YahnisElsts / wp-update-server

A custom update API for WordPress plugins and themes. Intended to be used in conjunction with my plugin-update-checker library.
MIT License
824 stars 176 forks source link

Secure download link error message #99

Closed haydeningham closed 3 years ago

haydeningham commented 3 years ago

Hi there, I have followed your guide in order to secure download links via License Keys here: https://w-shadow.com/blog/2013/03/19/plugin-updates-securing-download-links/

It works great however when a user doesn't have a valid license and they try to update the plugin they get a generic forbidden error message (see screenshot attached).

Screenshot 2021-07-28 at 20 42 04

Within the extended class in the Wpup_UpdateServer::checkAuthorization($request) method I have defined an error message using $this->exitWithError($message, 403); but the passed message does not get displayed when the user tries to update. Do you have any recommendations on how I can get this message to display in place of the Update failed: Download failed. Forbidden default message.

Thanks, Hayden

haydeningham commented 3 years ago

You can ignore this issue. I have resolved it. For anyone else wanting to achieve this I removed the download link from the metadata if the license key is not valid (this is also covered in the article linked above). I then used the following filter to add a message to the update notice if the download link is not present:

add_action( 'in_plugin_update_message-your-plugin/your-plugin.php', 'add_upgrade_message', 10, 2 );

function add_upgrade_message( $plugin_data, $new_data ) {

  if( !$plugin_data['package'] ):
    echo '<strong>You must have a valid license key to update.</strong>';
  endif;

}

This way users still see that an update is available but if they don't have a license key activated in the plugin's settings they will not have the update link and instead be shown a message detailing they need a licence key.

Thanks Hayden