1<?php
2/**
3 * Authorize Application Screen
4 *
5 * @package WordPress
6 * @subpackage Administration
7 */
8
9/** WordPress Administration Bootstrap */
10require_once __DIR__ . '/admin.php';
11
12$error = null;
13$new_password = '';
14
15// This is the no-js fallback script. Generally this will all be handled by `auth-app.js`.
16if ( isset( $_POST['action'] ) && 'authorize_application_password' === $_POST['action'] ) {
17 check_admin_referer( 'authorize_application_password' );
18
19 $success_url = $_POST['success_url'];
20 $reject_url = $_POST['reject_url'];
21 $app_name = $_POST['app_name'];
22 $app_id = $_POST['app_id'];
23 $redirect = '';
24
25 if ( isset( $_POST['reject'] ) ) {
26 if ( $reject_url ) {
27 $redirect = $reject_url;
28 } else {
29 $redirect = admin_url();
30 }
31 } elseif ( isset( $_POST['approve'] ) ) {
32 $created = WP_Application_Passwords::create_new_application_password(
33 get_current_user_id(),
34 array(
35 'name' => $app_name,
36 'app_id' => $app_id,
37 )
38 );
39
40 if ( is_wp_error( $created ) ) {
41 $error = $created;
42 } else {
43 list( $new_password ) = $created;
44
45 if ( $success_url ) {
46 $redirect = add_query_arg(
47 array(
48 'site_url' => urlencode( site_url() ),
49 'user_login' => urlencode( wp_get_current_user()->user_login ),
50 'password' => urlencode( $new_password ),
51 ),
52 $success_url
53 );
54 }
55 }
56 }
57
58 if ( $redirect ) {
59 // Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
60 wp_redirect( $redirect );
61 exit;
62 }
63}
64
65// Used in the HTML title tag.
66$title = __( 'Authorize Application' );
67
68$app_name = ! empty( $_REQUEST['app_name'] ) ? $_REQUEST['app_name'] : '';
69$app_id = ! empty( $_REQUEST['app_id'] ) ? $_REQUEST['app_id'] : '';
70$success_url = ! empty( $_REQUEST['success_url'] ) ? $_REQUEST['success_url'] : null;
71
72if ( ! empty( $_REQUEST['reject_url'] ) ) {
73 $reject_url = $_REQUEST['reject_url'];
74} elseif ( $success_url ) {
75 $reject_url = add_query_arg( 'success', 'false', $success_url );
76} else {
77 $reject_url = null;
78}
79
80$user = wp_get_current_user();
81
82$request = compact( 'app_name', 'app_id', 'success_url', 'reject_url' );
83$is_valid = wp_is_authorize_application_password_request_valid( $request, $user );
84
85if ( is_wp_error( $is_valid ) ) {
86 wp_die(
87 __( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
88 __( 'Cannot Authorize Application' )
89 );
90}
91
92if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
93 wp_die(
94 __( 'Your website appears to use Basic Authentication, which is not currently compatible with application passwords.' ),
95 __( 'Cannot Authorize Application' ),
96 array(
97 'response' => 501,
98 'link_text' => __( 'Go Back' ),
99 'link_url' => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
100 )
101 );
102}
103
104if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
105 if ( wp_is_application_passwords_available() ) {
106 $message = __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' );
107 } else {
108 $message = __( 'Application passwords are not available.' );
109 }
110
111 wp_die(
112 $message,
113 __( 'Cannot Authorize Application' ),
114 array(
115 'response' => 501,
116 'link_text' => __( 'Go Back' ),
117 'link_url' => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
118 )
119 );
120}
121
122wp_enqueue_script( 'auth-app' );
123wp_localize_script(
124 'auth-app',
125 'authApp',
126 array(
127 'site_url' => site_url(),
128 'user_login' => $user->user_login,
129 'success' => $success_url,
130 'reject' => $reject_url ? $reject_url : admin_url(),
131 )
132);
133
134require_once ABSPATH . 'wp-admin/admin-header.php';
135
136?>
137<div class="wrap">
138 <h1><?php echo esc_html( $title ); ?></h1>
139
140 <?php
141 if ( is_wp_error( $error ) ) {
142 wp_admin_notice(
143 $error->get_error_message(),
144 array(
145 'type' => 'error',
146 )
147 );
148 }
149 ?>
150
151 <div class="card auth-app-card">
152 <h2 class="title"><?php _e( 'An application would like to connect to your account.' ); ?></h2>
153 <?php if ( $app_name ) : ?>
154 <p>
155 <?php
156 printf(
157 /* translators: %s: Application name. */
158 __( 'Would you like to give the application identifying itself as %s access to your account? You should only do this if you trust the application in question.' ),
159 '<strong>' . esc_html( $app_name ) . '</strong>'
160 );
161 ?>
162 </p>
163 <?php else : ?>
164 <p><?php _e( 'Would you like to give this application access to your account? You should only do this if you trust the application in question.' ); ?></p>
165 <?php endif; ?>
166
167 <?php
168 if ( is_multisite() ) {
169 $blogs = get_blogs_of_user( $user->ID, true );
170 $blogs_count = count( $blogs );
171
172 if ( $blogs_count > 1 ) {
173 ?>
174 <p>
175 <?php
176 /* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
177 $message = _n(
178 'This will grant access to <a href="%1$s">the %2$s site in this installation that you have permissions on</a>.',
179 'This will grant access to <a href="%1$s">all %2$s sites in this installation that you have permissions on</a>.',
180 $blogs_count
181 );
182
183 if ( is_super_admin() ) {
184 /* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
185 $message = _n(
186 'This will grant access to <a href="%1$s">the %2$s site on the network as you have Super Admin rights</a>.',
187 'This will grant access to <a href="%1$s">all %2$s sites on the network as you have Super Admin rights</a>.',
188 $blogs_count
189 );
190 }
191
192 printf(
193 $message,
194 admin_url( 'my-sites.php' ),
195 number_format_i18n( $blogs_count )
196 );
197 ?>
198 </p>
199 <?php
200 }
201 }
202 ?>
203
204 <?php
205 if ( $new_password ) :
206 $message = '<p class="application-password-display">
207 <label for="new-application-password-value">' . sprintf(
208 /* translators: %s: Application name. */
209 esc_html__( 'Your new password for %s is:' ),
210 '<strong>' . esc_html( $app_name ) . '</strong>'
211 ) . '
212 </label>
213 <input id="new-application-password-value" type="text" class="code" readonly="readonly" value="' . esc_attr( WP_Application_Passwords::chunk_password( $new_password ) ) . '" />
214 </p>
215 <p>' . __( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ) . '</p>';
216 $args = array(
217 'type' => 'success',
218 'additional_classes' => array( 'notice-alt', 'below-h2' ),
219 'paragraph_wrap' => false,
220 );
221 wp_admin_notice( $message, $args );
222
223 /**
224 * Fires in the Authorize Application Password new password section in the no-JS version.
225 *
226 * In most cases, this should be used in combination with the {@see 'wp_application_passwords_approve_app_request_success'}
227 * action to ensure that both the JS and no-JS variants are handled.
228 *
229 * @since 5.6.0
230 * @since 5.6.1 Corrected action name and signature.
231 *
232 * @param string $new_password The newly generated application password.
233 * @param array $request The array of request data. All arguments are optional and may be empty.
234 * @param WP_User $user The user authorizing the application.
235 */
236 do_action( 'wp_authorize_application_password_form_approved_no_js', $new_password, $request, $user );
237 else :
238 ?>
239 <form action="<?php echo esc_url( admin_url( 'authorize-application.php' ) ); ?>" method="post" class="form-wrap">
240 <?php wp_nonce_field( 'authorize_application_password' ); ?>
241 <input type="hidden" name="action" value="authorize_application_password" />
242 <input type="hidden" name="app_id" value="<?php echo esc_attr( $app_id ); ?>" />
243 <input type="hidden" name="success_url" value="<?php echo esc_url( $success_url ); ?>" />
244 <input type="hidden" name="reject_url" value="<?php echo esc_url( $reject_url ); ?>" />
245
246 <div class="form-field">
247 <label for="app_name"><?php _e( 'New Application Password Name' ); ?></label>
248 <input type="text" id="app_name" name="app_name" value="<?php echo esc_attr( $app_name ); ?>" required />
249 </div>
250
251 <?php
252 /**
253 * Fires in the Authorize Application Password form before the submit buttons.
254 *
255 * @since 5.6.0
256 *
257 * @param array $request {
258 * The array of request data. All arguments are optional and may be empty.
259 *
260 * @type string $app_name The suggested name of the application.
261 * @type string $success_url The URL the user will be redirected to after approving the application.
262 * @type string $reject_url The URL the user will be redirected to after rejecting the application.
263 * }
264 * @param WP_User $user The user authorizing the application.
265 */
266 do_action( 'wp_authorize_application_password_form', $request, $user );
267 ?>
268
269 <?php
270 submit_button(
271 __( 'Yes, I approve of this connection' ),
272 'primary',
273 'approve',
274 false,
275 array(
276 'aria-describedby' => 'description-approve',
277 )
278 );
279 ?>
280 <p class="description" id="description-approve">
281 <?php
282 if ( $success_url ) {
283 printf(
284 /* translators: %s: The URL the user is being redirected to. */
285 __( 'You will be sent to %s' ),
286 '<strong><code>' . esc_html(
287 add_query_arg(
288 array(
289 'site_url' => site_url(),
290 'user_login' => $user->user_login,
291 'password' => '[------]',
292 ),
293 $success_url
294 )
295 ) . '</code></strong>'
296 );
297 } else {
298 _e( 'You will be given a password to manually enter into the application in question.' );
299 }
300 ?>
301 </p>
302
303 <?php
304 submit_button(
305 __( 'No, I do not approve of this connection' ),
306 'secondary',
307 'reject',
308 false,
309 array(
310 'aria-describedby' => 'description-reject',
311 )
312 );
313 ?>
314 <p class="description" id="description-reject">
315 <?php
316 if ( $reject_url ) {
317 printf(
318 /* translators: %s: The URL the user is being redirected to. */
319 __( 'You will be sent to %s' ),
320 '<strong><code>' . esc_html( $reject_url ) . '</code></strong>'
321 );
322 } else {
323 _e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' );
324 }
325 ?>
326 </p>
327 </form>
328 <?php endif; ?>
329 </div>
330</div>
331<?php
332
333require_once ABSPATH . 'wp-admin/admin-footer.php';
334