Timestamp:
05/24/2023 06:05:43 AM (21 months ago)
Author:
dd32
Message:

Plugin Directory: Switch release confirmation from using a wp nonce to using a stored token for access.

Fixes #7007.

File:
1 edited

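--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php
@@ -15,5 +15,5 @@
     const SHORTCODE = 'release-confirmation';
     const COOKIE    = 'release_confirmation_access_token';
-    const NONCE     = 'plugins-developers-releases-page';
+    const META_KEY  = '_release_confirmation_access_token';
     const URL_PARAM = 'access_token';
 
@@ -273,5 +273,11 @@
         }
 
-        if ( false !== wp_verify_nonce( $_COOKIE[ self::COOKIE ], self::NONCE ) ) {
+        // ...and it be valid..
+        $token = get_user_meta( get_current_user_id(), self::META_KEY, true );
+        if (
+            $token &&
+            $token['time'] > ( time() - DAY_IN_SECONDS ) &&
+            wp_check_password( $_COOKIE[ self::COOKIE ], $token['token'] )
+        ) {
             return true;
         }
@@ -288,14 +294,14 @@
         }
 
-        $current_user = wp_get_current_user()->ID;
-        wp_set_current_user( $user->ID );
-
-        $url = wp_nonce_url(
-            home_url( '/developers/releases/' ), // TODO: Hardcoded url.
-            self::NONCE,
-            self::URL_PARAM
+        $time      = time();
+        $plaintext = wp_generate_password( 24, false );
+        $token     = wp_hash_password( $plaintext );
+        update_user_meta( $user->ID, self::META_KEY, compact( 'token', 'time' ) );
+
+        $url = add_query_arg(
+            self::URL_PARAM,
+            urlencode( $plaintext ),
+            home_url( '/developers/releases/' )
         );
-
-        wp_set_current_user( $current_user );
 
         return $url;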
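Review bot: In the new token check (new lines 276–281), `$_CODE[ self::COOKIE ]` is handed straight to `wp_check_password()` with no type guard, so a cookie submitted as a non-string value would most likely surface as a TypeError inside the hashing code on PHP 8 instead of failing closed; the `isset`-style check that presumably precedes this block sits outside the hunk, so it cannot be confirmed here. Adding `is_string( $_COOKIE[ self::COOKIE ] ) &&` as the first operand of the condition, and `is_array( $token ) &&` ahead of the `$token['time']` read so malformed or legacy meta cannot raise notices, closes both gaps in two lines. Nothing in the hunk invalidates the stored meta once the cookie has been issued, so the link stays reusable for the full `DAY_IN_SECONDS` window unless the exchange code elsewhere in the file deletes it — worth confirming, since the plaintext also travels in the URL query string (new line 303) where it can land in logs and referrers. The comment `// ...and it be valid..` would read better as `// ...and match the unexpired hashed token stored for this user.` Both enclosing methods start outside the hunks shown.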