Merge pull request #40 from trustedlogin/develop

Version 1.2
trustedlogin · Jan 30, 2024 · f2546f2 · f2546f2
2 parents caaf99d + cde0711
commit f2546f2
Show file tree

Hide file tree

Showing 5 changed files with 203 additions and 163 deletions.
diff --git a/README.md b/README.md
@@ -1,11 +1,5 @@
 # Remove Dashboard Access
-##### (Remove Dashboard Access for Non-Admins)
-
-* Contributors: DrewAPicture
-* Tags: dashboard, access, users, administration
-* Requires at least: 3.1.0
-* Tested up to: 4.1.1
-* Stable tag: 1.1.3
+## (Remove Dashboard Access for Non-Admins)
 
 This WordPress plugin limits user access to the dashboard based on whether users have a chosen capability or role. Disallowed users are redirected to a chosen URL.
 
@@ -15,9 +9,6 @@ This WordPress plugin limits user access to the dashboard based on whether users
 * Choose your own redirect URL
 * Optionally allow user profile access
 * Optionally display a message on the login screen
-* See **Other Notes** for more info
-
-A full list of capabilities and their associated roles can be found here: http://codex.wordpress.org/Roles_and_Capabilities
 
 #### Contribute to RDA
 
@@ -27,122 +18,3 @@ Pull requests are welcome!
 
 1. Search 'Remove Dashboard Access' from the Install Plugins screen.
 2. Install plugin, click Activate.
-
-## Frequently Asked Questions
-
-#### What happens to disallowed users who try to login to the Dashboard?
-
-Users lacking the chosen capability or role will be redirected to the URL set in Settings > Dashboard Access.
-
-#### Why haven't you added an option to disable the WordPress Toolbar?
-
-The Toolbar contains certain important links (even for disallowed users) such as for accessing to the profile editor and/or logging out. Plus, there are many plugins out there for disabling the Toolbar if you really want to.
-
-#### Can I disable the redirection/profile-editing controls without disabling the plugin?
-
-No. Disable the plugin if you don't wish to leverage the functionality.
-
-## Other Notes
-
-#### Capabilities
-
-* You can limit Dashboard access to Admins only, Editors or above, Authors or above, or by selecting a capability. More information on WordPress' default roles and capabilities can be found here: http://codex.wordpress.org/Roles_and_Capabilities
-
-#### User Profile Access
-
-* You can optionally allow all users the ability to edit their profiles in the Dashboard. Users lacking the chosen capability won't be able to access any other sections of the Dashboard.
-
-#### Login Message
-
-* Supply a message to display on the login screen. Leaving this blank disables the message.
-
-#### Hiding other plugins/themes' Toolbar menus
-
-This hides some built-in WordPress Toolbar menus by default, but can be extended to hide menus from other plugins or themes via two filters: `rda_toolbar_nodes`, and `rda_frontend_toolbar_nodes`.
-
-##### How to find the menu (node) id:
-
-* In the HTML page source, look for the `<li>` container for the menu node you're targeting. It should take the form of `<li id="wp-admin-bar-SOMETHING">`
-* In `<li id="wp-admin-bar-SOMETHING">`, you want the "SOMETHING" part.
-
-##### How to filter the disallowed Toolbar nodes on the front-end:
-
-```php
-/**
- * Filter hidden Toolbar menus on the front-end.
- *
- * @param array $ids Toolbar menu IDs.
- * @return array (maybe) filtered front-end Toolbar menu IDs.
- */
-function hide_some_toolbar_menu( $ids ) {
-	$ids[] = 'SOMETHING';
-	return $ids;
-}
-add_filter( 'rda_frontend_toolbar_nodes', 'hide_some_toolbar_menu' );
-```
-
-##### Common plugin Toolbar menus and their ids:
-
-| Plugin | Menu ID |
-| ------ | ------- |
-| [Jetpack by WordPress.com](http://wordpress.org/extend/plugins/jetpack/) (notifications) | 'notes |
-| [WordPress SEO by Yoast](http://wordpress.org/extend/plugins/wordpress-seo/) | 'wpseo-menu' |
-| [W3 Total Cache](http://wordpress.org/extend/plugins/w3-total-cache/) | 'w3tc' |
-
-#### Debug Mode
-
-* To view debugging information on the Settings > Reading screen, visit yoursite.com/options-general.php?page=dashboard-access&rda_debug=1
-
-## Changelog
-
-#### 1.1.3
-
-* Fixed a compatibility issue with bbPress and the media grid view.
-
-#### 1.1.2
-
-* Bump tested-up-to to 4.1.0
-* Miscellaneous readme changes.
-
-#### 1.1.1
-
-Bug Fix:
-* Move options back to Settings > Dashboard Access screen to resolve conflict with page_on_front UI.
-
-#### 1.1
-
-Enhancements:
-* Instantiate as a static instance for better modularity
-* Move Dashboard Access Controls settings to Settings > Dashboard Access
-* Add optional login message option
-* Add better settings sanitization
-* New Filter: `rda_default_caps_for_role` - Filter default roles for Admins, Editors, and Authors
-
-Bug Fixes:
-* Remove unnecessarily stringent URL mask on the redirect URL option
-
-#### 1.0
-
-* Complete rewrite!
-* New: Limit dashboard access for Admins only or by capability
-* New: Allow/disallow edit-profile access
-* New: Choose your own redirect URL
-* New Filter: `rda_default_access_cap` - Change default access capability
-* New Filter: `rda_toolbar_nodes` - Filter which back-end Toolbar nodes are hidden
-* New Filter: `rda_frontend_toolbar_nodes` - Filter which front-end Toolbar nodes are hidden
-
-#### 0.4
-
-* Refined DOING_AJAX check for logged-out users, props @nacin and @BoiteAWeb
-
-#### 0.3
-
-* Changed cap to manage_options, replaced PHP_SELF with DOING_AJAX
-
-#### 0.2
-
-* Replaced preg_match with admin-ajax test. Added compatibility with rewritten dashboard URLs.
-
-#### 0.1
-
-* Submitted to repository
diff --git a/inc/class.rda-options.php b/inc/class.rda-options.php
@@ -16,14 +16,15 @@ class RDA_Options {
 	/**
 	 * Static instance to make removing actions and filters modular.
 	 *
+	 * @var $instance RDA_Options
 	 * @since 1.1
 	 * @access public
 	 * @static
 	 */
 	public static $instance;
 
 	/**
-	 * @var $settings rda-settings options array
+	 * @var $settings array rda-settings options array
 	 *
 	 * @since 1.0
 	 * @access public
@@ -409,7 +410,7 @@ private function _output_caps_dropdown() {
 	 * @uses checked() Outputs the checked attribute when the option is enabled.
 	 */
 	public function profile_enable_cb() {
-		printf( '<input name="rda_enable_profile" type="checkbox" value="1" class="code" %1$s/>%2$s',
+		printf( '<label><input name="rda_enable_profile" type="checkbox" value="1" class="code" %1$s/>%2$s</label>',
 			checked( esc_attr( $this->settings['enable_profile'] ), true, false ),
 			/* Translators: The leading space is intentional to space the text away from the checkbox */
 			esc_html__( ' Allow all users to edit their profiles in the dashboard.', 'remove_dashboard_access' )
@@ -443,7 +444,23 @@ public function url_redirect_cb() {
 	 */
 	public function login_message_cb() {
 		?>
-		<p><input name="rda_login_message" class="regular-text" type="text" value="<?php echo esc_attr( $this->settings['login_message'] ); ?>" placeholder="<?php esc_attr_e( '(Disabled when empty)', 'remove_dashboard_access' ); ?>" /></p>
+		<p><label>
+                <?php esc_html_e( 'Display this message to users above the login form:', 'remove_dashboard_access' ); ?>
+                <input name="rda_login_message" class="widefat" type="text" value="<?php echo esc_attr( $this->settings['login_message'] ); ?>" placeholder="<?php esc_attr_e( '(Disabled when empty)', 'remove_dashboard_access' ); ?>" />
+            </label>
+        </p>
+        <p class="howto">
+			<span class="howto"><?php
+
+				// translators: %s is replaced with the default login message
+				echo sprintf(
+					esc_html__( 'Leave blank to not show a message. This message will only be shown on the %1$sLog In screen%2$s, not in embedded Login/Logout blocks.', 'remove_dashboard_access' ),
+					'<a href="' . esc_url( wp_login_url() ) . '" target="_blank">',
+					'<span class="screen-reader-text"> ' . esc_html__( '(This link opens in a new window.)' ) . '</span></a>'
+				);
+
+				?></span>
+        </p>
 		<?php
 	}
 

diff --git a/inc/class.rda-remove-access.php b/inc/class.rda-remove-access.php
@@ -120,12 +120,113 @@ function dashboard_redirect() {
 		/** @global string $pagenow */
 		global $pagenow;
 
+		if ( $this->is_allowed_page() ) {
+			return;
+		}
+
 		if ( ( $pagenow && 'profile.php' !== $pagenow ) || ( defined( 'IS_PROFILE_PAGE' ) && ! IS_PROFILE_PAGE ) || ! $this->settings['enable_profile'] ) {
 			wp_redirect( $this->settings['redirect_url'] );
 			exit;
 		}
 	}
 
+	/**
+	 * Returns an array of admin pages that are allowed.
+	 *
+	 * @since 1.2
+	 *
+	 * @return array Allowlist of admin pages.
+	 */
+	private function get_allowlist() {
+
+		$allowlist = array(
+			'admin.php' => array(
+				array(
+					'page' => 'WFLS', // Wordfence Login Security 2FA
+				),
+			),
+		);
+
+		/**
+		 * Filter the allowlist of admin pages.
+		 * The function returns an associative array with $pagenow as the key and a nested array of key => value pairs
+		 * where the key is the $_GET variable and the value is the allowed value.
+		 *
+		 * Example: To allow the Wordfence Login Security 2FA page, with a URL of admin.php?page=WFLS, the array would be:
+		 *
+		 *  array(
+		 *     'admin.php' => array(
+		 *         array(
+		 *           'page' => 'WFLS',
+		 *         ),
+		 *     ),
+		 *  );
+		 * @param array $allowlist The allowlist of admin pages.
+		 */
+		$allowlist = apply_filters( 'rda_allowlist', $allowlist );
+
+		return $allowlist;
+	}
+
+	/**
+	 * Checks if the current page is allowed.
+	 *
+	 * @since 1.2
+	 *
+	 * @return bool True if the current page is in the allowlist, false otherwise.
+	 */
+	private function is_allowed_page() {
+		global $pagenow;
+
+		if ( empty( $pagenow ) ) {
+			return false;
+		}
+
+		$allowlist = $this->get_allowlist();
+
+		if ( ! array_key_exists( $pagenow, $allowlist ) ) {
+			return false;
+		}
+
+		// Iterate over each set of allowed GET parameters for the current page.
+		foreach ( $allowlist[ $pagenow ] as $allowed_params_set ) {
+			if ( $this->is_params_set_allowed( $allowed_params_set ) ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Checks if a set of parameters matches the current $_GET parameters.
+	 *
+	 * @since 1.2
+	 *
+	 * @param array $allowed_params_set A set of allowed GET parameters.
+	 * @return bool True if the current $_GET parameters match the allowed set, false otherwise.
+	 */
+	private function is_params_set_allowed( $allowed_params_set ) {
+
+		if ( ! is_array( $_GET ) || ! is_array( $allowed_params_set ) ) {
+			return false;
+		}
+
+		// Check if the number of parameters in both arrays is the same. This prevents sub-pages from being allowed,
+		// e.g. admin.php?page=example&subpage=secure-thing.
+		if ( count( $_GET ) !== count( $allowed_params_set ) ) {
+			return false;
+		}
+
+		foreach ( $allowed_params_set as $param_key => $param_value ) {
+			if ( ! isset( $_GET[ $param_key ] ) || $_GET[ $param_key ] !== $param_value ) {
+				return false;
+			}
+		}
+
+		return true;
+	}
+
 	/**
 	 * Hide Toolbar Items.
 	 *