automationswitch'] == 0 && $existing_auto_value != 0 )
+        {
+            update_option( 'webtechglobal_auto_switch', 0 );
             $description = __( "Automation and scheduling has been disabled. This switch
             applies to all WebTechGlobal plugins. If you had multiple plugins registered
 …
             );
+        }
+        $existing_admintrigauto_value = get_option( 'multitool_adm_trig_auto' );
+        if( $_POST['adminautotrigswitch'] == true && $existing_admintrigauto_value !== true )
+        {
+            update_option( 'multitool_adm_trig_auto', true );
+            $description = __( "Multitool will perform automated tasks while
+            an administrator is logged in and loading WordPress.", 'multitool' );
+            $this->UI->create_notice(
+                $description,
+                'success',
+                'Small',
+                __( 'Administrator Triggered Automation Enabled', 'multitool' )
+            );
+        }
+        elseif( $_POST['adminautotrigswitch'] == false && $existing_admintrigauto_value !== false )
+        {
+            update_option( 'multitool_adm_trig_auto', false );
+            $description = __( "Multitool will not run automation triggered by
+            administrators being logged in and loading WordPress administration
+            views.", 'multitool' );
+            $this->UI->create_notice(
+                $description,
+                'success',
+                'Small',
+                __( 'Administrator Triggered Automation Disabled', 'multitool' )
+            );
+        }
         // Process plugins registration.

multitool/trunk/classes/class-schedule.php

-                      r1420327
+                      r1422006
         $this->DB = $CONFIG->load_class( 'MULTITOOL_DB', 'class-wpdb.php', 'classes' ); # database interaction
         $this->PHP = $CONFIG->load_class( 'MULTITOOL_PHP', 'class-phplibrary.php', 'classes' ); # php library by Ryan R. Bayne
+    }
+    }
     /**
     * Sample scheduled method primarily for WTG Cron system and not WP Cron.

multitool/trunk/classes/class-wpcore.php

-                      r1365891
+                      r1422006
+        }
         return $capabilities_array;
+    }
+    }
+    /**
+    * Count total number of "administrators". This is the beginning of
+    * security to counteract a hack quickly, where illegal users are being
+    * entered into the wp_users table.
+    *
+    * I have added the ability to return the result so that a count and
+    * user query can be done separate and ensure each result matches.
+    *
+    * @author Ryan R. Bayne
+    * @package WebTechGlobal WordPress Plugins
+    * @version 1.0
+    *
+    * @todo include users with highest capabilities ($partial_admin)
+    */
+    public function total_administrators( $partial_admin = false, $return_users = false ) {
+        $args = array(
+            'role'         => 'administrator',
+        );
+        // if $partial_admin = true check for none "administrator" users
+        // who have create_user, delete user or activate_plugin capabilities
+        $users = get_users( $args );
+        $count = count( $users );
+        if( $return_users ) {
+            return array(
+                'count' => $count,
+                'users' => $users
+            );
+        }
+        return $count;
+    }
+}
 ?>

multitool/trunk/inc/fields/automationsettings.php

-                      r1420327
+                      r1422006
 <?php
 // Global switch for WebTechGlobal automation class.
+$this->FORMS->switch_basic(
+$autoswitch_current = get_option( 'webtechglobal_auto_switch', 'multitool' );
+$this->FORMS->boolean_basic(
     $formid,
     'automationswitch',
     'automationswitch',
     __( 'Automation Switch', 'multitool' ),
     'disabled',
     get_option( 'webtechglobal_auto_switch', 'multitool' ),
+,
+    $autoswitch_current,
     false
 );
+// Plugin switch for Multitool administrator triggered automation.
+$adminauto_current = get_option( 'multitool_adm_trig_auto', 'multitool' );
+$this->FORMS->boolean_basic(
+    $formid,
+    'adminautotrigswitch',
+    'adminautotrigswitch',
+    __( 'Administration Triggered Automation', 'multitool' ),
+,
+    $adminauto_current,
+    false
+);
+// TODO: add check boxes for individual admin triggered auto actions. See administrator_triggered_automation().
 // Display a list of the plugins that have been added to the automation system.

multitool/trunk/multitool.php

-                      r1420327
+                      r1422006
 /*
 Plugin Name: Multitool Beta
 Version: 1.0.3
+Version: 1.0.4
 Plugin URI: http://www.webtechglobal.co.uk/wtg-plugin-framework-wordpress/
 Description: Multitool does a little bit of everything.
 …
 // define package constants...
 if(!defined( "MULTITOOL_VERSION") ){define( "MULTITOOL_VERSION", '1.0.3' );}
+if(!defined( "MULTITOOL_VERSION") ){define( "MULTITOOL_VERSION", '1.0.4' );}
 if(!defined( "MULTITOOL_RELEASENAME") ){define( "MULTITOOL_RELEASENAME", 'Beta' );}
 if(!defined( "MULTITOOL_TITLE") ){define( "MULTITOOL_TITLE", 'Multitool' );}

multitool/trunk/readme.txt

-                      r1420327
+                      r1422006
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Tags: Tool Kit, Tools Kit, Tools, Multi, Multitool
+Tags: Tool Kit, Tools Kit, Tools, Multi, Multitool, cron, scheduling
 Requires at least: 3.8.0
 Tested up to: 4.3.1
 Stable tag: trunk
 Multitool is a place for new ideas to start before becoming the full plugin.
+Multitool aims to cover all aspects of WordPress in one massive plugin.
 == Description ==
 …
 == Changelog ==
+= 1.0.4 =
+* Feature Changes
+    * "Hourly Cron Job Scheduled" is not longer displayed when submitting main scheduling settings.
+    * Maximum Admin Accounts input now displays the stored value. It was always saved, just not displays in form.
+    * Security section and on admin accounts tab now has information about the most recent breach.
+* Technical Notes
+    * The WP cron job "webtechglobal_hourly_cron" is no longer initiated.
+    * Maximum admin accounts security no longer adds subscriber role, it only removed administrator role.
+    * Admin accounts security now disables all admin accounts apart from those with ID's 1 and 2
 = 1.0.3 =
 * Feature Changes
 …
     * Added jQuery UI .css and images
     * get_currentuserinfo() depreciated and replaced with wp_get_current_user()
+    * jQuery UI files added for datepicker and timepicker in-one
+    * Changed the way the plugin is initiated. Now uses init() and sets global $MULTITOOL_Class.
 = 1.0.2 =

multitool/trunk/views/adminaccounts.php

-                      r1420327
+                      r1422006
             array( $this->view_name . '-capmonitoringswitch', __( 'Admin Cap Monitoring', 'multitool' ), array( $this, 'parent' ), 'side','default',array( 'formid' => 'capmonitoringswitch' ), true, 'activate_plugins' ),
             array( $this->view_name . '-maximumadministrators', __( 'Maximum Administrators (cap)', 'multitool' ), array( $this, 'parent' ), 'normal','default',array( 'formid' => 'maximumadministrators' ), true, 'activate_plugins' ),
+            array( $this->view_name . '-securityeventadmincap', __( 'Security Breach Details', 'multitool' ), array( $this, 'parent' ), 'normal','default',array( 'formid' => 'securityeventadmincap' ), true, 'activate_plugins' ),
         );
+    }
 …
     /**
+    * Set a maximum number of adminstrator accounts. This is very simple. All
+    * we need to do is keep counting the number of administrators. I may
+    * do that by caching the administrator user ID's, caching the highest
+    * ID, get all ID's above the highest and check them for admin rights. If
+    * any have admin rights, check the user ID agains those cached as original
+    * legal administrators. If the new admin ID is not in that cache then the
+    * new admin is illegal.
+    * Set a maximum number of adminstrator accounts.
+    *
     * @author Ryan Bayne
 …
     * @todo allow user to enter email address for the security alert
     */
+    public function postbox_adminaccounts_maximumadministrators( $data, $box ) {
+    public function postbox_adminaccounts_maximumadministrators( $data, $box ) {
+        global $multitool_settings;
         $intro = __( 'This form allows you to enter
         the maximum number of administrators permitted to exist in the database.
+        If a hacker injects new user accounts and those accounts turn out to be
+        administrators. This plugin will change those accounts to subscribers and
+        notify the original key holder (first admin created).', 'multitool' );
+        If a hacker injects new admin user into your database this plugin will
+        change those accounts to subscribers and
+        notify the original key holder (first admin created). We do not ever
+        automatically delete a user and the code does not exist in this procedure
+        to do that.', 'multitool' );
         $this->UI->postbox_content_header( $box['title'], $box['args']['formid'], $intro, false );
         $this->FORMS->form_start( $box['args']['formid'], $box['args']['formid'], $box['title'] );
         $current_value = '';
         if( isset( $multitool_settings['securitysettings']['adminaccountcap'] ) ) {
 …
                 array( 'numeric' )
             );
+            // Display total number of administrators.
+            $user_query = new WP_User_Query( array( 'role' => 'Administrator' ) );
+            $total_admins = count( $user_query );
+            $this->FORMS->input_emptyrow( __( 'Total Administrators', 'multitool' ), $total_admins );
             ?>
 …
             $intro = __( 'Disable Administrator Account Cap enforcement. This is
             a security feature that frequently checks user data. It is recommended
             that you run it temporarily or configure this plugin so that the checks
             are less frequent. If you activated it because your WordPress was hacked
             you should be aware that this feature is not a fix and only makes it harder
             for a hacker/bot to use illegal administration accounts.', 'multitool' );
             $button_text = __( 'Disabled Security Measure', 'multitool' );
+            a security feature that frequently checks user data. If it detects
+            extra administrator accounts it takes action. Do not disable it if you
+            are under constant attack from hackers who inject new administrator
+            accounts into your user table or change a normal registered subscriber
+            to an administrator.', 'multitool' );
+            $button_text = __( 'Disable Security Measure', 'multitool' );
         } else {
+            $intro = __( 'Activate in the event of your WordPress being hacked/infected
+            and you have confirmed the creation of illegal administrator accounts.
+            This plugin will frequently check for new user accounts with the
+            administrator role, then downgrade them to subscribers. It will also
+            send you an email detailing accounts that are under suspicion. To make
+            this work you must submit the "Maximum Administrators (cap)" form.
+            $intro = __( 'Activate to monitor the total number of administrators
+            in your user table. If a hacker injects a new user or changes a
+            seemingly harmless subscriber account to an administrator this
+            plugin will prevent them using the administration account.
+            All administrator accounts will have their administrator capability
+            removed apart from those with ID 1 and 2. This covers any situation
+            where a previously trusted administrator account is breached. The
+            account with ID 2 is often and administrator also. It is a common
+            practice to create a second administrator account when WordPress is
+            setup. It is also less likely to be the account that is breached even
+            if it is a subscriber.
             ', 'multitool' );
+        }
 …
         $this->UI->postbox_content_footer( $button_text );
+    }
+    /**
+    * Information about the most recent security breach that
+    * involves extra administration accounts.
+    *
+    * @author Ryan Bayne
+    * @package Multitool
+    * @since 0.0.1
+    * @version 1.0
+    *
+    * @todo Create button or just a link for resetting the security event option.
+    */
+    public function postbox_adminaccounts_securityeventadmincap( $data, $box ) {
+        global $multitool_settings;
+        $securityevent = get_option( 'multitool_securityevent_admincap' );
+        if( !is_array( $securityevent ) ) {
+            $intro = __( 'Mulitool security has not detected extra administration
+            accounts in your user table and there are no records of a security
+            breech of this nature.', 'multitool' );
+        } else {
+             $intro = __( 'There are details about a possible security breach stored
+            in your database. This breach is related to extra administrators being
+            detected in the user table. Please review the information below and
+            decide yourself. Illegal accounts should have been disabled by Multitool
+            but you should ensure that is the case.', 'multitool' );
+        }
+        $this->UI->postbox_content_header(
+            $box['title'],
+            $box['args']['formid'],
+            $intro,
+            false
+        );
+        $this->FORMS->form_start( $box['args']['formid'], $box['args']['formid'], $box['title'] );
+        if( is_array( $securityevent ) ) {
+            ?>
+                <table class="form-table">
+                <?php
+                $time = '';
+                $limit = '';
+                if( is_array( $securityevent ) ) {
+                    $time = date( 'Y-m-d H:i:s', $securityevent['time'] );
+                    $limit = $securityevent['cap'];
+                }
+                $this->FORMS->input_emptyrow( __( 'Detection Time', 'multitool' ), $time );
+                $this->FORMS->input_emptyrow( __( 'Admin Limit Was', 'multitool' ), $limit );
+                ?>
+                </table>
+            <?php
+            $this->UI->postbox_content_footer( __( 'Reset Security Information', 'multitool' ) );
+        }
+    }
 }?>

multitool/trunk/views/main.php

-                      r1420327
+                      r1422006
             $this->UI->option_switch( __( 'Dashboard Widgets Switch', 'multitool' ), 'dashboardwidgetsswitch', 'dashboardwidgetsswitch', $multitool_settings['widgetsettings']['dashboardwidgetsswitch'], 'Enabled', 'Disabled', 'disabled' );
             $this->UI->option_switch( __( 'Developer Mode', 'multitool' ), 'developermodeswitch', 'developermodeswitch', $multitool_settings['developermode']['developermodeswitch'], 'Enabled', 'Disabled', 'disabled' );
             $this->UI->option_switch( __( 'Twitter API Switch', 'multitool' ), 'twitterapiswitch', 'twitterapiswitch', $multitool_settings['api']['twitter']['active'], 'Enabled', 'Disabled', 'disabled' );
+            $this->UI->option_switch( __( 'Twitter API Switch', 'multitool' ), 'twitterapiswitch', 'twitterapiswitch', $multitool_settings['api']['twitter']['active'], 'Enabled', 'Disabled', 'disabled' );
             ?>
             </table>
 …
     */
     public function postbox_main_twitterupdates( $data, $box ) {
+        $introduction = __( 'Follow the WTG Twitter account for news on all things
+        to do with the web - including updates about this plugin.', 'wtgeci' );
+        $introduction = __( 'Follow the WTG Twitter account for news updates on this plugins development.', 'wtgeci' );
         echo "<p class=\"multitool_boxes_introtext\">". $introduction ."</p>"
         ?>

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: