usefulteam / jwt-auth

WordPress JSON Web Token Authentication
https://wordpress.org/plugins/jwt-auth/

Issues with non-wordpress/custom profile pages #95

Open hayhurst opened 1 year ago

hayhurst commented 1 year ago

If !is_admin is false, then the 'Connected Devices' shortcode returns nothing at all - leaving you with the 'Connected Devices' header, and no explanation to the end user as to why there isn't any content returned.

At the very least this should echo a text response explaining what the issue is?

But equally... we're implementing this on a profile page for end users outside of the wp-admin ecosystem, which is possibly why this hasn't been an issue before...

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L341

        if (!is_admin()) {
            return '';
        }

        $atts = shortcode_atts(
            array(
                'user_id' => get_current_user_id(),
            ),
            $atts,
            'jwt_auth_devices'
        );

        $user_id = absint($atts['user_id']);

        if (get_current_user_id() !== $user_id) {
            if (!current_user_can('administrator')) {
                return '';
            }
        }

The same goes for the below section where we've had to add in an or operator to the if statement to account for a custom profile page.

Originally upon installing this plugin, the die() function was running, killing any further rendering of this page. This seems like an unwarranted use of die which should really only be used for Ajax requests (and even then, wp_die() is preferable).

This should probably be changed to return echo 'No user id defined' so that it fails a little more gracefully.

        // If is current user's profile (profile.php).
        if (defined('IS_PROFILE_PAGE') && IS_PROFILE_PAGE) {
            $user_id = get_current_user_id();
        } elseif (!empty($_GET['user_id']) && is_numeric($_GET['user_id'])) { // phpcs:ignore
            // If is another user's profile page.
            $user_id = absint($_GET['user_id']); // phpcs:ignore
        } else {
            // Otherwise something is wrong.
            die( 'No user id defined.' );
        }

hayhurst commented 1 year ago

Don't have permission to add a branch to offer a proposed solution to these two issues, so here are the changes I'd like to see, in comment form...

Remove this to allow for the shortcode to work on non-'wp-admin' pages:

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L341-L343

Replace this:

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L322

with:

            echo 'No user id defined.';
            return;
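Added example, not part of the issue or of the plugin's code: one way the two snippets quoted above could look with the changes proposed in this thread applied. It keeps the shortcode tag `jwt_auth_devices` and the WordPress core calls already on the page; every function name prefixed `jwt_auth_issue95_` is a hypothetical stand-in, and the rendering helper is a placeholder because the real device listing is not shown here. The point worth making for a front-end profile page is that `is_admin()` only reports whether the admin dashboard is rendering and is not an authorization check, so when it is dropped the per-user capability check is what decides who can see whose devices. This example also swaps the role-name test `current_user_can('administrator')` for the per-target `current_user_can('edit_user', $user_id)`; that is a suggestion of this example, not something the plugin does.

```php
<?php
/**
 * Illustration for issue #95 (added example, not plugin code).
 * Assumed: the jwt_auth_issue95_* names and the placeholder renderer.
 */

// Hypothetical stand-in for the plugin's device list rendering, which is not
// shown in the issue. Output is escaped before it reaches the page.
function jwt_auth_issue95_render_devices_list( int $user_id ): string {
    return '<p>' . esc_html( sprintf( 'Connected devices for user #%d.', $user_id ) ) . '</p>';
}

/**
 * Shortcode handler that works outside wp-admin.
 *
 * The is_admin() gate is gone; the authorization decision is made per target
 * user below, and every refusal returns text the visitor can read instead of
 * an empty string under the 'Connected Devices' header.
 */
function jwt_auth_issue95_devices_shortcode( $atts ): string {
    $atts = shortcode_atts(
        array( 'user_id' => get_current_user_id() ),
        $atts,
        'jwt_auth_devices'
    );

    $user_id = absint( $atts['user_id'] );

    // Anonymous visitors get an explanation rather than nothing.
    if ( ! is_user_logged_in() ) {
        return '<p>' . esc_html( 'Please log in to see your connected devices.' ) . '</p>';
    }

    // Mirrors the 'No user id defined.' case of the profile page, without die().
    if ( 0 === $user_id || false === get_userdata( $user_id ) ) {
        return '<p>' . esc_html( 'No user id defined.' ) . '</p>';
    }

    // Viewing another user's devices requires the right to edit that user.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        return '<p>' . esc_html( "You are not allowed to view this user's connected devices." ) . '</p>';
    }

    return jwt_auth_issue95_render_devices_list( $user_id );
}
add_shortcode( 'jwt_auth_devices', 'jwt_auth_issue95_devices_shortcode' );

/**
 * Profile-page variant: resolves $user_id the same way as the quoted snippet,
 * but a missing id is reported to the visitor and the rest of the page keeps
 * rendering instead of being killed by die().
 */
function jwt_auth_issue95_profile_devices(): void {
    if ( defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
        // Current user's own profile (profile.php).
        $user_id = get_current_user_id();
    } elseif ( ! empty( $_GET['user_id'] ) && is_numeric( $_GET['user_id'] ) ) { // phpcs:ignore
        // Another user's profile page.
        $user_id = absint( $_GET['user_id'] ); // phpcs:ignore
    } else {
        echo '<p>' . esc_html( 'No user id defined.' ) . '</p>';
        return;
    }

    // An id taken from the query string still needs an authorization check
    // before anything about that user is rendered.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        echo '<p>' . esc_html( "You are not allowed to view this user's connected devices." ) . '</p>';
        return;
    }

    echo jwt_auth_issue95_render_devices_list( $user_id ); // phpcs:ignore WordPress.Security.EscapeOutput
}
```

Both paths report the failure in the page body and return, so a custom profile template that embeds the shortcode or calls the profile function keeps rendering the rest of the page; the authorization check is the same in both places, which is what makes removing `is_admin()` safe.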