MERGE: branch develop into master 💯

wpwhitesecurity · Jan 31, 2018 · 6e575aa · 6e575aa
2 parents f8da546 + 6ab37c5
commit 6e575aa
Show file tree

Hide file tree

Showing 10 changed files with 172 additions and 40 deletions.
diff --git a/classes/Loggers/Database.php b/classes/Loggers/Database.php
@@ -209,7 +209,11 @@ private function GetActivePromoText() {
 	 */
 	private function CheckPromoToShow() {
 		// If the package is free, show the promo.
-		if ( wsal_freemius()->is_not_paying() ) {
+		if ( ! class_exists( 'WSAL_NP_Plugin' )
+			&& ! class_exists( 'WSAL_Ext_Plugin' )
+			&& ! class_exists( 'WSAL_Rep_Plugin' )
+			&& ! class_exists( 'WSAL_SearchExtension' )
+			&& ! class_exists( 'WSAL_User_Management_Plugin' ) ) {
 			return 80;
 		}
 		return null;

diff --git a/classes/Sensors/Content.php b/classes/Sensors/Content.php
@@ -1457,8 +1457,9 @@ public function ViewingPost() {
 				// Filter $_SERVER array for security.
 				$server_array = filter_input_array( INPUT_SERVER );
 
-				$current_path = $server_array['REQUEST_URI'];
+				$current_path = isset( $server_array['REQUEST_URI'] ) ? $server_array['REQUEST_URI'] : false;
 				if ( ! empty( $server_array['HTTP_REFERER'] )
+					&& ! empty( $current_path )
 					&& strpos( $server_array['HTTP_REFERER'], $current_path ) !== false ) {
 					// Ignore this if we were on the same page so we avoid double audit entries.
 					return;

diff --git a/classes/Sensors/Files.php b/classes/Sensors/Files.php
@@ -39,7 +39,15 @@ class WSAL_Sensors_Files extends WSAL_AbstractSensor {
 	public function HookEvents() {
 		add_action( 'add_attachment', array( $this, 'EventFileUploaded' ) );
 		add_action( 'delete_attachment', array( $this, 'EventFileUploadedDeleted' ) );
-		add_action( 'admin_init', array( $this, 'EventAdminInit' ) );
+
+		/**
+		 * Commenting the code to detect file changes in plugins and themes.
+		 *
+		 * @todo Figure out a way to detect changes in files of plugins and themes.
+		 * With the introduction of the new code editor in 4.9 the previous code
+		 * stopped working.
+		 */
+		// add_action( 'admin_init', array( $this, 'EventAdminInit' ) );
 	}
 
 	/**

diff --git a/classes/Sensors/Menus.php b/classes/Sensors/Menus.php
@@ -380,7 +380,13 @@ public function EventAdminInit() {
 		$server_array = filter_input_array( INPUT_SERVER );
 		$get_array = filter_input_array( INPUT_GET );
 
-		$is_nav_menu = basename( $server_array['SCRIPT_NAME'] ) == 'nav-menus.php';
+		// Check if SCRIPT_NAME exists or not.
+		$script_name = '';
+		if ( ! empty( $server_array['SCRIPT_NAME'] ) ) {
+			$script_name = $server_array['SCRIPT_NAME'];
+		}
+
+		$is_nav_menu = basename( $script_name ) == 'nav-menus.php';
 		if ( $is_nav_menu ) {
 			if ( isset( $get_array['action'] ) && 'delete' == $get_array['action'] ) {
 				if ( isset( $get_array['menu'] ) ) {

diff --git a/classes/Sensors/System.php b/classes/Sensors/System.php
@@ -398,7 +398,11 @@ public function EventAdminInit() {
 			return;
 		}
 
-		$actype = basename( $server_array['SCRIPT_NAME'], '.php' );
+		$actype = '';
+		if ( ! empty( $server_array['SCRIPT_NAME'] ) ) {
+			$actype = basename( $server_array['SCRIPT_NAME'], '.php' );
+		}
+
 		$is_option_page = 'options' === $actype;
 		$is_network_settings = 'settings' === $actype;
 		$is_permalink_page = 'options-permalink' === $actype;

diff --git a/classes/Settings.php b/classes/Settings.php
@@ -367,6 +367,43 @@ public function SetRestrictAdmins( $enable ) {
 		$this->_plugin->SetGlobalOption( 'restrict-admins', (bool) $enable );
 	}
 
+	/**
+	 * Method: Set Login Page Notification.
+	 *
+	 * @param bool $enable - Enable/Disable.
+	 */
+	public function set_login_page_notification( $enable ) {
+		$this->_plugin->SetGlobalOption( 'login_page_notification', $enable );
+	}
+
+	/**
+	 * Method: Check if Login Page Notification is set.
+	 *
+	 * @return bool - True if set, false if not.
+	 */
+	public function is_login_page_notification() {
+		return $this->_plugin->GetGlobalOption( 'login_page_notification', false );
+	}
+
+	/**
+	 * Method: Set Login Page Notification Text.
+	 *
+	 * @param string $text - Login Page Notification Text.
+	 */
+	public function set_login_page_notification_text( $text ) {
+		$text = wp_kses( $text, $this->_plugin->allowed_html_tags );
+		$this->_plugin->SetGlobalOption( 'login_page_notification_text', $text );
+	}
+
+	/**
+	 * Method: Return Login Page Notification Text.
+	 *
+	 * @return string|bool - Text if set, false if not.
+	 */
+	public function get_login_page_notification_text() {
+		return $this->_plugin->GetGlobalOption( 'login_page_notification_text', false );
+	}
+
 	public function GetDefaultDisabledAlerts() {
 		return array( 0000, 0001, 0002, 0003, 0004, 0005 );
 	}

diff --git a/classes/Views/Settings.php b/classes/Views/Settings.php
@@ -145,6 +145,8 @@ protected function Save() {
 		$this->_plugin->settings->set_excluded_post_types( isset( $post_array['ExCPTss'] ) ? $post_array['ExCPTss'] : array() );
 
 		$this->_plugin->settings->SetRestrictAdmins( isset( $post_array['RestrictAdmins'] ) );
+		$this->_plugin->settings->set_login_page_notification( isset( $post_array['login_page_notification'] ) ? 'true' : 'false' );
+		$this->_plugin->settings->set_login_page_notification_text( isset( $post_array['login_page_notification_text'] ) ? $post_array['login_page_notification_text'] : false );
 		$this->_plugin->settings->SetRefreshAlertsEnabled( $post_array['EnableAuditViewRefresh'] );
 		$this->_plugin->settings->SetMainIPFromProxy( isset( $post_array['EnableProxyIpCapture'] ) );
 		$this->_plugin->settings->SetInternalIPsFiltering( isset( $post_array['EnableIpFiltering'] ) );
@@ -353,6 +355,45 @@ public function Render() {
 								</fieldset>
 							</td>
 						</tr>
+						<!-- Login Page Notification -->
+						<tr>
+							<th><label for="login_page_notification"><?php esc_html_e( 'Login Page Notification', 'wp-security-audit-log' ); ?></label></th>
+							<td>
+								<fieldset>
+									<label for="login_page_notification">
+										<?php
+										// Get login page notification checkbox.
+										$wsal_lpn = $this->_plugin->settings->is_login_page_notification();
+										if ( $wsal_lpn && 'true' === $wsal_lpn ) {
+											// If option exists, value is true then set to true.
+											$wsal_lpn = true;
+										} elseif ( $wsal_lpn && 'false' === $wsal_lpn ) {
+											// If option exists, value is false then set to false.
+											$wsal_lpn = false;
+										} elseif ( ! $wsal_lpn ) {
+											// Default option value.
+											$wsal_lpn = true;
+										}
+										?>
+										<input type="checkbox" name="login_page_notification" id="login_page_notification" <?php checked( $wsal_lpn ); ?> />
+									</label>
+									<br />
+									<?php
+									// Get login page notification text.
+									$wsal_lpn_text = $this->_plugin->settings->get_login_page_notification_text();
+									?>
+									<textarea name="login_page_notification_text"
+										id="login_page_notification_text"
+										cols="50" rows="5"
+										<?php echo ( $wsal_lpn ) ? false : 'disabled'; ?>
+									><?php echo ( $wsal_lpn_text ) ? wp_kses( $wsal_lpn_text, $this->_plugin->allowed_html_tags ) : false; ?></textarea>
+									<br/>
+									<span class="description">
+										<?php esc_html_e( 'Many compliance regulations (such as the GDRP) require you, as a website administrator to tell all the users of this website that all their actions are being logged.', 'wp-security-audit-log' ); ?>
+									</span>
+								</fieldset>
+							</td>
+						</tr>
 						<!-- Developer Options -->
 						<tr>
 							<th><label><?php esc_html_e( 'Developer Options', 'wp-security-audit-log' ); ?></label></th>
@@ -467,7 +508,7 @@ public function Render() {
 				<!-- Second tab -->
 				<table class="form-table wsal-tab widefat" id="tab-audit-log">
 					<tbody>
-						<!-- Security Alerts Pruning -->
+						<!-- Audit Log Retention -->
 						<?php
 						$disabled = '';
 						if ( $this->_plugin->settings->IsArchivingEnabled() ) {
@@ -480,7 +521,7 @@ public function Render() {
 							</tr>
 						<?php } ?>
 						<tr>
-							<th><label for="delete1"><?php esc_html_e( 'Security Alerts Pruning', 'wp-security-audit-log' ); ?></label></th>
+							<th><label for="delete1"><?php esc_html_e( 'Audit Log Retention', 'wp-security-audit-log' ); ?></label></th>
 							<td>
 								<fieldset>
 									<?php $text = __( '(eg: 1 month)', 'wp-security-audit-log' ); ?>
@@ -834,6 +875,24 @@ function wsalUpdateLoggingStatus(checkbox, label) {
 				logging_status.on( 'change', function() {
 					wsalUpdateLoggingStatus( logging_status, txtNot );
 				} );
+
+				// Enable/disable login notification textarea.
+				function wsal_update_login_page_text( checkbox, textarea ) {
+					if ( checkbox.prop( 'checked' ) ) {
+						textarea.removeProp( 'disabled' );
+					} else {
+						textarea.prop( 'disabled', 'disabled' );
+					}
+				}
+
+				// Login page notification settings.
+				var login_page_notif = jQuery( '#login_page_notification' );
+				var login_page_notif_text = jQuery( '#login_page_notification_text' );
+
+				// Check the change event on checkbox.
+				login_page_notif.on( 'change', function() {
+					wsal_update_login_page_text( login_page_notif, login_page_notif_text );
+				} );
 			} );
 		// -->
 		</script>

diff --git a/readme.txt b/readme.txt
@@ -5,8 +5,8 @@ License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl.html
 Tags: wordpress security plugin, wordpress security audit log, audit log, event log wordpress, wordpress user tracking, wordpress activity log, wordpress audit, security event log, audit trail, wordpress security monitor, wordpress admin, wordpress admin monitoring, user activity, admin, multisite, dashboard, notification, wordpress monitoring, email notification, wordpress email alerts, tracking, user tracking, user activity report, wordpress audit trail
 Requires at least: 3.6
-Tested up to: 4.9.1
-Stable tag: 3.0
+Tested up to: 4.9.2
+Stable tag: 3.0.1
 Requires PHP: 5.3
 
 Keep an audit trail of all changes on your WordPress - ensure productivity & thwart attacks with the most comprehensive audit trail plugin.
@@ -80,7 +80,7 @@ See our [premium features page](https://www.wpsecurityauditlog.com/premium-featu
 
 Support for the WP Security Audit Log plugin on the WordPress forums is free.
 
-Premium world-class support is available via email to all [WP Security Audit Log Premium](https://www.wpsecurityauditlog.com/premium-features/) customers. 
+Premium world-class support is available via email to all [WP Security Audit Log Premium](https://www.wpsecurityauditlog.com/premium-features/) customers.
 
 > <strong>Note</strong>: paid customers support is always given priority  over free support. Paid customers support is provided via one-to-one email and over the phone. [Upgrade to Premium](https://www.wpsecurityauditlog.com/premium-features/) to benefit from priority support.
 >
@@ -91,7 +91,7 @@ WP Security Audit Log plugin also has a number of features that make WordPress a
 * Built-in [support for reverse proxies and web application firewalls](http://www.wpsecurityauditlog.com/documentation/automatically-retrieve-originating-wordpress-user-ip-address/)
 * Full [WordPress multisite support](http://www.wpsecurityauditlog.com/documentation/wordpress-multisite-plugin-features-support/)
 * Easily [create your custom alerts](https://www.wpsecurityauditlog.com/support-documentation/create-custom-alerts-wordpress-audit-trail/) to monitor additional functionality
-* Developer tools including the logging of all HTTP GET and POST requests 
+* Developer tools including the logging of all HTTP GET and POST requests
 * Integration with WhatIsMyIpAddress.com so you can get all information about an IP address with just a mouse click
 * Limit who can view the WordPress audit trail by either users or roles
 * Limit who can manage the plugin by either users or roles
@@ -101,7 +101,7 @@ WP Security Audit Log plugin also has a number of features that make WordPress a
 * Enable or disable any security alerts
 * and much more...
 
-### As Featured On: 
+### As Featured On:
 
 * [GoDaddy](https://www.godaddy.com/garage/decode-security-logs-wordpress/)
 * [Pagely](https://pagely.com/blog/2015/01/log-wordpress-dashboard-activity-improved-security-auditing/)
@@ -111,6 +111,7 @@ WP Security Audit Log plugin also has a number of features that make WordPress a
 * [WP Mayor](http://www.wpmayor.com/wp-security-audit-log-plugin-review-user-activity-logging-wordpress/)
 * [WP SmackDown](https://wpsmackdown.com/wp-plugins/wp-security-audit-log/)
 * [SourceWP](https://www.sourcewp.com/wp-security-audit-log-plugin-review/)
+* [Techwibe](https://www.techwibe.com/wp-security-audit-log-wordpress-plugin/)
 * [KevinMuldoon.com](https://www.kevinmuldoon.com/wp-security-audit-log-review/)
 * [Cloudways](https://www.cloudways.com/blog/monitor-wordpress-with-wp-security-audit-log-plugin/)
 * [ManageWP Plugins of the month](https://managewp.com/free-wordpress-plugins-june-2014)
@@ -178,30 +179,18 @@ Please refer to our [Support & Documentation pages](https://www.wpsecurityauditl
 
 == Changelog ==
 
-=3.0 (2017-01-24)
+=3.0.1 (2018-02-01)
 
 * **New Features**
-	* Added [Freemius](https://www.wpsecurityauditlog.com/support-documentation/what-is-freemius/) to the plugin (opt-in is optional)
-	* Code changes to support new [licensing model](https://www.wpsecurityauditlog.com/blog/)
-	* Message for blocked users sessions can now be edited (PREMIUM)
-
-* **New Alerts**
-	* Alert 9034: Enabled / Disabled the option Cash on Delivery in WooCommerce
-	* Alert 6024: Changed the WordPress address (URL)
-	* Alert 6025: Changed the site address (URL)
-
+	* Added a new editable message that is shown on login page alerting users that their actions are logged (plugin is GDPR compliant).
+	*
+
 * **Improvements**
-	* Fixed escaping issues, improved security and the code of the plugin up to latest WordPress standards.
-	* Improved the Data Retention option (Alerts Pruning). Now users only have to specify the number of months.
-	* Added option to view Tag in all Tag alerts.
-	* Plugin now stores Post ID, Type, Status and Created Date records for every post. Capturing of such data is important for future updates.
-
-* **Update**
-	* Updated Italian translation files.
-
+	* Changed the name of a setting from "Security Alerts Pruning" to "Audit Log Retention" (using correct terms for GDPR compliance).
+
 * **Bug Fixes**
-	* Fixed an issue where users with view audit log privileges could disable alerts from the hover over option.
-	* Fixed broken links in notification emails (PREMIUM)
-	* Fixed a security issue reported by [Jahan Khan](https://5dspectrum.com/)
+	* Updated Freemius SDK - Freemius was not firing on new installs.
+	* Fixed an issue where a URL was reported as NULL in email alerts (PREMIUM).
+	* Removed promo alerts when premium add-ons are installed.
 
 Refer to the [WP Security Audit Log change log](https://www.wpsecurityauditlog.com/plugin-change-log/) page for the complete change log.
diff --git a/sdk/freemius/includes/class-freemius.php b/sdk/freemius/includes/class-freemius.php
@@ -773,8 +773,7 @@ private function _register_hooks() {
 				 */
 				if ( empty( $this->_storage->was_plugin_loaded ) ) {
 					if ( $this->is_plugin() &&
-					     $this->is_activation_mode( false ) &&
-					     0 == did_action( 'plugins_loaded' )
+					     $this->is_activation_mode( false )
 					) {
 						add_action( 'plugins_loaded', array( &$this, '_plugins_loaded' ) );
 					} else {
@@ -2427,7 +2426,7 @@ static function is_valid_email( $email ) {
 
 			return ( checkdnsrr( $domain, 'MX' ) || checkdnsrr( $domain, 'A' ) );
 		}
-		
+
 		/**
 		 * Generate API connectivity issue message.
 		 *
@@ -3941,7 +3940,7 @@ private function deactivate_premium_only_addon_without_license( $is_after_trial_
 			     ! $this->has_features_enabled_license() &&
 			     ! $this->_has_premium_license()
 			) {
-				if ( $this->is_registered() ) {				
+				if ( $this->is_registered() ) {
 					// IF wrapper is turned off because activation_timestamp is currently only stored for plugins (not addons).
 	//                if (empty($this->_storage->activation_timestamp) ||
 	//                    (WP_FS__SCRIPT_START_TIME - $this->_storage->activation_timestamp) > 30
@@ -8637,7 +8636,7 @@ function opt_in(
 					 * If opting in with a context license and the context WP Admin user already opted in
 					 * before from the current site, add the user context security params to avoid the
 					 * unnecessry email activation when the context license is owned by the same context user.
-					 * 
+					 *
 					 * @author Leo Fajardo (@leorw)
 					 * @since 1.2.3
 					 */

diff --git a/wp-security-audit-log.php b/wp-security-audit-log.php
@@ -4,7 +4,7 @@
  * Plugin URI: http://www.wpsecurityauditlog.com/
  * Description: Identify WordPress security issues before they become a problem. Keep track of everything happening on your WordPress including WordPress users activity. Similar to Windows Event Log and Linux Syslog, WP Security Audit Log generates a security alert for everything that happens on your WordPress blogs and websites. Use the Audit Log Viewer included in the plugin to see all the security alerts.
  * Author: WP White Security
- * Version: 3.0
+ * Version: 3.0.1
  * Text Domain: wp-security-audit-log
  * Author URI: http://www.wpsecurityauditlog.com/
  * License: GPL2
@@ -54,7 +54,7 @@ class WpSecurityAuditLog {
 		 *
 		 * @var string
 		 */
-		public $version = '3.0';
+		public $version = '3.0.1';
 
 		// Plugin constants.
 		const PLG_CLS_PRFX = 'WSAL_';
@@ -216,6 +216,9 @@ public function __construct() {
 			// Handle admin Disable Alerts.
 			add_action( 'wp_ajax_AjaxDisableByCode', array( $this, 'AjaxDisableByCode' ) );
 
+			// Render Login Page Notification.
+			add_filter( 'login_message', array( $this, 'render_login_page_message' ), 10, 1 );
+
 			// Register freemius uninstall event.
 			wsal_freemius()->add_action( 'after_uninstall', array( $this, 'wsal_freemius_uninstall_cleanup' ) );
 
@@ -1060,6 +1063,28 @@ public function UpdateGlobalOption( $option, $value ) {
 			return $this->options->SetOptionValue( $option, $value );
 		}
 
+		/**
+		 * Method: Render login page message.
+		 *
+		 * @param string $message - Login message.
+		 */
+		public function render_login_page_message( $message ) {
+			// Check if the option is enabled.
+			$login_message_enabled = $this->settings->is_login_page_notification();
+			if ( 'true' === $login_message_enabled
+				|| ( ! $login_message_enabled && 'false' !== $login_message_enabled ) ) {
+				// Get login message.
+				$message = $this->settings->get_login_page_notification_text();
+
+				// Default message.
+				if ( ! $message ) {
+					$message = wp_kses( __( 'For security and auditing purposes, a record of all of your logged-in actions and changes within the WordPress dashboard will be recorded in an audit log with the <a href="https://www.wpsecurityauditlog.com/" target="_blank">WP Security Audit Log plugin</a>. The audit log also includes the IP address where you accessed this site from.', 'wp-security-audit-log' ), $this->allowed_html_tags );
+				}
+			}
+			// Return message.
+			return $message;
+		}
+
 	}
 
 	// Profile WSAL load time.