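<?php
/**
 * Authorize Application Screen
 *
 * Renders the screen on which a logged-in user approves or rejects an
 * application's request for a new application password, and handles the
 * no-JS form submission that actually creates the password.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once __DIR__ . '/admin.php';

// A WP_Error from the no-JS approve step, shown as a notice below the title.
$error = null;
// The freshly created application password, only set on the no-JS approve path
// when there is no success_url to redirect to (it is then displayed inline).
$new_password = '';

// This is the no-js fallback script. Generally this will all be handled by `auth-app.js`.
if ( isset( $_POST['action'] ) && 'authorize_application_password' === $_POST['action'] ) {
	check_admin_referer( 'authorize_application_password' );

	// Default absent fields to '' so a hand-crafted POST does not raise undefined-index notices.
	$success_url = isset( $_POST['success_url'] ) ? $_POST['success_url'] : '';
	$reject_url  = isset( $_POST['reject_url'] ) ? $_POST['reject_url'] : '';
	$app_name    = isset( $_POST['app_name'] ) ? $_POST['app_name'] : '';
	$app_id      = isset( $_POST['app_id'] ) ? $_POST['app_id'] : '';
	$redirect    = '';

	$user    = wp_get_current_user();
	$request = compact( 'app_name', 'app_id', 'success_url', 'reject_url' );

	// The redirect at the end of this branch deliberately bypasses wp_safe_redirect(), so the
	// POSTed values get the same request validation the form rendering below applies, instead
	// of trusting that they are the ones the form was rendered with.
	$is_valid = wp_is_authorize_application_password_request_valid( $request, $user );

	if ( is_wp_error( $is_valid ) ) {
		wp_die(
			__( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
			__( 'Cannot Authorize Application' )
		);
	}

	if ( isset( $_POST['reject'] ) ) {
		// Rejecting never creates anything; just send the user back.
		$redirect = $reject_url ? $reject_url : admin_url();
	} elseif ( isset( $_POST['approve'] ) ) {
		$created = WP_Application_Passwords::create_new_application_password(
			get_current_user_id(),
			array(
				'name'   => $app_name,
				'app_id' => $app_id,
			)
		);

		if ( is_wp_error( $created ) ) {
			$error = $created;
		} else {
			list( $new_password ) = $created;

			// With a success_url the password is handed over in the query string;
			// without one it is displayed on this page instead.
			if ( $success_url ) {
				$redirect = add_query_arg(
					array(
						'site_url'   => urlencode( site_url() ),
						'user_login' => urlencode( wp_get_current_user()->user_login ),
						'password'   => urlencode( $new_password ),
					),
					$success_url
				);
			}
		}
	}

	if ( $redirect ) {
		// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
		wp_redirect( $redirect );
		exit;
	}
}

$title = __( 'Authorize Application' );

// Request parameters for rendering; `! empty()` keeps '' and '0' as "not provided".
$app_name    = ! empty( $_REQUEST['app_name'] ) ? $_REQUEST['app_name'] : '';
$app_id      = ! empty( $_REQUEST['app_id'] ) ? $_REQUEST['app_id'] : '';
$success_url = ! empty( $_REQUEST['success_url'] ) ? $_REQUEST['success_url'] : null;

if ( ! empty( $_REQUEST['reject_url'] ) ) {
	$reject_url = $_REQUEST['reject_url'];
} elseif ( $success_url ) {
	// No explicit reject_url: reuse the success_url, flagged as a rejection.
	$reject_url = add_query_arg( 'success', 'false', $success_url );
} else {
	$reject_url = null;
}

$user = wp_get_current_user();

$request  = compact( 'app_name', 'app_id', 'success_url', 'reject_url' );
$is_valid = wp_is_authorize_application_password_request_valid( $request, $user );

if ( is_wp_error( $is_valid ) ) {
	wp_die(
		__( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
		__( 'Cannot Authorize Application' )
	);
}

if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
	wp_die(
		__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
		__( 'Cannot Authorize Application' ),
		array(
			'response'  => 501,
			'link_text' => __( 'Go Back' ),
			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
		)
	);
}

if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
	// Distinguish "disabled site-wide" from "disabled for this account".
	if ( wp_is_application_passwords_available() ) {
		$message = __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' );
	} else {
		$message = __( 'Application passwords are not available.' );
	}

	wp_die(
		$message,
		__( 'Cannot Authorize Application' ),
		array(
			'response'  => 501,
			'link_text' => __( 'Go Back' ),
			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
		)
	);
}

wp_enqueue_script( 'auth-app' );
wp_localize_script(
	'auth-app',
	'authApp',
	array(
		'site_url'   => site_url(),
		'user_login' => $user->user_login,
		'success'    => $success_url,
		'reject'     => $reject_url ? $reject_url : admin_url(),
	)
);

require_once ABSPATH . 'wp-admin/admin-header.php';

?>
<div class="wrap">
	<h1><?php echo esc_html( $title ); ?></h1>

	<?php if ( is_wp_error( $error ) ) : ?>
		<div class="notice notice-error"><p><?php echo $error->get_error_message(); ?></p></div>
	<?php endif; ?>

	<div class="card auth-app-card">
		<h2 class="title"><?php _e( 'An application would like to connect to your account.' ); ?></h2>
		<?php if ( $app_name ) : ?>
			<p>
				<?php
				printf(
					/* translators: %s: Application name. */
					__( 'Would you like to give the application identifying itself as %s access to your account? You should only do this if you trust the app in question.' ),
					'<strong>' . esc_html( $app_name ) . '</strong>'
				);
				?>
			</p>
		<?php else : ?>
			<p><?php _e( 'Would you like to give this application access to your account? You should only do this if you trust the app in question.' ); ?></p>
		<?php endif; ?>

		<?php
		if ( is_multisite() ) {
			$blogs       = get_blogs_of_user( $user->ID, true );
			$blogs_count = count( $blogs );
			// Only worth calling out when the password will cover more than one site.
			if ( $blogs_count > 1 ) {
				?>
				<p>
					<?php
					printf(
						/* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
						_n(
							'This will grant access to <a href="%1$s">the %2$s site in this installation that you have permissions on</a>.',
							'This will grant access to <a href="%1$s">all %2$s sites in this installation that you have permissions on</a>.',
							$blogs_count
						),
						admin_url( 'my-sites.php' ),
						number_format_i18n( $blogs_count )
					);
					?>
				</p>
				<?php
			}
		}
		?>

		<?php if ( $new_password ) : ?>
			<div class="notice notice-success notice-alt below-h2">
				<p class="application-password-display">
					<label for="new-application-password-value">
						<?php
						printf(
							/* translators: %s: Application name. */
							esc_html__( 'Your new password for %s is:' ),
							'<strong>' . esc_html( $app_name ) . '</strong>'
						);
						?>
					</label>
					<?php // esc_attr() only returns the escaped string; without `echo` the field rendered empty. ?>
					<input id="new-application-password-value" type="text" class="code" readonly="readonly" value="<?php echo esc_attr( WP_Application_Passwords::chunk_password( $new_password ) ); ?>" />
				</p>
				<p><?php _e( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ); ?></p>
			</div>

			<?php
			/**
			 * Fires in the Authorize Application Password new password section in the no-JS version.
			 *
			 * In most cases, this should be used in combination with the {@see 'wp_application_passwords_approve_app_request_success'}
			 * action to ensure that both the JS and no-JS variants are handled.
			 *
			 * @since 5.6.0
			 * @since 5.6.1 Corrected action name and signature.
			 *
			 * @param string  $new_password The newly generated application password.
			 * @param array   $request      The array of request data. All arguments are optional and may be empty.
			 * @param WP_User $user         The user authorizing the application.
			 */
			do_action( 'wp_authorize_application_password_form_approved_no_js', $new_password, $request, $user );
			?>
		<?php else : ?>
			<form action="<?php echo esc_url( admin_url( 'authorize-application.php' ) ); ?>" method="post" class="form-wrap">
				<?php wp_nonce_field( 'authorize_application_password' ); ?>
				<input type="hidden" name="action" value="authorize_application_password" />
				<input type="hidden" name="app_id" value="<?php echo esc_attr( $app_id ); ?>" />
				<input type="hidden" name="success_url" value="<?php echo esc_url( $success_url ); ?>" />
				<input type="hidden" name="reject_url" value="<?php echo esc_url( $reject_url ); ?>" />

				<div class="form-field">
					<label for="app_name"><?php _e( 'New Application Password Name' ); ?></label>
					<input type="text" id="app_name" name="app_name" value="<?php echo esc_attr( $app_name ); ?>" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" required />
				</div>

				<?php
				/**
				 * Fires in the Authorize Application Password form before the submit buttons.
				 *
				 * @since 5.6.0
				 *
				 * @param array   $request {
				 *     The array of request data. All arguments are optional and may be empty.
				 *
				 *     @type string $app_name    The suggested name of the application.
				 *     @type string $success_url The url the user will be redirected to after approving the application.
				 *     @type string $reject_url  The url the user will be redirected to after rejecting the application.
				 * }
				 * @param WP_User $user The user authorizing the application.
				 */
				do_action( 'wp_authorize_application_password_form', $request, $user );
				?>

				<?php
				submit_button(
					__( 'Yes, I approve of this connection.' ),
					'primary',
					'approve',
					false,
					array(
						'aria-describedby' => 'description-approve',
					)
				);
				?>
				<p class="description" id="description-approve">
					<?php
					if ( $success_url ) {
						// Preview of the redirect target; the password is masked since it does not exist yet.
						printf(
							/* translators: %s: The URL the user is being redirected to. */
							__( 'You will be sent to %s' ),
							'<strong><kbd>' . esc_html(
								add_query_arg(
									array(
										'site_url'   => site_url(),
										'user_login' => $user->user_login,
										'password'   => '[------]',
									),
									$success_url
								)
							) . '</kbd></strong>'
						);
					} else {
						_e( 'You will be given a password to manually enter into the application in question.' );
					}
					?>
				</p>

				<?php
				submit_button(
					__( 'No, I do not approve of this connection.' ),
					'secondary',
					'reject',
					false,
					array(
						'aria-describedby' => 'description-reject',
					)
				);
				?>
				<p class="description" id="description-reject">
					<?php
					if ( $reject_url ) {
						printf(
							/* translators: %s: The URL the user is being redirected to. */
							__( 'You will be sent to %s' ),
							'<strong><kbd>' . esc_html( $reject_url ) . '</kbd></strong>'
						);
					} else {
						_e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' );
					}
					?>
				</p>
			</form>
		<?php endif; ?>
	</div>
</div>
<?php

require_once ABSPATH . 'wp-admin/admin-footer.php';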