<?php
/**
 * Plugins administration panel.
 *
 * Access is decided by two checks that run before any request data is read:
 * the XTEC gate and then the stock 'activate_plugins' capability check.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once dirname(__FILE__) . '/admin.php';

// XTEC ************ AFEGIT - Block access to plugin management to all users but xtecadmin, only in Nodes
// 2014.10.21 @aginard
// 2015.07.31 @nacho
// (XTEC patch markers: AFEGIT = added, FI = end.)
// When is_xtecblocs() is false, only callers for whom is_xtec_super_admin() is true
// get past this point. Both helpers are defined outside this excerpt.
if (!is_xtecblocs() && !is_xtec_super_admin()) {
    wp_die(__('You do not have sufficient permissions to manage plugins for this site.'));
}
//************ FI

// Stock capability check; it still applies to callers who passed the XTEC gate.
if (!current_user_can('activate_plugins')) {
    wp_die(__('You do not have sufficient permissions to manage plugins for this site.'));
}

$wp_list_table = _get_list_table('WP_Plugins_List_Table');
$pagenum = $wp_list_table->get_pagenum();

$action = $wp_list_table->current_action();

// Raw request value: nothing in this excerpt validates or sanitises it.
// NOTE(review): confirm that every action branch verifies a nonce and validates
// the plugin path before using $plugin.
$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
// Search term, URL-encoded here.
$s = isset($_REQUEST['s']) ? urlencode($_REQUEST['s']) : '';

// Clean up request URI from temporary args for screen options/paging uri's to work as expected.
$_SERVER['REQUEST_URI'] = remove_query_arg(array('error', 'deleted', 'activate', 'activate-multi', 'deactivate', 'deactivate-multi', '_error_nonce'), $_SERVER['REQUEST_URI']);

wp_enqueue_script('updates');

if ($action) {
    switch ($action) {
        case 'activate':
            // Excerpt ends here; the body of this case and the remaining cases are not shown.
/**
 * Registers the theme "Editor" submenu entry under themes.php.
 *
 * The entry points at theme-editor.php and requires the 'edit_themes' capability.
 */
function _add_themes_utility_last() {
    // Must use API on the admin_menu hook, direct modification is only possible on/before the _admin_menu hook
    add_submenu_page('themes.php', _x('Editor', 'theme editor'), _x('Editor', 'theme editor'), 'edit_themes', 'theme-editor.php');
}

// Update-count badge appended to the "Plugins" menu label; left empty on multisite
// and for users without 'update_plugins'.
$count = '';
if (!is_multisite() && current_user_can('update_plugins')) {
    if (!isset($update_data)) {
        $update_data = wp_get_update_data();
    }
    $count = "<span class='update-plugins count-{$update_data['counts']['plugins']}'><span class='plugin-count'>" . number_format_i18n($update_data['counts']['plugins']) . "</span></span>";
}

// XTEC ************ AFEGIT - Block access to plugin management to all users but xtecadmin, only in Nodes
// 2014.10.21 @aginard
// 2015.07.31 @nacho
// (XTEC patch markers: AFEGIT = added, FI = end.)
// The Plugins menu entries are only registered when is_xtecblocs() or
// is_xtec_super_admin() holds. As far as this excerpt shows, that controls what
// is listed in the menu and nothing else.
// NOTE(review): plugins.php, plugin-install.php and plugin-editor.php can still be
// requested by URL; confirm each of those pages enforces the same restriction itself.
if (is_xtecblocs() || is_xtec_super_admin()) {
//************ FI

$menu[65] = array(sprintf(__('Plugins %s'), $count), 'activate_plugins', 'plugins.php', '', 'menu-top menu-icon-plugins', 'menu-plugins', 'dashicons-admin-plugins');

$submenu['plugins.php'][5] = array(__('Installed Plugins'), 'activate_plugins', 'plugins.php');

// Installing and editing plugins is only offered outside multisite.
if (!is_multisite()) {
    /* translators: add new plugin */
    $submenu['plugins.php'][10] = array(_x('Add New', 'plugin'), 'install_plugins', 'plugin-install.php');
    $submenu['plugins.php'][15] = array(_x('Editor', 'plugin editor'), 'edit_plugins', 'plugin-editor.php');
}

// XTEC ************ AFEGIT - Block access to plugin management to all users but xtecadmin
// 2014.10.21 @aginard
}
//************ FI

unset($update_data);

if (current_user_can('list_users')) {
    $menu[70] = array(__('Users'), 'list_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'dashicons-admin-users');
    // Excerpt ends here; the rest of this branch is not shown.
/**
 * Render the bulk "change role" controls of the Users list table.
 *
 * Nothing is printed for any position other than "top", nor on XTECBlocs while
 * the list is filtered with status=unactive.
 *
 * The XTEC condition only decides whether the form controls are printed.
 * NOTE(review): the code that handles the 'changeit' submission is outside this
 * excerpt; confirm it also refuses bulk role changes for the unactive view,
 * since leaving a control out of the page does not reject a request that
 * carries its fields.
 *
 * @since 3.1.0
 * @access protected
 *
 * @param string $which Whether this is being invoked above ("top")
 *                      or below the table ("bottom").
 */
protected function extra_tablenav($which) {
    // XTEC ************ AFEGIT - Hide bulk actions because of the unactive role.
    // 2015.02.15 @vsaavedra
    // Loose comparison kept as in the original condition.
    if (is_xtecblocs() && isset($_REQUEST['status']) && $_REQUEST['status'] == 'unactive') {
        return;
    }
    // ************ FI

    if ('top' != $which) {
        return;
    }
    ?>
    <div class="alignleft actions">
    <?php if (current_user_can('promote_users')) : ?>
        <label class="screen-reader-text" for="new_role"><?php _e('Change role to…'); ?> </label>
        <select name="new_role" id="new_role">
            <option value=""><?php _e('Change role to…'); ?> </option>
            <?php wp_dropdown_roles(); ?>
        </select>
    <?php
        submit_button(__('Change'), 'button', 'changeit', false);
    endif;

    /**
     * Fires just before the closing div containing the bulk role-change controls
     * in the Users list table.
     *
     * @since 3.5.0
     */
    do_action('restrict_manage_users');

    echo '</div>';
}
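/**
 * Checks a user's login information and tries to log them in through the LDAP
 * server or locally, depending on plugin configuration. Usernames longer than
 * 8 chars, the 'admin' user and (in XTECBlocs) accounts with an edu365 e-mail
 * always log in locally. Users that validate successfully via LDAP but do not
 * exist locally are created using the WordPress API.
 *
 * Security-relevant behaviour:
 *  - Blank usernames and passwords are rejected before any LDAP call.
 *  - The username is escaped separately for the bind DN and for the search
 *    filter, so LDAP metacharacters typed at the login form are treated as data.
 *  - A successful bind that matches neither a local account nor exactly one
 *    directory entry is refused instead of returning an empty WP_User.
 *  - After a successful bind the local password hash is overwritten with the
 *    directory password, so a local copy of the directory credential exists.
 *
 * @param WP_User|WP_Error|null $user Result of earlier 'authenticate' callbacks.
 * @param string $username User's username
 * @param string $password User's password
 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
 */
function xtec_ldap_authenticate($user, $username, $password) {
    // An earlier callback on the 'authenticate' filter already produced a user.
    if ($user instanceof WP_User) {
        return $user;
    }

    // Remove standard authentication only in XTECBlocs.
    if (is_xtecblocs()) {
        remove_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
    }

    // Refuse blank credentials up front. This also keeps an empty password away
    // from ldap_bind(), where a simple bind without a password can succeed as an
    // unauthenticated bind on servers that allow it.
    if (empty($username) || empty($password)) {
        $error = new WP_Error();

        if (empty($username)) {
            $error->add('empty_username', __('The username is empty.', 'xtec-ldap-login'));
        }

        if (empty($password)) {
            $error->add('empty_password', __('The password is empty.', 'xtec-ldap-login'));
        }

        return $error;
    }

    // Remove a trailing '@xtec.cat' if present. Only a real suffix is stripped:
    // testing strpos() for truthiness also matched the domain in the middle of the
    // string and then cut unrelated characters off the end of the username.
    $domain_length = strlen(XTEC_DOMAIN);
    if ($domain_length > 0
        && strlen($username) > $domain_length
        && substr($username, -$domain_length) === XTEC_DOMAIN) {
        $username = substr($username, 0, -$domain_length);
    }

    // Check if user exists in wp_users
    $user_info = get_user_by('login', $username);

    // If cannot find user_login in wp_users, look for any user with @xtec.cat e-mail
    if ($user_info === false) {
        $user_info = get_user_by('email', $username . XTEC_DOMAIN);
    }

    // In some cases always do local login (admin and @edu365.cat)
    if ($user_info && (strlen($username) > 8 || $username === 'admin' || is_xtecblocs() && preg_match("/^.+@edu365\\.cat\$/", $user_info->user_email))) {
        if (!wp_check_password($password, $user_info->user_pass, $user_info->ID)) {
            do_action('wp_login_failed', $username);
            return new WP_Error('incorrect_password', __('The password is not correct', 'xtec-ldap-login'));
        }
        return new WP_User($user_info->ID);
    }

    $xtec_ldap_login_type = get_site_option('xtec_ldap_login_type');
    $xtec_ldap_host = get_site_option('xtec_ldap_host');
    $xtec_ldap_port = get_site_option('xtec_ldap_port');
    $xtec_ldap_version = get_site_option('xtec_ldap_version');
    $xtec_ldap_base_dn = get_site_option('xtec_ldap_base_dn');

    if ($xtec_ldap_login_type === 'LDAP') {
        // The username comes straight from the login form and ends up inside a DN
        // and a search filter, which have different metacharacters, so it is
        // escaped once per context. ldap_escape() needs PHP 5.6+; without it the
        // login is refused when the name contains any LDAP metacharacter rather
        // than being interpolated unescaped.
        if (function_exists('ldap_escape')) {
            $dn_username = ldap_escape($username, '', LDAP_ESCAPE_DN);
            $filter_username = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
        } elseif ($username !== trim($username) || preg_match('/[\x00-\x1f\\\\,+"<>;=#*()]/', $username)) {
            do_action('wp_login_failed', $username);
            return new WP_Error('incorrect_password', __('Could not bind to the LDAP directory. The username, the password or both are not correct', 'xtec-ldap-login'));
        } else {
            $dn_username = $username;
            $filter_username = $username;
        }

        // Verify credentials through LDAP
        // NOTE(review): the simple bind below sends the password to the directory
        // server. Unless xtec_ldap_host is an ldaps:// URI or StartTLS is negotiated
        // (neither is visible in this function) it travels in clear text - confirm.
        $ldap_conn = ldap_connect($xtec_ldap_host, $xtec_ldap_port);
        if ($ldap_conn === false) {
            return new WP_Error('ldap_connection', __('Could not connect to LDAP server', 'xtec-ldap-login'));
        }
        ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, $xtec_ldap_version);

        // '@' hides the warning PHP raises for rejected credentials; the result is checked below.
        $ldap_bind = @ldap_bind($ldap_conn, 'cn=' . $dn_username . ',' . $xtec_ldap_base_dn, $password);
        if ($ldap_bind === false) {
            ldap_unbind($ldap_conn);
            // If LDAP fails, in Nodes, this do_action activates the local login. In XTECBlocs,
            // it was previously removed, so this do_action has no effect
            do_action('wp_login_failed', $username);
            return new WP_Error('incorrect_password', __('Could not bind to the LDAP directory. The username, the password or both are not correct', 'xtec-ldap-login'));
        }

        $result = ldap_search($ldap_conn, $xtec_ldap_base_dn, '(cn=' . $filter_username . ')', array('cn', 'sn', 'givenname', 'mail'));
        $ldap_user = ($result === false) ? false : ldap_get_entries($ldap_conn, $result);
        // The connection is not needed past this point.
        ldap_unbind($ldap_conn);
        if (!is_array($ldap_user) || !isset($ldap_user['count'])) {
            // A failed search is handled like "no entry found".
            $ldap_user = array('count' => 0);
        }

        // Attributes of the single matching entry; a missing attribute becomes ''.
        $ldap_given_name = '';
        $ldap_surname = '';
        $ldap_mail = '';
        if ($ldap_user['count'] == 1) {
            $ldap_given_name = isset($ldap_user[0]['givenname'][0]) ? $ldap_user[0]['givenname'][0] : '';
            $ldap_surname = isset($ldap_user[0]['sn'][0]) ? $ldap_user[0]['sn'][0] : '';
            $ldap_mail = isset($ldap_user[0]['mail'][0]) ? $ldap_user[0]['mail'][0] : '';
        }
        $is_xtec_mail = ($ldap_user['count'] == 1 && strstr($ldap_mail, '@') === XTEC_DOMAIN);

        // If user does not exist in wp_users and the credentials are valid in LDAP, create the local user
        if (!$user_info && $ldap_user['count'] == 1) {
            // Create user using wp standard API
            $user_data = array(
                'user_pass' => $password,
                'user_login' => $username,
                'user_nicename' => $ldap_given_name . ' ' . $ldap_surname,
                'user_email' => $ldap_mail,
                'display_name' => $ldap_given_name . ' ' . $ldap_surname,
                'first_name' => $ldap_given_name,
                'last_name' => $ldap_surname,
            );

            // In Àgora will use the default role of WordPress
            if (is_xtecblocs()) {
                $user_data['role'] = 'subscriber';
            }

            // Insert the user into the database (creates it)
            $user_id = wp_insert_user($user_data);

            // Check the result before using it as a user ID for the metadata write.
            if (is_wp_error($user_id)) {
                return new WP_Error($user_id->get_error_code(), $user_id->get_error_message());
            }

            // Set user metadata required for XTECBlocs
            if ($is_xtec_mail) {
                update_user_meta($user_id, 'xtec_user_creator', 'LDAP_XTEC');
            }

            // Do the actual validation
            return new WP_User($user_id);
        }

        // The bind succeeded but there is no local account and no single directory
        // entry to build one from. Stop here: the code below reads properties of
        // $user_info and would otherwise end in new WP_User(null).
        if (!$user_info) {
            return new WP_Error('invalid_username', __('The user could not be found in the LDAP directory', 'xtec-ldap-login'));
        }

        if (is_multisite()) {
            // Is user marked as spam?
            if (1 == $user_info->spam) {
                return new WP_Error('invalid_username', __('Your account has been marked as a spammer', 'xtec-ldap-login'));
            }

            // Is a user's blog marked as spam?
            if (!is_super_admin($user_info->ID) && isset($user_info->primary_blog)) {
                $details = get_blog_details($user_info->primary_blog);
                if (is_object($details) && $details->spam == 1) {
                    return new WP_Error('blog_suspended', __('Site Suspended', 'xtec-ldap-login'));
                }
            }
        }

        $user_info = apply_filters('wp_authenticate_user', $user_info, $password);
        if (is_wp_error($user_info)) {
            return new WP_Error($user_info->get_error_code(), $user_info->get_error_message());
        }

        // Update the password if it has changed
        if (!wp_check_password($password, $user_info->user_pass, $user_info->ID)) {
            wp_update_user(array('ID' => $user_info->ID, 'user_pass' => $password));
        }

        if ($is_xtec_mail) {
            // Ensure the user metadata is set, as it is required to create blogs in XTECBlocs
            update_user_meta($user_info->ID, 'xtec_user_creator', 'LDAP_XTEC');
        }

        // Do the actual validation
        return new WP_User($user_info->ID);
    }

    // get_site_option('xtec_ldap_login_type') == "Application Data Base"
    // An unknown account gets the same answer as a wrong password, and is caught
    // before user_pass is read from a false $user_info. The username is escaped
    // because it is placed inside an HTML message.
    if (!$user_info || !wp_check_password($password, $user_info->user_pass, $user_info->ID)) {
        return new WP_Error('incorrect_password', sprintf(__('The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?', 'xtec-ldap-login'), esc_html($username), site_url('wp-login.php?action=lostpassword', 'login')));
    }

    // Do the actual validation
    return new WP_User($user_info->ID);
}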
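* This is a WordPress plugin settings that handles calling reCAPTCHA.
*    - Documentation and latest version
*          https://developers.google.com/recaptcha/docs/php
*    - Get a reCAPTCHA API Key
*          https://www.google.com/recaptcha/admin/create
*    - Discussion group
*          http://groups.google.com/group/recaptcha
*
* @link      http://www.google.com/recaptcha
*/

// This file is meant to be pulled in by the plugin, not requested on its own:
// it stops unless the including code has defined ALLOW_INCLUDE.
if (defined('ALLOW_INCLUDE') === false) {
    die('no direct access');
}

// XTEC ********** AFEGIT -> Update site parameters (to share them in all blogs)
// 2015.06.12 @sarjona
// (XTEC patch markers: AFEGIT = added, FI = end.)
// NOTE(review): this branch rewrites a network-wide option whenever the request
// carries 'settings-updated'. No capability or nonce check is visible in this
// fragment; confirm the including page is restricted to network administrators.
if (is_xtecblocs() && isset($_REQUEST['settings-updated'])) {
    $blog_options = get_option('recaptcha_options');

    // Only promote options that exist on the current blog. Once they have been
    // moved, get_option() returns false; a later request that still carries
    // 'settings-updated' (for example a page reload) would otherwise pass false
    // to validate_options() and overwrite the shared keys with its result.
    if ($blog_options !== false) {
        // Move recaptcha options from current blog (wp_options) to site option (wp_sitemeta)
        update_site_option('recaptcha_options', $this->validate_options($blog_options));
        // Remove recaptcha options from current blog (wp_options)
        delete_option('recaptcha_options');
    }

    $this->options = WPPlugin::retrieve_options('recaptcha_options');
} else {
    if (is_agora()) {
        // In Agora the site key and the secret come from the global $agora
        // configuration and replace whatever retrieve_options() returned.
        global $agora;
        $this->options = WPPlugin::retrieve_options('recaptcha_options');
        $this->options['site_key'] = $agora['recaptchapublickey'];
        $this->options['secret'] = $agora['recaptchaprivatekey'];
    }
}
// ********** FI
?>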