From a41a94e6c0395222c0f7cbba740e7c88c5dd35f6 Mon Sep 17 00:00:00 2001 From: Jonathan Champ Date: Fri, 27 Aug 2021 12:45:11 -0400 Subject: [PATCH 1/7] phpcs: automatic fixes + manual cleanup --- options-admin.php | 843 ++++++++++++++++++++++++++++++---------------- options-user.php | 87 +++-- shibboleth.php | 151 +++++---- 3 files changed, 692 insertions(+), 389 deletions(-) diff --git a/options-admin.php b/options-admin.php index 3bfa7a2..ab62971 100644 --- a/options-admin.php +++ b/options-admin.php @@ -10,9 +10,14 @@ * @since 1.9 */ function shibboleth_admin_tabs( $current = 'general' ) { - $tabs = array( 'general' => 'General', 'user' => 'User', 'authorization' => 'Authorization', 'logging' => 'Logging' ); + $tabs = array( + 'general' => 'General', + 'user' => 'User', + 'authorization' => 'Authorization', + 'logging' => 'Logging', + ); echo ''; } @@ -112,7 +115,7 @@ function shibboleth_options_page() { $shib_headers = (array) get_site_option( 'shibboleth_headers' ); $shib_headers = array_merge( $shib_headers, $_POST['headers'] ); /** - * filter shibboleth_form_submit_headers + * Filter shibboleth_form_submit_headers * * @param $shib_headers array * @since 1.4 @@ -136,7 +139,7 @@ function shibboleth_options_page() { $shib_roles = (array) get_site_option( 'shibboleth_roles' ); $shib_roles = array_merge( $shib_roles, $_POST['shibboleth_roles'] ); /** - * filter shibboleth_form_submit_roles + * Filter shibboleth_form_submit_roles * * @param $shib_roles array * @since 1.4 @@ -171,7 +174,7 @@ function shibboleth_options_page() { } /** - * action shibboleth_form_submit + * Action shibboleth_form_submit * * @since 1.4 * Hint: use global $_POST within the action. @@ -186,7 +189,7 @@ function shibboleth_options_page() {
-

+

-

+

-

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ); ?>

+

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?>

- + - + - + - + - + - > - + > + - > - + > + > - + - + - + - + - + so add a with appropriate styling. * @@ -524,45 +537,47 @@ function AttributeAccessMethod() { ?> -

+

-

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ); ?>

+

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?>

-

+

attribute-map.xml (for Shibboleth 2.x) or' - . ' AAP.xml (for Shibboleth 1.x).', - 'shibboleth' + echo wp_kses_post( + __( + 'Define the Shibboleth headers which should be mapped to each user profile attribute. These + header names are configured in attribute-map.xml (for Shibboleth 2.x) or + AAP.xml (for Shibboleth 1.x).', + 'shibboleth' + ) ); ?>

- : + : Shibboleth 1.3 | Shibboleth 2

/>
-
: +
: Shibboleth 1.3 | Shibboleth 2
/>
-
: +
: Shibboleth 1.3 | Shibboleth 2
/>
- +
/>
- ALL users here to reset their password.', 'shibboleth' ); ?> + ALL users here to reset their password.', 'shibboleth' ) ); ?>

REDIRECT_, you should select the "Redirected Environment Variables" option. If you are running ' - . 'your Shibboleth Service Provider on a reverse proxy, you should select the "HTTP Headers" option and, if at all possible, add a spoofkey below. ' - . ' If you are running Shibboleth with a custom prefix, you should select the "Custom Prefix" option and complete the "Custom Attribute Access Prefix" field that appears below.', - 'shibboleth' + echo wp_kses_post( + __( + 'By default, attributes passed from your Shibboleth Service Provider will be accessed using standard environment variables. + For most users, leaving these defaults is perfectly fine. If you are running a special server configuration that results in environment variables + being sent with the prefix REDIRECT_, you should select the "Redirected Environment Variables" option. If you are running + your Shibboleth Service Provider on a reverse proxy, you should select the "HTTP Headers" option and, if at all possible, add a spoofkey below. + If you are running Shibboleth with a custom prefix, you should select the "Custom Prefix" option and complete the "Custom Attribute Access Prefix" field that appears below.', + 'shibboleth' + ) ); ?>

/>

WARNING: If you incorrectly set this option, you will force ALL attempts to authenticate with Shibboleth to fail.', - 'shibboleth' + echo wp_kses_post( + __( + 'If you wish to use a custom attribute access prefix, enter it here. This field is case-insensitive. +
WARNING: If you incorrectly set this option, you will force ALL attempts to authenticate with Shibboleth to fail.', + 'shibboleth' + ) ); ?>

/>

this wiki document. ' - . '
WARNING: If you incorrectly set this option, you will force ALL attempts to authenticate with Shibboleth to fail.', - 'shibboleth' + echo wp_kses_post( + __( + 'For more details on setting a spoof key on the Shibboleth Service Provider, see this wiki document. +
WARNING: If you incorrectly set this option, you will force ALL attempts to authenticate with Shibboleth to fail.', + 'shibboleth' + ) ); ?>

/> - +

@@ -392,21 +401,21 @@ function shibboleth_options_page() {

/> - +

@@ -414,60 +423,64 @@ function shibboleth_options_page() {

/> - +

wp_signon() call and wp_safe_redirect() back to the $_SERVER[\'REQUEST_URI\'].', - 'shibboleth' + echo wp_kses_post( + __( + 'If set, this option checks to see if a Shibboleth session exists on every page load, and, + if it does, forces a wp_signon() call and wp_safe_redirect() back to the $_SERVER[\'REQUEST_URI\'].', + 'shibboleth' + ) ); ?>

/> - +

WARNING: Disabling local authentication can potentially lock you out of WordPress if you have misconfigured the plugin or have a non-functional Shibboleth Service Provider. ' - . 'Make sure that you are confident your configuration is functional before enabling this option.', - 'shibboleth' + echo wp_kses_post( + __( + 'WARNING: Disabling local authentication can potentially lock you out of WordPress if you have misconfigured the plugin or have a non-functional Shibboleth Service Provider. + Make sure that you are confident your configuration is functional before enabling this option.', + 'shibboleth' + ) ); ?>

/>
-

wp-login.php page.', 'shibboleth' ); ?>

+

wp-login.php page.', 'shibboleth' ) ); ?>

- + - + + + + + - + - +
/> - /> + />
- - - -
/> - +

Authorization tab. ' - . 'If a user does not match any mappings, they will be placed into the role selected under "Default Role" on the Authorization tab.', - 'shibboleth' + echo wp_kses_post( + __( + 'Automatically created users will be provisioned with the role that they map to, as defined on the Authorization tab. + If a user does not match any mappings, they will be placed into the role selected under "Default Role" on the Authorization tab.', + 'shibboleth' + ) ); ?>


' - . 'Prevent Manual Account Merging: This option does not allow users to manually link accounts.
' - . 'Allow Manual Account Merging: This option allows users to manually link accounts if they share a username with both a local and a Shibboleth account. ' - . 'This option WILL NOT prevent an error if another user shares the email passed via Shibboleth attributes.
' - . 'Allow Manual Account Merging (Bypass Username Management): Occasionally, users have pre-existing local WordPress user accounts with a different username than that provided via Shibboleth attributes. ' - . 'This option allows users to manually link accounts by bypassing the username management requirement.', - 'shibboleth' + echo wp_kses_post( + __( + 'This option offers users the ability to manually link their local accounts to Shibboleth from their profile page.

+ Prevent Manual Account Merging: This option does not allow users to manually link accounts.
+ Allow Manual Account Merging: This option allows users to manually link accounts if they share a username with both a local and a Shibboleth account. + This option WILL NOT prevent an error if another user shares the email passed via Shibboleth attributes.
+ Allow Manual Account Merging (Bypass Username Management): Occasionally, users have pre-existing local WordPress user accounts with a different username than that provided via Shibboleth attributes. + This option allows users to manually link accounts by bypassing the username management requirement.', + 'shibboleth' + ) ); ?>

@@ -739,16 +762,16 @@ function AttributeAccessMethod() { $constant = $constant || $from_constant; ?> -

+

-

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ); ?>

+

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?>

@@ -774,15 +797,17 @@ function AttributeAccessMethod() {

Current Limitations: While WordPress supports users having' - . ' multiple roles, the Shibboleth plugin will only place the user in the highest ranking' - . ' role. Only a single header/value pair is supported for each user role. This may be' - . ' expanded in the future to support multiple header/value pairs or regular expression' - . ' values. In the meantime, you can use the shibboleth_roles and' - . ' shibboleth_user_role WordPress filters to provide your own logic for assigning' - . ' user roles.', - 'shibboleth' + echo wp_kses_post( + __( + 'Current Limitations: While WordPress supports users having + multiple roles, the Shibboleth plugin will only place the user in the highest ranking + role. Only a single header/value pair is supported for each user role. This may be + expanded in the future to support multiple header/value pairs or regular expression + values. In the meantime, you can use the shibboleth_roles and + shibboleth_user_role WordPress filters to provide your own logic for assigning + user roles.', + 'shibboleth' + ) ); ?>

@@ -795,7 +820,7 @@ function AttributeAccessMethod() { - +
@@ -804,19 +829,27 @@ function AttributeAccessMethod() { - - + + role_names as $key => $name ) { + $header = ''; + if ( isset( $shib_roles[ $key ]['header'] ) ) { + $header = $shib_roles[ $key ]['header']; + } + $value = ''; + if ( isset( $shib_roles[ $key ]['value'] ) ) { + $value = $shib_roles[ $key ]['value']; + } echo ' - - - + + + '; } ?> @@ -827,30 +860,30 @@ function AttributeAccessMethod() { - + - + From e3311f2bfe3ad2553f17f1a7ef12f628f56fcf60 Mon Sep 17 00:00:00 2001 From: Jonathan Champ Date: Fri, 27 Aug 2021 16:58:51 -0400 Subject: [PATCH 7/7] release: v2.4 --- readme.txt | 8 +++++++- shibboleth.php | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/readme.txt b/readme.txt index b80b72d..82aec0e 100644 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Tags: shibboleth, authentication, login, saml Requires at least: 4.0 Tested up to: 5.8 Requires PHP: 5.6 -Stable tag: 2.3 +Stable tag: 2.4 Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider. 
@@ -197,6 +197,12 @@ This update brings with it a major change to the way Shibboleth attributes are a This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers == Changelog == += version 2.4 (2021-08-27) = + - Added hooks for hopefully rare cases where user overrides are necessary; thanks @dsXLII [#74](https://github.com/michaelryanmcneill/shibboleth/issues/74) + - Better login form support for WordPress 5.3; thanks @jakeparis [#76](https://github.com/michaelryanmcneill/shibboleth/issues/76) + - Spelling fixes; thanks @junaidkbr [#72](https://github.com/michaelryanmcneill/shibboleth/pull/72) + - General cleanup to better align with the WordPress Coding Standards [#80](https://github.com/michaelryanmcneill/shibboleth/pull/80) + = version 2.3 (2020-08-17) = - Implementing a fallback option for the "Shibboleth Attribute Access Method". For example, if your web server returns redirected environment variables, but occasionally returns standard environment variables, you would want to enable this option. - Removing deprecated `create_function()` from use. diff --git a/shibboleth.php b/shibboleth.php index 03cb860..36a86c4 100644 --- a/shibboleth.php +++ b/shibboleth.php @@ -9,7 +9,7 @@ * Plugin URI: https://wordpress.org/plugins/shibboleth/ * Description: Easily externalize user authentication to a Shibboleth Service Provider * Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris - * Version: 2.3 + * Version: 2.4 * Requires PHP: 5.6 * Requires at least: 4.0 * License: Apache 2 (https://www.apache.org/licenses/LICENSE-2.0.html) 
@@ -18,7 +18,7 @@ define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.0' ); define( 'SHIBBOLETH_MINIMUM_PHP_VERSION', '5.6' ); -define( 'SHIBBOLETH_PLUGIN_VERSION', '2.3' ); +define( 'SHIBBOLETH_PLUGIN_VERSION', '2.4' ); /** * Determine if this is a new install or upgrade and, if so, run the
' . __( $name ) . '' . esc_html( $name ) . '

@@ -859,7 +892,7 @@ function AttributeAccessMethod() {

/> - +

not update user roles manually,' - . ' since they will be overwritten from Shibboleth the next time the user logs in. Note that Shibboleth data' - . ' is always used to populate the initial user role during account creation.', - 'shibboleth' + echo wp_kses_post( + __( + 'Be aware that if you use this option, you should not update user roles manually, + since they will be overwritten from Shibboleth the next time the user logs in. Note that Shibboleth data + is always used to populate the initial user role during account creation.', + 'shibboleth' + ) ); ?>

@@ -886,7 +921,7 @@ function AttributeAccessMethod() { -

+

-

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ); ?>

+

Note: Some options below are defined in the wp-config.php file as constants and cannot be modified from this page.', 'shibboleth' ) ); ?>

- + - + - + - +
/> - +
/> - +
/> - +
/> - +
@@ -962,7 +997,7 @@ function AttributeAccessMethod() { wp_nonce_field( 'shibboleth_update_options' ); ?>

- +

diff --git a/options-user.php b/options-user.php index d0b2c09..6df95c4 100644 --- a/options-user.php +++ b/options-user.php @@ -1,4 +1,10 @@ jQuery(function() { - jQuery("' . $selectors . '").attr("disabled", true); + jQuery("' . esc_attr( $selectors ) . '").attr("disabled", true); jQuery("#first_name").parents(".form-table").before("

' - . __( 'Some profile fields cannot be changed from WordPress.', 'shibboleth' ) . '

"); + . esc_attr( __( 'Some profile fields cannot be changed from WordPress.', 'shibboleth' ) ) . '

"); jQuery("form#your-profile").submit(function() { - jQuery("' . $selectors . '").attr("disabled", false); + jQuery("' . esc_attr( $selectors ) . '").attr("disabled", false); }); if(jQuery("#email").is(":disabled")){ jQuery("#email-description").hide(); @@ -76,11 +82,11 @@ function shibboleth_change_password_profile_link() { ?> - + @@ -96,7 +102,7 @@ function shibboleth_change_password_profile_link() { * Ensure profile data isn't updated when managed. * * @since 2.3 - * @param int $user_id + * @param int $user_id The ID of the user. */ function shibboleth_prevent_managed_fields_update( $user_id ) { @@ -134,25 +140,25 @@ function shibboleth_prevent_managed_fields_update( $user_id ) { * Adds a button to user profile pages if administrator has allowed * users to manually combine accounts. * - * @param object $user WP_User object + * @param object $user WP_User object. * @since 1.9 */ function shibboleth_link_accounts_button( $user ) { $allowed = shibboleth_getoption( 'shibboleth_manually_combine_accounts', 'disallow' ); - if ( $allowed === 'allow' || $allowed === 'bypass' ) { + if ( 'allow' === $allowed || 'bypass' === $allowed ) { $linked = get_user_meta( $user->ID, 'shibboleth_account', true ); ?>
- + @@ -172,18 +178,18 @@ function shibboleth_link_accounts_button( $user ) { function shibboleth_link_accounts() { $screen = get_current_screen(); - if ( is_admin() && $screen->id == 'profile' ) { + if ( is_admin() && 'profile' === $screen->id ) { $user_id = get_current_user_id(); // If profile page has ?shibboleth=link action and current user can edit their profile, proceed - if ( isset( $_GET['shibboleth'] ) && $_GET['shibboleth'] === 'link' && current_user_can( 'edit_user', $user_id ) ) { + if ( isset( $_GET['shibboleth'] ) && 'link' === $_GET['shibboleth'] && current_user_can( 'edit_user', $user_id ) ) { $shib_logging = shibboleth_getoption( 'shibboleth_logging', false, true ); $allowed = shibboleth_getoption( 'shibboleth_manually_combine_accounts', 'disallow' ); // If user's account is not already linked with shibboleth, proceed if ( ! get_user_meta( $user_id, 'shibboleth_account' ) ) { // If manual account merging is enabled, proceed - if ( $allowed === 'allow' || $allowed === 'bypass' ) { + if ( 'allow' === $allowed || 'bypass' === $allowed ) { // If there is an existing shibboleth session, proceed if ( shibboleth_session_active() ) { $shib_headers = shibboleth_getoption( 'shibboleth_headers', false, true ); @@ -221,7 +227,7 @@ function shibboleth_link_accounts() { exit; } // If email matches and username bypass is enabled, check if there is a conflict with the username - } elseif ( strtolower( $user->user_email ) === strtolower( $email ) && $allowed === 'bypass' ) { + } elseif ( strtolower( $user->user_email ) === strtolower( $email ) && 'bypass' === $allowed ) { $prevent_conflict = get_user_by( 'user_login', $username ); // If email matches and there is no existing account with the username, safe to merge if ( ! $prevent_conflict->ID ) { 
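Review bot: In the `@@ -172,18 +178,18 @@` hunk the account-link branch is entered on `isset( $_GET['shibboleth'] ) && 'link' === $_GET['shibboleth'] && current_user_can( 'edit_user', $user_id )`, so a state-changing action is driven by a bare GET parameter with no nonce check visible. Unless a nonce is verified further down (shibboleth_link_accounts() continues past the hunk), a cross-site request could link the logged-in user's account to whatever Shibboleth session the browser currently holds. I would build the profile link with `wp_nonce_url( $url, 'shibboleth_link_account' )` and call `check_admin_referer( 'shibboleth_link_account' );` before the `get_user_meta()` test. The action name here is a placeholder.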
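Review bot: In the `@@ -221,7 +227,7 @@` hunk the username-conflict check calls `get_user_by( 'user_login', $username )`, and as far as I know get_user_by() only accepts `id`, `ID`, `slug`, `email` and `login` as its field, returning false for anything else. If so, `! $prevent_conflict->ID` is always true, and the bypass merge goes ahead even when another local account already owns the Shibboleth username. I would change the lookup to `$prevent_conflict = get_user_by( 'login', $username );` and the test to `if ( ! $prevent_conflict ) {`. The enclosing function starts and ends outside this hunk.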
@@ -287,7 +293,7 @@ function shibboleth_disable_password_changes() { $bypass = defined( 'SHIBBOLETH_ALLOW_LOCAL_AUTH' ) && SHIBBOLETH_ALLOW_LOCAL_AUTH; if ( $disable && ! $bypass ) { - add_filter( 'show_password_fields', '__return_false' ); + add_filter( 'show_password_fields', '__return_false' ); } } @@ -300,13 +306,13 @@ function shibboleth_disable_password_changes() { */ function shibboleth_link_accounts_notice() { if ( isset( $_GET['shibboleth'] ) ) { - if ( $_GET['shibboleth'] === 'failed' ) { + if ( 'failed' === $_GET['shibboleth'] ) { $class = 'notice notice-error'; $message = __( 'Your account was unable to be linked with Shibboleth.', 'shibboleth' ); - } elseif ( $_GET['shibboleth'] === 'linked' ) { + } elseif ( 'linked' === $_GET['shibboleth'] ) { $class = 'notice notice-success is-dismissible'; $message = __( 'Your account has been linked with Shibboleth.', 'shibboleth' ); - } elseif ( $_GET['shibboleth'] === 'duplicate' ) { + } elseif ( 'duplicate' === $_GET['shibboleth'] ) { $class = 'notice notice-info is-dismissible'; $message = __( 'Your account is already linked with Shibboleth.', 'shibboleth' ); } else { diff --git a/shibboleth.php b/shibboleth.php index 3430b32..880a9be 100644 --- a/shibboleth.php +++ b/shibboleth.php 
@@ -1,14 +1,19 @@ Shibboleth Service Provider - Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris - Version: 2.3 - Requires PHP: 5.6 - Requires at least: 4.0 - License: Apache 2 (http://www.apache.org/licenses/LICENSE-2.0.html) - Text Domain: shibboleth +/** + * Shibboleth + * + * @package shibboleth + * + * @wordpress-plugin + * Plugin Name: Shibboleth + * Plugin URI: https://wordpress.org/plugins/shibboleth/ + * Description: Easily externalize user authentication to a Shibboleth Service Provider + * Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris + * Version: 2.3 + * Requires PHP: 5.6 + * Requires at least: 4.0 + * License: Apache 2 (https://www.apache.org/licenses/LICENSE-2.0.html) + * Text Domain: shibboleth */ define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.0' ); @@ -36,10 +41,10 @@ * retreived from a constant, look at the constant key. * * @since 2.1 - * @param string $option - * @param bool $default - * @param bool $array - * @param bool $compact + * @param string $option Option identifier. + * @param bool $default Default value. + * @param bool $array If we expect the value to be an array. + * @param bool $compact If you want the constant and value returned as an array. * @return mixed */ function shibboleth_getoption( $option, $default = false, $array = false, $compact = false ) { @@ -80,7 +85,7 @@ function shibboleth_getoption( $option, $default = false, $array = false, $compa * secure configuration possible. * * @since 1.8 - * @param string $var + * @param string $var Environment variable. * @return string|bool */ function shibboleth_getenv( $var ) { @@ -141,8 +146,8 @@ function shibboleth_getenv( $var ) { } foreach ( $check_vars as $check_var => $true ) { - if ( isset( $_SERVER[ $check_var ] ) && ( $result = $_SERVER[ $check_var ] ) !== false ) { - return $result; + if ( isset( $_SERVER[ $check_var ] ) && false !== $_SERVER[ $check_var ] ) { + return $_SERVER[ $check_var ]; } } 
@@ -180,10 +185,12 @@ function shibboleth_auto_login() {
 function shibboleth_activate_plugin() {
 if ( version_compare( $GLOBALS['wp_version'], SHIBBOLETH_MINIMUM_WP_VERSION, '<' ) ) {
 deactivate_plugins( plugin_basename( __FILE__ ) );
- wp_die( __( 'Shibboleth requires WordPress ' . SHIBBOLETH_MINIMUM_WP_VERSION . ' or higher!', 'shibboleth' ) );
+ /* translators: 1: A version number */
+ wp_die( sprintf( esc_html( __( 'Shibboleth requires WordPress %1$s or higher!', 'shibboleth' ) ), esc_html( SHIBBOLETH_MINIMUM_WP_VERSION ) ) );
 } elseif ( version_compare( PHP_VERSION, SHIBBOLETH_MINIMUM_PHP_VERSION, '<' ) ) {
 deactivate_plugins( plugin_basename( __FILE__ ) );
- wp_die( __( 'Shibboleth requires PHP ' . SHIBBOLETH_MINIMUM_PHP_VERSION . ' or higher!', 'shibboleth' ) );
+ /* translators: 1: A version number */
+ wp_die( sprintf( esc_html( __( 'Shibboleth requires PHP %1$s or higher!', 'shibboleth' ) ), esc_html( SHIBBOLETH_MINIMUM_PHP_VERSION ) ) );
 }
 if ( function_exists( 'switch_to_blog' ) ) {
@@ -313,13 +320,13 @@ function shibboleth_migrate_old_data() {
 * @since 2.0
 */
 $roles = get_site_option( 'shibboleth_roles', array() );
- if ( isset( $roles['default'] ) && $roles['default'] != '' ) {
+ if ( isset( $roles['default'] ) && '' !== $roles['default'] ) {
 update_site_option( 'shibboleth_testing', '1' );
 update_site_option( 'shibboleth_default_role', $roles['default'] );
 update_site_option( 'shibboleth_create_accounts', true );
 unset( $roles['default'] );
 update_site_option( 'shibboleth_roles', $roles );
- } elseif ( isset( $roles['default'] ) && $roles['default'] === '' ) {
+ } elseif ( isset( $roles['default'] ) && '' === $roles['default'] ) {
 update_site_option( 'shibboleth_testing', '2' );
 update_site_option( 'shibboleth_default_role', 'subscriber' );
 update_site_option( 'shibboleth_create_accounts', false );
@@ -368,7 +375,7 @@ function shibboleth_admin_hooks() {
 * we do additional testing to see if a spoofkey needs to be validated.
 *
 * @uses apply_filters calls 'shibboleth_session_active' before returning final result
- * @param boolean $auto_login whether this is being triggered by an auto_login request or not
+ * @param boolean $auto_login whether this is being triggered by an auto_login request or not.
 * @return boolean|WP_Error
 * @since 1.3
 */
@@ -377,9 +384,9 @@ function shibboleth_session_active( $auto_login = false ) {
 $method = shibboleth_getoption( 'shibboleth_attribute_access_method' );
 $session = shibboleth_getenv( 'Shib-Session-ID' );
- if ( $session && $method !== 'http' ) {
+ if ( $session && 'http' !== $method ) {
 $active = true;
- } elseif ( $session && $method === 'http' ) {
+ } elseif ( $session && 'http' === $method ) {
 /**
 * Handling HTTP header cases with a spoofkey to better protect against
 * HTTP header spoofing.
@@ -389,7 +396,7 @@ function shibboleth_session_active( $auto_login = false ) {
 $spoofkey = shibboleth_getoption( 'shibboleth_spoof_key' );
 $shibboleth_auto_login = shibboleth_getoption( 'shibboleth_auto_login' );
- if ( $spoofkey !== false && $spoofkey !== '' ) {
+ if ( false !== $spoofkey && '' !== $spoofkey ) {
 $bypass = defined( 'SHIBBOLETH_BYPASS_SPOOF_CHECKING' ) && SHIBBOLETH_BYPASS_SPOOF_CHECKING;
 $checkkey = shibboleth_getenv( 'Shib-Spoof-Check' );
 if ( $checkkey == $spoofkey || $bypass ) {
@@ -397,7 +404,7 @@ function shibboleth_session_active( $auto_login = false ) {
 } elseif ( $auto_login ) {
 $active = false;
 } else {
- wp_die( __( 'The Shibboleth request you submitted failed validation. Please contact your site administrator for further assistance.', 'shibboleth' ) );
+ wp_die( esc_html( __( 'The Shibboleth request you submitted failed validation. Please contact your site administrator for further assistance.', 'shibboleth' ) ) );
 }
 } else {
 $active = true;
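Review bot: The spoof-key check in the `@@ -389,7 +396,7 @@` hunk still reads `if ( $checkkey == $spoofkey || $bypass ) {`, a loose comparison between the configured secret and a value taken from the request headers, even though the condition just above it was converted to strict form. With `==` PHP compares numeric-looking strings by value, and the comparison is not constant-time, so this is the one place in the cleanup where strictness matters for security. I would write `if ( $bypass || ( is_string( $checkkey ) && hash_equals( (string) $spoofkey, $checkkey ) ) ) {`; hash_equals() is available on the plugin's stated minimum of PHP 5.6. The body of shibboleth_session_active() starts and ends outside these hunks.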
@@ -416,6 +423,9 @@ function shibboleth_session_active( $auto_login = false ) {
 * URL to initiate the session.
 *
 * @since 1.0
+ * @param null|WP_User|WP_Error $user WP_User if the user is authenticated. WP_Error or null otherwise.
+ * @param string $username Username or email address.
+ * @param string $password User password.
 */
 function shibboleth_authenticate( $user, $username, $password ) {
 if ( shibboleth_session_active() ) {
@@ -449,6 +459,7 @@ function shibboleth_login_form_shibboleth() {
 * reset URL is set, redirect the user there.
 *
 * @since 1.3
+ * @param string $user_login Username.
 */
 function shibboleth_retrieve_password( $user_login ) {
 $password_reset_url = shibboleth_getoption( 'shibboleth_password_reset_url' );
@@ -469,6 +480,7 @@ function shibboleth_retrieve_password( $user_login ) {
 * WordPress login URL.
 *
 * @since 1.0
+ * @param string $login_url The login URL.
 */
 function shibboleth_login_url( $login_url ) {
 $default = shibboleth_getoption( 'shibboleth_default_to_shib_login' );
@@ -501,7 +513,7 @@ function shibboleth_logout() {
 /**
 * Generate the URL to initiate Shibboleth login.
 *
- * @param string $redirect the final URL to redirect the user to after all login is complete
+ * @param string $redirect the final URL to redirect the user to after all login is complete.
 * @return the URL to direct the user to in order to initiate Shibboleth login
 * @uses apply_filters() Calls 'shibboleth_session_initiator_url' before returning session intiator URL
 * @since 1.3
@@ -618,9 +630,9 @@ function shibboleth_authenticate_user() {
 // if this account is not a Shibboleth account, then do account combine (if allowed)
 if ( is_object( $user ) && $user->ID && ! get_user_meta( $user->ID, 'shibboleth_account' ) ) {
 $do_account_combine = false;
- if ( $user_by === 'username' && ( $auto_combine_accounts === 'allow' || $manually_combine_accounts === 'allow' ) ) {
+ if ( 'username' === $user_by && ( 'allow' === $auto_combine_accounts || 'allow' === $manually_combine_accounts ) ) {
 $do_account_combine = true;
- } elseif ( $auto_combine_accounts === 'bypass' || $manually_combine_accounts === 'bypass' ) {
+ } elseif ( 'bypass' === $auto_combine_accounts || 'bypass' === $manually_combine_accounts ) {
 $do_account_combine = true;
 }
@@ -629,7 +641,7 @@ function shibboleth_authenticate_user() {
 if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') merged accounts automatically.' );
 }
- } elseif ( $user_by === 'username' ) {
+ } elseif ( 'username' === $user_by ) {
 if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {
 error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to automatically merge accounts. Reason: An account already exists with this username.' );
 }
@@ -682,9 +694,9 @@ function shibboleth_authenticate_user() { /** * Create a new WordPress user account, and mark it as a Shibboleth account. * - * @param string $user_login login name for the new user - * @param string $user_email email address for the new user - * @return object WP_User object for newly created user + * @param string $user_login login name for the new user. + * @param string $user_email email address for the new user. + * @return object WP_User object for newly created user. * @since 1.0 */ function shibboleth_create_new_user( $user_login, $user_email ) { @@ -692,8 +704,8 @@ function shibboleth_create_new_user( $user_login, $user_email ) { $shib_logging = shibboleth_getoption( 'shibboleth_logging', array(), true ); $user_role = shibboleth_get_user_role(); - if ( $create_accounts != false ) { - if ( empty( $user_login ) || empty( $user_email ) || $user_role === '_no_account' ) { + if ( ! empty( $create_accounts ) ) { + if ( empty( $user_login ) || empty( $user_email ) || '_no_account' === $user_role ) { return null; } @@ -719,7 +731,7 @@ function shibboleth_create_new_user( $user_login, $user_email ) { $user->set_role( $user_role ); do_action( 'shibboleth_set_user_roles', $user ); if ( in_array( 'account_create', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { - error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') was created with role ' . ( $user_role ?: 'none' ) . '.' ); + error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') was created with role ' . ( $user_role ? $user_role : 'none' ) . '.' ); } return $user; } @@ -731,7 +743,6 @@ function shibboleth_create_new_user( $user_login, $user_email ) { } } - /** * Get the role the current user should have. This is determined by the role * mapping configured for the plugin, and the Shibboleth headers present at the 
@@ -743,15 +754,23 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
 * @since 1.0
 */
 function shibboleth_get_user_role() {
- global $wp_roles;
- if ( ! $wp_roles ) {
- $wp_roles = new WP_Roles();
+ // wp_roles() requires WordPress version 4.3 or higher.
+ if ( function_exists( 'wp_roles' ) ) {
+ $roles = wp_roles();
+ } else {
+ global $wp_roles;
+
+ if ( isset( $wp_roles ) ) {
+ $roles = $wp_roles;
+ } else {
+ $roles = new WP_Roles();
+ }
 }
 $shib_roles = apply_filters( 'shibboleth_roles', shibboleth_getoption( 'shibboleth_roles', array(), true ) );
 $user_role = shibboleth_getoption( 'shibboleth_default_role' );
- foreach ( $wp_roles->role_names as $key => $name ) {
+ foreach ( $roles->role_names as $key => $name ) {
 if ( isset( $shib_roles[ $key ]['header'] ) ) {
 $role_header = $shib_roles[ $key ]['header'];
 }
@@ -802,8 +821,8 @@ function shibboleth_get_managed_user_fields() {
 * the 'force_update' parameter is true, only the user fields marked as 'managed' fields will be
 * updated.
 *
- * @param int $user_id ID of the user to update
- * @param boolean $force_update force update of user data, regardless of 'managed' flag on fields
+ * @param int $user_id ID of the user to update.
+ * @param boolean $force_update force update of user data, regardless of 'managed' flag on fields.
 * @uses apply_filters() Calls 'shibboleth_user_*' before setting user attributes,
 * where '*' is one of: login, nicename, first_name, last_name,
 * nickname, display_name, email
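Review bot: Inside `foreach ( $roles->role_names as $key => $name ) {` in the `@@ -743,15 +754,23 @@` hunk, `$role_header` is assigned only when `isset( $shib_roles[ $key ]['header'] )` holds and nothing visible resets it at the top of each iteration, so a role with no mapping may be evaluated against the header left over from the previous role. Since this loop decides which WordPress role a Shibboleth user receives, a stale value is an authorization concern rather than a cosmetic one. The role table in options-admin.php in this same patch uses the safer shape, `$header = '';` before the isset() check; I would add `$role_header = '';` as the first statement of the loop here, with the matching reset for the value if it is handled the same way. The rest of the loop lies outside the hunk, so the impact depends on how the variable is used there.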
@@ -861,7 +880,7 @@ function shibboleth_login_enqueue_scripts() {
 global $action;
 // Only add scripts for the login action to avoid breaking other forms.
- if ( $action === 'login' || $action === 'shibboleth' ) {
+ if ( 'login' === $action || 'shibboleth' === $action ) {
 wp_enqueue_style( 'shibboleth-login', plugins_url( 'assets/css/shibboleth_login_form.css', __FILE__ ), array( 'login' ), SHIBBOLETH_PLUGIN_VERSION );
 wp_enqueue_script( 'shibboleth-login', plugins_url( 'assets/js/shibboleth_login_form.js', __FILE__ ), array( 'jquery' ), SHIBBOLETH_PLUGIN_VERSION );
 }
@@ -879,12 +898,12 @@ function shibboleth_disable_login() {
 $bypass = defined( 'SHIBBOLETH_ALLOW_LOCAL_AUTH' ) && SHIBBOLETH_ALLOW_LOCAL_AUTH;
 if ( $disable && ! $bypass ) {
- if ( isset( $_GET['action'] ) && $_GET['action'] === 'lostpassword' ) {
+ if ( isset( $_GET['action'] ) && 'lostpassword' === $_GET['action'] ) {
 // Disable the ability to reset passwords from wp-login.php
 add_filter( 'allow_password_reset', '__return_false' );
- } elseif ( isset( $_POST['log'] ) || isset( $_POST['user_login'] ) ) {
+ } elseif ( isset( $_POST['log'] ) || isset( $_POST['user_login'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
 // Disable the ability to login using local authentication
- wp_die( __( 'Shibboleth authentication is required.', 'shibboleth' ) );
+ wp_die( esc_html( __( 'Shibboleth authentication is required.', 'shibboleth' ) ) );
 }
 }
 }
@@ -922,7 +941,7 @@ function shibboleth_disable_login_form() {
 /**
 * Updates the lost password URL, if specified.
 *
- * @param string $url original password reset URL
+ * @param string $url original password reset URL.
 * @since 2.1
 */
 function shibboleth_custom_password_reset_url( $url ) {
@@ -951,7 +970,7 @@ function shibboleth_login_form() { } $login_url = add_query_arg( 'action', 'shibboleth', $url ); $login_url = remove_query_arg( 'reauth', $login_url ); - $button_text = shibboleth_getoption( 'shibboleth_button_text', 'Log in with Shibboleth' ); + $button_text = shibboleth_getoption( 'shibboleth_button_text', __( 'Log in with Shibboleth', 'shibboleth' ) ); $disable = shibboleth_getoption( 'shibboleth_disable_local_auth', false ); ?>
> @@ -966,7 +985,7 @@ function shibboleth_login_form() { ?> - +
Date: Fri, 27 Aug 2021 15:32:09 -0400 Subject: [PATCH 3/7] phpcs: strict comparisons, recommended fixes --- options-admin.php | 10 +++++----- options-user.php | 26 +++++++++++++------------- shibboleth.php | 30 +++++++++++++++--------------- 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/options-admin.php b/options-admin.php index a849b00..969c51a 100644 --- a/options-admin.php +++ b/options-admin.php @@ -21,7 +21,7 @@ function shibboleth_admin_tabs( $current = 'general' ) { ); echo ''; @@ -948,7 +948,7 @@ function AttributeAccessMethod() { @@ -671,7 +671,7 @@ function AttributeAccessMethod() { > - > + > @@ -568,9 +516,7 @@ function AttributeAccessMethod() {
- -

+ +

- -

+ +

- - - - first_name; } - if ( in_array( 'last_name', $managed ) ) { + if ( in_array( 'last_name', $managed, true ) ) { $_POST['last_name'] = $user->last_name; } - if ( in_array( 'nickname', $managed ) ) { + if ( in_array( 'nickname', $managed, true ) ) { $_POST['nickname'] = $user->nickname; } - if ( in_array( 'display_name', $managed ) ) { + if ( in_array( 'display_name', $managed, true ) ) { $_POST['display_name'] = $user->display_name; } - if ( in_array( 'email', $managed ) ) { + if ( in_array( 'email', $managed, true ) ) { $_POST['email'] = $user->user_email; } } @@ -202,7 +202,7 @@ function shibboleth_link_accounts() { // If username and email match, safe to merge if ( $user->user_login === $username && strtolower( $user->user_email ) === strtolower( $email ) ) { update_user_meta( $user->ID, 'shibboleth_account', true ); - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') merged accounts manually.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' ); 
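Review bot: The logging guard `in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG` relies on `&&` binding tighter than `||`, and it is repeated verbatim before every `error_log()` call in `shibboleth_link_accounts()` and in the later hunks of options-user.php and shibboleth.php. Explicit parentheses, `in_array( 'account_merge', $shib_logging, true ) || ( defined( 'WP_DEBUG' ) && WP_DEBUG )`, would make the intent unambiguous. A small helper that takes the log category and the message would keep the guard and the `[Shibboleth WordPress Plugin Logging]` prefix in one place. `shibboleth_link_accounts()` starts and ends outside this hunk.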
@@ -213,14 +213,14 @@ function shibboleth_link_accounts() { // If username matches and there is no existing account with the email, safe to merge if ( ! $prevent_conflict->ID ) { update_user_meta( $user->ID, 'shibboleth_account', true ); - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') merged accounts manually.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' ); exit; // If username matches and there is an existing account with the email, fail } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: An account already exists with the email: ' . $email . ' .' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' ); 
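Review bot: The failure message in the `else` branch concatenates `$email` straight into `error_log()`, and the hunks at -232 and -247 do the same with `$username` and `$email`, which the log text itself describes as provided by attribute. Where these values are assigned is outside the hunk; if they are not already sanitised, a value containing line breaks could split or forge log entries, and the addresses are written to the PHP error log in clear. Consider stripping control characters before logging, e.g. `preg_replace( '/[\x00-\x1F\x7F]/', '', $email )`, and logging only the user ID where the address is not needed for diagnosis.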
@@ -232,14 +232,14 @@ function shibboleth_link_accounts() { // If email matches and there is no existing account with the username, safe to merge if ( ! $prevent_conflict->ID ) { update_user_meta( $user->ID, 'shibboleth_account', true ); - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') merged accounts manually using username bypass. Username provided by attribute is: ' . $username . '.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=linked' ); exit; // If there is an existing account with the email, fail } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts using username bypass. Reason: An account already exists with the email: ' . $email . ' .' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' ); @@ -247,7 +247,7 @@ function shibboleth_link_accounts() { } // If no other conditions are met, fail } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: Username and email do not match what is provided by attributes. Username provided by attribute is: ' . $username . ' and email provided by attribute is ' . $email . '.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' ); 
@@ -262,7 +262,7 @@ function shibboleth_link_accounts() { } // If manual merging is disabled, fail } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: Manual account merging is disabled.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=failed' ); @@ -270,7 +270,7 @@ function shibboleth_link_accounts() { } // If account is already merged, warn } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] WARN: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to manually merge accounts. Reason: User\'s account is already merged.' ); } wp_safe_redirect( get_edit_user_link() . '?shibboleth=duplicate' ); diff --git a/shibboleth.php b/shibboleth.php index 880a9be..50052ea 100644 --- a/shibboleth.php +++ b/shibboleth.php @@ -27,7 +27,7 @@ * @since 1.0 */ $plugin_version = get_site_option( 'shibboleth_plugin_version', '0' ); -if ( SHIBBOLETH_PLUGIN_VERSION != $plugin_version ) { +if ( SHIBBOLETH_PLUGIN_VERSION !== $plugin_version ) { add_action( 'admin_init', 'shibboleth_activate_plugin' ); } @@ -399,7 +399,7 @@ function shibboleth_session_active( $auto_login = false ) { if ( false !== $spoofkey && '' !== $spoofkey ) { $bypass = defined( 'SHIBBOLETH_BYPASS_SPOOF_CHECKING' ) && SHIBBOLETH_BYPASS_SPOOF_CHECKING; $checkkey = shibboleth_getenv( 'Shib-Spoof-Check' ); - if ( $checkkey == $spoofkey || $bypass ) { + if ( $checkkey === $spoofkey || $bypass ) { $active = true; } elseif ( $auto_login ) { $active = false; 
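Review bot: The spoof-key check in `shibboleth_session_active()` compares two secrets with `===`, which removes the loose-comparison problem but is still not a constant-time comparison. `hash_equals()` is the usual choice for this and requires both sides to be strings: `if ( $bypass || ( is_string( $checkkey ) && hash_equals( (string) $spoofkey, $checkkey ) ) ) {`. What `shibboleth_getenv()` returns when the `Shib-Spoof-Check` value is absent is not visible here, hence the `is_string()` guard. The function continues outside the hunk.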
@@ -538,13 +538,13 @@ function shibboleth_session_initiator_url( $redirect = null ) { $target = add_query_arg( 'action', 'shibboleth', $target ); if ( ! empty( $redirect ) ) { - $target = add_query_arg( 'redirect_to', urlencode( $redirect ), $target ); + $target = add_query_arg( 'redirect_to', rawurlencode( $redirect ), $target ); } // now build the Shibboleth session initiator URL $initiator_url = shibboleth_getoption( 'shibboleth_login_url' ); - $initiator_url = add_query_arg( 'target', urlencode( $target ), $initiator_url ); + $initiator_url = add_query_arg( 'target', rawurlencode( $target ), $initiator_url ); $initiator_url = apply_filters( 'shibboleth_session_initiator_url', $initiator_url ); 
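Review bot: `$redirect` is placed into the `redirect_to` parameter in `shibboleth_session_initiator_url()` after encoding only; nothing in the hunk restricts it to this site. Whether the code that later consumes `redirect_to` uses `wp_safe_redirect()` or `wp_validate_redirect()` is outside the hunk. If it does not, validate before building `$target`, e.g. `$redirect = wp_validate_redirect( $redirect, '' );`, so that an off-site value is dropped by the existing `! empty( $redirect )` check.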
@@ -638,16 +638,16 @@ function shibboleth_authenticate_user() { if ( $do_account_combine ) { update_user_meta( $user->ID, 'shibboleth_account', true ); - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') merged accounts automatically.' ); } } elseif ( 'username' === $user_by ) { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to automatically merge accounts. Reason: An account already exists with this username.' ); } return new WP_Error( 'invalid_username', __( 'An account already exists with this username.', 'shibboleth' ) ); } else { - if ( in_array( 'account_merge', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_merge', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User ' . $user->user_login . ' (ID: ' . $user->ID . ') failed to automatically merge accounts. Reason: An account already exists with this email.' ); } return new WP_Error( 'invalid_email', __( 'An account already exists with this email.', 'shibboleth' ) ); 
@@ -664,7 +664,7 @@ function shibboleth_authenticate_user() { if ( ! $user ) { $error_message = 'Unable to create account based on data provided.'; - if ( in_array( 'account_create', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_create', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: Unable to create account based on data provided.' ); } return new WP_Error( 'missing_data', $error_message ); @@ -678,13 +678,13 @@ function shibboleth_authenticate_user() { if ( $update ) { $user_role = shibboleth_get_user_role(); $user->set_role( $user_role ); - if ( in_array( 'role_update', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'role_update', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') role was updated to ' . $user_role . '.' ); } do_action( 'shibboleth_set_user_roles', $user ); } - if ( in_array( 'auth', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'auth', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') successfully authenticated.' ); } return $user; @@ -718,7 +718,7 @@ function shibboleth_create_new_user( $user_login, $user_email ) { ) ); if ( is_wp_error( $user_id ) ) { - if ( in_array( 'account_create', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_create', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: Unable to create account based on data provided. Reason: ' . $user_id->get_error_message() . '.' ); } return new WP_Error( 'account_create_failed', $user_id->get_error_message() ); 
@@ -730,13 +730,13 @@ function shibboleth_create_new_user( $user_login, $user_email ) { shibboleth_update_user_data( $user->ID, true ); $user->set_role( $user_role ); do_action( 'shibboleth_set_user_roles', $user ); - if ( in_array( 'account_create', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'account_create', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] SUCCESS: User ' . $user->user_login . ' (ID: ' . $user->ID . ') was created with role ' . ( $user_role ? $user_role : 'none' ) . '.' ); } return $user; } } else { - if ( in_array( 'auth', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { + if ( in_array( 'auth', $shib_logging, true ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) { error_log( '[Shibboleth WordPress Plugin Logging] ERROR: User account does not exist and account creation is disabled.' ); } return new WP_Error( 'no_access', __( 'You do not have sufficient access.' ) ); @@ -781,7 +781,7 @@ function shibboleth_get_user_role() { continue; } $values = explode( ';', shibboleth_getenv( $role_header ) ); - if ( in_array( $role_value, $values ) ) { + if ( in_array( $role_value, $values, true ) ) { $user_role = $key; break; } @@ -882,7 +882,7 @@ function shibboleth_login_enqueue_scripts() { // Only add scripts for the login action to avoid breaking other forms. if ( 'login' === $action || 'shibboleth' === $action ) { wp_enqueue_style( 'shibboleth-login', plugins_url( 'assets/css/shibboleth_login_form.css', __FILE__ ), array( 'login' ), SHIBBOLETH_PLUGIN_VERSION ); - wp_enqueue_script( 'shibboleth-login', plugins_url( 'assets/js/shibboleth_login_form.js', __FILE__ ), array( 'jquery' ), SHIBBOLETH_PLUGIN_VERSION ); + wp_enqueue_script( 'shibboleth-login', plugins_url( 'assets/js/shibboleth_login_form.js', __FILE__ ), array( 'jquery' ), SHIBBOLETH_PLUGIN_VERSION, true ); } } add_action( 'login_enqueue_scripts', 'shibboleth_login_enqueue_scripts' ); 
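Review bot: With `in_array( $role_value, $values, true )` in `shibboleth_get_user_role()` the match now also depends on type: `explode()` always yields strings, so a `$role_value` that is not a string will never match and the user silently falls back to the default role. Where `$role_value` is assigned is outside the hunk; if it can come from a constant array in wp-config.php, a numeric value defined without quotes would be such a case. Casting at the comparison keeps the strict check and the previous matching: `in_array( (string) $role_value, $values, true )`.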
From 01705433d5741781fa05ef5abf428e621a678d67 Mon Sep 17 00:00:00 2001 From: Jonathan Champ Date: Fri, 27 Aug 2021 15:33:33 -0400 Subject: [PATCH 4/7] cleanup: remove unsupported PHP 5.5 workaround --- shibboleth.php | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/shibboleth.php b/shibboleth.php index 50052ea..03cb860 100644 --- a/shibboleth.php +++ b/shibboleth.php @@ -52,14 +52,8 @@ function shibboleth_getoption( $option, $default = false, $array = false, $compa if ( defined( strtoupper( $option ) ) ) { $value = constant( strtoupper( $option ) ); $constant = true; - - // In PHP 5.5 and below, we can't use arrays in constants, so we have to use - // serialize and unserialize - if ( $array && version_compare( PHP_VERSION, '5.6.0', '<' ) ) { - $value = unserialize( $value ); - } - // If no constant is set, just get the value from get_site_option() } else { + // If no constant is set, just get the value from get_site_option() $value = get_site_option( $option, $default ); $constant = false; } From 16bf43e849870ffe56b9b45671f73a22a1bceef9 Mon Sep 17 00:00:00 2001 From: Jonathan Champ Date: Fri, 27 Aug 2021 15:54:39 -0400 Subject: [PATCH 5/7] cleanup: use WordPress checked() and disabled() helpers --- options-admin.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/options-admin.php b/options-admin.php index 969c51a..968756b 100644 --- a/options-admin.php +++ b/options-admin.php @@ -382,7 +382,7 @@ function shibboleth_options_page() { ?>> - - - - " /> - /> + />
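Review bot: After the PHP 5.5 branch is removed, `$array` is no longer consulted in the constant branch of `shibboleth_getoption()`, so a constant that still holds a serialized string from an older wp-config.php is now returned as a plain string to callers that asked for an array. Dropping the `unserialize()` call is the right direction; a type check would make the legacy case fail predictably: `if ( $array && ! is_array( $value ) ) { $value = array(); }`. The rest of the function is outside the hunk, so `$array` may still be handled further down.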
- - - - - - Date: Fri, 27 Aug 2021 16:16:32 -0400 Subject: [PATCH 6/7] phpcs: final errors cleanup --- options-admin.php | 186 ++++++++-------------------------------------- 1 file changed, 33 insertions(+), 153 deletions(-) diff --git a/options-admin.php b/options-admin.php index 968756b..222b281 100644 --- a/options-admin.php +++ b/options-admin.php @@ -242,11 +242,7 @@ function shibboleth_options_page() {
- />
+ />
- />
+ />
- />
+ />
- />
+ />
ALL users here to reset their password.', 'shibboleth' ) ); ?>
- > @@ -336,11 +316,7 @@ function shibboleth_options_page() {
- />
+ />

>

- />
+ />

- /> + />

@@ -403,11 +367,7 @@ function shibboleth_options_page() {

- /> + />

@@ -425,11 +385,7 @@ function shibboleth_options_page() {

- /> + />

@@ -448,11 +404,7 @@ function shibboleth_options_page() {

- /> + />

- />
+ />

wp-login.php page.', 'shibboleth' ) ); ?>

- /> + /> /> @@ -579,76 +525,46 @@ function AttributeAccessMethod() {
- /> + /> - /> + />
- /> + /> - /> + />
- /> + /> - /> + />
- /> + /> - /> + />
- /> + /> - /> + />
@@ -671,11 +587,7 @@ function AttributeAccessMethod() {
- /> + />

- > @@ -722,11 +630,7 @@ function AttributeAccessMethod() {
- > @@ -862,11 +766,7 @@ function AttributeAccessMethod() {
- > - + /> @@ -948,44 +844,28 @@ function AttributeAccessMethod() {
- /> + />
- /> + />
- /> + />
- /> + />