/** * Synchronize connected user role changes */ static function user_role_change($user_id) { if (Jetpack::is_active() && Jetpack::is_user_connected($user_id)) { $current_user_id = get_current_user_id(); wp_set_current_user($user_id); $role = Jetpack::translate_current_user_to_role(); $signed_role = Jetpack::sign_role($role); wp_set_current_user($current_user_id); $master_token = Jetpack_Data::get_access_token(JETPACK_MASTER_USER); $master_user_id = absint($master_token->external_user_id); if (!$master_user_id) { return; } // this shouldn't happen Jetpack::xmlrpc_async_call('jetpack.updateRole', $user_id, $signed_role); //@todo retry on failure //try to choose a new master if we're demoting the current one if ($user_id == $master_user_id && 'administrator' != $role) { $query = new WP_User_Query(array('fields' => array('id'), 'role' => 'administrator', 'orderby' => 'id', 'exclude' => array($master_user_id))); $new_master = false; foreach ($query->results as $result) { $uid = absint($result->id); if ($uid && Jetpack::is_user_connected($uid)) { $new_master = $uid; break; } } if ($new_master) { Jetpack_Options::update_option('master_user', $new_master); } // else disconnect..? } } }
static function get_role($user_id) { if (isset($user_roles[$user_id])) { return $user_roles[$user_id]; } $current_user_id = get_current_user_id(); wp_set_current_user($user_id); $role = Jetpack::translate_current_user_to_role(); wp_set_current_user($current_user_id); $user_roles[$user_id] = $role; return $role; }
/** * The function that actually handles the login! */ function handle_login() { $wpcom_nonce = sanitize_key($_GET['sso_nonce']); $wpcom_user_id = (int) $_GET['user_id']; Jetpack::load_xml_rpc_client(); $xml = new Jetpack_IXR_Client(array('user_id' => get_current_user_id())); $xml->query('jetpack.sso.validateResult', $wpcom_nonce, $wpcom_user_id); if ($xml->isError()) { $error_message = sanitize_text_field(sprintf('%s: %s', $xml->getErrorCode(), $xml->getErrorMessage())); JetpackTracking::record_user_event('sso_login_failed', array('error_message' => $error_message)); wp_die($error_message); } $user_data = $xml->getResponse(); if (empty($user_data)) { JetpackTracking::record_user_event('sso_login_failed', array('error_message' => 'invalid_response_data')); wp_die(__('Error, invalid response data.', 'jetpack')); } $user_data = (object) $user_data; $user = null; /** * Fires before Jetpack's SSO modifies the log in form. * * @module sso * * @since 2.6.0 * * @param object $user_data WordPress.com User information. */ do_action('jetpack_sso_pre_handle_login', $user_data); if (Jetpack_SSO_Helpers::is_two_step_required() && 0 === (int) $user_data->two_step_enabled) { $this->user_data = $user_data; JetpackTracking::record_user_event('sso_login_failed', array('error_message' => 'error_msg_enable_two_step')); /** This filter is documented in core/src/wp-includes/pluggable.php */ do_action('wp_login_failed', $user_data->login); add_filter('login_message', array($this, 'error_msg_enable_two_step')); return; } $user_found_with = ''; if (empty($user) && isset($user_data->external_user_id)) { $user_found_with = 'external_user_id'; $user = get_user_by('id', intval($user_data->external_user_id)); if ($user) { update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID); } } // If we don't have one by wpcom_user_id, try by the email? if (empty($user) && Jetpack_SSO_Helpers::match_by_email()) { $user_found_with = 'match_by_email'; $user = get_user_by('email', $user_data->email); if ($user) { update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID); } } // If we've still got nothing, create the user. if (empty($user) && (get_option('users_can_register') || Jetpack_SSO_Helpers::new_user_override())) { // If not matching by email we still need to verify the email does not exist // or this blows up /** * If match_by_email is true, we know the email doesn't exist, as it would have * been found in the first pass. If get_user_by( 'email' ) doesn't find the * user, then we know that email is unused, so it's safe to add. */ if (Jetpack_SSO_Helpers::match_by_email() || !get_user_by('email', $user_data->email)) { $username = $user_data->login; if (username_exists($username)) { $username = $user_data->login . '_' . $user_data->ID; } $tries = 0; while (username_exists($username)) { $username = $user_data->login . '_' . $user_data->ID . '_' . mt_rand(); if ($tries++ >= 5) { JetpackTracking::record_user_event('sso_login_failed', array('error_message' => 'could_not_create_username')); wp_die(__("Error: Couldn't create suitable username.", 'jetpack')); } } $user_found_with = Jetpack_SSO_Helpers::new_user_override() ? 'user_created_new_user_override' : 'user_created_users_can_register'; $password = wp_generate_password(20); $user_id = wp_create_user($username, $password, $user_data->email); $user = get_userdata($user_id); $user->display_name = $user_data->display_name; $user->first_name = $user_data->first_name; $user->last_name = $user_data->last_name; $user->url = $user_data->url; $user->description = $user_data->description; wp_update_user($user); update_user_meta($user->ID, 'wpcom_user_id', $user_data->ID); } else { JetpackTracking::record_user_event('sso_login_failed', array('error_message' => 'error_msg_email_already_exists')); $this->user_data = $user_data; add_action('login_message', array($this, 'error_msg_email_already_exists')); return; } } /** * Fires after we got login information from WordPress.com. * * @module sso * * @since 2.6.0 * * @param array $user Local User information. * @param object $user_data WordPress.com User Login information. */ do_action('jetpack_sso_handle_login', $user, $user_data); if ($user) { // Cache the user's details, so we can present it back to them on their user screen update_user_meta($user->ID, 'wpcom_user_data', $user_data); $remember = false; if (!empty($_COOKIE['jetpack_sso_remember_me'])) { $remember = true; // And then purge it setcookie('jetpack_sso_remember_me', ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN); } /** * Filter the remember me value. * * @module sso * * @since 2.8.0 * * @param bool $remember Is the remember me option checked? */ $remember = apply_filters('jetpack_remember_login', $remember); wp_set_auth_cookie($user->ID, $remember); /** This filter is documented in core/src/wp-includes/user.php */ do_action('wp_login', $user->user_login, $user); wp_set_current_user($user->ID); $_request_redirect_to = isset($_REQUEST['redirect_to']) ? esc_url_raw($_REQUEST['redirect_to']) : ''; $redirect_to = user_can($user, 'edit_posts') ? admin_url() : self::profile_page_url(); // If we have a saved redirect to request in a cookie if (!empty($_COOKIE['jetpack_sso_redirect_to'])) { // Set that as the requested redirect to $redirect_to = $_request_redirect_to = esc_url_raw($_COOKIE['jetpack_sso_redirect_to']); // And then purge it setcookie('jetpack_sso_redirect_to', ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN); } $is_user_connected = Jetpack::is_user_connected($user->ID); JetpackTracking::record_user_event('sso_user_logged_in', array('user_found_with' => $user_found_with, 'user_connected' => (bool) $is_user_connected, 'user_role' => Jetpack::translate_current_user_to_role())); if (!$is_user_connected) { $calypso_env = !empty($_GET['calypso_env']) ? sanitize_key($_GET['calypso_env']) : ''; wp_safe_redirect(add_query_arg(array('redirect_to' => $redirect_to, 'request_redirect_to' => $_request_redirect_to, 'calypso_env' => $calypso_env, 'jetpack-sso-auth-redirect' => '1'), admin_url())); exit; } wp_safe_redirect(apply_filters('login_redirect', $redirect_to, $_request_redirect_to, $user)); exit; } add_filter('jetpack_sso_default_to_sso_login', '__return_false'); JetpackTracking::record_user_event('sso_login_failed', array('error_message' => 'cant_find_user')); $this->user_data = $user_data; /** This filter is documented in core/src/wp-includes/pluggable.php */ do_action('wp_login_failed', $user_data->login); add_filter('login_message', array($this, 'cant_find_user')); }
/** * @return object|WP_Error */ function get_token($data) { $role = Jetpack::translate_current_user_to_role(); if (!$role) { return new Jetpack_Error('role', __('An administrator for this blog must set up the Jetpack connection.', 'jetpack')); } $client_secret = Jetpack_Data::get_access_token(); if (!$client_secret) { return new Jetpack_Error('client_secret', __('You need to register your Jetpack before connecting it.', 'jetpack')); } $redirect = isset($data['redirect']) ? esc_url_raw((string) $data['redirect']) : ''; $redirect_uri = 'calypso' === $data['auth_type'] ? $data['redirect_uri'] : add_query_arg(array('action' => 'authorize', '_wpnonce' => wp_create_nonce("jetpack-authorize_{$role}_{$redirect}"), 'redirect' => $redirect ? urlencode($redirect) : false), menu_page_url('jetpack', false)); $body = array('client_id' => Jetpack_Options::get_option('id'), 'client_secret' => $client_secret->secret, 'grant_type' => 'authorization_code', 'code' => $data['code'], 'redirect_uri' => $redirect_uri); $args = array('method' => 'POST', 'body' => $body, 'headers' => array('Accept' => 'application/json')); $response = Jetpack_Client::_wp_remote_request(Jetpack::fix_url_for_bad_hosts(Jetpack::api_url('token')), $args); if (is_wp_error($response)) { return new Jetpack_Error('token_http_request_failed', $response->get_error_message()); } $code = wp_remote_retrieve_response_code($response); $entity = wp_remote_retrieve_body($response); if ($entity) { $json = json_decode($entity); } else { $json = false; } if (200 != $code || !empty($json->error)) { if (empty($json->error)) { return new Jetpack_Error('unknown', '', $code); } $error_description = isset($json->error_description) ? sprintf(__('Error Details: %s', 'jetpack'), (string) $json->error_description) : ''; return new Jetpack_Error((string) $json->error, $error_description, $code); } if (empty($json->access_token) || !is_scalar($json->access_token)) { return new Jetpack_Error('access_token', '', $code); } if (empty($json->token_type) || 'X_JETPACK' != strtoupper($json->token_type)) { return new Jetpack_Error('token_type', '', $code); } if (empty($json->scope)) { return new Jetpack_Error('scope', 'No Scope', $code); } @(list($role, $hmac) = explode(':', $json->scope)); if (empty($role) || empty($hmac)) { return new Jetpack_Error('scope', 'Malformed Scope', $code); } if (Jetpack::sign_role($role) !== $json->scope) { return new Jetpack_Error('scope', 'Invalid Scope', $code); } if (!($cap = Jetpack::translate_role_to_cap($role))) { return new Jetpack_Error('scope', 'No Cap', $code); } if (!current_user_can($cap)) { return new Jetpack_Error('scope', 'current_user_cannot', $code); } /** * Fires after user has successfully received an auth token. * * @since 3.9.0 */ do_action('jetpack_user_authorized'); return (string) $json->access_token; }