PageRenderTime 52ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/password-protected.php

https://bitbucket.org/paulwib/wordpress-plugin-mirrors-password-protected
PHP | 333 lines | 189 code | 49 blank | 95 comment | 47 complexity | e65a7b659f0847172f21f19a28127526 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4. Plugin Name: Password Protected
    5. 

  5. Plugin URI: http://www.benhuson.co.uk/
    6. 

  6. Description: A very simple way to quickly password protect your WordPress site with a single password. Integrates seamlessly into your WordPress privacy settings.
    7. 

  7. Version: 1.4
    8. 

  8. Author: Ben Huson
    9. 

  9. Author URI: http://www.benhuson.co.uk/
    10. 

  10. License: GPLv2
    11. 

  11. */
    12. 

  12. 

  13. /*
    14. 

  14. Copyright 2012 Ben Huson (email : ben@thewhiteroom.net)
    15. 

    16. 

  16. This program is free software; you can redistribute it and/or modify
    17. 

  17. it under the terms of the GNU General Public License, version 2, as 
    18. 

  18. published by the Free Software Foundation.
    19. 

    20. 

  20. This program is distributed in the hope that it will be useful,
    21. 

  21. but WITHOUT ANY WARRANTY; without even the implied warranty of
    22. 

  22. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    23. 

  23. GNU General Public License for more details.
    24. 

    25. 

  25. You should have received a copy of the GNU General Public License
    26. 

  26. along with this program; if not, write to the Free Software
    27. 

  27. Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    28. 

  28. */
    29. 

  29. 

  30. /**
    31. 

  31.  * @todo Use wp_hash_password() ?
    32. 

  32.  */
    33. 

  33. 

  34. define( 'PASSWORD_PROTECTED_SUBDIR', '/' . str_replace( basename( __FILE__ ), '', plugin_basename( __FILE__ ) ) );
    35. 

  35. define( 'PASSWORD_PROTECTED_URL', plugins_url( PASSWORD_PROTECTED_SUBDIR ) );
    36. 

  36. define( 'PASSWORD_PROTECTED_DIR', plugin_dir_path( __FILE__ ) );
    37. 

  37. 

  38. global $Password_Protected;
    39. 

  39. $Password_Protected = new Password_Protected();
    40. 

  40. 

  41. class Password_Protected {
    42. 

  42. 	
    43. 

  43. 	var $version = '1.4';
    44. 

  44. 	var $admin   = null;
    45. 

  45. 	var $errors  = null;
    46. 

  46. 	
    47. 

  47. 	/**
    48. 

  48. 	 * Constructor
    49. 

  49. 	 */
    50. 

  50. 	function Password_Protected() {
    51. 

  51. 		$this->errors = new WP_Error();
    52. 

  52. 		register_activation_hook( __FILE__, array( &$this, 'install' ) );
    53. 

  53. 		add_action( 'plugins_loaded', array( $this, 'load_plugin_textdomain' ) );
    54. 

  54. 		add_action( 'init', array( $this, 'maybe_process_login' ), 1 );
    55. 

  55. 		add_action( 'wp', array( $this, 'disable_feeds' ) );
    56. 

  56. 		add_action( 'template_redirect', array( $this, 'maybe_show_login' ), 1 );
    57. 

  57. 		add_filter( 'pre_option_password_protected_status', array( $this, 'allow_feeds' ) );
    58. 

  58. 		add_filter( 'pre_option_password_protected_status', array( $this, 'allow_administrators' ) );
    59. 

  59. 		if ( is_admin() ) {
    60. 

  60. 			include_once( dirname( __FILE__ ) . '/admin/admin.php' );
    61. 

  61. 			$this->admin = new Password_Protected_Admin();
    62. 

  62. 		}
    63. 

  63. 	}
    64. 

  64. 	
    65. 

  65. 	/**
    66. 

  66. 	 * I18n
    67. 

  67. 	 */
    68. 

  68. 	function load_plugin_textdomain() {
    69. 

  69. 		load_plugin_textdomain( 'password-protected', false, basename( dirname( __FILE__ ) ) . '/languages' );
    70. 

  70. 	}
    71. 

  71. 	
    72. 

  72. 	/**
    73. 

  73. 	 * Is Active?
    74. 

  74. 	 */
    75. 

  75. 	function is_active() {
    76. 

  76. 		if ( (bool) get_option( 'password_protected_status' ) ) {
    77. 

  77. 			if ( ! defined( 'DONOTCACHEPAGE' ) )
    78. 

  78. 				define( 'DONOTCACHEPAGE', true );
    79. 

  79. 			return true;
    80. 

  80. 		}
    81. 

  81. 		return false;
    82. 

  82. 	}
    83. 

  83. 	
    84. 

  84. 	/**
    85. 

  85. 	 * Disable Feeds
    86. 

  86. 	 *
    87. 

  87. 	 * @todo An option/filter to prevent disabling of feeds.
    88. 

  88. 	 */
    89. 

  89. 	function disable_feeds() {
    90. 

  90. 		if ( $this->is_active() ) {
    91. 

  91. 			add_action( 'do_feed', array( $this, 'disable_feed' ), 1 );
    92. 

  92. 			add_action( 'do_feed_rdf', array( $this, 'disable_feed' ), 1 );
    93. 

  93. 			add_action( 'do_feed_rss', array( $this, 'disable_feed' ), 1 );
    94. 

  94. 			add_action( 'do_feed_rss2', array( $this, 'disable_feed' ), 1 );
    95. 

  95. 			add_action( 'do_feed_atom', array( $this, 'disable_feed' ), 1 );
    96. 

  96. 		}
    97. 

  97. 	}
    98. 

  98. 	
    99. 

  99. 	/**
    100. 

  100. 	 * Disable Feed
    101. 

  101. 	 * @todo Make Translatable
    102. 

  102. 	 */
    103. 

  103. 	function disable_feed() {
    104. 

  104. 		wp_die( sprintf( __( 'Feeds are not available for this site. Please visit the <a href="%s">website</a>.', 'password-protected' ), get_bloginfo( 'url' ) ) );
    105. 

  105. 	}
    106. 

  106. 	
    107. 

  107. 	/**
    108. 

  108. 	 * Allow Feeds
    109. 

  109. 	 */
    110. 

  110. 	function allow_feeds( $bool ) {
    111. 

  111. 		if ( is_feed() && (bool) get_option( 'password_protected_feeds' ) )
    112. 

  112. 			return 0;
    113. 

  113. 		return $bool;
    114. 

  114. 	}
    115. 

  115. 	
    116. 

  116. 	/**
    117. 

  117. 	 * Allow Administrators
    118. 

  118. 	 */
    119. 

  119. 	function allow_administrators( $bool ) {
    120. 

  120. 		if ( ! is_admin() && current_user_can( 'manage_options' ) && (bool) get_option( 'password_protected_administrators' ) )
    121. 

  121. 			return 0;
    122. 

  122. 		return $bool;
    123. 

  123. 	}
    124. 

  124. 	
    125. 

  125. 	/**
    126. 

  126. 	 * Maybe Process Login
    127. 

  127. 	 */
    128. 

  128. 	function maybe_process_login() {
    129. 

  129. 		if ( $this->is_active() && isset( $_REQUEST['password_protected_pwd'] ) ) {
    130. 

  130. 			$password_protected_pwd = $_REQUEST['password_protected_pwd'];
    131. 

  131. 			$pwd = get_option( 'password_protected_password' );
    132. 

  132. 			// If correct password...
    133. 

  133. 			if ( ( md5( $password_protected_pwd ) == $pwd && $pwd != '' ) || apply_filters( 'password_protected_process_login', false, $password_protected_pwd ) ) {
    134. 

  134. 				$this->set_auth_cookie();
    135. 

  135. 				if ( ! empty( $_REQUEST['redirect_to'] ) ) {
    136. 

  136. 					wp_redirect( $_REQUEST['redirect_to'] );
    137. 

  137. 					exit;
    138. 

  138. 				}
    139. 

  139. 			} else {
    140. 

  140. 				// ... otherwise incorrect password
    141. 

  141. 				$this->clear_auth_cookie();
    142. 

  142. 				$this->errors->add( 'incorrect_password', __( 'Incorrect Password', 'password-protected' ) );
    143. 

  143. 			}
    144. 

  144. 		}
    145. 

  145. 		
    146. 

  146. 		// Log out
    147. 

  147. 		if ( isset( $_REQUEST['password-protected'] ) && $_REQUEST['password-protected'] == 'logout' ) {
    148. 

  148. 			$this->logout();
    149. 

  149. 			$redirect_to = remove_query_arg( array( 'password-protected', 'redirect_to' ), ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
    150. 

  150. 			$query = array(
    151. 

  151. 				'password-protected' => 'login',
    152. 

  152. 				'redirect_to' => urlencode( $redirect_to )
    153. 

  153. 			);
    154. 

  154. 			wp_redirect( add_query_arg( $query, home_url() ) );
    155. 

  155. 			exit();
    156. 

  156. 		}
    157. 

  157. 	}
    158. 

  158. 	
    159. 

  159. 	/**
    160. 

  160. 	 * Maybe Show Login
    161. 

  161. 	 */
    162. 

  162. 	function maybe_show_login() {
    163. 

  163. 		// Don't show login if not enabled
    164. 

  164. 		if ( ! $this->is_active() )
    165. 

  165. 			return;
    166. 

  166. 		
    167. 

  167. 		// Logged in
    168. 

  168. 		if ( $this->validate_auth_cookie() )
    169. 

  169. 			return;
    170. 

  170. 		
    171. 

  171. 		// Show login form
    172. 

  172. 		if ( isset( $_REQUEST['password-protected'] ) && 'login' == $_REQUEST['password-protected'] ) {
    173. 

  173. 			include( dirname( __FILE__ ) . '/theme/login.php' );
    174. 

  174. 			exit();
    175. 

  175. 		} else {
    176. 

  176. 			$query = array(
    177. 

  177. 				'password-protected' => 'login',
    178. 

  178. 				'redirect_to' => urlencode( ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] )
    179. 

  179. 			);
    180. 

  180. 			wp_redirect( add_query_arg( $query, home_url() ) );
    181. 

  181. 			exit();
    182. 

  182. 		}
    183. 

  183. 	}
    184. 

  184. 	
    185. 

  185. 	/**
    186. 

  186. 	 * Get Site ID
    187. 

  187. 	 */
    188. 

  188. 	function get_site_id() {
    189. 

  189. 		global $blog_id;
    190. 

  190. 		return 'bid_' . apply_filters( 'password_protected_blog_id', $blog_id );
    191. 

  191. 	}
    192. 

  192. 	
    193. 

  193. 	/**
    194. 

  194. 	 * Logout
    195. 

  195. 	 */
    196. 

  196. 	function logout() {
    197. 

  197. 		$this->clear_auth_cookie();
    198. 

  198. 		do_action( 'password_protected_logout' );
    199. 

  199. 	}
    200. 

  200. 	
    201. 

  201. 	/**
    202. 

  202. 	 * Validate Auth Cookie
    203. 

  203. 	 */
    204. 

  204. 	function validate_auth_cookie( $cookie = '', $scheme = '' ) {
    205. 

  205. 		if ( ! $cookie_elements = $this->parse_auth_cookie( $cookie, $scheme ) ) {
    206. 

  206. 			do_action( 'password_protected_auth_cookie_malformed', $cookie, $scheme );
    207. 

  207. 			return false;
    208. 

  208. 		}
    209. 

  209. 		extract( $cookie_elements, EXTR_OVERWRITE );
    210. 

  210. 		
    211. 

  211. 		$expired = $expiration;
    212. 

  212. 	
    213. 

  213. 		// Allow a grace period for POST and AJAX requests
    214. 

  214. 		if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] )
    215. 

  215. 			$expired += 3600;
    216. 

  216. 	
    217. 

  217. 		// Quick check to see if an honest cookie has expired
    218. 

  218. 		if ( $expired < time() ) {
    219. 

  219. 			do_action('password_protected_auth_cookie_expired', $cookie_elements);
    220. 

  220. 			return false;
    221. 

  221. 		}
    222. 

  222. 		
    223. 

  223. 		$pass = md5( get_option( 'password_protected_password' ) );
    224. 

  224. 		$pass_frag = substr( $pass, 8, 4 );
    225. 

  225. 	
    226. 

  226. 		$key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
    227. 

  227. 		$hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key);
    228. 

  228. 		
    229. 

  229. 		if ( $hmac != $hash ) {
    230. 

  230. 			do_action( 'password_protected_auth_cookie_bad_hash', $cookie_elements );
    231. 

  231. 			return false;
    232. 

  232. 		}
    233. 

  233. 	
    234. 

  234. 		if ( $expiration < time() ) // AJAX/POST grace period set above
    235. 

  235. 			$GLOBALS['login_grace_period'] = 1;
    236. 

  236. 	
    237. 

  237. 		return true;
    238. 

  238. 	}
    239. 

  239. 

  240. 	/**
    241. 

  241. 	 * Generate Auth Cookie
    242. 

  242. 	 */
    243. 

  243. 	function generate_auth_cookie( $expiration, $scheme = 'auth' ) {
    244. 

  244. 		$pass = md5( get_option( 'password_protected_password' ) );
    245. 

  245. 		$pass_frag = substr( $pass, 8, 4 );
    246. 

  246. 		
    247. 

  247. 		$key = md5( $this->get_site_id() . $pass_frag . '|' . $expiration );
    248. 

  248. 		$hash = hash_hmac( 'md5', $this->get_site_id() . '|' . $expiration, $key );
    249. 

  249. 		$cookie = $this->get_site_id() . '|' . $expiration . '|' . $hash;
    250. 

  250. 	
    251. 

  251. 		return $cookie;
    252. 

  252. 	}
    253. 

  253. 	
    254. 

  254. 	/**
    255. 

  255. 	 * Parse Auth Cookie
    256. 

  256. 	 */
    257. 

  257. 	function parse_auth_cookie( $cookie = '', $scheme = '' ) {
    258. 

  258. 		if ( empty( $cookie ) ) {
    259. 

  259. 			$cookie_name = $this->cookie_name();
    260. 

  260. 	
    261. 

  261. 			if ( empty( $_COOKIE[$cookie_name] ) )
    262. 

  262. 				return false;
    263. 

  263. 			$cookie = $_COOKIE[$cookie_name];
    264. 

  264. 		}
    265. 

  265. 	
    266. 

  266. 		$cookie_elements = explode( '|', $cookie );
    267. 

  267. 		if ( count( $cookie_elements ) != 3 )
    268. 

  268. 			return false;
    269. 

  269. 	
    270. 

  270. 		list( $site_id, $expiration, $hmac ) = $cookie_elements;
    271. 

  271. 	
    272. 

  272. 		return compact( 'site_id', 'expiration', 'hmac', 'scheme' );
    273. 

  273. 	}
    274. 

  274. 	
    275. 

  275. 	/**
    276. 

  276. 	 * Set Auth Cookie
    277. 

  277. 	 * @todo
    278. 

  278. 	 */
    279. 

  279. 	function set_auth_cookie( $remember = false, $secure = '') {
    280. 

  280. 		if ( $remember ) {
    281. 

  281. 			$expiration = $expire = time() + apply_filters( 'password_protected_auth_cookie_expiration', 1209600, $remember );
    282. 

  282. 		} else {
    283. 

  283. 			$expiration = time() + apply_filters( 'password_protected_auth_cookie_expiration', 172800, $remember );
    284. 

  284. 			$expire = 0;
    285. 

  285. 		}
    286. 

  286. 	
    287. 

  287. 		if ( '' === $secure )
    288. 

  288. 			$secure = is_ssl();
    289. 

  289. 	
    290. 

  290. 		$secure_password_protected_cookie = apply_filters( 'password_protected_secure_password_protected_cookie', false, $secure );
    291. 

  291. 		$password_protected_cookie = $this->generate_auth_cookie( $expiration, 'password_protected' );
    292. 

  292. 		
    293. 

  293. 		setcookie( $this->cookie_name(), $password_protected_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
    294. 

  294. 		if ( COOKIEPATH != SITECOOKIEPATH )
    295. 

  295. 			setcookie( $this->cookie_name(), $password_protected_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_password_protected_cookie, true );
    296. 

  296. 	}
    297. 

  297. 	
    298. 

  298. 	/**
    299. 

  299. 	 * Clear Auth Cookie
    300. 

  300. 	 */
    301. 

  301. 	function clear_auth_cookie() {
    302. 

  302. 		setcookie( $this->cookie_name(), ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN );
    303. 

  303. 		setcookie( $this->cookie_name(), ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN );
    304. 

  304. 	}
    305. 

  305. 	
    306. 

  306. 	/**
    307. 

  307. 	 * Cookie Name
    308. 

  308. 	 */
    309. 

  309. 	function cookie_name() {
    310. 

  310. 		return $this->get_site_id() . '_password_protected_auth';
    311. 

  311. 	}
    312. 

  312. 	
    313. 

  313. 	/**
    314. 

  314. 	 * Install
    315. 

  315. 	 */
    316. 

  316. 	function install() {
    317. 

  317. 		$old_version = get_option( 'password_protected_version' );
    318. 

  318. 		
    319. 

  319. 		// 1.1 - Upgrade to MD5
    320. 

  320. 		if ( empty( $old_version ) || version_compare( '1.1', $old_version ) ) {
    321. 

  321. 			$pwd = get_option( 'password_protected_password' );
    322. 

  322. 			if ( ! empty( $pwd ) ) {
    323. 

  323. 				$new_pwd = md5( $pwd );
    324. 

  324. 				update_option( 'password_protected_password', $new_pwd );
    325. 

  325. 			} 
    326. 

  326. 		}
    327. 

  327. 		
    328. 

  328. 		update_option( 'password_protected_version', $this->version );
    329. 

  329. 	}
    330. 

  330. 

  331. }
    332. 

  332. 

  333. ?>
    334.