bueltge / authenticator

This plugin allows you to make your WordPress site accessible to logged in users only.
https://wordpress.org/plugins/authenticator/
GNU General Public License v3.0

Check the current URL before redirecting #13

Open dnaber-de opened 11 years ago

dnaber-de commented 11 years ago

Check whether the current page is not already the login page, to avoid loops. The check on $pagenow comes to nothing with custom login pages.

bueltge commented 10 years ago

@dnaber-de Which check do you mean, directly in the method `redirect()`?

dnaber-de commented 10 years ago

There were problems in combination with hooked login pages (not wp-login.php). It resulted in a loop. That has already been fixed, though; whether on the Authenticator side or project-specific, I don't know right now. I'll take another look at it.

bueltge commented 10 years ago

Thank you! Otherwise we'll close the issue and can update wp.org if need be, which would be necessary because of a bug.

bueltge commented 10 years ago

@dnaber-de Can you check this when you get a chance, then 1.2 would be done.

dnaber-de commented 10 years ago

I suggest using English as the language for issues. I think the problem still persists, theoretically. We check for wp-login.php as $GLOBALS[ 'pagenow' ], but we then redirect using wp_login_url(). If someone hooks into login_url, the comparison of »pagenow« becomes invalid and with this, we get an infinite redirection loop.

dnaber-de commented 10 years ago

I've provided a possible fix for this problem in cd8fbe4 on the branch fix_13 but I don't have time to make a proper validation at the moment.

bueltge commented 10 years ago

Thanks for your time and effort. The language for issues is all the same for me, but if we discuss without other guys and dolls, then German is much easier for me. I will also say thank you for the time. I understand much more as other people's. Currently I'm also only online via mobile, the fritz box was broken.

deantomasevic commented 9 years ago

I have updated the prev. fix for this issue (17acc202035b6cfe4a1ceda4b7cc520162a108f4). In my case the prev. fix doesn't work if I had a custom login page and add a filter for my login_url.

Example:

page-login.php - Added a blank page with url /login/

```php
<?php
...
wp_login_form( $args );
...
```

functions.php

```php
...
add_filter( 'login_url', 'my_login_page', 10, 2 );
function my_login_page( $login_url, $redirect ) {
    return home_url( '/login/?redirect_to=' . $redirect );
}
```

Testcases:

dnaber-de commented 9 years ago

About 17acc202: What happens if you request a sub-page with the permalink /some-page/login/? I assume that you won't be redirected to the login page as of the strpos() comparison.

Furthermore I think we should compare the complete login URL (including the host) to respect setups where logins might be combined on one site in a multisite.
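
The two points raised in the last comment (a sub-page such as /some-page/login/ and a login page on another host in a multisite) can be checked with an exact host-and-path comparison. The following is an added example, not code from the thread or from the plugin; the function names and all URLs are assumptions, and in WordPress the login URL would come from wp_login_url(). Scheme and port are ignored here as a simplification.

```php
<?php
// Added example: decide "is this request already the login page?" by comparing
// host and path exactly, instead of a strpos() substring match.

/** Reduce a URL to [lower-cased host, path without trailing slash], or null. */
function normalize_for_compare( string $url ): ?array {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['host'] ) ) {
        return null; // malformed or relative URL: treated as "no match"
    }
    $path = rtrim( $parts['path'] ?? '/', '/' );
    return [ strtolower( $parts['host'] ), $path ];
}

/**
 * True only when $current_url points at the same host and path as $login_url.
 * Query strings (e.g. redirect_to) are ignored on both sides.
 */
function is_login_request( string $current_url, string $login_url ): bool {
    $current = normalize_for_compare( $current_url );
    $login   = normalize_for_compare( $login_url );
    return null !== $current && $current === $login;
}

// Constructed sample values; a filtered login_url as in the setup above.
$login_url = 'https://example.org/login/?redirect_to=%2F';

$cases = [
    'https://example.org/login/'                     => true,  // the login page itself
    'https://example.org/login?redirect_to=%2Fadmin' => true,  // same page, other query
    'https://example.org/some-page/login/'           => false, // sub-page ending in /login/
    'https://blog.example.org/login/'                => false, // other site in a multisite
    'https://example.org/wp-login.php'               => false, // default page, not the filtered URL
];

foreach ( $cases as $url => $expected ) {
    $actual = is_login_request( $url, $login_url );
    printf( "%-50s %s\n", $url, $actual === $expected ? 'ok' : 'MISMATCH' );
}
```

Only a request for which `is_login_request()` returns true should skip the redirect; every other request, including /some-page/login/, is still sent to the login URL, and the redirect target itself never triggers a second redirect.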