File: authorize-application.php
<?php
/**
 * Authorize Application Screen
 *
 * Screen on which the current user approves or rejects an application's
 * request for an application password.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** Load the WordPress Administration Bootstrap. */
require_once __DIR__ . '/admin.php';

// Result holders for the no-JS approval flow below:
// the plain-text password on success, a WP_Error when creation fails.
$new_password = '';
$error        = null;

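/*
 * This is the no-js fallback script. Generally this will all be handled by `auth-app.js`.
 *
 * check_admin_referer() verifies the nonce that the form on this screen emits
 * with wp_nonce_field(). The posted fields are still plain request input, so
 * they are type-checked and passed through the same request validation this
 * screen applies before rendering the form, ahead of any password being
 * created or any redirect being issued.
 */
if ( isset( $_POST['action'] ) && 'authorize_application_password' === $_POST['action'] ) {
	check_admin_referer( 'authorize_application_password' );

	// Missing or non-string fields become '' instead of raising an undefined-index
	// notice or reaching the URL helpers as arrays.
	$success_url = ( isset( $_POST['success_url'] ) && is_string( $_POST['success_url'] ) ) ? $_POST['success_url'] : '';
	$reject_url  = ( isset( $_POST['reject_url'] ) && is_string( $_POST['reject_url'] ) ) ? $_POST['reject_url'] : '';
	$app_name    = ( isset( $_POST['app_name'] ) && is_string( $_POST['app_name'] ) ) ? $_POST['app_name'] : '';
	$app_id      = ( isset( $_POST['app_id'] ) && is_string( $_POST['app_id'] ) ) ? $_POST['app_id'] : '';
	$redirect    = '';
	$user        = wp_get_current_user();

	// Defense in depth: success_url receives the new password on approval and
	// reject_url is an off-site redirect target, so validate both before use.
	$is_valid = wp_is_authorize_application_password_request_valid(
		compact( 'app_name', 'app_id', 'success_url', 'reject_url' ),
		$user
	);

	if ( is_wp_error( $is_valid ) ) {
		wp_die(
			__( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
			__( 'Cannot Authorize Application' )
		);
	}

	if ( isset( $_POST['reject'] ) ) {
		$redirect = $reject_url ? $reject_url : admin_url();
	} elseif ( isset( $_POST['approve'] ) && wp_is_application_passwords_available_for_user( $user ) ) {
		// When application passwords are unavailable for this user nothing is
		// created here; the availability check further down this file reports it.
		$created = WP_Application_Passwords::create_new_application_password(
			get_current_user_id(),
			array(
				'name'   => $app_name,
				'app_id' => $app_id,
			)
		);

		if ( is_wp_error( $created ) ) {
			// Rendered as an error notice on the screen below.
			$error = $created;
		} else {
			list( $new_password ) = $created;

			if ( $success_url ) {
				// The plain-text password travels in the query string of the
				// application's callback URL, so it may be recorded wherever
				// that URL is logged or stored.
				$redirect = add_query_arg(
					array(
						'site_url'   => urlencode( site_url() ),
						'user_login' => urlencode( $user->user_login ),
						'password'   => urlencode( $new_password ),
					),
					$success_url
				);
			}
		}
	}

	if ( $redirect ) {
		// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
		wp_redirect( $redirect );
		exit;
	}
}
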
// Used in the HTML title tag.
$title = __( 'Authorize Application' );

// Parameters supplied with the authorization request. They are raw request
// input: absent or empty values fall back to '' (name, id) or null (URLs).
$app_name = '';
if ( ! empty( $_REQUEST['app_name'] ) ) {
	$app_name = $_REQUEST['app_name'];
}

$app_id = '';
if ( ! empty( $_REQUEST['app_id'] ) ) {
	$app_id = $_REQUEST['app_id'];
}

$success_url = null;
if ( ! empty( $_REQUEST['success_url'] ) ) {
	$success_url = $_REQUEST['success_url'];
}

// Reject target: the explicit reject_url when given, otherwise the success URL
// tagged with success=false, otherwise none.
$reject_url = null;
if ( ! empty( $_REQUEST['reject_url'] ) ) {
	$reject_url = $_REQUEST['reject_url'];
} elseif ( $success_url ) {
	$reject_url = add_query_arg( 'success', 'false', $success_url );
}

$user = wp_get_current_user();

// Same keys, in the same order, as compact( 'app_name', 'app_id', 'success_url', 'reject_url' ).
$request = array(
	'app_name'    => $app_name,
	'app_id'      => $app_id,
	'success_url' => $success_url,
	'reject_url'  => $reject_url,
);

// Holds a WP_Error when the request must be refused; checked right after this.
$is_valid = wp_is_authorize_application_password_request_valid( $request, $user );

// Refuse a request that failed validation, listing every reason reported.
if ( is_wp_error( $is_valid ) ) {
	$not_allowed = __( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() );

	wp_die( $not_allowed, __( 'Cannot Authorize Application' ) );
}

// Stop when the front end is protected by Basic Authentication.
if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
	$basic_auth_notice = __( 'Your website appears to use Basic Authentication, which is not currently compatible with application passwords.' );
	$basic_auth_title  = __( 'Cannot Authorize Application' );
	$basic_auth_args   = array(
		'response'  => 501,
		'link_text' => __( 'Go Back' ),
		// Back to the application with error=disabled when it supplied a reject URL, else to the dashboard.
		'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
	);

	wp_die( $basic_auth_notice, $basic_auth_title, $basic_auth_args );
}

// Stop when application passwords cannot be used by this user.
if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
	// The wording depends on whether the feature is available at all or only not for this account.
	$message = wp_is_application_passwords_available()
		? __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' )
		: __( 'Application passwords are not available.' );

	$unavailable_title = __( 'Cannot Authorize Application' );
	$unavailable_args  = array(
		'response'  => 501,
		'link_text' => __( 'Go Back' ),
	);

	if ( $reject_url ) {
		$unavailable_args['link_url'] = add_query_arg( 'error', 'disabled', $reject_url );
	} else {
		$unavailable_args['link_url'] = admin_url();
	}

	wp_die( $message, $unavailable_title, $unavailable_args );
}

// Load the script that normally drives this screen and hand it the request context.
wp_enqueue_script( 'auth-app' );

$auth_app_data = array(
	'site_url'   => site_url(),
	'user_login' => $user->user_login,
	'success'    => $success_url,
);

// Without a reject URL the script is given the dashboard URL instead.
if ( $reject_url ) {
	$auth_app_data['reject'] = $reject_url;
} else {
	$auth_app_data['reject'] = admin_url();
}

wp_localize_script( 'auth-app', 'authApp', $auth_app_data );

require_once ABSPATH . 'wp-admin/admin-header.php';

?>
<div class="wrap">
	<h1><?php echo esc_html( $title ); ?></h1>

	<?php
	// Report a failed password creation from the no-JS approval attempt, if there was one.
	if ( is_wp_error( $error ) ) :
		$error_notice_args = array(
			'type' => 'error',
		);

		wp_admin_notice( $error->get_error_message(), $error_notice_args );
	endif;
	?>

<div class="card auth-app-card">
[150] Fix | Delete
<h2 class="title"><?php _e( 'An application would like to connect to your account.' ); ?></h2>
[151] Fix | Delete
<?php if ( $app_name ) : ?>
[152] Fix | Delete
<p>
[153] Fix | Delete
<?php
[154] Fix | Delete
printf(
[155] Fix | Delete
/* translators: %s: Application name. */
[156] Fix | Delete
__( 'Would you like to give the application identifying itself as %s access to your account? You should only do this if you trust the application in question.' ),
[157] Fix | Delete
'<strong>' . esc_html( $app_name ) . '</strong>'
[158] Fix | Delete
);
[159] Fix | Delete
?>
[160] Fix | Delete
</p>
[161] Fix | Delete
<?php else : ?>
[162] Fix | Delete
<p><?php _e( 'Would you like to give this application access to your account? You should only do this if you trust the application in question.' ); ?></p>
[163] Fix | Delete
<?php endif; ?>
[164] Fix | Delete
[165] Fix | Delete
<?php
[166] Fix | Delete
if ( is_multisite() ) {
[167] Fix | Delete
$blogs = get_blogs_of_user( $user->ID, true );
[168] Fix | Delete
$blogs_count = count( $blogs );
[169] Fix | Delete
[170] Fix | Delete
if ( $blogs_count > 1 ) {
[171] Fix | Delete
?>
[172] Fix | Delete
<p>
[173] Fix | Delete
<?php
[174] Fix | Delete
/* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
[175] Fix | Delete
$message = _n(
[176] Fix | Delete
'This will grant access to <a href="%1$s">the %2$s site in this installation that you have permissions on</a>.',
[177] Fix | Delete
'This will grant access to <a href="%1$s">all %2$s sites in this installation that you have permissions on</a>.',
[178] Fix | Delete
$blogs_count
[179] Fix | Delete
);
[180] Fix | Delete
[181] Fix | Delete
if ( is_super_admin() ) {
[182] Fix | Delete
/* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
[183] Fix | Delete
$message = _n(
[184] Fix | Delete
'This will grant access to <a href="%1$s">the %2$s site on the network as you have Super Admin rights</a>.',
[185] Fix | Delete
'This will grant access to <a href="%1$s">all %2$s sites on the network as you have Super Admin rights</a>.',
[186] Fix | Delete
$blogs_count
[187] Fix | Delete
);
[188] Fix | Delete
}
[189] Fix | Delete
[190] Fix | Delete
printf(
[191] Fix | Delete
$message,
[192] Fix | Delete
admin_url( 'my-sites.php' ),
[193] Fix | Delete
number_format_i18n( $blogs_count )
[194] Fix | Delete
);
[195] Fix | Delete
?>
[196] Fix | Delete
</p>
[197] Fix | Delete
<?php
[198] Fix | Delete
}
[199] Fix | Delete
}
[200] Fix | Delete
?>
[201] Fix | Delete
[202] Fix | Delete
<?php
[203] Fix | Delete
if ( $new_password ) :
[204] Fix | Delete
$message = '<p class="application-password-display">
[205] Fix | Delete
<label for="new-application-password-value">' . sprintf(
[206] Fix | Delete
/* translators: %s: Application name. */
[207] Fix | Delete
esc_html__( 'Your new password for %s is:' ),
[208] Fix | Delete
'<strong>' . esc_html( $app_name ) . '</strong>'
[209] Fix | Delete
) . '
[210] Fix | Delete
</label>
[211] Fix | Delete
<input id="new-application-password-value" type="text" class="code" readonly="readonly" value="' . esc_attr( WP_Application_Passwords::chunk_password( $new_password ) ) . '" />
[212] Fix | Delete
</p>
[213] Fix | Delete
<p>' . __( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ) . '</p>';
[214] Fix | Delete
$args = array(
[215] Fix | Delete
'type' => 'success',
[216] Fix | Delete
'additional_classes' => array( 'notice-alt', 'below-h2' ),
[217] Fix | Delete
'paragraph_wrap' => false,
[218] Fix | Delete
);
[219] Fix | Delete
wp_admin_notice( $message, $args );
[220] Fix | Delete
[221] Fix | Delete
/**
[222] Fix | Delete
* Fires in the Authorize Application Password new password section in the no-JS version.
[223] Fix | Delete
*
[224] Fix | Delete
* In most cases, this should be used in combination with the {@see 'wp_application_passwords_approve_app_request_success'}
[225] Fix | Delete
* action to ensure that both the JS and no-JS variants are handled.
[226] Fix | Delete
*
[227] Fix | Delete
* @since 5.6.0
[228] Fix | Delete
* @since 5.6.1 Corrected action name and signature.
[229] Fix | Delete
*
[230] Fix | Delete
* @param string $new_password The newly generated application password.
[231] Fix | Delete
* @param array $request The array of request data. All arguments are optional and may be empty.
[232] Fix | Delete
* @param WP_User $user The user authorizing the application.
[233] Fix | Delete
*/
[234] Fix | Delete
do_action( 'wp_authorize_application_password_form_approved_no_js', $new_password, $request, $user );
[235] Fix | Delete
else :
[236] Fix | Delete
?>
[237] Fix | Delete
<form action="<?php echo esc_url( admin_url( 'authorize-application.php' ) ); ?>" method="post" class="form-wrap">
[238] Fix | Delete
<?php wp_nonce_field( 'authorize_application_password' ); ?>
[239] Fix | Delete
<input type="hidden" name="action" value="authorize_application_password" />
[240] Fix | Delete
<input type="hidden" name="app_id" value="<?php echo esc_attr( $app_id ); ?>" />
[241] Fix | Delete
<input type="hidden" name="success_url" value="<?php echo esc_url( $success_url ); ?>" />
[242] Fix | Delete
<input type="hidden" name="reject_url" value="<?php echo esc_url( $reject_url ); ?>" />
[243] Fix | Delete
[244] Fix | Delete
<div class="form-field">
[245] Fix | Delete
<label for="app_name"><?php _e( 'New Application Password Name' ); ?></label>
[246] Fix | Delete
<input type="text" id="app_name" name="app_name" value="<?php echo esc_attr( $app_name ); ?>" required />
[247] Fix | Delete
</div>
[248] Fix | Delete
[249] Fix | Delete
<?php
[250] Fix | Delete
/**
[251] Fix | Delete
* Fires in the Authorize Application Password form before the submit buttons.
[252] Fix | Delete
*
[253] Fix | Delete
* @since 5.6.0
[254] Fix | Delete
*
[255] Fix | Delete
* @param array $request {
[256] Fix | Delete
* The array of request data. All arguments are optional and may be empty.
[257] Fix | Delete
*
[258] Fix | Delete
* @type string $app_name The suggested name of the application.
[259] Fix | Delete
* @type string $success_url The URL the user will be redirected to after approving the application.
[260] Fix | Delete
* @type string $reject_url The URL the user will be redirected to after rejecting the application.
[261] Fix | Delete
* }
[262] Fix | Delete
* @param WP_User $user The user authorizing the application.
[263] Fix | Delete
*/
[264] Fix | Delete
do_action( 'wp_authorize_application_password_form', $request, $user );
[265] Fix | Delete
?>
[266] Fix | Delete
[267] Fix | Delete
<?php
[268] Fix | Delete
submit_button(
[269] Fix | Delete
__( 'Yes, I approve of this connection' ),
[270] Fix | Delete
'primary',
[271] Fix | Delete
'approve',
[272] Fix | Delete
false,
[273] Fix | Delete
array(
[274] Fix | Delete
'aria-describedby' => 'description-approve',
[275] Fix | Delete
)
[276] Fix | Delete
);
[277] Fix | Delete
?>
[278] Fix | Delete
<p class="description" id="description-approve">
[279] Fix | Delete
<?php
[280] Fix | Delete
if ( $success_url ) {
[281] Fix | Delete
printf(
[282] Fix | Delete
/* translators: %s: The URL the user is being redirected to. */
[283] Fix | Delete
__( 'You will be sent to %s' ),
[284] Fix | Delete
'<strong><code>' . esc_html(
[285] Fix | Delete
add_query_arg(
[286] Fix | Delete
array(
[287] Fix | Delete
'site_url' => site_url(),
[288] Fix | Delete
'user_login' => $user->user_login,
[289] Fix | Delete
'password' => '[------]',
[290] Fix | Delete
),
[291] Fix | Delete
$success_url
[292] Fix | Delete
)
[293] Fix | Delete
) . '</code></strong>'
[294] Fix | Delete
);
[295] Fix | Delete
} else {
[296] Fix | Delete
_e( 'You will be given a password to manually enter into the application in question.' );
[297] Fix | Delete
}
[298] Fix | Delete
?>
[299] Fix | Delete
</p>
[300] Fix | Delete
[301] Fix | Delete
<?php
[302] Fix | Delete
submit_button(
[303] Fix | Delete
__( 'No, I do not approve of this connection' ),
[304] Fix | Delete
'secondary',
[305] Fix | Delete
'reject',
[306] Fix | Delete
false,
[307] Fix | Delete
array(
[308] Fix | Delete
'aria-describedby' => 'description-reject',
[309] Fix | Delete
)
[310] Fix | Delete
);
[311] Fix | Delete
?>
[312] Fix | Delete
<p class="description" id="description-reject">
[313] Fix | Delete
<?php
[314] Fix | Delete
if ( $reject_url ) {
[315] Fix | Delete
printf(
[316] Fix | Delete
/* translators: %s: The URL the user is being redirected to. */
[317] Fix | Delete
__( 'You will be sent to %s' ),
[318] Fix | Delete
'<strong><code>' . esc_html( $reject_url ) . '</code></strong>'
[319] Fix | Delete
);
[320] Fix | Delete
} else {
[321] Fix | Delete
_e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' );
[322] Fix | Delete
}
[323] Fix | Delete
?>
[324] Fix | Delete
</p>
[325] Fix | Delete
</form>
[326] Fix | Delete
<?php endif; ?>
[327] Fix | Delete
</div>
[328] Fix | Delete
</div>
[329] Fix | Delete
<?php
[330] Fix | Delete
[331] Fix | Delete
require_once ABSPATH . 'wp-admin/admin-footer.php';
[332] Fix | Delete
[333] Fix | Delete