Changeset 11046

Timestamp:

06/21/2021 05:36:48 AM (2 years ago)

Author:

dd32

Message:

Login: When a user is logged in, or an account creation link has already been used, redirect the user more appropriately to a page explaining the issue.

This removes a "random" redirect on certain Login pages that would result in the user redirected to the WordPress.org homepage, or support forums, with no further explanation.

Fixes #5754.

Location:

sites/trunk

Files:

• common/includes/wporg-sso/class-wporg-sso.php (modified) (1 diff)
• common/includes/wporg-sso/wp-plugin.php (modified) (4 diffs)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/linkexpired.php (modified) (1 diff)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/login.php (modified) (1 diff)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/logout.php (modified) (2 diffs)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php (modified) (2 diffs)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-profile.php (modified) (3 diffs)
• wordpress.org/public_html/wp-content/themes/pub/wporg-login/register.php (modified) (1 diff)

sites/trunk/common/includes/wporg-sso/class-wporg-sso.php

@@ -133 +133 @@
          * @return string Safe redirect URL from $_REQUEST['redirect_to']
          */
-        protected function _get_safer_redirect_to() {
+        protected function _get_safer_redirect_to( $default = 'https://wordpress.org/' ) {
             // Setup a default redirect to URL, with a safe version to only change if validation succeeds below.
-            $redirect_to = ! empty( $_GET['action'] ) && in_array( $_GET['action'], array( 'logout', 'loggedout' ) ) ? '/loggedout/' : 'https://wordpress.org/';
+            $redirect_to = ! empty( $_GET['action'] ) && in_array( $_GET['action'], array( 'logout', 'loggedout' ) ) ? '/loggedout/' : $default;
 
             if ( ! empty( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {

sites/trunk/common/includes/wporg-sso/wp-plugin.php

@@ -17 +17 @@
          */
         public $valid_sso_paths = array(
-            'root'         => '/',
-            'robots'       => '/robots\.txt',
-            'checkemail'   => '/checkemail',
-            'loggedout'    => '/loggedout',
-            'lostpassword' => '/lostpassword(/(?P<user>[^/]+))?',
-            'linkexpired'  => '/linkexpired(/(?P<reason>register|lostpassword)/(?P<user>[^/]+))?',
-            'oauth'        => '/oauth',
-
-            // Only for logged in users, but prior to cookies.
-            'updated-tos'  => '/updated-policies',
-        );
-
-        /**
-         * List of additional valid paths on login.wordpress.org for logged in requests.
-         * @var array
-         */
-        public $valid_sso_paths_logged_in = array(
-            'logout' => '/logout',
-        );
-
-        /**
-         * List of additional valid paths on login.wordpress.org for logged-out requests.
-         * @var array
-         */
-        public $valid_sso_paths_registration = array(
+            'root'            => '/',
+            'robots'          => '/robots\.txt',
+            'checkemail'      => '/checkemail',
+            'loggedout'       => '/loggedout',
+            'lostpassword'    => '/lostpassword(/(?P<user>[^/]+))?',
+            'linkexpired'     => '/linkexpired(/(?P<reason>[^/]+)(/(?P<user>[^/]+))?)?',
+            'oauth'           => '/oauth',
+
+            // Primarily for logged in users.
+            'updated-tos'     => '/updated-policies',
+            'logout'          => '/logout',
+
+            // Primarily for logged out users.
             'pending-profile' => '/register/create-profile(/(?P<profile_user>[^/]+)/(?P<profile_key>[^/]+))?',
             'pending-create'  => '/register/create(/(?P<confirm_user>[^/]+)/(?P<confirm_key>[^/]+))?',
@@ -220 +208 @@
                 // Not in list of targeted domains, not interested, bail out
                 return;
-            }
-
-            // Extend paths which are only available for logged in users.
-            if ( is_user_logged_in() ) {
-                $this->valid_sso_paths = array_merge(
-                    $this->valid_sso_paths,
-                    $this->valid_sso_paths_logged_in
-                );
-
-            // Extend registration paths only when registration is open.
-            } elseif ( 'user' === get_site_option( 'registration', 'none' ) ) {
-                $this->valid_sso_paths = array_merge(
-                    $this->valid_sso_paths,
-                    $this->valid_sso_paths_registration
-                );
             }
 
@@ -339 +312 @@
                                 return;
                             }
-                        } else if ( is_user_logged_in() && 'logout' == self::$matched_route ) {
-                            // No redirect, ask the user if they really want to log out.
-                            return;
-                        } else if ( 'robots' === self::$matched_route ) {
-                            // No redirect, just display robots.
-                        } else if ( is_user_logged_in() ) {
-                            // Otherwise, redirect to the their profile.
-                            $this->_redirect_to_source_or_profile();
                         }
                     } elseif (
@@ -462 +427 @@
          */
         protected function _redirect_to_source_or_profile() {
-            $redirect = $this->_get_safer_redirect_to();
+            $redirect = $this->_get_safer_redirect_to( false );
 
             if ( $redirect ) {

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/linkexpired.php

@@ -14 +14 @@
 <h2 class="center"><?php _e( 'Link Expired', 'wporg' ); ?></h2>
 
-<p class="center"><?php _e( "The link you've followed has expired.", 'wporg' ); ?></p>
-
 <?php
 if ( 'register' == $reason && $user ) {
-        echo '<p class="center"><a href="' . esc_url( home_url( '/register/' . urlencode( $user ) ) ) . '">' .
-            sprintf(
-                /* translators: %s: An account name. */
-                __( 'Start over, and register %s.', 'wporg' ),
-                '<code>' . esc_html( $user ) . '</code>'
-            ) .
-            '</a></p>';
+    echo '<p class="center">' . __( "The link you've followed has expired.", 'wporg' ) . '</p>';
+
+    echo '<p class="center"><a href="' . esc_url( home_url( '/register/' . urlencode( $user ) ) ) . '">' .
+        sprintf(
+            /* translators: %s: An account name. */
+            __( 'Start over, and register %s.', 'wporg' ),
+            '<code>' . esc_html( $user ) . '</code>'
+        ) .
+        '</a></p>';
 } elseif ( 'lostpassword' == $reason && $user ) {
+    echo '<p class="center">' . __( "The link you've followed has expired.", 'wporg' ) . '</p>';
     echo '<p class="center"><a href="' . esc_url( home_url( '/lostpassword/'  . urlencode( $user ) ) ) . '">' .
             __( 'Reset your password.', 'wporg' ) .
             '</a></p>';
+} elseif ( 'account-created' === $reason ) {
+    echo '<p class="center">' . __( "That account has already been created.", 'wporg' ) . '</p>';
+
+    echo '<p class="center"><a href="' . add_query_arg( 'user', $user, home_url() ) . '">' . __( 'Please login to continue.', 'wporg' ) . '</a></p>';
+
+    echo '<p class="center"><a href="' . esc_url( home_url( '/lostpassword/'  . urlencode( $user ) ) ) . '">' .
+        __( 'Reset your password.', 'wporg' ) .
+        '</a></p>';
+
+} elseif ( 'register-logged-in' === $reason ) {
+    echo '<p class="center">' . sprintf(
+        __( 'Please do not make multiple WordPress.org accounts. Please read the <a href="%s">Forum Guidelines</a> for more information.', 'wporg' ),
+        'https://wordpress.org/support/guidelines/#do-not-create-multiple-accounts-sockpuppets'
+    ) . '</p>';
+
+    echo '<p class="center">' . __( 'Please logout, and folow the link again to complete the registration.', 'wporg' ) . '</p>';
+
+    echo '<p class="center">' . sprintf(
+        /* translators: %s: logout URL */
+        __( 'Do you really want to <a href="%s">log out</a>?', 'wporg' ),
+        wp_logout_url()
+    ) . '</p>';
+
+} else {
+    echo '<p class="center">' . __( "The link you've followed has expired.", 'wporg' ) . '</p>';
 }
 ?>

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/login.php

@@ -11 +11 @@
 <?php
 wp_login_form( [
-    // pre-fill the last user if their session has simply timed out.
-    'value_username' => wp_parse_auth_cookie()['username'] ?? ''
+    // pre-fill with a given username, or with the last user if their session has simply timed out.
+    'value_username' => $_REQUEST['user'] ?? ( wp_parse_auth_cookie()['username'] ?? '' )
 ] );
 ?>

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/logout.php

@@ -6 +6 @@
  */
 
+// This will be validated at redirect time.
+$redirect_to = !empty( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : home_url( '/loggedout/' );
+
+if ( ! is_user_logged_in() ) {
+    wp_safe_redirect( $redirect_to );
+    exit;
+}
+
 get_header();
 ?>
@@ -11 +19 @@
 
 <?php
-
-// This will be validated at redirect time.
-$redirect_to = !empty( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : home_url( '/loggedout/' );
 
 printf(

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php

@@ -26 +26 @@
 }
 
+// Already logged in.. Warn about duplicate accounts, etc.
+if ( is_user_logged_in() && $activation_user != wp_get_current_user()->user_login ) {
+    wp_safe_redirect( home_url( '/linkexpired/register-logged-in' ) );
+    exit;
+}
+
 $can_access = false;
 if ( $pending_user && $pending_user['user_activation_key'] && ! $pending_user['created'] ) {
@@ -42 +48 @@
     }
 } elseif ( $pending_user && $pending_user['created'] ) {
-    wp_safe_redirect( 'https://wordpress.org/support/' );
+    wp_safe_redirect( home_url( '/linkexpired/account-created/' . urlencode( $pending_user['user_login'] ) ) );
     die();
 }
 
 if ( ! $can_access ) {
-    wp_safe_redirect( '/' );
+    wp_safe_redirect( '/linkexpired' );
     die();
 }

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-profile.php

@@ -8 +8 @@
 $sso = WPOrg_SSO::get_instance();
 
- // Migrate to cookies.
+// Migrate to cookies.
 if ( !empty( $sso::$matched_route_params['profile_user'] ) ) {
     setcookie( 'wporg_profile_user', $sso::$matched_route_params['profile_user'], time()+DAY_IN_SECONDS, '/register/', 'login.wordpress.org', true, true );
@@ -21 +21 @@
 
 $pending_user = wporg_get_pending_user( $profile_user );
+
+// Already logged in.. Warn about duplicate accounts, etc.
+if ( is_user_logged_in() ) {
+    wp_safe_redirect( home_url( '/linkexpired/register-logged-in' ) );
+    exit;
+}
 
 $can_access = false;
@@ -37 +43 @@
 
 if ( $can_access && $pending_user['created']  ) {
-    wp_safe_redirect( 'https://wordpress.org/support/' );
+    wp_safe_redirect( home_url( '/linkexpired/account-created/' . urlencode( $pending_user['user_login'] ) ) );
     die();
 } elseif ( ! $can_access ) {

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register.php

@@ -13 +13 @@
 if ( ! $user_login && ! empty( WP_WPOrg_SSO::$matched_route_params['user'] ) ) {
     $user_login = trim( WP_WPOrg_SSO::$matched_route_params['user'] );
+}
+
+// Already logged in.. Warn about duplicate accounts, etc.
+if ( is_user_logged_in() ) {
+    wp_safe_redirect( home_url( '/linkexpired/register-logged-in' ) );
+    exit;
 }