<?php
/**
* Plugin Name: VIP Force Two Factor
* Description: Force Two Factor Authentication for stronger security.
* Author: Automattic
* License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
*/
// Custom list of providers
require_once __DIR__ . '/wpcom-vip-two-factor/set-providers.php';
// Unix timestamp of the switch from the preparatory warning to actual capability removal.
// strtotime() interprets the literal in PHP's configured default timezone.
define( 'VIP_2FA_TIME_GATE', strtotime( '2019-05-29 18:00:00' ) );
// Fixed once per request when this file loads; true on any host whose clock is past the gate.
define( 'VIP_IS_AFTER_2FA_TIME_GATE', time() > VIP_2FA_TIME_GATE );
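/**
 * Decide whether two-factor enforcement can apply to the current request at all.
 *
 * Returns false when a second factor is already in place (the VIP proxy, an
 * existing 2FA setup on the account, or an SSO integration) or when the Two
 * Factor plugin is not loaded; otherwise true. This is the precondition that
 * wpcom_vip_is_two_factor_forced() checks before consulting its filter.
 *
 * @return bool
 */
function wpcom_vip_should_force_two_factor() {
	// The proxy is the second factor for VIP Support users. The constant is
	// expected to be defined by the platform; guard with defined() because PHP 8
	// throws an Error on an undefined constant. A missing constant therefore
	// falls through to enforcement (fail closed) instead of a fatal.
	if ( defined( 'A8C_PROXIED_REQUEST' ) && true === A8C_PROXIED_REQUEST ) {
		return false;
	}
	// The Two Factor plugin wasn't loaded for some reason.
	if ( ! class_exists( 'Two_Factor_Core' ) ) {
		return false;
	}
	// Nothing to enforce for a user who already has a second factor configured.
	if ( Two_Factor_Core::is_user_using_two_factor() ) {
		return false;
	}
	// Don't force 2FA for OneLogin SSO.
	if ( function_exists( 'is_saml_enabled' ) && is_saml_enabled() ) {
		return false;
	}
	// Don't force 2FA for SimpleSaml.
	if ( function_exists( '\HumanMade\SimpleSaml\instance' ) && \HumanMade\SimpleSaml\instance() ) {
		return false;
	}
	return true;
}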
/**
 * Whether the current user must be downgraded until they enable two-factor.
 *
 * The platform preconditions in wpcom_vip_should_force_two_factor() are
 * evaluated first; only when they hold is the 'wpcom_vip_is_two_factor_forced'
 * filter consulted, with a default of false (enforcement is opt-in via filter).
 *
 * @return bool
 */
function wpcom_vip_is_two_factor_forced() {
	$enforceable = wpcom_vip_should_force_two_factor();

	// The filter is deliberately not run when enforcement is not applicable.
	return $enforceable ? apply_filters( 'wpcom_vip_is_two_factor_forced', false ) : false;
}
/**
 * Hooked to set_current_user: wire up enforcement for logged-in users.
 *
 * After the time gate, users who can edit_posts are reported as "forced" via
 * the 'wpcom_vip_is_two_factor_forced' filter; before it, they only get the
 * preparatory notice. In both cases the downgrade notice and the
 * map_meta_cap filter are attached.
 */
function wpcom_vip_enforce_two_factor_plugin() {
	if ( ! is_user_logged_in() ) {
		return;
	}

	// Calculate current_user_can outside map_meta_cap to avoid callback loop:
	// once the cap filter below is attached, a current_user_can() call from
	// inside it would re-enter this check.
	$limited = current_user_can( 'edit_posts' );

	if ( VIP_IS_AFTER_2FA_TIME_GATE ) {
		add_filter( 'wpcom_vip_is_two_factor_forced', static function () use ( $limited ) {
			return $limited;
		} );
	} elseif ( $limited && wpcom_vip_should_force_two_factor() ) {
		add_action( 'admin_notices', 'wpcom_vip_two_factor_prep_admin_notice' );
	}

	add_action( 'admin_notices', 'wpcom_vip_two_factor_admin_notice' );
	add_filter( 'map_meta_cap', 'wpcom_vip_two_factor_filter_caps', 0, 4 );
}
/**
 * Hooked to muplugins_loaded: load the Two Factor plugin, then defer the
 * enforcement wiring until the current user is known (set_current_user).
 */
function wpcom_enable_two_factor_plugin() {
	wpcom_vip_load_plugin( 'two-factor' );
	add_action( 'set_current_user', 'wpcom_vip_enforce_two_factor_plugin' );
}

add_action( 'muplugins_loaded', 'wpcom_enable_two_factor_plugin' );
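/**
 * Filter Caps
 *
 * Remove caps for users without two-factor enabled so they are treated as a
 * Contributor: only the allow-listed caps below survive, every other cap maps
 * to 'do_not_allow'.
 *
 * Hooked to map_meta_cap at priority 0 with 4 args.
 *
 * @param string[] $caps    Primitive caps required for $cap.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User the check is for.
 * @param array    $args    Extra arguments; for 'edit_user', $args[0] is the target user ID.
 * @return string[] $caps unchanged, or [ 'do_not_allow' ] when the user is downgraded.
 */
function wpcom_vip_two_factor_filter_caps( $caps, $cap, $user_id, $args ) {
	if ( ! wpcom_vip_is_two_factor_forced() ) {
		return $caps;
	}

	// Use a hard-coded allow-list of caps that give just enough access to set up 2FA.
	$subscriber_caps = [
		'read',
		'level_0',
	];

	// You can edit your own user account (required to set up 2FA). The strict
	// comparison means only the user's own ID is accepted, never another account.
	// NOTE(review): a string ID in $args[0] would not match an int $user_id — confirm callers pass ints.
	if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id === $args[0] ) {
		$subscriber_caps[] = 'edit_user';
	}

	if ( ! in_array( $cap, $subscriber_caps, true ) ) {
		return [ 'do_not_allow' ];
	}

	return $caps;
}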
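/**
 * Whether the 2FA admin notices may be rendered on the current admin screen.
 *
 * Suppressed on the "Edit Post" screen (screen id 'post') because the notice
 * markup interferes with the Block Editor. When no screen object is available
 * (get_current_screen() returns null before a screen is set) the notice is
 * shown, matching the original outcome without the property-on-null warning.
 *
 * @return bool
 */
function wpcom_vip_should_show_notice_on_current_screen() {
	$screen = get_current_screen();

	// No screen object yet: we cannot tell it is the editor, so do not suppress.
	if ( null === $screen ) {
		return true;
	}

	// Don't show on the "Edit Post" screen as it interferes with the Block Editor.
	return 'post' !== $screen->id;
}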
/**
 * Hooked to admin_notices: render the "access downgraded" banner for users who
 * are being forced to set up two-factor authentication.
 *
 * Nothing is printed unless enforcement is active for the current user and the
 * current screen is one where the notice can be shown.
 */
function wpcom_vip_two_factor_admin_notice() {
	// Same short-circuit order as before: the screen check only runs when enforcement applies.
	$show = wpcom_vip_is_two_factor_forced() && wpcom_vip_should_show_notice_on_current_screen();
	if ( ! $show ) {
		return;
	}
	?>
	<div id="vip-2fa-error" class="notice-error wrap clearfix" style="align-items: center;background: #ffffff;border-left-width:4px;border-left-style:solid;border-radius: 6px;display: flex;margin-top: 30px;padding: 30px;line-height: 2em;">
		<div class="dashicons dashicons-warning" style="display:flex;float:left;margin-right:2rem;font-size:38px;align-items:center;margin-left:-20px;color:#ffb900;"></div>
		<div>
			<p style="font-weight:bold; font-size:16px;">
				<a href="https://wpvip.com/documentation/vip-go/two-factor-authentication-on-vip-go/">Two Factor Authentication</a> is required to edit content on this site.
			</p>
			<p>For the safety and security of this site, your account access has been downgraded. Please enable two-factor authentication to restore your access.</p>
			<p>
				<a href="<?php echo esc_url( admin_url( 'profile.php#two-factor-options' ) ); ?>" class="button button-primary">
					Enable Two-factor Authentication
				</a>
				<a href="https://wpvip.com/documentation/vip-go/two-factor-authentication-on-vip-go/" class="button" target="_blank">Learn More</a>
			</p>
		</div>
	</div>
	<?php
}
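/**
 * Hooked to admin_notices before the time gate: warn editors that two-factor
 * will become mandatory at VIP_2FA_TIME_GATE.
 *
 * Only attached by wpcom_vip_enforce_two_factor_plugin() while
 * VIP_IS_AFTER_2FA_TIME_GATE is false, so on a host whose clock is past the
 * gate this never runs. It is also skipped once enforcement is already active
 * for the user, and site owners can hide it via the
 * 'wpcom_vip_two_factor_prep_hide_admin_notice' filter.
 *
 * The gate timestamp is rendered in the site's configured timezone
 * (timezone_string option), falling back to UTC when the option is empty or
 * not a recognised timezone identifier.
 */
function wpcom_vip_two_factor_prep_admin_notice() {
	if ( wpcom_vip_is_two_factor_forced() ) {
		return;
	}
	if ( ! wpcom_vip_should_show_notice_on_current_screen() ) {
		return;
	}
	// Allow site owners to hide the preparatory notice if this doesn't apply to their site
	if ( apply_filters( 'wpcom_vip_two_factor_prep_hide_admin_notice', false ) ) {
		return;
	}

	$timezone = get_option( 'timezone_string' );
	if ( ! is_string( $timezone ) || '' === $timezone ) {
		$timezone = 'UTC';
	}

	try {
		$zone = new DateTimeZone( $timezone );
	} catch ( Exception $e ) {
		// An unrecognised identifier in the option would otherwise abort the
		// whole admin page; show the time in UTC instead.
		$zone = new DateTimeZone( 'UTC' );
	}

	// Immutable: the gate instant is fixed, so nothing downstream can shift it.
	$date = ( new DateTimeImmutable( '@' . VIP_2FA_TIME_GATE ) )->setTimezone( $zone );
	?>
	<div id="vip-2fa-warning" class="notice-warning wrap clearfix" style="align-items: center;background: #ffffff;border-left-width:4px;border-left-style:solid;border-radius: 6px;display: flex;margin-top: 30px;padding: 30px;line-height: 2em;">
		<div class="dashicons dashicons-warning" style="display:flex;float:left;margin-right:2rem;font-size:38px;align-items:center;margin-left:-20px;color:#ffb900;"></div>
		<div>
			<p style="font-weight:bold; font-size:16px;">
				Starting on <em><?php echo esc_html( $date->format( 'M d, Y \a\t g:i a T' ) ); ?></em>, <a href="https://wpvip.com/documentation/vip-go/two-factor-authentication-on-vip-go/">Two Factor Authentication</a> will be required to edit content on this site.
			</p>
			<p>To avoid any disruption in access, please enable two-factor authentication on your account as soon as possible. Thank you for keeping your account safe and secure!</p>
			<p>
				<a href="<?php echo esc_url( admin_url( 'profile.php#two-factor-options' ) ); ?>" class="button button-primary">
					Enable Two-factor Authentication
				</a>
				<a href="https://wpvip.com/documentation/vip-go/two-factor-authentication-on-vip-go/" class="button" target="_blank">Learn More</a>
			</p>
		</div>
	</div>
	<?php
}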