/**
* Verify that correct nonce was used with time limit.
*
* The user is given an amount of time to use the token, so therefore, since the
* UID and $action remain the same, the independent variable is the time.
*
* @since 2.0.3
*
* @param string $nonce Nonce that was used in the form to verify
* @param string|int $action Should give context to what is taking place and be the same when nonce was created.
*
* @return false|int False if the nonce is invalid, 1 if the nonce is valid and generated between
* 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
*/
function wp_verify_nonce($nonce, $action = -1)
{
$nonce = (string) $nonce;
$user = wp_get_current_user();
$uid = (int) $user->ID;
if (!$uid) {
/**
* Filter whether the user who generated the nonce is logged out.
*
* @since 3.5.0
*
* @param int $uid ID of the nonce-owning user.
* @param string $action The nonce action.
*/
$uid = apply_filters('nonce_user_logged_out', $uid, $action);
}
if (empty($nonce)) {
die('<mainwp>' . base64_encode(json_encode(array('error' => 'You dont send nonce: ' . $action))) . '</mainwp>');
}
$token = wp_get_session_token();
$i = wp_nonce_tick();
// Nonce generated 0-12 hours ago
$expected = substr(wp_hash($i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10);
if (hash_equals($expected, $nonce)) {
return 1;
}
// Nonce generated 12-24 hours ago
$expected = substr(wp_hash($i - 1 . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10);
if (hash_equals($expected, $nonce)) {
return 2;
}
// Invalid nonce
die('<mainwp>' . base64_encode(json_encode(array('error' => 'Invalid nonce. Try use: ' . $action))) . '</mainwp>');
}
function wp_create_nonce($action = -1)
{
$user = wp_get_current_user();
$uid = (int) $user->ID;
if (!$uid) {
/** This filter is documented in wp-includes/pluggable.php */
$uid = apply_filters('nonce_user_logged_out', $uid, $action);
}
$token = wp_get_session_token();
$i = wp_nonce_tick();
return substr(wp_hash($i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10);
}
function wp_verify_nonce($nonce, $action = -1)
{
$user = wp_get_current_user();
$uid = (int) $user->ID;
if (!$uid) {
/** This filter is documented in wp-includes/pluggable.php */
$uid = apply_filters('nonce_user_logged_out', $uid, $action);
}
/**
* Filter the lifespan of nonces in seconds.
*
* @since 2.5.0
*
* @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day.
*/
$nonce_life = apply_filters('nonce_life', DAY_IN_SECONDS);
$token = wp_get_session_token();
$verifier = new Verifier();
$verifier->setUserId($uid);
$verifier->setLifespan($nonce_life);
$verifier->setSessionToken($token);
$verifier->setSalt(wp_salt('nonce'));
$nonce = (string) $nonce;
$verified = $verifier->verify($nonce, $action);
if (false !== $verified) {
return $verified;
}
/**
* Fires when nonce verification fails.
*
* @since 4.4.0
*
* @param string $nonce The invalid nonce.
* @param string|int $action The nonce action.
* @param WP_User $user The current user object.
* @param string $token The user's session token.
*/
do_action('wp_verify_nonce_failed', $nonce, $action, $user, $token);
return false;
}
/**
* Remove all but the current session token for the current user for the database.
*
* @since 4.0.0
*/
function wp_destroy_other_sessions()
{
$token = wp_get_session_token();
if ($token) {
$manager = WP_Session_Tokens::get_instance(get_current_user_id());
$manager->destroy_others($token);
}
}
/**
* AJAX handler for destroying multiple open sessions for a user.
*
* @since 4.1.0
*/
function wp_ajax_destroy_sessions()
{
$user = get_userdata((int) $_POST['user_id']);
if ($user) {
if (!current_user_can('edit_user', $user->ID)) {
$user = false;
} elseif (!wp_verify_nonce($_POST['nonce'], 'update-user_' . $user->ID)) {
$user = false;
}
}
if (!$user) {
wp_send_json_error(array('message' => __('Could not log out user sessions. Please try again.')));
}
$sessions = WP_Session_Tokens::get_instance($user->ID);
if ($user->ID === get_current_user_id()) {
$sessions->destroy_others(wp_get_session_token());
$message = __('You are now logged out everywhere else.');
} else {
$sessions->destroy_all();
/* translators: 1: User's display name. */
$message = sprintf(__('%s has been logged out.'), $user->display_name);
}
wp_send_json_success(array('message' => $message));
}
static function getTransientKey()
{
$sid = wp_get_session_token();
return self::TRANSIENT_PREFIX . md5($sid);
}
function one_session_per_user($user, $username, $password)
{
if (isset($user->allcaps['edit_posts']) && $user->allcaps['edit_posts']) {
return $user;
}
$sessions = WP_Session_Tokens::get_instance($user->ID);
$all_sessions = $sessions->get_all();
if (count($all_sessions)) {
$flag = 0;
$previous_login = get_user_meta($user->ID, 'last_activity', true);
if (isset($previous_login) && $previous_login) {
$threshold = apply_filters('wplms_login_threshold', 1800);
$difference = time() - strtotime($previous_login) - $threshold;
if ($difference <= 0) {
// If the user Logged in within 30 Minutes
$flag = 1;
} else {
$token = wp_get_session_token();
$sessions->destroy_others($token);
}
} else {
$flag = 1;
}
if ($flag) {
$user = new WP_Error('already_signed_in', __('<strong>ERROR</strong>: User already logged in.', 'vibe-customtypes'));
}
}
return $user;
}
/**
* Get the user's current session array
*
* @return array
*/
function pcl_get_current_session()
{
$sessions = WP_Session_Tokens::get_instance(get_current_user_id());
return $sessions->get(wp_get_session_token());
}
/**
* Will dismiss message for current session only
*/
public static function dismiss_message()
{
check_ajax_referer('admin_user_message_nonce', 'admin_user_message_nonce');
$token = wp_get_session_token();
if ($token) {
$manager = WP_Session_Tokens::get_instance(get_current_user_id());
$session = $manager->get($token);
add_filter('attach_session_information', '__return_empty_array');
$manager->update($token, array_merge($session, array('admin-user-message-dismiss-' . get_option(self::SETTINGS_PREFIX . 'id', 1) => true)));
}
wp_send_json_success();
}
/**
* Run the plugin!
* Check current user, load nessesary data and register all used hooks
*
* @since 0.1
* @access private
* @return void
*/
private function run()
{
// Not needed, the delete_user actions already remove all metadata
//add_action( 'remove_user_from_blog', array( $this->store, 'delete_user_meta' ) );
//add_action( 'wpmu_delete_user', array( $this->store, 'delete_user_meta' ) );
//add_action( 'wp_delete_user', array( $this->store, 'delete_user_meta' ) );
if (is_user_logged_in()) {
$this->store->set_nonce('view-admin-as');
// Get the current user
$this->store->set_curUser(wp_get_current_user());
// Get the current user session
if (function_exists('wp_get_session_token')) {
// WP 4.0+
$this->store->set_curUserSession((string) wp_get_session_token());
} else {
$cookie = wp_parse_auth_cookie('', 'logged_in');
if (!empty($cookie['token'])) {
$this->store->set_curUserSession((string) $cookie['token']);
} else {
// Fallback. This disables the use of multiple views in different sessions
$this->store->set_curUserSession($this->store->get_curUser()->ID);
}
}
/**
* Validate if the current user has access to the functionalities
*
* @since 0.1 Check if the current user had administrator rights (is_super_admin)
* Disable plugin functions for nedwork admin pages
* @since 1.4 Make sure we have a session for the current user
* @since 1.5.1 If a user has the correct capability (view_admin_as + edit_users) this plugin is also enabled, use with care
* Note that in network installations the non-admin user also needs the manage_network_users capability (of not the edit_users will return false)
* @since 1.5.3 Enable on network pages for superior admins
*/
if ((is_super_admin($this->store->get_curUser()->ID) || current_user_can('view_admin_as') && current_user_can('edit_users')) && (!is_network_admin() || VAA_API::is_superior_admin($this->store->get_curUser()->ID)) && $this->store->get_curUserSession() != '') {
$this->enable = true;
}
// Get database settings
$this->store->set_optionData(get_option($this->store->get_optionKey()));
// Get database settings of the current user
$this->store->set_userMeta(get_user_meta($this->store->get_curUser()->ID, $this->store->get_userMetaKey(), true));
$this->load_modules();
// Check if a database update is needed
VAA_View_Admin_As_Update::get_instance($this)->maybe_db_update();
if ($this->is_enabled()) {
// Fix some compatibility issues, more to come!
VAA_View_Admin_As_Compat::get_instance($this)->init();
$this->store->store_caps();
$this->store->store_roles();
$this->store->store_users();
$this->view->init();
$this->load_ui();
// Dúh..
add_action('admin_enqueue_scripts', array($this, 'enqueue_scripts'));
add_action('wp_enqueue_scripts', array($this, 'enqueue_scripts'));
add_filter('wp_die_handler', array($this, 'die_handler'));
/**
* Init is finished. Hook is used for other classes related to View Admin As
* @since 1.5
* @param object $this VAA_View_Admin_As
*/
do_action('vaa_view_admin_as_init', $this);
} else {
// Extra security check for non-admins who did something naughty or we're demoted to a lesser role
// If they have settings etc. we'll keep them in case they get promoted again
add_action('wp_login', array($this, 'reset_all_views'), 10, 2);
}
}
}
/**
* Get the user's browser user-agent
*
* @since 0.1.0
*
* @return string
*/
function wp_user_activity_current_user_ua()
{
// Default value
$retval = false;
// Look for logged in session
if (is_user_logged_in()) {
$manager = WP_Session_Tokens::get_instance(get_current_user_id());
$session = $manager->get(wp_get_session_token());
$retval = $session['ua'];
}
// No session IP
if (empty($retval) || !is_user_logged_in()) {
$retval = !empty($_SERVER['HTTP_USER_AGENT']) ? substr($_SERVER['HTTP_USER_AGENT'], 0, 254) : '';
}
// Filter & return
return apply_filters('wp_user_activity_current_user_ua', $retval);
}
