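/**
 * Handles the submitted settings form for this admin page.
 *
 * Verifies the page nonce before delegating to the parent handler. An invalid
 * or missing nonce ends the request through wp_nonce_ays(), so the parent call
 * only runs for a verified request.
 *
 * @param array $post_data Submitted form data.
 * @return void
 */
public function process_post_data($post_data) {
    // A missing nonce must fail verification rather than raise an undefined-index notice.
    $nonce = isset($_REQUEST['jwp6_nonce']) ? $_REQUEST['jwp6_nonce'] : '';
    if (!wp_verify_nonce($nonce, $this->page_slug)) {
        wp_nonce_ays($this->page_slug); // ends the request
    }
    parent::process_post_data($post_data, true);
}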
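/**
 * Serves an add-on asset (js/css/html) for the in-browser app simulator.
 *
 * Runs on template_redirect when the `wpak_addon_file` query var is set. The
 * app is identified by the `wpak_app_id` GET parameter (ID or slug); a secured
 * simulation additionally requires the (filterable) edit capability. Every
 * failure path sends a 404 and exits; a successful match streams the asset
 * with a content type derived from its extension and exits.
 *
 * @return void
 */
public static function template_redirect() {
    global $wp_query;

    if (empty($wp_query->query_vars['wpak_addon_file'])) {
        return;
    }

    // All failure paths answer with a 404 and stop rendering.
    $not_found = function ($message) {
        header("HTTP/1.0 404 Not Found");
        echo $message;
        exit;
    };

    if (empty($_GET['wpak_app_id'])) {
        $not_found(__('App id not found in _GET parmeters', WpAppKit::i18n_domain));
    }

    $app_id = esc_attr($_GET['wpak_app_id']); // can be ID or slug
    $app = WpakApps::get_app($app_id);
    if (empty($app)) {
        // The original concatenated onto _e(), which echoes and returns nothing, so the id was lost.
        $not_found(__('App not found', WpAppKit::i18n_domain) . ' : [' . $app_id . ']');
    }
    $app_id = $app->ID;

    $default_capability = current_user_can('wpak_edit_apps') ? 'wpak_edit_apps' : 'manage_options';
    $capability = apply_filters('wpak_private_simulation_capability', $default_capability, $app_id);
    if (WpakApps::get_app_simulation_is_secured($app_id) && !current_user_can($capability)) {
        wp_nonce_ays('wpak-addon-file'); // ends the request
    }

    $file = $wp_query->query_vars['wpak_addon_file'];
    // "<addon-slug>/<path ending in .js|.css|.html>". The original character class
    // `[\.js|\.css|\.html]` matched any single one of those characters, not an extension.
    if (!preg_match('/([^\/]+?)\/(.+\.(?:js|css|html))$/', $file, $matches)) {
        $not_found(__('Wrong addon file', WpAppKit::i18n_domain));
    }
    $addon_slug = $matches[1];
    $asset_file = $matches[2];

    // Defense in depth: never hand a parent-directory segment to the add-on
    // (whether get_asset_file() normalises paths is not visible here).
    if (strpos($asset_file, '..') !== false) {
        $not_found(__('Wrong addon file', WpAppKit::i18n_domain));
    }

    $app_addons = self::get_app_addons($app_id);
    if (!array_key_exists($addon_slug, $app_addons)) {
        $not_found(__('Addon not found for this app', WpAppKit::i18n_domain));
    }
    $addon = $app_addons[$addon_slug];

    $asset_full_path = $addon->get_asset_file($asset_file);
    if (!$asset_full_path) {
        $not_found(__('Addon file not found', WpAppKit::i18n_domain));
    }

    $content_types = array(
        'js'   => 'text/javascript',
        'css'  => 'text/css',
        'html' => 'text/html',
    );
    $file_type = pathinfo($asset_full_path, PATHINFO_EXTENSION);
    if (isset($content_types[$file_type])) {
        header('Content-type: ' . $content_types[$file_type] . '; charset=utf-8');
    }
    readfile($asset_full_path);
    exit;
}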
/**
 * Checks if the given nonce is valid, and if not, terminates WordPress execution unless this is an admin request.
 *
 * This function is the MultilingualPress equivalent of the WordPress function with the same name.
 *
 * @since 3.0.0
 *
 * @param Nonce $nonce Nonce object.
 *
 * @return bool Whether or not the nonce is valid.
 */
function check_admin_referer(Nonce $nonce) {
    if ($nonce->is_valid()) {
        return true;
    }
    // An invalid nonce is tolerated only when the request came from an admin URL.
    $referer = strtolower(wp_get_referer());
    $admin_base = strtolower(admin_url());
    $referred_from_admin = strpos($referer, $admin_base) === 0;
    if (!$referred_from_admin) {
        wp_nonce_ays(null);
        call_exit();
    }
    return false;
}
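/**
 * Handles the submitted form for the player pages (overview or single edit).
 *
 * The nonce is bound to the page slug plus the submitted `player_id`; an invalid
 * or missing nonce ends the request through wp_nonce_ays(). After the parent
 * handler runs, the request is routed to the edit handler when `player_id` is
 * in the query string, otherwise to the overview handler.
 *
 * @param array $post_data Submitted form data.
 * @return mixed Whatever the selected handler returns.
 */
public function process_post_data($post_data) {
    // Missing request keys must fail verification, not raise undefined-index notices.
    $nonce = isset($_REQUEST['jwp6_nonce']) ? $_REQUEST['jwp6_nonce'] : '';
    $player_id = isset($_REQUEST['player_id']) ? $_REQUEST['player_id'] : '';
    if (!wp_verify_nonce($nonce, $this->page_slug . $player_id)) {
        wp_nonce_ays($this->page_slug); // ends the request
    }
    parent::process_post_data($post_data, false);
    if (isset($_GET['player_id'])) {
        return $this->process_edit_post_data($post_data);
    }
    return $this->process_overview_post_data($post_data);
}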
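/**
 * Serves the simulator's generated `config.js` / `config.xml` for an app.
 *
 * Runs on template_redirect when the `wpak_appli_file` query var is set. The
 * app is identified by the `wpak_app_id` GET parameter (ID or slug); a secured
 * simulation additionally requires the (filterable) edit capability. Every
 * path ends the request.
 *
 * @return void
 */
public static function template_redirect() {
    global $wp_query;

    if (empty($wp_query->query_vars['wpak_appli_file'])) {
        return;
    }

    if (empty($_GET['wpak_app_id'])) {
        header("HTTP/1.0 404 Not Found");
        _e('App id not found in _GET parameters', WpAppKit::i18n_domain);
        exit;
    }

    $app_id = esc_attr($_GET['wpak_app_id']); // can be ID or slug
    $app = WpakApps::get_app($app_id);
    if (empty($app)) {
        header("HTTP/1.0 404 Not Found");
        echo __('App not found', WpAppKit::i18n_domain) . ' : [' . $app_id . ']';
        exit;
    }
    $app_id = $app->ID;

    $default_capability = current_user_can('wpak_edit_apps') ? 'wpak_edit_apps' : 'manage_options';
    $capability = apply_filters('wpak_private_simulation_capability', $default_capability, $app_id);
    if (WpakApps::get_app_simulation_is_secured($app_id) && !current_user_can($capability)) {
        // The original passed an undefined $action here; use an explicit label.
        wp_nonce_ays('wpak-appli-file'); // ends the request
    }

    $file = $wp_query->query_vars['wpak_appli_file'];
    switch ($file) {
        case 'config.js':
            header("Content-type: text/javascript; charset=utf-8");
            echo "/* Wp AppKit simulator config.js */\n";
            self::get_config_js($app_id, true);
            exit;
        case 'config.xml':
            header("Content-type: text/xml; charset=utf-8");
            self::get_config_xml($app_id, true);
            exit;
        default:
            // Unknown file name: answer 404 instead of a silent, empty 200.
            header("HTTP/1.0 404 Not Found");
            exit;
    }
}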
/**
 * Display 'Are you sure you want to do this?' message to confirm the action being taken.
 * If the action has the nonce explain message, then it will be displayed along with the
 * 'Are you sure?' message. Delegates to wp_nonce_ays(), which ends the request.
 *
 * @param string $action Required. The nonce action.
 */
public function nonceAys($action) {
    $outcome = wp_nonce_ays($action);
    return $outcome;
}
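/**
 * Load action
 *
 * Resolves the current admin page, then looks for the first `w3tc_*` request
 * key, maps it to an `action_*` handler and executes it after verifying the
 * `w3tc` nonce. When an action runs, the request ends here (exit).
 *
 * @return void
 */
function load() {
    w3_require_once(W3TC_INC_FUNCTIONS_DIR . '/admin.php');
    $this->_page = w3tc_get_current_page();

    /**
     * Run plugin action: the first request key prefixed `w3tc_` selects it.
     */
    $action = false;
    foreach (array_keys($_REQUEST) as $key) {
        if (strpos((string) $key, 'w3tc_') === 0) {
            $action = 'action_' . substr($key, 5);
            break;
        }
    }

    $action_handler = w3_instance('W3_AdminActions_ActionHandler');
    $action_handler->set_default($this);
    $action_handler->set_current_page($this->_page);

    if ($action && $action_handler->exists($action)) {
        if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc')) {
            wp_nonce_ays('w3tc'); // ends the request
        }
        try {
            $action_handler->execute($action);
        } catch (Exception $e) {
            w3_admin_redirect_with_custom_messages(array(), array($e->getMessage()));
        }
        exit;
    }
}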
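/**
 * The actual export is done here.
 *
 * Runs only in wp-admin when `wp-attachment-export-download` is in the query
 * string. Requires the administrator role and a valid
 * `wp_attachment_export_download` nonce; anything else gets the "are you sure"
 * screen, which ends the request.
 *
 * @return void
 */
function run_export() {
    if (!is_admin() || !isset($_GET['wp-attachment-export-download'])) {
        return;
    }
    // A missing nonce fails verification instead of raising an undefined-index notice.
    $nonce = isset($_REQUEST['wp_attachment_export_nonce']) ? $_REQUEST['wp_attachment_export_nonce'] : '';
    // NOTE(review): this tests the role name rather than a capability — confirm intended.
    $allowed = current_user_can('administrator')
        && wp_verify_nonce($nonce, 'wp_attachment_export_download');
    if (!$allowed) {
        wp_nonce_ays('wp_attachment_export_download'); // ends the request
        return;
    }
    require_once ABSPATH . '/wp-admin/includes/export.php';
    // export_wp() treats anything other than a known post type as 'all'; default explicitly.
    $args = array('content' => isset($_GET['content']) ? $_GET['content'] : 'all');
    export_wp($args);
    exit;
}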
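/**
 * Create Custom Archives pages when needed.
 *
 * Requires the `create-custom-pages` nonce in `_wpmolynonce_create_custom_pages`
 * (failure ends the request). `create_pages` selects which archive pages to
 * create: 'all' or one of movie/collection/genre/actor. Pages whose option
 * already holds an ID are skipped; newly created IDs are stored in the Redux
 * config and returned.
 *
 * @since 2.1
 *
 * @return array|false IDs of newly created pages keyed by slug, false on a bad request.
 */
public static function add_custom_pages() {
    global $wpmoly_redux_config;

    $nonce = '_wpmolynonce_create_custom_pages';
    if (!isset($_GET[$nonce]) || !wpmoly_verify_nonce($_GET[$nonce], 'create-custom-pages')) {
        wp_nonce_ays('create-custom-pages'); // ends the request
        return false;
    }

    $labels = array(
        'movie'      => __('Movies', 'wpmovielibrary'),
        'collection' => __('Collections', 'wpmovielibrary'),
        'genre'      => __('Genres', 'wpmovielibrary'),
        'actor'      => __('Actors', 'wpmovielibrary'),
    );
    $create = isset($_GET['create_pages']) ? sanitize_text_field($_GET['create_pages']) : '';
    if ($create === 'all') {
        $pages = $labels;
    } elseif (isset($labels[$create])) {
        $pages = array($create => $labels[$create]);
    } else {
        return false;
    }

    $post = array(
        'ID' => null,
        'post_content' => '',
        'post_name' => '',
        'post_title' => '',
        'post_status' => 'publish',
        'post_type' => 'page',
        'post_author' => 1,
        'ping_status' => '',
        'post_excerpt' => '',
        'post_date' => '',
        'post_date_gmt' => '',
        'comment_status' => '',
    );

    $_pages = array();
    foreach ($pages as $slug => $title) {
        $exists = intval(wpmoly_o("{$slug}-archives"));
        if ($exists) {
            continue;
        }
        $post['post_title'] = $title;
        $page_id = wp_insert_post($post);
        $_pages[$slug] = $page_id;
        // wp_insert_post() returns 0 or a WP_Error on failure; a WP_Error is truthy,
        // so only a real ID may be persisted.
        if ($page_id && !is_wp_error($page_id)) {
            $wpmoly_redux_config->ReduxFramework->set("wpmoly-{$slug}-archives", $page_id);
        }
    }

    $self = new WPMOLY_Archives();
    if ($self->has_custom_page()) {
        update_option('wpmoly_has_custom_pages', 'yes');
    }
    return $_pages;
}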
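/**
 * Verifies the request nonce, falling back to an admin-referer check for the
 * legacy `-1` action; a failed check shows the "are you sure" screen and stops.
 *
 * The admin URL is taken from the secure URL when `wp-admin` is listed by
 * as_secure_uris(), otherwise from the `siteurl` option.
 *
 * @param int|string $action    Nonce action, or -1 for the legacy referer-only check.
 * @param string     $query_arg Request key holding the nonce.
 * @return false|int Result of wp_verify_nonce(); false when the nonce is absent or invalid.
 */
function check_admin_referer($action = -1, $query_arg = "_wpnonce") {
    global $secure_url;
    $secure_uris = as_secure_uris();
    $admin_is_secure = in_array("wp-admin", $secure_uris, true) || in_array("wp-admin/", $secure_uris, true);
    $adminurl = strtolower($admin_is_secure ? $secure_url : get_option("siteurl")) . "/wp-admin";
    $referer = strtolower(wp_get_referer());
    // A missing nonce fails verification instead of raising an undefined-index notice.
    $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
    // The referer must start with the admin URL; a substring match would accept
    // a foreign URL that merely contains it.
    $referred_from_admin = -1 == $action && strpos($referer, $adminurl) === 0;
    if (!$result && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    do_action("check_admin_referer", $action, $result);
    return $result;
}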
/**
 * Display 'Are you sure you want to do this?' message to
 * confirm the action being taken.
 *
 * Thin delegate to wp_nonce_ays(), which ends the request.
 *
 * @param string $action The nonce action.
 *
 * @return void
 */
public static function wpNonceAys($action) {
    wp_nonce_ays($action);
    return;
}
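/**
 * AJAX entry point for all `w3tc_*` admin actions.
 *
 * Verifies the `w3tc` nonce (failure ends the request via wp_nonce_ays()),
 * resolves the required capability through the `w3tc_ajax` and
 * `w3tc_ajax_capability_{action}` filters, then fires the generic and the
 * action-specific `w3tc_ajax` hooks. Exceptions are reported as escaped text.
 * Always exits.
 *
 * @return void
 */
public function wp_ajax_w3tc_ajax() {
    if (!wp_verify_nonce(Util_Request::get_string('_wpnonce'), 'w3tc')) {
        wp_nonce_ays('w3tc'); // ends the request
    }
    try {
        // The action name is request-supplied; a missing one yields empty hook suffixes
        // instead of an undefined-index notice.
        $ajax_action = isset($_REQUEST['w3tc_action']) ? (string) $_REQUEST['w3tc_action'] : '';
        $base_capability = apply_filters('w3tc_ajax', 'manage_options');
        $capability = apply_filters('w3tc_ajax_capability_' . $ajax_action, $base_capability);
        if (!empty($capability) && !current_user_can($capability)) {
            throw new \Exception('no permissions');
        }
        do_action('w3tc_ajax');
        do_action('w3tc_ajax_' . $ajax_action);
    } catch (\Exception $e) {
        // Exception messages may carry request-derived text; escape before echoing.
        echo esc_html($e->getMessage());
    }
    exit;
}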
/**
 * Makes sure that a user was referred from another admin page.
 *
 * To avoid security exploits.
 *
 * @since 1.2.0
 * @uses do_action() Calls 'check_admin_referer' on $action.
 *
 * @param string $action    Action nonce
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 * @return false|int Result of wp_verify_nonce(); false when the nonce is absent or invalid.
 */
function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    $legacy_call = (-1 == $action);
    if ($legacy_call) {
        _doing_it_wrong(__FUNCTION__, __('You should specify a nonce action to be verified by using the first parameter.'), '3.2');
    }
    $adminurl = strtolower(admin_url());
    $referer = strtolower(wp_get_referer());
    $result = false;
    if (isset($_REQUEST[$query_arg])) {
        $result = wp_verify_nonce($_REQUEST[$query_arg], $action);
    }
    // Without a valid nonce, a legacy call still passes when the referer is an admin URL.
    $referred_from_admin = $legacy_call && strpos($referer, $adminurl) === 0;
    if (!$result && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    do_action('check_admin_referer', $action, $result);
    return $result;
}
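/**
 * Saves a form to the database
 *
 * Creates a new `mc4wp-form` post, or updates the one named by `$data['ID']`
 * after verifying that it really is a form post. Settings are stored in the
 * `_mc4wp_settings` meta key and each message in its own `text_{key}` key.
 *
 * @param array $data Form data: name, content, optional status, ID, settings, messages.
 * @return int The form post ID, or 0 when the post could not be saved.
 */
public function save_form($data) {
    // Absent keys become empty defaults instead of undefined-index notices.
    $defaults = array('settings' => array(), 'messages' => array(), 'name' => '', 'content' => '');
    $data = array_merge($defaults, $data);
    $post_data = array(
        'post_type' => 'mc4wp-form',
        'post_status' => !empty($data['status']) ? $data['status'] : 'publish',
        'post_title' => $data['name'],
        'post_content' => $data['content'],
    );
    if (!empty($data['ID'])) {
        $post_data['ID'] = $data['ID'];
        $post = get_post($data['ID']);
        // refuse to overwrite a post that is not of post_type `mc4wp-form`
        if (!is_object($post) || $post->post_type !== 'mc4wp-form') {
            wp_nonce_ays(''); // ends the request
            return 0;
        }
    }
    $form_id = wp_insert_post($post_data);
    // wp_insert_post() returns 0 or a WP_Error on failure; attach meta to neither.
    if (!$form_id || is_wp_error($form_id)) {
        return 0;
    }
    update_post_meta($form_id, '_mc4wp_settings', $data['settings']);
    // save form messages in individual meta keys
    foreach ((array) $data['messages'] as $key => $message) {
        update_post_meta($form_id, 'text_' . $key, $message);
    }
    return $form_id;
}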
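/**
 * Completes a WordPress.com SSO login on this site.
 *
 * Validates the `sso_nonce`/`user_id` pair with WordPress.com over XML-RPC,
 * then resolves a local user by wpcom_user_id, by e-mail when enabled, or by
 * creating one when registration is allowed. A resolved user is logged in and
 * redirected; otherwise the login form shows the "can't find user" message.
 *
 * @return void
 */
function handle_login() {
    // Request parameters may be absent; read them defensively.
    $wpcom_nonce = isset($_GET['sso_nonce']) ? sanitize_key($_GET['sso_nonce']) : '';
    $wpcom_user_id = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;

    Jetpack::load_xml_rpc_client();
    $xml = new Jetpack_IXR_Client(array('user_id' => get_current_user_id()));
    $xml->query('jetpack.sso.validateResult', $wpcom_nonce, $wpcom_user_id);
    if ($xml->isError()) {
        wp_die(sprintf('%s: %s', $xml->getErrorCode(), $xml->getErrorMessage()));
    }
    $user_data = $xml->getResponse();
    if (empty($user_data)) {
        wp_die(__('Error, invalid response data.', 'jetpack'));
    }
    $user_data = (object) $user_data;
    $user = null;
    do_action('jetpack_sso_pre_handle_login', $user_data);

    // "state|nonce" links the currently logged-in local user to the wpcom account.
    if (isset($_GET['state']) && 0 < strpos($_GET['state'], '|')) {
        list($state, $nonce) = explode('|', $_GET['state']);
        if (wp_verify_nonce($nonce, $state)) {
            if ('sso-link-user' == $state) {
                $user = wp_get_current_user();
                update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
                add_filter('login_redirect', array(__CLASS__, 'profile_page_url'));
            }
        } else {
            // wp_nonce_ays() requires an action; the bare call was a missing-argument error.
            wp_nonce_ays($state);
        }
    }

    if (empty($user)) {
        $user = $this->get_user_by_wpcom_id($user_data->ID);
    }
    // If we don't have one by wpcom_user_id, try by the email?
    if (empty($user) && self::match_by_email()) {
        $user = get_user_by('email', $user_data->email);
        if ($user) {
            update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
        }
    }
    // If we've still got nothing, create the user.
    if (empty($user) && (get_option('users_can_register') || self::new_user_override())) {
        $username = $user_data->login;
        if (username_exists($username)) {
            $username = $user_data->login . '_' . $user_data->ID;
        }
        $tries = 0;
        while (username_exists($username)) {
            $username = $user_data->login . '_' . $user_data->ID . '_' . mt_rand();
            if ($tries++ >= 5) {
                wp_die(__("Error: Couldn't create suitable username.", 'jetpack'));
            }
        }
        $password = wp_generate_password(20);
        $user_id = wp_create_user($username, $password, $user_data->email);
        // wp_create_user() returns a WP_Error on failure; the original went on to
        // dereference the (false) result of get_userdata() as a user object.
        if (is_wp_error($user_id)) {
            wp_die(esc_html($user_id->get_error_message()));
        }
        $user = get_userdata($user_id);
        $user->display_name = $user_data->display_name;
        $user->first_name = $user_data->first_name;
        $user->last_name = $user_data->last_name;
        $user->url = $user_data->url;
        $user->description = $user_data->description;
        wp_update_user($user);
        update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
    }

    do_action('jetpack_sso_handle_login', $user, $user_data);
    if ($user) {
        // Cache the user's details, so we can present it back to them on their user screen.
        update_user_meta($user->ID, 'wpcom_user_data', $user_data);
        wp_set_auth_cookie($user->ID);
        $_request_redirect_to = isset($_REQUEST['redirect_to']) ? $_REQUEST['redirect_to'] : '';
        $redirect_to = user_can($user, 'edit_posts') ? admin_url() : self::profile_page_url();
        wp_safe_redirect(apply_filters('login_redirect', $redirect_to, $_request_redirect_to, $user));
        exit;
    }
    $this->user_data = $user_data;
    add_action('login_message', array($this, 'cant_find_user'));
}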
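/**
 * Purges the cache and redirects to referrer (admin bar button)
 *
 * Only acts when `_wpnonce` is present; an invalid nonce ends the request via
 * wp_nonce_ays(). The redirect target is the local referer from
 * wp_get_referer(), falling back to the admin URL.
 *
 * @since 2.2.1
 * @return void
 */
public static function purge_cache_admin_bar() {
    if (!isset($_GET['_wpnonce'])) {
        return;
    }
    if (!wp_verify_nonce($_GET['_wpnonce'], 'sg-cachepress-purge')) {
        wp_nonce_ays(''); // ends the request
    }
    // NOTE(review): only the nonce gates this action; there is no capability check — confirm intended.
    self::purge_cache(true);
    // The Referer header is client-supplied and may be absent: wp_get_referer()
    // returns only local URLs (or false) and wp_safe_redirect() rejects off-site targets.
    $referer = wp_get_referer();
    wp_safe_redirect($referer ? $referer : admin_url());
    exit; // nothing should render after the redirect header
}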
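/**
 * Purges the cache and redirects to referrer (admin bar button)
 *
 * Only acts when `_wpnonce` is present; an invalid nonce ends the request via
 * wp_nonce_ays(). The redirect target is the local referer from
 * wp_get_referer(), falling back to the admin URL when there is none.
 *
 * @since 2.2.1
 * @return void
 */
public static function purge_cache_admin_bar() {
    if (!isset($_GET['_wpnonce'])) {
        return;
    }
    if (!wp_verify_nonce($_GET['_wpnonce'], 'sg-cachepress-purge')) {
        wp_nonce_ays(''); // ends the request
    }
    // NOTE(review): only the nonce gates this action; there is no capability check — confirm intended.
    self::purge_cache(true);
    // wp_get_referer() returns false without a usable referer; never redirect to false.
    $referer = wp_get_referer();
    wp_safe_redirect($referer ? $referer : admin_url());
    exit;
}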
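/**
 * admin-post handler that purges the CloudFlare cache and returns to the referer.
 *
 * Requires a valid `rocket_purge_cloudflare` nonce in `_wpnonce`; otherwise the
 * "are you sure" screen ends the request. Falls back to the admin URL when
 * no local referer is available.
 *
 * @return void
 */
function admin_post_rocket_purge_cloudflare() {
    if (!isset($_GET['_wpnonce']) || !wp_verify_nonce($_GET['_wpnonce'], 'rocket_purge_cloudflare')) {
        wp_nonce_ays(''); // ends the request
    }
    // Purge CloudFlare
    rocket_purge_cloudflare();
    // wp_get_referer() returns false without a usable referer; never redirect to false.
    $referer = wp_get_referer();
    wp_safe_redirect($referer ? $referer : admin_url());
    die;
}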
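/**
 * Verifies the `_wpnonce` request nonce for the given action; for the legacy
 * `-1` action a referer starting with the admin URL is accepted instead.
 * A failed check shows the "are you sure" screen and stops.
 *
 * @param int|string $action Nonce action, or -1 for the legacy referer-only check.
 * @return void
 */
function check_admin_referer($action = -1) {
    $adminurl = strtolower(get_option('siteurl')) . '/wp-admin';
    $referer = strtolower(wp_get_referer());
    // A missing nonce fails verification instead of raising an undefined-index notice.
    $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
    // The referer must start with the admin URL; a substring match would accept
    // a foreign URL that merely contains it.
    $referred_from_admin = -1 == $action && strpos($referer, $adminurl) === 0;
    if (!wp_verify_nonce($nonce, $action) && !$referred_from_admin) {
        wp_nonce_ays($action);
        die();
    }
    do_action('check_admin_referer', $action);
}
endif;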
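/**
 * Verifies the `_wpnonce` request nonce for the given action; for the legacy
 * `-1` action a referer starting with the admin URL is accepted instead.
 * A failed check shows the "are you sure" screen and stops.
 *
 * @param int|string $action Nonce action, or -1 for the legacy referer-only check.
 * @return void
 */
function check_admin_referer($action = -1) {
    $adminurl = strtolower(get_settings('siteurl')) . '/wp-admin';
    $referer = strtolower(wp_get_referer());
    // A missing nonce fails verification instead of raising an undefined-index notice.
    $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
    // The referer must start with the admin URL; strstr() accepted any URL that
    // merely contained it.
    $referred_from_admin = -1 == $action && strpos($referer, $adminurl) === 0;
    if (!wp_verify_nonce($nonce, $action) && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    do_action('check_admin_referer', $action);
}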
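/**
 * Saves a form to the database
 *
 * Creates a new `mc4wp-form` post, or updates the one named by `$data['ID']`
 * after verifying that it really is a form post (partial settings are merged
 * over the stored ones). Settings go to the `_mc4wp_settings` meta key and
 * each message to its own `text_{key}` key.
 *
 * @param array $data Form data: name, content, optional status, ID, settings, messages.
 * @return int The form post ID, or 0 when the post could not be saved.
 */
public function save_form($data) {
    static $keys = array('settings' => array(), 'messages' => array(), 'name' => '', 'content' => '');
    $data = array_merge($keys, $data);
    $data = $this->sanitize_form_data($data);
    $post_data = array(
        'post_type' => 'mc4wp-form',
        'post_status' => !empty($data['status']) ? $data['status'] : 'publish',
        'post_title' => $data['name'],
        'post_content' => $data['content'],
    );
    // if an `ID` is given, make sure post is of type `mc4wp-form`
    if (!empty($data['ID'])) {
        $post_data['ID'] = $data['ID'];
        $post = get_post($data['ID']);
        // refuse to overwrite a post that is not of post_type `mc4wp-form`
        if (!is_object($post) || $post->post_type !== 'mc4wp-form') {
            wp_nonce_ays(''); // ends the request
            return 0;
        }
        // merge new settings with current settings to allow passing partial data
        $current_settings = get_post_meta($post->ID, '_mc4wp_settings', true);
        if (is_array($current_settings)) {
            $data['settings'] = array_merge($current_settings, $data['settings']);
        }
    }
    $form_id = wp_insert_post($post_data);
    // wp_insert_post() returns 0 or a WP_Error on failure; attach meta to neither.
    if (!$form_id || is_wp_error($form_id)) {
        return 0;
    }
    update_post_meta($form_id, '_mc4wp_settings', $data['settings']);
    // save form messages in individual meta keys
    foreach ($data['messages'] as $key => $message) {
        update_post_meta($form_id, 'text_' . $key, $message);
    }
    return $form_id;
}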
/**
 * Makes sure that a user was referred from another admin page.
 *
 * To avoid security exploits.
 *
 * @since 1.2.0
 *
 * @param int|string $action    Action nonce.
 * @param string     $query_arg Optional. Key to check for nonce in `$_REQUEST` (since 2.5).
 *                              Default '_wpnonce'.
 * @return false|int False if the nonce is invalid, 1 if the nonce is valid and generated between
 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 */
function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    $legacy_call = (-1 == $action);
    if ($legacy_call) {
        _doing_it_wrong(__FUNCTION__, __('You should specify a nonce action to be verified by using the first parameter.'), '3.2');
    }
    $adminurl = strtolower(admin_url());
    $referer = strtolower(wp_get_referer());
    $result = false;
    if (isset($_REQUEST[$query_arg])) {
        $result = wp_verify_nonce($_REQUEST[$query_arg], $action);
    }
    // Without a valid nonce, a legacy call still passes when the referer is an admin URL.
    $referred_from_admin = $legacy_call && strpos($referer, $adminurl) === 0;
    if (!$result && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    /**
     * Fires once the admin request has been validated or not.
     *
     * @since 1.5.1
     *
     * @param string    $action The nonce action.
     * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
     *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
     */
    do_action('check_admin_referer', $action, $result);
    return $result;
}
/**
 * Display 'Are You Sure' message to confirm the action being taken.
 *
 * Uses this object's own action name; wp_nonce_ays() ends the request.
 */
public function nonce_ays() {
    $action = $this->get_action();
    \wp_nonce_ays($action);
}
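/**
 * Verifies the `_wpnonce` request nonce for the given action; for the legacy
 * `-1` action a referer starting with the admin script URL is accepted instead.
 * A failed check shows the "are you sure" screen and stops.
 *
 * @param int|string $action Nonce action, or -1 for the legacy referer-only check.
 * @return void
 */
function check_admin_referer($action = -1) {
    // Both sides of the prefix comparison are lower-cased.
    $adminurl = strtolower(BLOG_BASEURL . 'admin.php');
    $referer = strtolower(wp_get_referer());
    // isset() replaces the @-suppressed undefined-index read.
    $nonce = isset($_REQUEST['_wpnonce']) ? $_REQUEST['_wpnonce'] : '';
    // The referer must start with the admin URL; strstr() accepted any URL that
    // merely contained it.
    $referred_from_admin = -1 == $action && strpos($referer, $adminurl) === 0;
    if (!wp_verify_nonce($nonce, $action) && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    do_action('check_admin_referer', $action);
}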
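/**
 * Makes sure that a user was referred from another admin page.
 *
 * To avoid security exploits.
 *
 * @since 1.2.0
 * @uses do_action() Calls 'check_admin_referer' on $action.
 *
 * @param string $action    Action nonce
 * @param string $query_arg where to look for nonce in $_REQUEST (since 2.5)
 * @return false|int Result of wp_verify_nonce(); false when the nonce is absent or invalid.
 */
function check_admin_referer($action = -1, $query_arg = '_wpnonce') {
    $adminurl = strtolower(admin_url());
    $referer = strtolower(wp_get_referer());
    // A missing nonce fails verification instead of raising an undefined-index notice.
    $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
    // The referer must start with the admin URL; a substring match would accept
    // a foreign URL that merely contains it.
    $referred_from_admin = -1 == $action && strpos($referer, $adminurl) === 0;
    if (!$result && !$referred_from_admin) {
        wp_nonce_ays($action);
        die;
    }
    do_action('check_admin_referer', $action, $result);
    return $result;
}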
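/**
 * Completes a WordPress.com SSO login on this site.
 *
 * Validates the `sso_nonce`/`user_id` pair with WordPress.com over XML-RPC,
 * optionally requires two-step on the wpcom account (`jetpack_sso_require_two_step`
 * filter), then resolves a local user by wpcom_user_id, by e-mail when enabled,
 * or by creating one when registration is allowed. A resolved user is logged in
 * and redirected (a saved redirect cookie takes precedence); otherwise the login
 * form shows the "can't find user" message.
 *
 * @return void
 */
function handle_login() {
    // Request parameters may be absent; read them defensively.
    $wpcom_nonce = isset($_GET['sso_nonce']) ? sanitize_key($_GET['sso_nonce']) : '';
    $wpcom_user_id = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;

    Jetpack::load_xml_rpc_client();
    $xml = new Jetpack_IXR_Client(array('user_id' => get_current_user_id()));
    $xml->query('jetpack.sso.validateResult', $wpcom_nonce, $wpcom_user_id);
    if ($xml->isError()) {
        wp_die(sprintf('%s: %s', $xml->getErrorCode(), $xml->getErrorMessage()));
    }
    $user_data = $xml->getResponse();
    if (empty($user_data)) {
        wp_die(__('Error, invalid response data.', 'jetpack'));
    }
    $user_data = (object) $user_data;
    $user = null;
    do_action('jetpack_sso_pre_handle_login', $user_data);

    // Check to see if having two step enable on wpcom is a requirement to login here
    $require_two_step = apply_filters('jetpack_sso_require_two_step', get_option('jetpack_sso_require_two_step'));
    $two_step_enabled = isset($user_data->two_step_enabled) ? (int) $user_data->two_step_enabled : 0;
    if ($require_two_step && 0 === $two_step_enabled) {
        $this->user_data = $user_data;
        do_action('wp_login_failed', $user_data->login);
        add_action('login_message', array($this, 'error_msg_enable_two_step'));
        return;
    }

    // "state|nonce" links the currently logged-in local user to the wpcom account.
    if (isset($_GET['state']) && 0 < strpos($_GET['state'], '|')) {
        list($state, $nonce) = explode('|', $_GET['state']);
        if (wp_verify_nonce($nonce, $state)) {
            if ('sso-link-user' == $state) {
                $user = wp_get_current_user();
                update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
                add_filter('login_redirect', array(__CLASS__, 'profile_page_url'));
            }
        } else {
            // wp_nonce_ays() requires an action; the bare call was a missing-argument error.
            wp_nonce_ays($state);
        }
    }

    if (empty($user)) {
        $user = $this->get_user_by_wpcom_id($user_data->ID);
    }
    // If we don't have one by wpcom_user_id, try by the email?
    if (empty($user) && self::match_by_email()) {
        $user = get_user_by('email', $user_data->email);
        if ($user) {
            update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
        }
    }
    // If we've still got nothing, create the user.
    if (empty($user) && (get_option('users_can_register') || self::new_user_override())) {
        // When matching by email, the address is known to be unused (it would have been
        // found above); otherwise verify it is unused or wp_create_user() fails.
        // The original `!match_by_email() && ...` never created a user when matching was on.
        if (self::match_by_email() || !get_user_by('email', $user_data->email)) {
            $username = $user_data->login;
            if (username_exists($username)) {
                $username = $user_data->login . '_' . $user_data->ID;
            }
            $tries = 0;
            while (username_exists($username)) {
                $username = $user_data->login . '_' . $user_data->ID . '_' . mt_rand();
                if ($tries++ >= 5) {
                    wp_die(__("Error: Couldn't create suitable username.", 'jetpack'));
                }
            }
            $password = wp_generate_password(20);
            $user_id = wp_create_user($username, $password, $user_data->email);
            // wp_create_user() returns a WP_Error on failure; the original went on to
            // dereference the (false) result of get_userdata() as a user object.
            if (is_wp_error($user_id)) {
                wp_die(esc_html($user_id->get_error_message()));
            }
            $user = get_userdata($user_id);
            $user->display_name = $user_data->display_name;
            $user->first_name = $user_data->first_name;
            $user->last_name = $user_data->last_name;
            $user->url = $user_data->url;
            $user->description = $user_data->description;
            wp_update_user($user);
            update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
        }
    }

    do_action('jetpack_sso_handle_login', $user, $user_data);
    if ($user) {
        // Cache the user's details, so we can present it back to them on their user screen.
        update_user_meta($user->ID, 'wpcom_user_data', $user_data);
        // Set remember me value
        $remember = apply_filters('jetpack_remember_login', false);
        wp_set_auth_cookie($user->ID, $remember);
        // Run the WP core login action
        do_action('wp_login', $user->user_login, $user);
        $_request_redirect_to = isset($_REQUEST['redirect_to']) ? $_REQUEST['redirect_to'] : '';
        $redirect_to = user_can($user, 'edit_posts') ? admin_url() : self::profile_page_url();
        // If we have a saved redirect to request in a cookie
        if (!empty($_COOKIE['jetpack_sso_redirect_to'])) {
            // Set that as the requested redirect to
            $redirect_to = $_request_redirect_to = esc_url_raw($_COOKIE['jetpack_sso_redirect_to']);
            // And then purge it
            setcookie('jetpack_sso_redirect_to', ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN);
        }
        // wp_safe_redirect() rejects off-site targets, including a tampered cookie value.
        wp_safe_redirect(apply_filters('login_redirect', $redirect_to, $_request_redirect_to, $user));
        exit;
    }
    $this->user_data = $user_data;
    do_action('wp_login_failed', $user_data->login);
    add_action('login_message', array($this, 'cant_find_user'));
}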
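/**
 * Load action
 *
 * Normalises the requested `page` to a known W3TC admin page (default
 * dashboard), computes the "support us" reminder flag, then looks for the
 * first `w3tc_*` request key, maps it to an `action_*` handler and executes it.
 * When an action runs, the request ends here (exit).
 *
 * @return void
 */
function load() {
    w3_require_once(W3TC_LIB_W3_DIR . '/Request.php');
    $this->_page = W3_Request::get_string('page');

    // Any page outside the known list falls back to the dashboard.
    $known_pages = array(
        'w3tc_dashboard', 'w3tc_general', 'w3tc_pgcache', 'w3tc_minify', 'w3tc_dbcache',
        'w3tc_objectcache', 'w3tc_fragmentcache', 'w3tc_browsercache', 'w3tc_mobile',
        'w3tc_referrer', 'w3tc_cdn', 'w3tc_monitoring', 'w3tc_install', 'w3tc_faq',
        'w3tc_about', 'w3tc_support',
    );
    if (!in_array($this->_page, $known_pages, true)) {
        $this->_page = 'w3tc_dashboard';
    }

    $this->_support_reminder = $this->_config->get_boolean('notes.support_us')
        && $this->_config_admin->get_integer('common.install') < time() - W3TC_SUPPORT_US_TIMEOUT
        && $this->_config->get_string('common.support') == ''
        && !$this->_config->get_boolean('common.tweeted');

    /**
     * Run plugin action: the first request key prefixed `w3tc_` selects it.
     */
    $action = false;
    foreach (array_keys($_REQUEST) as $key) {
        if (strpos((string) $key, 'w3tc_') === 0) {
            $action = 'action_' . substr($key, 5);
            break;
        }
    }

    $action_handler = w3_instance('W3_AdminActions_ActionHandler');
    $action_handler->set_default($this);
    $action_handler->set_current_page($this->_page);

    if ($action && $action_handler->exists($action)) {
        // NOTE(review): only actions whose name contains 'view' are nonce-checked here;
        // other handlers are presumably expected to verify themselves — confirm.
        if (strpos($action, 'view') !== false) {
            if (!wp_verify_nonce(W3_Request::get_string('_wpnonce'), 'w3tc')) {
                wp_nonce_ays('w3tc'); // ends the request
            } else {
                check_admin_referer('w3tc');
            }
        }
        try {
            $action_handler->execute($action);
        } catch (Exception $e) {
            w3_require_once(W3TC_INC_FUNCTIONS_DIR . '/admin.php');
            w3_admin_redirect_with_custom_messages(array(), array($e->getMessage()));
        }
        exit;
    }
}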
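/**
 * Serves a WP AppKit theme file for the in-browser app simulator.
 *
 * Runs on template_redirect when the `wpak_theme_file` query var is set. Asset
 * files (fonts, images, css — see is_asset_file()) only need to belong to a
 * real theme that some app uses, because they can be referenced straight from
 * theme sources without the `wpak_app_id` parameter. Any other file must be
 * requested for a known app whose current theme is the one named in the path;
 * a secured simulation additionally requires the (filterable) edit capability.
 * Failure paths answer 404 and exit; a found file is sent by exit_send_theme_file().
 *
 * @return void
 */
public static function template_redirect() {
    global $wp_query;

    // The following is only for app simulation in browser
    if (empty($wp_query->query_vars['wpak_theme_file'])) {
        return;
    }
    $file = $wp_query->query_vars['wpak_theme_file'];

    // All failure paths answer with a 404 and stop rendering.
    $not_found = function ($message) {
        header("HTTP/1.0 404 Not Found");
        echo $message;
        exit;
    };

    // Defense in depth: refuse parent-directory segments before any lookup
    // (whether get_theme_file() normalises paths is not visible here).
    if (strpos($file, '..') !== false) {
        $not_found(__('Not a valid theme file path', WpAppKit::i18n_domain));
    }

    $path_pattern = '/([^\/]+?)\/(.+)$/'; // "<theme-slug>/<file path>"

    if (self::is_asset_file($file)) {
        // For assets files like fonts, images or css we can't be sure that the
        // wpak_app_id GET arg is there, because they can be included directly in
        // themes sources (CSS/HTML) where the WP AppKit API can't be used. So we
        // just check that the theme the asset belongs to is a real WP AppKit theme
        // and that at least one app uses this theme.
        if (!preg_match($path_pattern, $file, $matches)) {
            $not_found(__('Not a valid theme file path', WpAppKit::i18n_domain));
        }
        $theme_slug = $matches[1];
        $theme_file = $matches[2];
        if (!self::is_theme($theme_slug) || !self::theme_is_used($theme_slug)) {
            $not_found(__('Not a valid theme file', WpAppKit::i18n_domain));
        }
        $file_full_path = self::get_theme_file($theme_slug, $theme_file);
        if ($file_full_path) {
            self::exit_send_theme_file($file_full_path);
        }
        // As before, a missing asset falls through to normal WordPress rendering.
        return;
    }

    // For non considered asset files (like JS) we check that the file is
    // asked for the correct app and for the theme of the app:
    if (empty($_GET['wpak_app_id'])) {
        $not_found(__('App id not found in _GET parmeters', WpAppKit::i18n_domain));
    }
    $app_id = esc_attr($_GET['wpak_app_id']); // can be ID or slug
    $app = WpakApps::get_app($app_id);
    if (empty($app)) {
        // The original concatenated onto _e(), which echoes and returns nothing, so the id was lost.
        $not_found(__('App not found', WpAppKit::i18n_domain) . ' : [' . $app_id . ']');
    }
    $app_id = $app->ID;

    $default_capability = current_user_can('wpak_edit_apps') ? 'wpak_edit_apps' : 'manage_options';
    $capability = apply_filters('wpak_private_simulation_capability', $default_capability, $app_id);
    if (WpakApps::get_app_simulation_is_secured($app_id) && !current_user_can($capability)) {
        wp_nonce_ays('wpak-theme-file'); // ends the request
    }

    if (!preg_match($path_pattern, $file, $matches)) {
        $not_found(__('Wrong theme file', WpAppKit::i18n_domain));
    }
    $theme_slug = $matches[1];
    $theme_file = $matches[2];
    $app_theme = WpakThemesStorage::get_current_theme($app_id);
    // Strict string comparison; $theme_slug is always a string from the regex.
    if ($theme_slug !== (string) $app_theme) {
        $not_found(__('Asked theme is not activated for the given app', WpAppKit::i18n_domain));
    }
    $file_full_path = self::get_theme_file($theme_slug, $theme_file);
    if (!$file_full_path) {
        $not_found(__('Theme file not found', WpAppKit::i18n_domain));
    }
    self::exit_send_theme_file($file_full_path);
}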
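/**
 * The function that actually handles the login!
 *
 * Validates the `sso_nonce`/`user_id` pair with WordPress.com over XML-RPC,
 * optionally requires two-step on the wpcom account, then resolves a local user
 * by wpcom_user_id, by e-mail when enabled, or by creating one when registration
 * is allowed (refusing when the e-mail is already taken). A resolved user is
 * logged in (remember-me cookie honoured) and redirected, a saved redirect
 * cookie taking precedence; otherwise the login form shows an error message.
 *
 * @return void
 */
function handle_login() {
    // Request parameters may be absent; read them defensively.
    $wpcom_nonce = isset($_GET['sso_nonce']) ? sanitize_key($_GET['sso_nonce']) : '';
    $wpcom_user_id = isset($_GET['user_id']) ? (int) $_GET['user_id'] : 0;

    Jetpack::load_xml_rpc_client();
    $xml = new Jetpack_IXR_Client(array('user_id' => get_current_user_id()));
    $xml->query('jetpack.sso.validateResult', $wpcom_nonce, $wpcom_user_id);
    if ($xml->isError()) {
        wp_die(sprintf('%s: %s', $xml->getErrorCode(), $xml->getErrorMessage()));
    }
    $user_data = $xml->getResponse();
    if (empty($user_data)) {
        wp_die(__('Error, invalid response data.', 'jetpack'));
    }
    $user_data = (object) $user_data;
    $user = null;

    /**
     * Fires before Jetpack's SSO modifies the log in form.
     *
     * @module sso
     *
     * @since 2.6.0
     *
     * @param object $user_data User login information.
     */
    do_action('jetpack_sso_pre_handle_login', $user_data);

    /**
     * Is it required to have 2-step authentication enabled on WordPress.com to use SSO?
     *
     * @module sso
     *
     * @since 2.8.0
     *
     * @param bool get_option( 'jetpack_sso_require_two_step' ) Does SSO require 2-step authentication?
     */
    $require_two_step = apply_filters('jetpack_sso_require_two_step', get_option('jetpack_sso_require_two_step'));
    $two_step_enabled = isset($user_data->two_step_enabled) ? (int) $user_data->two_step_enabled : 0;
    if ($require_two_step && 0 === $two_step_enabled) {
        $this->user_data = $user_data;
        /** This filter is documented in core/src/wp-includes/pluggable.php */
        do_action('wp_login_failed', $user_data->login);
        add_action('login_message', array($this, 'error_msg_enable_two_step'));
        return;
    }

    // "state|nonce" links the currently logged-in local user to the wpcom account.
    if (isset($_GET['state']) && 0 < strpos($_GET['state'], '|')) {
        list($state, $nonce) = explode('|', $_GET['state']);
        if (wp_verify_nonce($nonce, $state)) {
            if ('sso-link-user' == $state) {
                $user = wp_get_current_user();
                update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
                add_filter('login_redirect', array(__CLASS__, 'profile_page_url'));
            }
        } else {
            // wp_nonce_ays() requires an action; the bare call was a missing-argument error.
            wp_nonce_ays($state);
        }
    }

    if (empty($user)) {
        $user = $this->get_user_by_wpcom_id($user_data->ID);
    }
    // If we don't have one by wpcom_user_id, try by the email?
    if (empty($user) && self::match_by_email()) {
        $user = get_user_by('email', $user_data->email);
        if ($user) {
            update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
        }
    }
    // If we've still got nothing, create the user.
    if (empty($user) && (get_option('users_can_register') || self::new_user_override())) {
        /**
         * If match_by_email is true, we know the email doesn't exist, as it would have
         * been found in the first pass. If get_user_by( 'email' ) doesn't find the
         * user, then we know that email is unused, so it's safe to add.
         */
        if (self::match_by_email() || !get_user_by('email', $user_data->email)) {
            $username = $user_data->login;
            if (username_exists($username)) {
                $username = $user_data->login . '_' . $user_data->ID;
            }
            $tries = 0;
            while (username_exists($username)) {
                $username = $user_data->login . '_' . $user_data->ID . '_' . mt_rand();
                if ($tries++ >= 5) {
                    wp_die(__("Error: Couldn't create suitable username.", 'jetpack'));
                }
            }
            $password = wp_generate_password(20);
            $user_id = wp_create_user($username, $password, $user_data->email);
            // wp_create_user() returns a WP_Error on failure; the original went on to
            // dereference the (false) result of get_userdata() as a user object.
            if (is_wp_error($user_id)) {
                wp_die(esc_html($user_id->get_error_message()));
            }
            $user = get_userdata($user_id);
            $user->display_name = $user_data->display_name;
            $user->first_name = $user_data->first_name;
            $user->last_name = $user_data->last_name;
            $user->url = $user_data->url;
            $user->description = $user_data->description;
            wp_update_user($user);
            update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID);
        } else {
            $this->user_data = $user_data;
            add_action('login_message', array($this, 'error_msg_email_already_exists'));
            return;
        }
    }

    /**
     * Fires after we got login information from WordPress.com.
     *
     * @module sso
     *
     * @since 2.6.0
     *
     * @param array  $user      WordPress.com User information.
     * @param object $user_data User Login information.
     */
    do_action('jetpack_sso_handle_login', $user, $user_data);

    if ($user) {
        // Cache the user's details, so we can present it back to them on their user screen.
        update_user_meta($user->ID, 'wpcom_user_data', $user_data);

        $remember = false;
        if (!empty($_COOKIE['jetpack_sso_remember_me'])) {
            $remember = true;
            // And then purge it
            setcookie('jetpack_sso_remember_me', ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN);
        }
        /**
         * Filter the remember me value.
         *
         * @module sso
         *
         * @since 2.8.0
         *
         * @param bool $remember Is the remember me option checked?
         */
        $remember = apply_filters('jetpack_remember_login', $remember);
        wp_set_auth_cookie($user->ID, $remember);

        /** This filter is documented in core/src/wp-includes/user.php */
        do_action('wp_login', $user->user_login, $user);

        $_request_redirect_to = isset($_REQUEST['redirect_to']) ? $_REQUEST['redirect_to'] : '';
        $redirect_to = user_can($user, 'edit_posts') ? admin_url() : self::profile_page_url();
        // If we have a saved redirect to request in a cookie
        if (!empty($_COOKIE['jetpack_sso_redirect_to'])) {
            // Set that as the requested redirect to
            $redirect_to = $_request_redirect_to = esc_url_raw($_COOKIE['jetpack_sso_redirect_to']);
            // And then purge it
            setcookie('jetpack_sso_redirect_to', ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN);
        }
        // wp_safe_redirect() rejects off-site targets, including a tampered cookie value.
        wp_safe_redirect(apply_filters('login_redirect', $redirect_to, $_request_redirect_to, $user));
        exit;
    }

    $this->user_data = $user_data;
    /** This filter is documented in core/src/wp-includes/pluggable.php */
    do_action('wp_login_failed', $user_data->login);
    add_action('login_message', array($this, 'cant_find_user'));
}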
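/**
 * Saves a form to the database
 *
 * Creates a new `mc4wp-form` post, or updates the one named by `$data['ID']`
 * after verifying that it really is a form post (partial settings are merged
 * over the stored ones). Settings go to the `_mc4wp_settings` meta key and
 * each message to its own `text_{key}` key; `mc4wp_save_form` fires afterwards.
 *
 * @param array $data Form data: name, content, optional status, ID, settings, messages.
 * @return int The form post ID, or 0 when the post could not be saved.
 */
public function save_form($data) {
    static $keys = array('settings' => array(), 'messages' => array(), 'name' => '', 'content' => '');
    $data = array_merge($keys, $data);
    $data = $this->sanitize_form_data($data);
    $post_data = array(
        'post_type' => 'mc4wp-form',
        'post_status' => !empty($data['status']) ? $data['status'] : 'publish',
        'post_title' => $data['name'],
        'post_content' => $data['content'],
    );
    // if an `ID` is given, make sure post is of type `mc4wp-form`
    if (!empty($data['ID'])) {
        $post_data['ID'] = $data['ID'];
        $post = get_post($data['ID']);
        // refuse to overwrite a post that is not of post_type `mc4wp-form`
        if (!is_object($post) || $post->post_type !== 'mc4wp-form') {
            wp_nonce_ays(''); // ends the request
            return 0;
        }
        // merge new settings with current settings to allow passing partial data
        $current_settings = get_post_meta($post->ID, '_mc4wp_settings', true);
        if (is_array($current_settings)) {
            $data['settings'] = array_merge($current_settings, $data['settings']);
        }
    }
    // Fix for MultiSite stripping KSES for roles other than administrator
    remove_all_filters('content_save_pre');
    $form_id = wp_insert_post($post_data);
    // wp_insert_post() returns 0 or a WP_Error on failure; attach meta to neither.
    if (!$form_id || is_wp_error($form_id)) {
        return 0;
    }
    update_post_meta($form_id, '_mc4wp_settings', $data['settings']);
    // save form messages in individual meta keys
    foreach ($data['messages'] as $key => $message) {
        update_post_meta($form_id, 'text_' . $key, $message);
    }
    /**
     * Runs right after a form is updated.
     *
     * @since 3.0
     *
     * @param int $form_id
     */
    do_action('mc4wp_save_form', $form_id);
    return $form_id;
}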