
Changeset 12508


Timestamp:
03/29/2023 08:36:13 AM (19 months ago)
Author:
dd32
Message:

Plugin Directory: Allow plugin reviewers to generate a one-time-use token to bypass certain upload restrictions (Trademarks and Active Installs).

This allows plugin authors to submit plugins that would otherwise be rejected by the upload form, without requiring manual work-arounds.

These tokens are user-specific, and one time use only.

See #6864.

Location:
sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory
Files:
1 added
3 edited

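--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-plugin-directory.php
@@ -4,6 +4,5 @@
 use WordPressdotorg\Plugin_Directory\Admin\Customizations;
 use WordPressdotorg\Plugin_Directory\Tools;
-use WordPressdotorg\Plugin_Directory\Admin\Tools\Author_Cards;
-use WordPressdotorg\Plugin_Directory\Admin\Tools\Stats_Report;
+use WordPressdotorg\Plugin_Directory\Admin\Tools\{ Author_Cards, Stats_Report, Upload_Token };
 
 /**
@@ -107,4 +106,5 @@
             Author_Cards::instance();
             Stats_Report::instance();
+            Upload_Token::instance();
 
             add_action( 'wp_insert_post_data', array( __NAMESPACE__ . '\Admin\Status_Transitions', 'can_change_post_status' ), 10, 2 );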
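--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload-handler.php
@@ -5,4 +5,5 @@
 use WordPressdotorg\Plugin_Directory\Plugin_Directory;
 use WordPressdotorg\Plugin_Directory\Tools\Filesystem;
+use WordPressdotorg\Plugin_Directory\Admin\Tools\Upload_Token;
 
 /**
@@ -59,4 +60,5 @@
     */
    public function process_upload() {
+        $has_upload_token = $this->has_valid_upload_token();
         $zip_file         = $_FILES['zip_file']['tmp_name'];
         $this->plugin_dir = Filesystem::unzip( $zip_file );
@@ -115,5 +117,5 @@
 
         // Make sure it doesn't use a TRADEMARK protected slug.
-        if ( false !== $this->has_trademarked_slug() ) {
+        if ( false !== $this->has_trademarked_slug() && ! $has_upload_token ) {
             $error = __( 'Error: The plugin name includes a restricted term.', 'wporg-plugins' );
 
@@ -242,5 +244,5 @@
 
         // Prevent uploads using popular Plugin names in the wild.
-        if ( function_exists( 'wporg_stats_get_plugin_name_install_count' ) ) {
+        if ( function_exists( 'wporg_stats_get_plugin_name_install_count' ) && ! $has_upload_token ) {
             $installs = wporg_stats_get_plugin_name_install_count( $this->plugin['Name'] );
 
@@ -300,5 +302,5 @@
         }
 
-        if ( function_exists( 'wporg_stats_get_plugin_name_install_count' ) ) {
+        if ( function_exists( 'wporg_stats_get_plugin_name_install_count' ) && ! $has_upload_token ) {
             $installs = wporg_stats_get_plugin_name_install_count( $readme->name );
 
@@ -332,5 +334,5 @@
         $result = $this->check_plugin();
 
-        if ( ! $result ) {
+        if ( ! $result && ! $has_upload_token ) {
             $error = __( 'Error: The plugin has failed the automated checks.', 'wporg-plugins' );
 
@@ -799,3 +801,14 @@
     }
 
+    /**
+     * Determine if the current user has a valid upload token.
+     *
+     * An upload token can be used to bypass various plugin checks.
+     */
+    public function has_valid_upload_token() {
+        $token = wp_unslash( $_REQUEST['upload_token'] ?? '' );
+
+        return $token && Upload_Token::instance()->is_valid_for_user( get_current_user_id(), $token );
+    }
+
 }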
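Review bot: The token also disables the `check_plugin()` automated-checks gate at new line 336, which goes beyond the Trademark and Active Installs bypass described in the commit message; if that is intended the message should say so, otherwise that condition should stay `if ( ! $result ) {`. `has_valid_upload_token()` reads the token from `$_REQUEST`, so it is accepted from the query string and cookies as well as the POSTed form; since the form always re-posts it as a hidden field, `process_upload()` could take it from `$_POST['upload_token']` to keep the secret out of referrers and access logs. Nothing visible here invalidates the token after a successful upload — whether `is_valid_for_user()` consumes it lives in the added Upload_Token class, which is not shown; if it does, note that the same method is also called at form-render time before any upload happens. `$token &&` also treats the string `'0'` as "no token"; `'' !== $token` is the exact check.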
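--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-upload.php
@@ -28,4 +28,6 @@
         ob_start();
 
+        $uploader = new Upload_Handler();
+
         if ( is_user_logged_in() ) :
             include_once ABSPATH . 'wp-admin/includes/template.php';
@@ -58,5 +60,4 @@
             ) :
                 if ( UPLOAD_ERR_OK === $_FILES['zip_file']['error'] ) :
-                    $uploader      = new Upload_Handler();
                     $upload_result = $uploader->process_upload();
 
@@ -181,4 +182,19 @@
                     <?php wp_nonce_field( 'wporg-plugins-upload' ); ?>
                     <input type="hidden" name="action" value="upload"/>
+                    <?php
+                    if ( ! empty( $_REQUEST['upload_token'] ) ) {
+                        printf(
+                            '<input type="hidden" name="upload_token" value="%s"/>',
+                            esc_attr( $_REQUEST['upload_token'] )
+                        );
+
+                        if ( ! $uploader->has_valid_upload_token() ) {
+                            printf(
+                                '<div class="notice notice-error notice-alt"><p>%s</p></div>',
+                                esc_html__( 'The token provided is invalid for this user.', 'wporg-plugins')
+                            );
+                        }
+                    }
+                    ?>
                     <?php
                     /*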
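Review bot: The hidden field at new line 188 echoes the raw `$_REQUEST['upload_token']` while `has_valid_upload_token()` validates the `wp_unslash()`ed value, so a token containing quotes or backslashes would be re-posted with an extra level of slashes and fail on submit; use `esc_attr( wp_unslash( $_REQUEST['upload_token'] ) )` so the two agree. This is moot if tokens are plain alphanumerics, which depends on the added Upload_Token class that is not shown. The reflected value is attribute-escaped, so it is not an injection point, but the form still carries the field after the invalid-token notice is printed; emitting the hidden input only when `has_valid_upload_token()` is true would avoid re-submitting a known-bad token with the upload. The enclosing form template starts and ends outside this section.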