Merge pull request #148 from dshanske/multiuser

Fixes

Author: dshanske

.travis.yml

@@ -29,9 +29,9 @@ matrix:
   - php: 5.6
     env: WP_PLUGIN_DEPLOY=1
   - php: 5.5
-    env: WP_VERSION=4.7 WP_MULTISITE=0
+    env: WP_VERSION=4.9.9 WP_MULTISITE=0
   - php: 5.4
-    env: WP_VERSION=4.7 WP_MULTISITE=0
+    env: WP_VERSION=4.9.9 WP_MULTISITE=0
 before_script:
 - |
   # Remove Xdebug for a huge performance increase:

includes/class-indieauth-admin.php

@@ -11,6 +11,121 @@ public function __construct() {
 		add_action( 'init', array( $this, 'settings' ) );
 		add_action( 'login_form_authdiag', array( $this, 'login_form_authdiag' ) );
 		add_action( 'admin_menu', array( $this, 'admin_menu' ) );
+		add_filter( 'wp_pre_insert_user_data', array( $this, 'unique_user_url' ), 10, 3 );
+		add_filter( 'manage_users_columns', array( $this, 'add_user_url_column' ) );
+		add_filter( 'manage_users_custom_column', array( $this, 'user_url_column' ), 10, 3 );
+		add_filter( 'site_status_tests', array( $this, 'add_indieauth_test' ) );
+		add_action( 'admin_notices', array( $this, 'admin_notices' ) );
+	}
+
+
+	public function admin_notices() {
+		if ( ! get_option( 'indieauth_header_check', 0 ) ) {
+			echo '<div class="notice notice-warning"><p>';
+			esc_html_e( 'In order to ensure IndieAuth tokens will work please visit the settings page to check:', 'indieauth' );
+			printf( ' <a href="%1s">%2$s</a>', esc_url( menu_page_url( 'indieauth', false ) ), esc_html__( 'Visit Settings Page', 'indieauth' ) );
+			echo '</p></div>';
+		}
+		$screen = get_current_screen();
+		if ( ( 'users' === $screen->id ) && $this->check_dupe_user_urls() ) {
+			echo '<div class="notice notice-error"><p>';
+			esc_html_e( 'Multiple user accounts have the same URL set. This is not permitted as this value is used by IndieAuth for login. Please resolve', 'indieauth' );
+			echo '</p></div>';
+		}
+	}
+
+	public function add_indieauth_test( $tests ) {
+		$tests['direct']['indieauth_plugin'] = array(
+			'label' => __( 'IndieAuth Test', 'indieauth' ),
+			'test'  => array( $this, 'site_health_test' ),
+		);
+		return $tests;
+	}
+
+	public function site_health_test() {
+		$result = array(
+			'label'       => __( 'Authorization Header Passed', 'indieauth' ),
+			'status'      => 'good',
+			'badge'       => array(
+				'label' => __( 'IndieAuth', 'indieauth' ),
+				'color' => 'green',
+			),
+			'description' => sprintf(
+				'<p>%s</p>',
+				__( 'Your hosting provider allows authorization headers to pass so IndieAuth should work', 'indieauth' )
+			),
+			'actions'     => '',
+			'test'        => 'indieauth_headers',
+		);
+
+		if ( ! self::test_auth() ) {
+			$result['status']      = 'critical';
+			$result['label']       = __( 'Authorization Test Failed', 'indieauth' );
+			$result['description'] = sprintf(
+				'<p>%s</p>',
+				__( 'Authorization Headers are being blocked by your hosting provider. This will cause IndieAuth to fail.', 'indieauth' )
+			);
+			$result['actions']     = sprintf( '<a href="%1$s" >%2$s</a>', menu_page_url( 'indieauth', false ), __( 'Visit the Settings page for guidance on how to resolve.', 'indieauth' ) );
+		}
+
+		return $result;
+	}
+
+	public function user_url_column( $val, $column_id, $user_id ) {
+		if ( 'user_url' === $column_id ) {
+			$user = get_user_by( 'id', $user_id );
+			if ( ! wp_http_validate_url( $user->user_url ) ) {
+				return __( 'None', 'indieauth' );
+			}
+			$url = esc_url( $user->user_url );
+			return sprintf( '<a href="%1s">%1$s</a>', $url );
+		}
+		return $val;
+	}
+
+	public function add_user_url_column( $column ) {
+		$column['user_url'] = __( 'Website', 'indieauth' );
+		return $column;
+	}
+
+	/**
+	 * Ensure all user URL fields are unique
+	 *
+	 */
+	public function unique_user_url( $data, $update, $id ) {
+		if ( empty( $data['user_url'] ) ) {
+			return $data;
+		}
+		$data['user_url'] = normalize_url( $data['user_url'] );
+		$users            = get_users(
+			array(
+				'search'         => '*' . wp_parse_url( $data['user_url'], PHP_URL_HOST ) . '*',
+				'search_columns' => array( 'user_url' ),
+				'fields'         => array( 'ID', 'user_url' ),
+			)
+		);
+
+		$url = normalize_url( $data['user_url'], true );
+		foreach ( $users as $user ) {
+			if ( ( normalize_url( $user->user_url, true ) === $url ) && $user->ID !== $id ) {
+				$data['user_url'] = '';
+			}
+		}
+			return $data;
+	}
+
+	public function check_dupe_user_urls() {
+		$urls = get_users(
+			array(
+				'fields' => array( 'user_url' ),
+			)
+		);
+		$urls = array_filter( wp_list_pluck( $urls, 'user_url' ) );
+		$urls = array_map( 'normalize_url', $urls );
+		if ( count( array_unique( $urls ) ) === count( $urls ) ) {
+			return false;
+		}
+		return true;
 	}
 
 	public function login_form_authdiag() {
@@ -33,7 +148,7 @@ public function login_form_authdiag() {
 				header( 'Content-Type: application/json' );
 				$return = wp_json_encode( array( 'message' => $return ) );
 			}
-			echo $return;
+			echo $return; // phpcs:ignore
 			exit;
 		}
 		$args = array(
@@ -44,7 +159,6 @@ public function login_form_authdiag() {
 		exit;
 	}
 
-
 	public function settings() {
 		register_setting(
 			'indieauth',
@@ -102,10 +216,7 @@ public function admin_menu() {
 		add_action( 'load-' . $options_page, array( $this, 'add_help_tab' ) );
 	}
 
-	/**
-	 * Load settings page
-	 */
-	public function settings_page() {
+	public function test_auth() {
 		$response = wp_remote_post(
 			add_query_params_to_url(
 				array(
@@ -123,15 +234,27 @@ public function settings_page() {
 		);
 		if ( ! is_wp_error( $response ) ) {
 			$json = json_decode( wp_remote_retrieve_body( $response ) );
-			set_query_var( 'authdiag_message', $json->message );
+			return $json->message;
 		} else {
-			set_query_var( 'authdiag_message', 'Fail' );
+			return false;
 		}
+	}
 
+	/**
+	 * Load settings page
+	 */
+	public function settings_page() {
+		$response = self::test_auth();
+		if ( ! $response ) {
+			ob_start();
+			include plugin_dir_path( __DIR__ ) . 'templates/authdiagfail.php';
+			$response = ob_get_contents();
+			ob_end_clean();
+		}
+		set_query_var( 'authdiag_message', $response );
 		load_template( plugin_dir_path( __DIR__ ) . '/templates/indieauth-settings.php' );
 	}
 
-
 	public function add_help_tab() {
 		get_current_screen()->add_help_tab(
 			array(
@@ -150,15 +273,15 @@ public function add_help_tab() {
 				'content' =>
 					'<p>' . __( 'The IndieWeb is a people-focused alternative to the "corporate web".', 'indieauth' ) . '</p>' .
 					'<p>
-						<strong>' . __( 'Your content is yours', 'indieauth' ) . '</strong><br />' .
+					<strong>' . __( 'Your content is yours', 'indieauth' ) . '</strong><br />' .
 						__( 'When you post something on the web, it should belong to you, not a corporation. Too many companies have gone out of business and lost all of their users’ data. By joining the IndieWeb, your content stays yours and in your control.', 'indieauth' ) .
 					'</p>' .
 					'<p>
-						<strong>' . __( 'You are better connected', 'indieauth' ) . '</strong><br />' .
+					<strong>' . __( 'You are better connected', 'indieauth' ) . '</strong><br />' .
 						__( 'Your articles and status messages can go to all services, not just one, allowing you to engage with everyone. Even replies and likes on other services can come back to your site so they’re all in one place.', 'indieauth' ) .
 					'</p>' .
 					'<p>
-						<strong>' . __( 'You are in control', 'indieauth' ) . '</strong><br />' .
+					<strong>' . __( 'You are in control', 'indieauth' ) . '</strong><br />' .
 						__( 'You can post anything you want, in any format you want, with no one monitoring you. In addition, you share simple readable links such as example.com/ideas. These links are permanent and will always work.', 'indieauth' ) .
 					'</p>',
 			)

includes/class-indieauth-authorization-endpoint.php

@@ -179,12 +179,7 @@ public function verify( $request ) {
 		if ( array() === array_diff_assoc( $params, $token ) ) {
 			$this->delete_code( $code, $token['user'] );
 
-			if ( ( class_exists( 'Indieweb_Plugin' ) && get_option( 'iw_single_author' ) ) || ! is_multi_author() ) {
-				$return = array( 'me' => home_url( '/' ) );
-			} else {
-				// Return the user profile URL and scope
-				$return = array( 'me' => get_author_posts_url( $user->ID ) );
-			}
+			$return = array( 'me' => get_url_from_url( $user->ID ) );
 
 			if ( isset( $token['scope'] ) ) {
 				$return['scope'] = $token['scope'];

includes/class-indieauth-debug.php

@@ -114,8 +114,6 @@ public function test( $request ) {
 		}
 		return indieauth_get_response();
 	}
-
-
 }
 
 new IndieAuth_Debug();

includes/class-indieauth-token-endpoint.php

@@ -218,13 +218,9 @@ public static function verify_local_authorization_code( $post_args ) {
 			unset( $return['code_challenge'] );
 			unset( $return['code_challenge_method'] );
 		}
-		if ( ( class_exists( 'Indieweb_Plugin' ) && get_option( 'iw_single_author' ) ) || ! is_multi_author() ) {
-			$return['me'] = home_url( '/' );
-		} else {
-			// Return the user profile URL and scope
-			$return['me'] = get_author_posts_url( $return['user'] );
-		}
-		$user = get_user_by_identifier( $return['me'] );
+		$return['me'] = get_url_from_user( $return['user'] );
+
+		$user = get_user_by( 'id', $return['user'] );
 		if ( $user ) {
 			$return['profile'] = indieauth_get_user( $user );
 		}

includes/class-token-list-table.php

@@ -20,13 +20,13 @@ public function get_columns() {
 
 	public function get_bulk_actions() {
 			  return array(
-				  'revoke'   => __( 'Revoke', 'indieauth' ),
+				  'revoke'       => __( 'Revoke', 'indieauth' ),
 				  'revoke_year'  => __( 'Revoke Tokens Last Accessed 1 Year Ago or Never', 'indieauth' ),
-				  'revoke_month'  => __( 'Revoke Tokens Last Accessed 1 Month Ago or Never', 'indieauth' ),
+				  'revoke_month' => __( 'Revoke Tokens Last Accessed 1 Month Ago or Never', 'indieauth' ),
 				  'revoke_week'  => __( 'Revoke Tokens Last Accessed 1 Week Ago or Never', 'indieauth' ),
-				  'revoke_day'  => __( 'Revoke Tokens Last Accessed 1 Day Ago or Never', 'indieauth' ),
+				  'revoke_day'   => __( 'Revoke Tokens Last Accessed 1 Day Ago or Never', 'indieauth' ),
 				  'revoke_hour'  => __( 'Revoke Tokens Last Accessed 1 Hour Ago or Never', 'indieauth' ),
-				  'cleanup' => __( 'Clean Up Expired Tokens and Authorization Codes', 'indieauth' ),
+				  'cleanup'      => __( 'Clean Up Expired Tokens and Authorization Codes', 'indieauth' ),
 			  );
 	}
 

includes/functions.php

@@ -144,6 +144,22 @@ function parse_html_rels( $contents, $url ) {
 	}
 }
 
+/**
+ * Uses the code from is_multi_author to determine the identity of the single author
+ * @return false|int User ID of the single author if exists
+ */
+if ( ! function_exists( 'get_single_author' ) ) {
+	function get_single_author() {
+		global $wpdb;
+		if ( false === ( $single_author = get_transient( 'single_author' ) ) ) {
+			$rows          = (array) $wpdb->get_col( "SELECT DISTINCT post_author FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'publish' LIMIT 2" );
+			$single_author = 1 === count( $rows ) ? (int) $rows[0] : false;
+			set_transient( 'single_author', $single_author );
+		}
+		return $single_author;
+	}
+}
+
 /**
  * Get the user associated with the specified Identifier-URI.
  *
@@ -155,24 +171,30 @@ function get_user_by_identifier( $identifier ) {
 		if ( empty( $identifier ) ) {
 			return null;
 		}
-		// Ensure has trailing slash
-		$identifier = trailingslashit( $identifier );
+
+		$identifier = normalize_url( $identifier );
 		if ( ( 'https' === wp_parse_url( home_url(), PHP_URL_SCHEME ) ) && ( wp_parse_url( home_url(), PHP_URL_HOST ) === wp_parse_url( $identifier, PHP_URL_HOST ) ) ) {
 			$identifier = set_url_scheme( $identifier, 'https' );
 		}
 		// Try to save the expense of a search query if the URL is the site URL
 		if ( home_url( '/' ) === $identifier ) {
 			// Use the Indieweb settings to set the default author
-			if ( class_exists( 'Indieweb_Plugin' ) && ( get_option( 'iw_single_author' ) || ! is_multi_author() ) ) {
+			if ( class_exists( 'Indieweb_Plugin' ) && get_option( 'iw_single_author' ) ) {
 				return get_user_by( 'id', get_option( 'iw_default_author' ) );
 			}
-			$users = get_users( array( 'who' => 'authors' ) );
-			if ( 1 === count( $users ) ) {
-				return $users[0];
+			$author = get_single_author();
+			//  If there is only a single author then they will get the root url
+			if ( $author ) {
+				return get_user_by( 'id', $author );
+			} else {
+				$users = get_users( array( 'fields' => 'ID' ) );
+				if ( 1 === count( $users ) ) {
+					return get_user_by( 'id', $users[0] );
+				}
+				return null;
 			}
-			return null;
-
 		}
+
 		// Check if this is a author post URL
 		$user = url_to_author( $identifier );
 		if ( $user instanceof WP_User ) {
@@ -186,13 +208,29 @@ function get_user_by_identifier( $identifier ) {
 
 		$users = get_users( $args );
 		// check result
-		if ( ! empty( $users ) ) {
+		if ( is_countable( $users ) && 1 === count( $users ) ) {
 			return $users[0];
 		}
 		return null;
 	}
 }
 
+
+/**
+ * Tries to make some decisions about what URL to return for a user
+ */
+if ( ! function_exists( 'get_url_from_user' ) ) {
+	function get_url_from_user( $user_id ) {
+		if ( class_exists( 'Indieweb_Plugin' ) && get_option( 'iw_single_author' ) ) {
+			if ( get_option( 'iw_default_author' ) === $user_id ) {
+				return home_url( '/' );
+			}
+		}
+		$user = get_user_by( 'ID', $user_id );
+		return get_author_posts_url( $user_id );
+	}
+}
+
 /**
  * Examine a url and try to determine the author ID it represents.
  *
@@ -354,6 +392,34 @@ function build_url( $parsed_url ) {
 	}
 }
 
+if ( ! function_exists( 'normalize_url' ) ) {
+	// Adds slash if no path is in the URL, and convert hostname to lowercase
+	function normalize_url( $url, $force_ssl = false ) {
+		$parts = wp_parse_url( $url );
+		if ( array_key_exists( 'path', $parts ) && '' === $parts['path'] ) {
+			return false;
+		}
+		// wp_parse_url returns just "path" for naked domains
+		if ( count( $parts ) === 1 && array_key_exists( 'path', $parts ) ) {
+			$parts['host'] = $parts['path'];
+			unset( $parts['path'] );
+		}
+		if ( ! array_key_exists( 'scheme', $parts ) ) {
+			$parts['scheme'] = $force_ssl ? 'https' : 'http';
+		} elseif ( $force_ssl ) {
+			$parts['scheme'] = 'https';
+		}
+		if ( ! array_key_exists( 'path', $parts ) ) {
+			$parts['path'] = '/';
+		}
+		// Invalid scheme
+		if ( ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
+			return false;
+		}
+		return build_url( $parts );
+	}
+}
+
 /**
  * Get Scope
  *