Changeset 2577925
- Timestamp:
- 08/04/2021 11:36:19 AM (5 years ago)
- Location:
- secured-wp
- Files:
-
- 16 edited
-
tags/1.4/classes/Controllers/LoginCheck.php (modified) (3 diffs)
-
tags/1.4/classes/Controllers/User.php (modified) (5 diffs)
-
tags/1.4/classes/Helpers/NotifyAdmin.php (modified) (2 diffs)
-
tags/1.4/classes/Secured.php (modified) (1 diff)
-
tags/1.4/classes/Views/UserProfile.php (modified) (3 diffs)
-
tags/1.4/classes/Views/UsersList.php (modified) (1 diff)
-
tags/1.4/secured-wp.php (modified) (2 diffs)
-
tags/1.4/uninstall.php (modified) (1 diff)
-
trunk/classes/Controllers/LoginCheck.php (modified) (3 diffs)
-
trunk/classes/Controllers/User.php (modified) (5 diffs)
-
trunk/classes/Helpers/NotifyAdmin.php (modified) (2 diffs)
-
trunk/classes/Secured.php (modified) (1 diff)
-
trunk/classes/Views/UserProfile.php (modified) (3 diffs)
-
trunk/classes/Views/UsersList.php (modified) (1 diff)
-
trunk/secured-wp.php (modified) (2 diffs)
-
trunk/uninstall.php (modified) (1 diff)
secured-wp/tags/1.4/classes/Controllers/LoginCheck.php
r2576070 r2577925 55 55 public static function check( $user, $username, $password ) { 56 56 57 if ( User::isTwoFaUserExcluded( $username ) ) { 58 return $user; 57 if ( (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() 58 && 59 (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() ) { 60 return $user; 61 } 62 63 if ( (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() || User::isTwoFaUserExcluded( $username ) ) { 64 if ( (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() ) { 65 return $user; 66 } 59 67 } 60 68 … … 75 83 } 76 84 77 if ( null === $user || is_wp_error( $user ) ) {85 if ( null === $user || \is_wp_error( $user ) ) { 78 86 if ( ! (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() ) { 79 87 $userTriedToLogIn = \get_user_by( 'login', $username ); … … 102 110 } elseif ( ! \is_wp_error( $user ) ) { 103 111 LoginAttempts::clearLoginAttempts( $user ); 104 if ( ! (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() && TwoFASettings::isTotpEnabled() ) {112 if ( ! (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() && TwoFASettings::isTotpEnabled() && ! User::isTwoFaUserExcluded( $username ) ) { 105 113 LoginForms::loginTotp( '', $user ); 106 114 -
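Review bot: The two new early-return blocks at lines 57-66 collapse into a single condition — the second block only contributes the "login-attempts off and user excluded" case, since its "login-attempts off and 2FA off" case is already taken by the first — so the intent is clearer and `getGlobalSettingsValue()` is evaluated once if written as `$attemptsOff = (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue();` followed by `if ( $attemptsOff && ( (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() || User::isTwoFaUserExcluded( $username ) ) ) { return $user; }`. The checks further down treat a truthy settings value as "module disabled" (line 86 only records failed attempts when it is false), which is counter-intuitive enough to deserve a comment such as `// A truthy global setting means the module is switched off: nothing to enforce, hand the auth result straight back.` — confirm that reading against the Modules classes. check() ends outside the hunk.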
secured-wp/tags/1.4/classes/Controllers/User.php
r2576070 r2577925 280 280 * 281 281 * @param mixed $user - @see setUser method of this class. 282 * 283 * @return void 284 */ 285 public static function lockUser( $user = null ): void { 282 * @param bool $destroySessions - should we also destroy all the sessions for the user?. 283 * 284 * @return void 285 */ 286 public static function lockUser( $user = null, $destroySessions = false ): void { 286 287 self::setUser( $user ); 287 288 … … 292 293 ); 293 294 294 $manager = \WP_Session_Tokens::get_instance( self::$user->ID ); 295 $manager->destroy_all(); 295 if ( $destroySessions ) { 296 $manager = \WP_Session_Tokens::get_instance( self::$user->ID ); 297 $manager->destroy_all(); 298 } 296 299 } 297 300 … … 340 343 341 344 /** 345 * Deletes user meta 346 * 347 * @param mixed $user - The user for which the TOTP key must be deleted. 348 * 349 * @return void 350 * 351 * @since 1.3 352 */ 353 public static function deleteUserTotp( $user = null ) { 354 self::deleteMeta( self::$totpKeyMetaKeyName, $user ); 355 self::removeUserTotpEnabledMeta( $user ); 356 } 357 358 /** 342 359 * Validates authentication. 343 360 * … … 387 404 public static function enableTotp( $user = null ) { 388 405 self::setMeta( self::$totEnabledKey, true, $user ); 406 } 407 408 /** 409 * Remove the TOTP meta key completely 410 * 411 * @param mixed $user - The user for which the meta must be removed. 412 * 413 * @return void 414 * 415 * @since 1.3 416 */ 417 public static function removeUserTotpEnabledMeta( $user = null ) { 418 self::deleteMeta( self::$totEnabledKey, $user ); 389 419 } 390 420 … … 593 623 594 624 if ( self::isTwoFaUserExcluded( $user ) ) { 595 $status['2FAEnabled'] = __( '2FA enabled: NO', 'secured-wp' );625 $status['2FAEnabled'] = __( '2FA enabled: EXCLUDED', 'secured-wp' ); 596 626 } 597 627 -
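Review bot: `lockUser()` now takes `$destroySessions = false`, so any caller other than the bulk action updated in this changeset locks the account but leaves its live sessions valid — before this change `destroy_all()` ran unconditionally, and a locked user who is still logged in keeps working until the cookie expires. Unless that is intended, default the flag to true (`public static function lockUser( $user = null, $destroySessions = true ): void`) and pass `false` only where a caller explicitly wants sessions kept; the callers are outside this hunk, so audit them either way. The new `deleteUserTotp()` docblock reads "Deletes user meta"; say what it removes: `Removes the user's TOTP secret and the TOTP-enabled flag, leaving the account without 2FA until a new secret is enrolled.` lockUser's body and the enclosing class continue outside the hunk.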
secured-wp/tags/1.4/classes/Helpers/NotifyAdmin.php
r2576070 r2577925 35 35 $url = WPHelper::getSiteUrl(); 36 36 37 $to = \get_ option( 'admin_email' );37 $to = \get_bloginfo( 'admin_email' ); 38 38 39 39 $subject = \__( 'Maximum number of unsuccessful login attempts reached', 'secured-wp' ); … … 51 51 ); 52 52 53 return \wp_mail( $to, $subject, $message ); 53 $headers = [ 'Content-Type: text/html; charset=UTF-8' ]; 54 55 return \wp_mail( $to, $subject, $message, $headers ); 54 56 } 55 57 } -
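Review bot: The notification is now sent as `text/html`, but `$message` is assembled on lines 40-51 outside the hunk and this mail fires after failed logins, so any attacker-controlled value interpolated into it (the attempted login name, an IP or user agent) would be rendered as HTML in the administrator's mail client. Wrap every such value in `esc_html()` where the message is built, or keep the mail plain text by dropping the `$headers` line; the switch to `get_bloginfo( 'admin_email' )` itself is fine. I cannot see the message template from here, so confirm what it interpolates.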
secured-wp/tags/1.4/classes/Secured.php
r2576070 r2577925 301 301 AjaxRequests::initAdmin(); 302 302 303 if ( WPHelper::isMultisite() ) { 304 // add_action( 'personal_options_update', [ $this->user_profiles, 'save_user_2fa_options' ] ); 305 } 303 \add_action( 'personal_options_update', [ 'WPSEC\Views\UserProfile', 'regenerateQRCode' ], 10, 1 ); 304 \add_action( 'edit_user_profile_update', [ 'WPSEC\Views\UserProfile', 'regenerateQRCode' ], 10, 1 ); 306 305 } 307 306 } -
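Review bot: The two `add_action` calls register the same handler on two different hooks without saying why; a comment such as `// personal_options_update fires when a user saves their own profile, edit_user_profile_update when someone with edit_user saves another user's profile; both must reach regenerateQRCode.` would save the next reader a trip to the WordPress docs. The dropped multisite-only branch means the handler now runs on every profile save regardless of multisite — presumably intended, since regenerateQRCode does its own capability and nonce checks, but worth confirming. The enclosing method starts outside the hunk.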
secured-wp/tags/1.4/classes/Views/UserProfile.php
r2576070 r2577925 28 28 */ 29 29 class UserProfile { 30 31 /** 32 * QR code regeneration nonce prefix 33 * 34 * @var string 35 * 36 * @since 1.2 37 */ 38 private static $qrNoncePrefix = '_regenerate-qr-code_'; 30 39 31 40 /** … … 137 146 <hr> 138 147 <?php 139 if ( User::isCurrentlyLogged() && ! (bool) User::isTwoFaUserExcluded() ) {148 if ( \current_user_can( 'edit_user', User::getUser()->ID ) && ! (bool) User::isTwoFaUserExcluded() ) { 140 149 self::editUserQR(); 141 150 } … … 171 180 <div><?php echo \esc_html__( 'Or use the following key, by entering it directly in you preferable authentication application:', 'secured-wp' ); ?></div> 172 181 <div><strong><?php echo \esc_html( $otp->getSecret() ); ?></strong></div> 173 <?php 182 <div class="tablenav"> 183 <div class="alignleft"> 184 <?php 185 $nonce = \wp_create_nonce( self::$qrNoncePrefix . User::getUser()->ID ); 186 187 ?> 188 <input type="hidden" name="qr-nonce" value="<?php echo \esc_attr( $nonce ); ?>" /> 189 <?php 190 191 \submit_button( 192 __( 'Regenerate QR code', 'secured-wp' ), 193 'delete', 194 'regenerate-qr-code', 195 false 196 ); 197 ?> 198 </div> 199 </div> 200 <?php 201 } 202 } 203 204 /** 205 * Deletes the TOTP code for the user, it will be regenerated next time the user logs / see its profile page 206 * 207 * @param int $userId - the user which TOTP must be regenerated. 208 * 209 * @return void 210 * 211 * @since 1.3 212 */ 213 public static function regenerateQRCode( $userId ) { 214 if ( \current_user_can( 'edit_user', $userId ) ) { 215 if ( isset( $_POST['qr-nonce'] ) && 216 \wp_verify_nonce( \sanitize_text_field( \wp_unslash( $_POST['qr-nonce'] ) ), self::$qrNoncePrefix . $userId ) && 217 isset( $_POST['regenerate-qr-code'] ) ) { 218 219 User::deleteUserTotp( $userId ); 220 } 174 221 } 175 222 } -
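Review bot: In `regenerateQRCode()` the nonce is verified before checking whether the regenerate button was actually submitted, so every ordinary profile save pays for `wp_verify_nonce()` and an unrelated save with no nonce is indistinguishable from a forged one; test the cheap guard first, `if ( ! isset( $_POST['regenerate-qr-code'], $_POST['qr-nonce'] ) ) { return; }`, then verify the nonce and delete. The method also clears the enabled flag through `deleteUserTotp()`, so the account runs without 2FA until a new secret is enrolled — that deserves a line in the docblock. The `@since 1.2` / `@since 1.3` tags on code added in the 1.4 changeset look wrong. The class body continues outside the hunk.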
secured-wp/tags/1.4/classes/Views/UsersList.php
r2576070 r2577925 364 364 if ( self::$changeLockedBulkActionName === $doAction ) { 365 365 foreach ( $userIds as $userId ) { 366 User::lockUser( $userId );366 User::lockUser( $userId, true ); 367 367 } 368 368 } -
secured-wp/tags/1.4/secured-wp.php
r2577922 r2577925 9 9 * 10 10 * @link https://wp-secured.com 11 * @since 1.0. 111 * @since 1.0.0 12 12 * @package Secured 13 13 * … … 16 16 * Plugin URI: https://wp-secured.com 17 17 * Description: Provides Security for WP sites. 2FA, login attempts, hardens WP login process 18 <<<<<<< HEAD 18 19 * Version: 1.4 20 ======= 21 * Version: 1.3 22 >>>>>>> 2f789104d0138048ccdce57a31ec7ac6d526f8ba 19 23 * Author: wp-secured 20 24 * Author URI: https://wp-secured.com -
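Review bot: The plugin header now contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 2f789104…`) around the `Version:` line, so the shipped header carries both `Version: 1.4` and `Version: 1.3` and which one WordPress reports depends on its header parser. Resolve the conflict so the header reads only `* Version: 1.4` and drop the three marker lines. The header comment continues outside the hunk.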
secured-wp/tags/1.4/uninstall.php
r2576070 r2577925 1 1 <?php 2 3 2 /** 4 3 * Plugin WPS secured -
secured-wp/trunk/classes/Controllers/LoginCheck.php
r2576070 r2577925 55 55 public static function check( $user, $username, $password ) { 56 56 57 if ( User::isTwoFaUserExcluded( $username ) ) { 58 return $user; 57 if ( (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() 58 && 59 (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() ) { 60 return $user; 61 } 62 63 if ( (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() || User::isTwoFaUserExcluded( $username ) ) { 64 if ( (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() ) { 65 return $user; 66 } 59 67 } 60 68 … … 75 83 } 76 84 77 if ( null === $user || is_wp_error( $user ) ) {85 if ( null === $user || \is_wp_error( $user ) ) { 78 86 if ( ! (bool) \WPSEC\Controllers\Modules\LoginAttempts::getGlobalSettingsValue() ) { 79 87 $userTriedToLogIn = \get_user_by( 'login', $username ); … … 102 110 } elseif ( ! \is_wp_error( $user ) ) { 103 111 LoginAttempts::clearLoginAttempts( $user ); 104 if ( ! (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() && TwoFASettings::isTotpEnabled() ) {112 if ( ! (bool) \WPSEC\Controllers\Modules\TwoFASettings::getGlobalSettingsValue() && TwoFASettings::isTotpEnabled() && ! User::isTwoFaUserExcluded( $username ) ) { 105 113 LoginForms::loginTotp( '', $user ); 106 114 -
secured-wp/trunk/classes/Controllers/User.php
r2576070 r2577925 280 280 * 281 281 * @param mixed $user - @see setUser method of this class. 282 * 283 * @return void 284 */ 285 public static function lockUser( $user = null ): void { 282 * @param bool $destroySessions - should we also destroy all the sessions for the user?. 283 * 284 * @return void 285 */ 286 public static function lockUser( $user = null, $destroySessions = false ): void { 286 287 self::setUser( $user ); 287 288 … … 292 293 ); 293 294 294 $manager = \WP_Session_Tokens::get_instance( self::$user->ID ); 295 $manager->destroy_all(); 295 if ( $destroySessions ) { 296 $manager = \WP_Session_Tokens::get_instance( self::$user->ID ); 297 $manager->destroy_all(); 298 } 296 299 } 297 300 … … 340 343 341 344 /** 345 * Deletes user meta 346 * 347 * @param mixed $user - The user for which the TOTP key must be deleted. 348 * 349 * @return void 350 * 351 * @since 1.3 352 */ 353 public static function deleteUserTotp( $user = null ) { 354 self::deleteMeta( self::$totpKeyMetaKeyName, $user ); 355 self::removeUserTotpEnabledMeta( $user ); 356 } 357 358 /** 342 359 * Validates authentication. 343 360 * … … 387 404 public static function enableTotp( $user = null ) { 388 405 self::setMeta( self::$totEnabledKey, true, $user ); 406 } 407 408 /** 409 * Remove the TOTP meta key completely 410 * 411 * @param mixed $user - The user for which the meta must be removed. 412 * 413 * @return void 414 * 415 * @since 1.3 416 */ 417 public static function removeUserTotpEnabledMeta( $user = null ) { 418 self::deleteMeta( self::$totEnabledKey, $user ); 389 419 } 390 420 … … 593 623 594 624 if ( self::isTwoFaUserExcluded( $user ) ) { 595 $status['2FAEnabled'] = __( '2FA enabled: NO', 'secured-wp' );625 $status['2FAEnabled'] = __( '2FA enabled: EXCLUDED', 'secured-wp' ); 596 626 } 597 627 -
secured-wp/trunk/classes/Helpers/NotifyAdmin.php
r2576070 r2577925 35 35 $url = WPHelper::getSiteUrl(); 36 36 37 $to = \get_ option( 'admin_email' );37 $to = \get_bloginfo( 'admin_email' ); 38 38 39 39 $subject = \__( 'Maximum number of unsuccessful login attempts reached', 'secured-wp' ); … … 51 51 ); 52 52 53 return \wp_mail( $to, $subject, $message ); 53 $headers = [ 'Content-Type: text/html; charset=UTF-8' ]; 54 55 return \wp_mail( $to, $subject, $message, $headers ); 54 56 } 55 57 } -
secured-wp/trunk/classes/Secured.php
r2576070 r2577925 301 301 AjaxRequests::initAdmin(); 302 302 303 if ( WPHelper::isMultisite() ) { 304 // add_action( 'personal_options_update', [ $this->user_profiles, 'save_user_2fa_options' ] ); 305 } 303 \add_action( 'personal_options_update', [ 'WPSEC\Views\UserProfile', 'regenerateQRCode' ], 10, 1 ); 304 \add_action( 'edit_user_profile_update', [ 'WPSEC\Views\UserProfile', 'regenerateQRCode' ], 10, 1 ); 306 305 } 307 306 } -
secured-wp/trunk/classes/Views/UserProfile.php
r2576070 r2577925 28 28 */ 29 29 class UserProfile { 30 31 /** 32 * QR code regeneration nonce prefix 33 * 34 * @var string 35 * 36 * @since 1.2 37 */ 38 private static $qrNoncePrefix = '_regenerate-qr-code_'; 30 39 31 40 /** … … 137 146 <hr> 138 147 <?php 139 if ( User::isCurrentlyLogged() && ! (bool) User::isTwoFaUserExcluded() ) {148 if ( \current_user_can( 'edit_user', User::getUser()->ID ) && ! (bool) User::isTwoFaUserExcluded() ) { 140 149 self::editUserQR(); 141 150 } … … 171 180 <div><?php echo \esc_html__( 'Or use the following key, by entering it directly in you preferable authentication application:', 'secured-wp' ); ?></div> 172 181 <div><strong><?php echo \esc_html( $otp->getSecret() ); ?></strong></div> 173 <?php 182 <div class="tablenav"> 183 <div class="alignleft"> 184 <?php 185 $nonce = \wp_create_nonce( self::$qrNoncePrefix . User::getUser()->ID ); 186 187 ?> 188 <input type="hidden" name="qr-nonce" value="<?php echo \esc_attr( $nonce ); ?>" /> 189 <?php 190 191 \submit_button( 192 __( 'Regenerate QR code', 'secured-wp' ), 193 'delete', 194 'regenerate-qr-code', 195 false 196 ); 197 ?> 198 </div> 199 </div> 200 <?php 201 } 202 } 203 204 /** 205 * Deletes the TOTP code for the user, it will be regenerated next time the user logs / see its profile page 206 * 207 * @param int $userId - the user which TOTP must be regenerated. 208 * 209 * @return void 210 * 211 * @since 1.3 212 */ 213 public static function regenerateQRCode( $userId ) { 214 if ( \current_user_can( 'edit_user', $userId ) ) { 215 if ( isset( $_POST['qr-nonce'] ) && 216 \wp_verify_nonce( \sanitize_text_field( \wp_unslash( $_POST['qr-nonce'] ) ), self::$qrNoncePrefix . $userId ) && 217 isset( $_POST['regenerate-qr-code'] ) ) { 218 219 User::deleteUserTotp( $userId ); 220 } 174 221 } 175 222 } -
secured-wp/trunk/classes/Views/UsersList.php
r2576070 r2577925 364 364 if ( self::$changeLockedBulkActionName === $doAction ) { 365 365 foreach ( $userIds as $userId ) { 366 User::lockUser( $userId );366 User::lockUser( $userId, true ); 367 367 } 368 368 } -
secured-wp/trunk/secured-wp.php
r2577922 r2577925 9 9 * 10 10 * @link https://wp-secured.com 11 * @since 1.0. 111 * @since 1.0.0 12 12 * @package Secured 13 13 * … … 16 16 * Plugin URI: https://wp-secured.com 17 17 * Description: Provides Security for WP sites. 2FA, login attempts, hardens WP login process 18 <<<<<<< HEAD 18 19 * Version: 1.4 20 ======= 21 * Version: 1.3 22 >>>>>>> 2f789104d0138048ccdce57a31ec7ac6d526f8ba 19 23 * Author: wp-secured 20 24 * Author URI: https://wp-secured.com -
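Review bot: The plugin header now contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 2f789104…`) around the `Version:` line, so the shipped header carries both `Version: 1.4` and `Version: 1.3` and which one WordPress reports depends on its header parser. Resolve the conflict so the header reads only `* Version: 1.4` and drop the three marker lines. The header comment continues outside the hunk.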
secured-wp/trunk/uninstall.php
r2576070 r2577925 1 1 <?php 2 3 2 /** 4 3 * Plugin WPS secured