Added validation for the auth params
This commit is contained in:
parent
a989184135
commit
8cfa3eed75
|
@ -45,6 +45,20 @@ class WC_Auth {
|
|||
add_rewrite_endpoint( 'wc-auth', EP_ROOT );
|
||||
}
|
||||
|
||||
/**
|
||||
* [build_url description]
|
||||
* @param [type] $data [description]
|
||||
* @param [type] $url [description]
|
||||
* @return [type] [description]
|
||||
*/
|
||||
protected function build_url( $data, $url ) {
|
||||
return add_query_arg( array(
|
||||
'app_name' => wc_clean( $data['app_name'] ),
|
||||
'return_url' => urlencode( $data['return_url'] ),
|
||||
'permission_type' => absint( $data['permission_type'] ),
|
||||
), $url );
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle auth requests
|
||||
*
|
||||
|
@ -61,23 +75,46 @@ class WC_Auth {
|
|||
if ( ! empty( $wp->query_vars['wc-auth'] ) ) {
|
||||
ob_start();
|
||||
|
||||
$method = strtolower( wc_clean( $wp->query_vars['wc-auth'] ) );
|
||||
try {
|
||||
$method = strtolower( wc_clean( $wp->query_vars['wc-auth'] ) );
|
||||
|
||||
if ( is_user_logged_in() ) {
|
||||
$method = 'grant_access';
|
||||
if ( empty( $_REQUEST['app_name'] ) ) {
|
||||
throw new Exception( sprintf( __( 'Missing parameter %s', 'woocommerce' ), 'app_name' ) );
|
||||
}
|
||||
|
||||
if ( empty( $_REQUEST['return_url'] ) ) {
|
||||
throw new Exception( sprintf( __( 'Missing parameter %s', 'woocommerce' ), 'return_url' ) );
|
||||
}
|
||||
|
||||
if ( empty( $_REQUEST['permission_type'] ) ) {
|
||||
throw new Exception( sprintf( __( 'Missing parameter %s', 'woocommerce' ), 'permission_type' ) );
|
||||
}
|
||||
|
||||
if ( is_user_logged_in() ) {
|
||||
$method = 'grant_access';
|
||||
}
|
||||
|
||||
$params = array(
|
||||
'app_name' => $_REQUEST['app_name'],
|
||||
'return_url' => $_REQUEST['return_url'],
|
||||
'permission_type' => $_REQUEST['permission_type'],
|
||||
'redirect' => $this->build_url( $_REQUEST, wc_get_endpoint_url( 'wc-auth', 'login', get_home_url( '/' ) ) )
|
||||
);
|
||||
|
||||
if ( 'login' == $method && ! is_user_logged_in() ) { // Login endpoint
|
||||
wc_get_template( 'auth/form-login.php', $params );
|
||||
|
||||
exit;
|
||||
} else if ( 'grant_access' == $method && current_user_can( 'manage_woocommerce' ) ) {
|
||||
wc_get_template( 'auth/form-grant-access.php', $params );
|
||||
|
||||
exit;
|
||||
}
|
||||
|
||||
wp_die( __( 'You do not have permissions to access this page!' ), __( 'Access Denied', 'woocommerce' ), array( 'response' => 401 ) );
|
||||
} catch ( Exception $e ) {
|
||||
wp_die( sprintf( __( 'Error: %s', 'woocommerce' ), $e->getMessage() ), __( 'Access Denied', 'woocommerce' ), array( 'response' => 401 ) );
|
||||
}
|
||||
|
||||
if ( 'login' == $method && ! is_user_logged_in() ) { // Login endpoint
|
||||
wc_get_template( 'auth/form-login.php' );
|
||||
|
||||
exit;
|
||||
} else if ( 'grant_access' == $method && current_user_can( 'manage_woocommerce' ) ) {
|
||||
wc_get_template( 'auth/form-login.php' );
|
||||
|
||||
exit;
|
||||
}
|
||||
|
||||
wp_die( __( 'You do not have permissions to access this page!' ), __( 'Access Denied', 'woocommerce' ), array( 'response' => 401 ) );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,8 +17,13 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|||
|
||||
<h1><?php echo esc_html( get_bloginfo( 'name' ) ); ?></h1>
|
||||
|
||||
<?php wc_print_notices(); ?>
|
||||
|
||||
<form method="post" class="grant-access">
|
||||
|
||||
<input type="hidden" name="permission_type" value="<?php echo absint( $permission_type ); ?>">
|
||||
</form>
|
||||
|
||||
<a href="<?php echo esc_url( urldecode( $return_url ) ); ?>"><?php printf( __( 'Return To %s', 'woocommerce' ), wc_clean( $app_name ) ); ?></a>
|
||||
|
||||
<?php do_action( 'woocommerce_auth_page_footer' ); ?>
|
||||
|
|
|
@ -17,11 +17,13 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|||
|
||||
<h1><?php printf( __( 'Login To %s', 'woocommerce' ), esc_html( get_bloginfo( 'name' ) ) ); ?></h1>
|
||||
|
||||
<?php wc_print_notices(); ?>
|
||||
|
||||
<form method="post" class="login">
|
||||
|
||||
<p class="form-row form-row-wide">
|
||||
<label for="username"><?php _e( 'Username or email address', 'woocommerce' ); ?> <span class="required">*</span></label>
|
||||
<input type="text" class="input-text" name="username" id="username" value="<?php if ( ! empty( $_POST['username'] ) ) echo esc_attr( $_POST['username'] ); ?>" />
|
||||
<input type="text" class="input-text" name="username" id="username" value="<?php echo ( ! empty( $_POST['username'] ) ) ? esc_attr( $_POST['username'] ) : ''; ?>" />
|
||||
</p>
|
||||
<p class="form-row form-row-wide">
|
||||
<label for="password"><?php _e( 'Password', 'woocommerce' ); ?> <span class="required">*</span></label>
|
||||
|
@ -32,6 +34,9 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|||
<input type="submit" class="button" name="login" value="<?php _e( 'Login', 'woocommerce' ); ?>" />
|
||||
</p>
|
||||
|
||||
<input type="hidden" name="redirect" value="<?php echo esc_url( $redirect ); ?>" />
|
||||
</form>
|
||||
|
||||
<a href="<?php echo esc_url( urldecode( $return_url ) ); ?>"><?php printf( __( 'Return To %s', 'woocommerce' ), wc_clean( $app_name ) ); ?></a>
|
||||
|
||||
<?php do_action( 'woocommerce_auth_page_footer' ); ?>
|
||||
|
|
Loading…
Reference in New Issue