1<?php
  2/**
  3 * Authorize Application Screen
  4 *
  5 * @package WordPress
  6 * @subpackage Administration
  7 */
  8
  9/** WordPress Administration Bootstrap */
 10require_once __DIR__ . '/admin.php';
 11
 12$error        = null;
 13$new_password = '';
 14
 15// This is the no-js fallback script. Generally this will all be handled by `auth-app.js`.
 16if ( isset( $_POST['action'] ) && 'authorize_application_password' === $_POST['action'] ) {
 17	check_admin_referer( 'authorize_application_password' );
 18
 19	$success_url = $_POST['success_url'];
 20	$reject_url  = $_POST['reject_url'];
 21	$app_name    = $_POST['app_name'];
 22	$app_id      = $_POST['app_id'];
 23	$redirect    = '';
 24
 25	if ( isset( $_POST['reject'] ) ) {
 26		if ( $reject_url ) {
 27			$redirect = $reject_url;
 28		} else {
 29			$redirect = admin_url();
 30		}
 31	} elseif ( isset( $_POST['approve'] ) ) {
 32		$created = WP_Application_Passwords::create_new_application_password(
 33			get_current_user_id(),
 34			array(
 35				'name'   => $app_name,
 36				'app_id' => $app_id,
 37			)
 38		);
 39
 40		if ( is_wp_error( $created ) ) {
 41			$error = $created;
 42		} else {
 43			list( $new_password ) = $created;
 44
 45			if ( $success_url ) {
 46				$redirect = add_query_arg(
 47					array(
 48						'site_url'   => urlencode( site_url() ),
 49						'user_login' => urlencode( wp_get_current_user()->user_login ),
 50						'password'   => urlencode( $new_password ),
 51					),
 52					$success_url
 53				);
 54			}
 55		}
 56	}
 57
 58	if ( $redirect ) {
 59		// Explicitly not using wp_safe_redirect b/c sends to arbitrary domain.
 60		wp_redirect( $redirect );
 61		exit;
 62	}
 63}
 64
 65// Used in the HTML title tag.
 66$title = __( 'Authorize Application' );
 67
 68$app_name    = ! empty( $_REQUEST['app_name'] ) ? $_REQUEST['app_name'] : '';
 69$app_id      = ! empty( $_REQUEST['app_id'] ) ? $_REQUEST['app_id'] : '';
 70$success_url = ! empty( $_REQUEST['success_url'] ) ? $_REQUEST['success_url'] : null;
 71
 72if ( ! empty( $_REQUEST['reject_url'] ) ) {
 73	$reject_url = $_REQUEST['reject_url'];
 74} elseif ( $success_url ) {
 75	$reject_url = add_query_arg( 'success', 'false', $success_url );
 76} else {
 77	$reject_url = null;
 78}
 79
 80$user = wp_get_current_user();
 81
 82$request  = compact( 'app_name', 'app_id', 'success_url', 'reject_url' );
 83$is_valid = wp_is_authorize_application_password_request_valid( $request, $user );
 84
 85if ( is_wp_error( $is_valid ) ) {
 86	wp_die(
 87		__( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
 88		__( 'Cannot Authorize Application' )
 89	);
 90}
 91
 92if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
 93	wp_die(
 94		__( 'Your website appears to use Basic Authentication, which is not currently compatible with application passwords.' ),
 95		__( 'Cannot Authorize Application' ),
 96		array(
 97			'response'  => 501,
 98			'link_text' => __( 'Go Back' ),
 99			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
100		)
101	);
102}
103
104if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
105	if ( wp_is_application_passwords_available() ) {
106		$message = __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' );
107	} else {
108		$message = __( 'Application passwords are not available.' );
109	}
110
111	wp_die(
112		$message,
113		__( 'Cannot Authorize Application' ),
114		array(
115			'response'  => 501,
116			'link_text' => __( 'Go Back' ),
117			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
118		)
119	);
120}
121
122wp_enqueue_script( 'auth-app' );
123wp_localize_script(
124	'auth-app',
125	'authApp',
126	array(
127		'site_url'   => site_url(),
128		'user_login' => $user->user_login,
129		'success'    => $success_url,
130		'reject'     => $reject_url ? $reject_url : admin_url(),
131	)
132);
133
134require_once ABSPATH . 'wp-admin/admin-header.php';
135
136?>
137<div class="wrap">
138	<h1><?php echo esc_html( $title ); ?></h1>
139
140	<?php
141	if ( is_wp_error( $error ) ) {
142		wp_admin_notice(
143			$error->get_error_message(),
144			array(
145				'type' => 'error',
146			)
147		);
148	}
149	?>
150
151	<div class="card auth-app-card">
152		<h2 class="title"><?php _e( 'An application would like to connect to your account.' ); ?></h2>
153		<?php if ( $app_name ) : ?>
154			<p>
155				<?php
156				printf(
157					/* translators: %s: Application name. */
158					__( 'Would you like to give the application identifying itself as %s access to your account? You should only do this if you trust the application in question.' ),
159					'<strong>' . esc_html( $app_name ) . '</strong>'
160				);
161				?>
162			</p>
163		<?php else : ?>
164			<p><?php _e( 'Would you like to give this application access to your account? You should only do this if you trust the application in question.' ); ?></p>
165		<?php endif; ?>
166
167		<?php
168		if ( is_multisite() ) {
169			$blogs       = get_blogs_of_user( $user->ID, true );
170			$blogs_count = count( $blogs );
171
172			if ( $blogs_count > 1 ) {
173				?>
174				<p>
175					<?php
176					/* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
177					$message = _n(
178						'This will grant access to <a href="%1$s">the %2$s site in this installation that you have permissions on</a>.',
179						'This will grant access to <a href="%1$s">all %2$s sites in this installation that you have permissions on</a>.',
180						$blogs_count
181					);
182
183					if ( is_super_admin() ) {
184						/* translators: 1: URL to my-sites.php, 2: Number of sites the user has. */
185						$message = _n(
186							'This will grant access to <a href="%1$s">the %2$s site on the network as you have Super Admin rights</a>.',
187							'This will grant access to <a href="%1$s">all %2$s sites on the network as you have Super Admin rights</a>.',
188							$blogs_count
189						);
190					}
191
192					printf(
193						$message,
194						admin_url( 'my-sites.php' ),
195						number_format_i18n( $blogs_count )
196					);
197					?>
198				</p>
199				<?php
200			}
201		}
202		?>
203
204		<?php
205		if ( $new_password ) :
206			$message = '<p class="application-password-display">
207				<label for="new-application-password-value">' . sprintf(
208				/* translators: %s: Application name. */
209				esc_html__( 'Your new password for %s is:' ),
210				'<strong>' . esc_html( $app_name ) . '</strong>'
211			) . '
212				</label>
213				<input id="new-application-password-value" type="text" class="code" readonly="readonly" value="' . esc_attr( WP_Application_Passwords::chunk_password( $new_password ) ) . '" />
214			</p>
215			<p>' . __( 'Be sure to save this in a safe location. You will not be able to retrieve it.' ) . '</p>';
216			$args = array(
217				'type'               => 'success',
218				'additional_classes' => array( 'notice-alt', 'below-h2' ),
219				'paragraph_wrap'     => false,
220			);
221			wp_admin_notice( $message, $args );
222
223			/**
224			 * Fires in the Authorize Application Password new password section in the no-JS version.
225			 *
226			 * In most cases, this should be used in combination with the {@see 'wp_application_passwords_approve_app_request_success'}
227			 * action to ensure that both the JS and no-JS variants are handled.
228			 *
229			 * @since 5.6.0
230			 * @since 5.6.1 Corrected action name and signature.
231			 *
232			 * @param string  $new_password The newly generated application password.
233			 * @param array   $request      The array of request data. All arguments are optional and may be empty.
234			 * @param WP_User $user         The user authorizing the application.
235			 */
236			do_action( 'wp_authorize_application_password_form_approved_no_js', $new_password, $request, $user );
237		else :
238			?>
239			<form action="<?php echo esc_url( admin_url( 'authorize-application.php' ) ); ?>" method="post" class="form-wrap">
240				<?php wp_nonce_field( 'authorize_application_password' ); ?>
241				<input type="hidden" name="action" value="authorize_application_password" />
242				<input type="hidden" name="app_id" value="<?php echo esc_attr( $app_id ); ?>" />
243				<input type="hidden" name="success_url" value="<?php echo esc_url( $success_url ); ?>" />
244				<input type="hidden" name="reject_url" value="<?php echo esc_url( $reject_url ); ?>" />
245
246				<div class="form-field">
247					<label for="app_name"><?php _e( 'New Application Password Name' ); ?></label>
248					<input type="text" id="app_name" name="app_name" value="<?php echo esc_attr( $app_name ); ?>" required />
249				</div>
250
251				<?php
252				/**
253				 * Fires in the Authorize Application Password form before the submit buttons.
254				 *
255				 * @since 5.6.0
256				 *
257				 * @param array   $request {
258				 *     The array of request data. All arguments are optional and may be empty.
259				 *
260				 *     @type string $app_name    The suggested name of the application.
261				 *     @type string $success_url The URL the user will be redirected to after approving the application.
262				 *     @type string $reject_url  The URL the user will be redirected to after rejecting the application.
263				 * }
264				 * @param WP_User $user The user authorizing the application.
265				 */
266				do_action( 'wp_authorize_application_password_form', $request, $user );
267				?>
268
269				<?php
270				submit_button(
271					__( 'Yes, I approve of this connection' ),
272					'primary',
273					'approve',
274					false,
275					array(
276						'aria-describedby' => 'description-approve',
277					)
278				);
279				?>
280				<p class="description" id="description-approve">
281					<?php
282					if ( $success_url ) {
283						printf(
284							/* translators: %s: The URL the user is being redirected to. */
285							__( 'You will be sent to %s' ),
286							'<strong><code>' . esc_html(
287								add_query_arg(
288									array(
289										'site_url'   => site_url(),
290										'user_login' => $user->user_login,
291										'password'   => '[------]',
292									),
293									$success_url
294								)
295							) . '</code></strong>'
296						);
297					} else {
298						_e( 'You will be given a password to manually enter into the application in question.' );
299					}
300					?>
301				</p>
302
303				<?php
304				submit_button(
305					__( 'No, I do not approve of this connection' ),
306					'secondary',
307					'reject',
308					false,
309					array(
310						'aria-describedby' => 'description-reject',
311					)
312				);
313				?>
314				<p class="description" id="description-reject">
315					<?php
316					if ( $reject_url ) {
317						printf(
318							/* translators: %s: The URL the user is being redirected to. */
319							__( 'You will be sent to %s' ),
320							'<strong><code>' . esc_html( $reject_url ) . '</code></strong>'
321						);
322					} else {
323						_e( 'You will be returned to the WordPress Dashboard, and no changes will be made.' );
324					}
325					?>
326				</p>
327			</form>
328		<?php endif; ?>
329	</div>
330</div>
331<?php
332
333require_once ABSPATH . 'wp-admin/admin-footer.php';
334