Context Navigation

← Previous Changeset
Next Changeset →

Changeset 14262

Timestamp:

12/11/2024 05:36:31 AM (4 months ago)

Author:

dd32

Message:

Plugin Directory: Require 2FA verification to confirm a plugin release.

This replaces the email access links.
All plugin committers are required to have 2FA enabled now.

Closes https://github.com/WordPress/wordpress.org/pull/344.
Fixes #7704.

Location:

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory

Files:

: 1 deleted
: 3 edited

api/routes/class-plugin-release-confirmation.php (modified) (4 diffs)
class-template.php (modified) (1 diff)
email/class-release-confirmation-access.php (deleted)
shortcodes/class-release-confirmation.php (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/api/routes/class-plugin-release-confirmation.php

-                      r14218
+                      r14262
 use WordPressdotorg\Plugin_Directory\Tools;
 use WordPressdotorg\Plugin_Directory\Jobs\Plugin_Import;
-use WordPressdotorg\Plugin_Directory\Shortcodes\Release_Confirmation as Release_Confirmation_Shortcode;
 use WordPressdotorg\Plugin_Directory\Email\Release_Confirmation_Enabled as Release_Confirmation_Enabled_Email;
+use WordPressdotorg\Plugin_Directory\Email\Release_Confirmation_Access as Release_Confirmation_Access_Email;
+use Two_Factor_Core;
+use function WordPressdotorg\Two_Factor\Revalidation\{
+    get_status as get_revalidation_status,
+    get_url as get_revalidation_url,
+};
 /**
 …
                 return false;
             },
-        ] );
-        register_rest_route( 'plugins/v1', '/release-confirmation-access', [
-            'methods'             => \WP_REST_Server::READABLE,
-            'callback'            => [ $this, 'send_access_email' ],
-            'args'                => [
-            ],
-            'permission_callback' => 'is_user_logged_in',
         ] );
 …
         $plugin = Plugin_Directory::get_plugin_post( $request['plugin_slug'] );
+        return (
+            Release_Confirmation_Shortcode::can_access() &&
+            current_user_can( 'plugin_manage_releases', $plugin )
+        );
+        if ( ! $plugin || ! current_user_can( 'plugin_manage_releases', $plugin ) ) {
+            return false;
+        }
+        // Check to see if they've confirmed their 2FA status recently..
+        $status = get_revalidation_status();
+        if ( $status && $status['can_save'] ) {
+            return true;
+        }
+        // Before we say no, check if the user just needs to validate their 2FA.
+        if ( $status && $status['needs_revalidate'] && 'GET' === $request->get_method() ) {
+            $current_rest_url = add_query_arg(
+                array(
+                    '_wpnonce'         => wp_create_nonce( 'wp_rest' ),
+                    '_wp_http_referer' => wp_get_referer(),
+                ),
+                get_rest_url( null, $request->get_route() )
+            );
+            wp_safe_redirect( get_revalidation_url( $current_rest_url ) );
+            exit;
+        }
+        return false;
+    }
 …
+    }
-    /**
-     * Send a Access email
-     */
-    public function send_access_email( $request ) {
-        $result = [
-            'location' => wp_get_referer() ?: home_url( '/developers/releases/' ),
-        ];
-        $result['location'] = add_query_arg( 'send_access_email', '1', $result['location'] );
-        header( 'Location: ' . $result['location'] );
-        $email = new Release_Confirmation_Access_Email(
-            wp_get_current_user()
-        );
-        $result['sent'] = $email->send();
-        return $result;
+    }
     public function validate_plugin_tag_callback( $tag, $request ) {
         $plugin = Plugin_Directory::get_plugin_post( $request['plugin_slug'] );

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-template.php

-                      r14218
+                      r14262
             array( '_wpnonce' => wp_create_nonce( 'wp_rest' ) ),
             $url
-        );
+    }
-    /**
-     * Generates a link to email the release confirmation link.
+     *
-     * @param int|\WP_Post|null $post Optional. Post ID or post object. Defaults to global $post.
-     * @return string URL to enable confirmations.
-     */
-    public static function get_release_confirmation_access_link() {
-        return add_query_arg(
-            array( '_wpnonce' => wp_create_nonce( 'wp_rest' ) ),
-            home_url( 'wp-json/plugins/v1/release-confirmation-access' )
         );
+    }

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/shortcodes/class-release-confirmation.php

-                      r14245
+                      r14262
 use WordPressdotorg\Plugin_Directory\Template;
 use WordPressdotorg\Plugin_Directory\Tools;
+use Two_Factor_Core;
+use function WordPressdotorg\Two_Factor\{
+    Revalidation\get_status as get_revalidation_status,
+    Revalidation\get_js_url as get_revalidation_js_url,
+    get_onboarding_account_url as get_2fa_onboarding_url
+};
 /**
 …
     const SHORTCODE = 'release-confirmation';
-    const COOKIE    = 'release_confirmation_access_token';
-    const META_KEY  = '_release_confirmation_access_token';
     const URL_PARAM = 'access_token';
 …
         ob_start();
+        $should_show_access_notice = false;
+        foreach ( $plugins as $plugin ) {
+            if ( $plugin->release_confirmation ) {
+                $should_show_access_notice = true;
+            }
+        }
+        if ( ! self::can_access() && $should_show_access_notice ) {
+            if ( isset( $_REQUEST['send_access_email'] ) ) {
+                printf(
+                    '<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
+                    __( 'Check your email for an access link to perform actions.', 'wporg-plugins')
+                );
+            } else {
+                printf(
+                    '<div class="plugin-notice notice notice-info notice-alt"><p>%s</p></div>',
+                    sprintf(
+                        /* translators: %s: URL */
+                        __( 'Check your email for an access link, or <a href="%s">request a new email</a> to perform actions.', 'wporg-plugins'),
+                        Template::get_release_confirmation_access_link()
+                    )
+                );
+            }
+        // If the user is not using 2FA, show a notice.
+        if ( ! Two_Factor_Core::is_user_using_two_factor( get_current_user_id() ) ) {
+            printf(
+                '<div class="plugin-notice notice notice-error notice-alt"><p>%s</p></div>',
+                sprintf(
+                    __( 'Your account has elevated privileges and requires extra security before you can manage plugin releases. Please <a href="%s">enable two-factor authentication now</a>.', 'wporg-plugins' ),
+                    get_2fa_onboarding_url()
+                )
+            );
+        }
 …
         $buttons = [];
+        if ( $data['confirmations_required'] && empty( $data['discarded'] ) ) {
+        if (
+            ! is_user_logged_in() ||
+            ! Two_Factor_Core::is_user_using_two_factor( get_current_user_id() ) ||
+            ! current_user_can( 'plugin_manage_releases', $plugin  ) ||
+            // No need to show actions if the release can't be confirmed, or is already confirmed
+            ! $data['confirmations_required'] ||
+            $data['confirmed']
+        ) {
+            return '';
+        }
+        if ( empty( $data['discarded'] ) ) {
             $current_user_confirmed = isset( $data['confirmations'][ wp_get_current_user()->user_login ] );
+            if ( ! $current_user_confirmed && ! $data['confirmed'] ) {
+                if (
+                    self::can_access() &&
+                    current_user_can( 'plugin_manage_releases', $plugin  )
+                ) {
+                    $buttons[] = sprintf(
+                        '<a href="%s" class="wp-element-button button approve-release">%s</a>',
+                        Template::get_release_confirmation_link( $data['tag'], $plugin ),
+                        __( 'Confirm', 'wporg-plugins' )
+                    );
+                    $buttons[] = sprintf(
+                        '<a href="%s" class="wp-element-button button approve-release">%s</a>',
+                        Template::get_release_confirmation_link( $data['tag'], $plugin, 'discard' ),
+                        __( 'Discard', 'wporg-plugins' )
+                    );
+                } else {
+                    $buttons[] = sprintf(
+                        '<a class="wp-element-button button approve-release disabled">%s</a>',
+                        __( 'Confirm', 'wporg-plugins' )
+                    );
+                    $buttons[] = sprintf(
+                        '<a class="wp-element-button button approve-release disabled">%s</a>',
+                        __( 'Discard', 'wporg-plugins' )
+                    );
+                }
+            } elseif ( $current_user_confirmed ) {
+            if ( ! $current_user_confirmed ) {
+                $confirm_link = Template::get_release_confirmation_link( $data['tag'], $plugin );
+                $discard_link = Template::get_release_confirmation_link( $data['tag'], $plugin, 'discard' );
+                $confirm_link = get_revalidation_js_url( $confirm_link );
+                $discard_link = get_revalidation_js_url( $discard_link );
                 $buttons[] = sprintf(
+                    '<a class="wp-element-button button approve-release disabled">%s</a>',
+                    __( 'Confirmed', 'wporg-plugins' )
+                );
+                    '<a href="%s" class="wp-element-button button approve-release" data-2fa-required data-2fa-message="%s">%s</a>',
+                    $confirm_link,
+                    esc_attr(
+                        sprintf(
+                            /* translators: 1: Version number, 2: Plugin name. */
+                            __( 'Confirm your Two-Factor Authentication to release version %1$s of %2$s.', 'wporg-plugins' ),
+                            esc_html( $data['version'] ),
+                            $plugin->post_title
+                        )
+                    ),
+                    __( 'Confirm', 'wporg-plugins' )
+                );
+                $buttons[] = sprintf(
+                    '<a href="%s" class="wp-element-button button approve-release" data-2fa-required data-2fa-message="%s">%s</a>',
+                    $discard_link,
+                    esc_attr(
+                        sprintf(
+                            /* translators: 1: Version number, 2: Plugin name. */
+                            __( 'Confirm your Two-Factor Authentication to discard the release %1$s for %2$s.', 'wporg-plugins' ),
+                            esc_html( $data['version'] ),
+                            $plugin->post_title
+                        )
+                    ),
+                    __( 'Discard', 'wporg-plugins' )
+                );
+            }
         } elseif (
 …
+    }
-    static function can_access() {
-        if ( ! is_user_logged_in() ) {
-            return false;
+        }
-        // Plugin reviewers can always access the release management functionality, in wp-admin.
-        if ( current_user_can( 'plugin_review' ) && ( is_admin() || wp_is_serving_rest_request() ) ) {
-            return true;
+        }
-        // Must have an access token..
-        if ( empty( $_COOKIE[ self::COOKIE ] ) ) {
-            return false;
+        }
-        // ...and it be valid..
-        $token = get_user_meta( get_current_user_id(), self::META_KEY, true );
-        if (
-            $token &&
-            $token['time'] > ( time() - DAY_IN_SECONDS ) &&
-            wp_check_password( $_COOKIE[ self::COOKIE ], $token['token'] )
-        ) {
-            return true;
+        }
-        return false;
+    }
     static function generate_access_url( $user = null ) {
+        if ( ! $user ) {
+            $user = wp_get_current_user();
+        }
+        if ( ! $user || ! $user->exists() ) {
+            return false;
+        }
+        $time      = time();
+        $plaintext = wp_generate_password( 24, false );
+        $token     = wp_hash_password( $plaintext );
+        update_user_meta( $user->ID, self::META_KEY, compact( 'token', 'time' ) );
+        $url = add_query_arg(
+            self::URL_PARAM,
+            urlencode( $plaintext ),
+            home_url( '/developers/releases/' )
+        );
+        return $url;
+        return home_url( '/developers/releases/' );
+    }
 …
         if ( ! $post || ! is_page() || ! has_shortcode( $post->post_content, self::SHORTCODE ) ) {
             return;
+        }
-        // Migrate URL param to cookie.
-        if ( isset( $_REQUEST[ self::URL_PARAM ] ) ) {
-            setcookie( self::COOKIE, $_REQUEST[ self::URL_PARAM ], time() + DAY_IN_SECONDS, '/plugins/', 'wordpress.org', true, true );
+        }
-        // Expire the cookie when needed. This is not for security, only performance / cleanliness.
-        if ( isset( $_COOKIE[ self::COOKIE ] ) && ! self::can_access() ) {
-            unset( $_COOKIE[ self::COOKIE ] );
-            setcookie( self::COOKIE, false, time() - DAY_IN_SECONDS );
+        }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Making WordPress.org