Changeset 12759
- Timestamp:
- 07/25/2023 05:02:49 AM (3 years ago)
- File:
-
- 1 edited
sites/trunk/common/includes/wporg-sso/wp-plugin.php
r12578 r12759 528 528 $user = wp_get_current_user(); 529 529 530 // Perform the logout on this network first.531 wp_logout();532 533 530 // Redirect back to the requested location.. the referer.. or failing that, the current sites front page after it's all done. 534 531 $logout_redirect = ( wp_unslash( $_REQUEST['redirect_to'] ?? '' ) ?: wp_get_referer() ) ?: home_url( '/' ); 532 533 // Never to wp-admin. 534 if ( str_contains( $logout_redirect, '/wp-admin/' ) ) { 535 $logout_redirect = home_url( '/' ); 536 } 537 535 538 $logout_redirect = apply_filters( 'logout_redirect', $logout_redirect, $logout_redirect, $user ); 536 539 … … 539 542 'action' => 'remote-logout', 540 543 'redirect_to' => urlencode( $logout_redirect ), 541 'loggedout_on[]' => urlencode( $this->_get_targetted_host( $this->host ) ),542 544 'sso_logout' => urlencode( $this->_generate_remote_token( $user ) ) 543 545 ), … … 643 645 644 646 /** 645 * Log out a user from all sites and networks. 646 * 647 * This works by keeping track of the domains logged out on, and redirecting the user to the next 648 * site in self::VALID_HOSTS. Each is only requested once, so the user should experience minimal 649 * redirects. 647 * Log out a user and destroy the session. 650 648 */ 651 649 protected function _maybe_perform_remote_logout() { 652 if ( empty( $_GET['sso_logout'] ) ) {650 if ( empty( $_GET['sso_logout'] ) || ! $this->is_sso_host() ) { 653 651 return; 654 652 } 655 653 654 // Validate the logout token. 656 655 $remote_token = wp_unslash( $_GET['sso_logout'] ); 657 656 $remote_token = $this->_validate_remote_token( $remote_token ); 658 659 657 if ( ! $remote_token || ! $remote_token['valid'] ) { 660 658 return; 661 659 } 662 $user = $remote_token['user']; 663 664 // If the matching user is logged in, log them out. 665 // If they're logged in as someone else, that's problematic, but we ignore that intentionally. 
666 if ( is_user_logged_in() && get_current_user_id() == $user->ID ) { 667 wp_logout(); 668 } 669 670 // Hosts logged out on.. 671 $logged_out_on = (array) $_REQUEST['loggedout_on'] ?? []; 672 $logged_out_on[] = $this->_get_targetted_host( $this->host ); 673 $need_to_logout_on = array_diff( self::VALID_HOSTS, $logged_out_on ); 674 675 // Logged out everywhere, send them over to the logout confirmation screen. 676 if ( ! $need_to_logout_on ) { 677 $final_url = $this->sso_host_url . '/loggedout'; 678 679 if ( ! empty( $_REQUEST['redirect_to'] ) ) { 680 $final_url = add_query_arg( 'redirect_to', $_REQUEST['redirect_to'], $final_url ); 660 661 // Perform the logout. This will destroy the session, logging the user out of all sites. 662 wp_logout(); 663 664 // Default to the logout confirmation screen, or back to the source site if possible. 665 $redirect_to = $this->sso_host_url . '/loggedout'; 666 if ( ! empty( $_REQUEST['redirect_to'] ) ) { 667 $requested_redirect_to = urldecode( wp_unslash( $_REQUEST['redirect_to'] ) ); 668 $redirect_to = add_query_arg( 'redirect_to', urlencode( $requested_redirect_to ), $redirect_to ); 669 670 // If the requested redirect_to is valid, use it. 671 if ( wp_validate_redirect( $requested_redirect_to ) ) { 672 $redirect_to = $requested_redirect_to; 681 673 } 682 683 $this->_safe_redirect( $final_url ); 684 exit; 685 } 686 687 // Redirect on to the next host in self::VALID_HOSTS to logout from. 688 $logout_redirect = add_query_arg( 689 array( 690 'action' => 'remote-logout', 691 'sso_logout' => urlencode( $this->_generate_remote_token( $user ) ), 692 'redirect_to' => urlencode( wp_unslash( $_REQUEST['redirect_to'] ?? '' ) ), 693 'loggedout_on' => array_values( $logged_out_on ) 694 ), 695 'https://' . reset( $need_to_logout_on ) . '/wp-login.php' 696 ); 697 698 $this->_safe_redirect( $logout_redirect ); 674 } 675 676 $this->_safe_redirect( $redirect_to ); 699 677 exit; 700 678 }
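Review bot: `_maybe_perform_remote_logout` now calls `wp_logout()` on whatever session is present as soon as `sso_logout` validates, whereas the removed lines only logged out when `get_current_user_id()` matched `$remote_token['user']->ID`; unless `_validate_remote_token` (not visible here) already rejects a token minted for a different user, a logout URL leaked via referer or browser history becomes a forced-logout link for any other visitor on the SSO host. I would keep the guard, `if ( is_user_logged_in() && get_current_user_id() === (int) $remote_token['user']->ID ) { wp_logout(); }`, or note on `_validate_remote_token` that the token is bound to the current session. In the same hunk the redirect branch tests `wp_validate_redirect( $requested_redirect_to )` but then redirects to the raw `$requested_redirect_to` instead of the sanitized value the function returns, so `$validated = wp_validate_redirect( $requested_redirect_to, '' ); if ( $validated ) { $redirect_to = $validated; }` is the safer form. The earlier `str_contains( $logout_redirect, '/wp-admin/' )` block is a plain substring test that `/wp-admin` without a trailing slash or a differently-cased path passes, so comparing the path from `wp_parse_url()` with `str_starts_with()` would be more robust; the function containing that first hunk begins and ends outside the diff.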