App Passwords: Extract Basic Auth check into a reusable filterable function.
In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end. This commit extracts the Basic Auth check into a reusable function, `wp_is_site_protected_by_basic_auth()`, which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature. In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a `WWW-Authenticate` header to make this detection more robust out of the box. Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs. Fixes #52066. Built from https://develop.svn.wordpress.org/trunk@50006 git-svn-id: http://core.svn.wordpress.org/trunk@49707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
20d961e622
commit
6a8a83ea09
|
@ -88,7 +88,7 @@ if ( is_wp_error( $is_valid ) ) {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
|
if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
|
||||||
wp_die(
|
wp_die(
|
||||||
__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
|
__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
|
||||||
__( 'Cannot Authorize Application' ),
|
__( 'Cannot Authorize Application' ),
|
||||||
|
|
|
@ -739,7 +739,7 @@ endif;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
|
if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) {
|
||||||
?>
|
?>
|
||||||
<div class="create-application-password form-wrap">
|
<div class="create-application-password form-wrap">
|
||||||
<div class="form-field">
|
<div class="form-field">
|
||||||
|
|
|
@ -1685,3 +1685,46 @@ function wp_is_xml_request() {
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if this site is protected by HTTP Basic Auth.
|
||||||
|
*
|
||||||
|
* At the moment, this merely checks for the present of Basic Auth credentials. Therefore, calling this function
|
||||||
|
* with a context different from the current context may give inaccurate results. In a future release, this
|
||||||
|
* evaluation may be made more robust.
|
||||||
|
*
|
||||||
|
* Currently, this is only used by Application Passwords to prevent a conflict since it also utilizes Basic Auth.
|
||||||
|
*
|
||||||
|
* @since 5.6.1
|
||||||
|
*
|
||||||
|
* @global string $pagenow The current page.
|
||||||
|
*
|
||||||
|
* @param string $context The context to check for protection. Accepts 'login', 'admin', and 'front'. Defaults to the current context.
|
||||||
|
*
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
function wp_is_site_protected_by_basic_auth( $context = '' ) {
|
||||||
|
global $pagenow;
|
||||||
|
|
||||||
|
if ( ! $context ) {
|
||||||
|
if ( 'wp-login.php' === $pagenow ) {
|
||||||
|
$context = 'login';
|
||||||
|
} elseif ( is_admin() ) {
|
||||||
|
$context = 'admin';
|
||||||
|
} else {
|
||||||
|
$context = 'front';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$is_protected = ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters whether a site is protected by HTTP Basic Auth.
|
||||||
|
*
|
||||||
|
* @since 5.6.1
|
||||||
|
*
|
||||||
|
* @param bool $is_protected Whether the site is protected by Basic Auth.
|
||||||
|
* @param string $context The context to check for protection. One of 'login', 'admin', or 'front'.
|
||||||
|
*/
|
||||||
|
return apply_filters( 'wp_is_site_protected_by_basic_auth', $is_protected, $context );
|
||||||
|
}
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '5.7-alpha-50005';
|
$wp_version = '5.7-alpha-50006';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue