Fix/dt login security fixes #2277

Merged
10 changes: 7 additions & 3 deletions dt-core/admin/menu/tabs/tab-sso-login.php
Expand Up @@ -114,17 +114,21 @@ class="nav-tab <?php echo esc_html( ( $tab == $key ) ? 'nav-tab-active' : '' );
<table class="widefat striped">
<tbody>
<?php
$any_multisite_level_args = false;
if ( ! empty( $vars ) ) {
foreach ( $vars as $key => $value ) {
if ( $tab === $value['tab'] ) {
$any_multisite_level_args = is_multisite() && !empty( $value['multisite_level'] );
$this->tab( $value );
}
}
}


?>
<tr>
<td colspan="2">
<button class="button" type="submit">Save</button> <button class="button" type="submit" style="float:right;" name="delete" value="1">Reset</button>
<button class="button" type="submit">Save</button> <button class="button" <?php echo esc_attr( $any_multisite_level_args ? 'disabled' : '' ) ?> type="submit" style="float:right;" name="delete" value="1">Reset</button>
</td>
</tr>
</tbody>
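Review bot: the assignment to `$any_multisite_level_args` inside the `foreach` overwrites the flag for every field that matches the tab, so the Reset button ends up reflecting only the last matching field rather than "any" field. Accumulate instead, for example `$any_multisite_level_args = $any_multisite_level_args || ( is_multisite() && ! empty( $value['multisite_level'] ) );`. Separately, `disabled` on the button is only a browser-side hint: a request carrying `delete=1` can still be submitted, so the code that processes the reset (not visible in this hunk) should apply the same multisite check before deleting anything.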
Expand All @@ -151,9 +155,9 @@ public function tab( $args ) {
</td>
<td>
<input
type="text"
type="<?php echo esc_attr( $must_have_super_admin_rights ? 'password' : 'text' ) ?>"
name="<?php echo esc_attr( $args['key'] ) ?>"
value="<?php echo esc_attr( $args['value'] ) ?>"
value="<?php echo esc_attr( $must_have_super_admin_rights ? 'hidden secret value' : $args['value'] ) ?>"
<?php echo $must_have_super_admin_rights ? 'disabled' : '' ?>
/>
<?php echo esc_attr( $args['description'] ) ?>
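Review bot: on the `type` and `value` lines, masking the field with the literal 'hidden secret value' and marking it `disabled` keeps the stored secret out of the rendered HTML, but it is presentation only. The save path (not visible here) needs to ignore a posted `$args['key']` for these fields when the user lacks super admin rights, because a disabled input can be re-enabled in the browser. Two smaller points: the placeholder is shown whether or not a value is actually stored, so an admin cannot tell if the key is configured (consider an empty value plus a "configured / not configured" hint), and `$must_have_super_admin_rights` is set outside the visible lines, so a short comment at its definition stating exactly which condition it encodes would help the next reader.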
2 changes: 1 addition & 1 deletion dt-login/login-fields.php
Expand Up @@ -263,7 +263,7 @@ private static function get_defaults() {
'key' => 'firebase_config_label',
'label' => 'Where to find the config details',
'description' => 'Go to your firebase console and in the project settings get the config details from your webapp https://console.firebase.google.com/',
'description_2' => '',
'description_2' => is_multisite() && !is_network_admin() ? 'If you are a super admin, please install the dt multisite plugin at the network level in order to control the firebase keys. https://github.com/DiscipleTools/disciple-tools-multisite' : '',
'value' => '',
'type' => 'label',
'multisite_level' => true,
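Review bot: in the new `description_2` line the condition `is_multisite() && !is_network_admin()` is used unparenthesised as the head of a ternary with a long string, which is hard to scan; wrap the condition in parentheses, use `! is_network_admin()` spacing to match the rest of the file, and consider building the string in a variable above the array. Note also that `is_network_admin()` tests which admin screen the request is for, not the user's capability, so the message will be shown to every user of the site-level screen; the "If you are a super admin" wording covers that, but a one-line comment saying so would make the intent explicit. Since the text carries a URL, make sure the place that prints `description_2` escapes it for HTML output.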
3 changes: 2 additions & 1 deletion dt-login/login-page.php
Expand Up @@ -44,8 +44,9 @@ public function __construct() {
}

public function header_style(){
// parent::header_style();
parent::header_style();
?>

<style>
body { background: #f0f0f1; }
.login-remember { float: left; }
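Review bot: with `parent::header_style();` restored, this method now emits a second `<style>` block after the parent's, and `body { background: ... }` is declared in both (white in `base.php`, `#f0f0f1` here), so the login page colour depends purely on this block being printed after the parent's. Add a short comment stating that the rules below intentionally override the parent styles, and drop the blank line added after `?>`, which only sends extra whitespace to the page.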
10 changes: 4 additions & 6 deletions dt-login/pages/base.php
Expand Up @@ -30,11 +30,11 @@ public function _header(){
}
public function header_style(){
?>

<style>
body {
background: white;
}
<?php require __DIR__ . '/../../dt-assets/build/css/style.min.css' ?>
Member

@squigglybob
this includes ALL of the 30 kB of D.T css in the header.
It is just for this UI, right:
image

Collaborator Author


I could sift the CSS, for what is needed for this/ write some CSS to make it look like this 😆

Collaborator Author


I've created a stripped down css for the login page, that has no dependencies on foundation either.

I wasn't able to test the page where you create a new password after receiving the lost password email. 😬
It was taking me to the wp-login new password page instead.

</style>

<?php
}
public function _browser_tab_title( $title ){
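Review bot: the `require __DIR__ . '/../../dt-assets/build/css/style.min.css'` line inside the `<style>` block runs the stylesheet through the PHP interpreter and raises a fatal error on the login page if the build artifact is missing. To inline a static file, read it as data instead, for example `readfile()` guarded by `is_readable()`, so that a missing or unexpected file degrades to an unstyled page rather than a broken login. This is in addition to the size concern already raised in the thread above; a dedicated, smaller login stylesheet addresses both.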
Expand Down Expand Up @@ -85,9 +85,7 @@ public function _print_scripts(){
}
public function _print_styles(){
// @link /disciple-tools-theme/dt-assets/functions/enqueue-scripts.php
$allowed_css = [
'site-css',
];
$allowed_css = [];

$allowed_css = apply_filters( 'dt_login_allowed_css', $allowed_css );
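Review bot: `$allowed_css` now starts as an empty array, so `site-css` is no longer allowed on login pages unless something adds it back through the `dt_login_allowed_css` filter, and the `@link` comment above still points at the enqueue file without saying why nothing is allowed by default. Add a comment explaining that the allowlist is intentionally empty and that the filter is the supported way to extend it. Since `apply_filters` returns whatever a callback gives back, it is also worth casting or checking the result is an array before it is used further down (that code is not visible in this hunk).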
