More Privacy Options plugin issue (and possible fix) (6 posts)

  1. ctrl-alt-esc
    Member
    Posted 14 years ago #

    I've run across a small issue with the More Privacy Options plugin (http://wpmudevorg.wordpress.com/project/More-Privacy-Options)

    How to reproduce the issue:
    - enable FORCE_SSL_LOGIN in wp-config.php (I haven't tested, but this probably happens with FORCE_SSL_ADMIN also)
    - set blog visibility to one of the 3 options provided by this plugin (registered users from blog community || registered members of this blog || administrators )
    - visit the blog at http://blog123.example.com
    - log in at the prompt

    What should happen:
    - after login you should be redirected to http://blog123.example.com

    What actually happens:
    - after login you will be redirected to https://blog123.example.com

    I've included a patch below that seems to take care of the problem on my site. Hopefully dsader will see this post and can comment on my fix since I'm a PHP noob.

    --- ds_private_blog.php.orig    2010-01-14 11:40:46.000000000 -0500
    +++ ds_private_blog.php 2010-01-14 11:56:34.000000000 -0500
    @@ -166,7 +166,7 @@
                   } else {
                            nocache_headers();
                            header("HTTP/1.1 302 Moved Temporarily");
    -                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
    +                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode(site_url($_SERVER['REQUEST_URI'])));
                    header("Status: 302 Moved Temporarily");
                            exit();
                            }
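    Review bot: on the added line, site_url() receives the whole $_SERVER['REQUEST_URI'], which on a directory-based install already starts with the blog's own path, so the blog URL and the request path overlap and redirect_to no longer names the page that was requested. Build the target from the request's own scheme and host plus REQUEST_URI, or strip the blog's path prefix before passing it to site_url().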
    @@ -221,7 +221,7 @@
                    } elseif (!current_user_can('read')) {
                            nocache_headers();
                            header("HTTP/1.1 302 Moved Temporarily");
    -                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
    +                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode(site_url($_SERVER['REQUEST_URI'])));
                    header("Status: 302 Moved Temporarily");
                            exit();
                    }
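    Review bot: the redirect in this hunk is still assembled by hand, with a raw Location header around get_settings('siteurl') and a separate Status header after it. get_settings() is the deprecated name for get_option(), and wp_redirect() sends the status and the Location together, so switching to those two calls would leave a single line to maintain here.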
    @@ -252,7 +252,7 @@
                    } elseif (!current_user_can('manage_options')) {
                            nocache_headers();
                            header("HTTP/1.1 302 Moved Temporarily");
    -                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
    +                       header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode(site_url($_SERVER['REQUEST_URI'])));
                    header("Status: 302 Moved Temporarily");
                            exit();
                    }
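    Review bot: this is the third copy of the same Location line (the same edit appears at -166 and -221), so any later correction has to be repeated in three places. Move the login redirect into one helper function that the three visibility checks call, and make the redirect_to change there.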
  2. ctrl-alt-esc
    Member
    Posted 14 years ago #

    Oh, and I forgot to say thanks to dsader for providing such a useful plugin. Our school district has several 'staff only' blogs protected by this plugin.

  3. vanillaxtrakt
    Member
    Posted 14 years ago #

    Two problems:

    1. The code you posted I believe will only work if you're not going to a blog in a subdomain. For instance, if you go here:

    http://blog.example.com/information

    your code will convert the URL to this:

    http://blog.example.com/wp-login.php?redirect_to=http://blog.example.com/information

    However, if you go here:

    http://blog.example.com/myblog/somepage

    your code will convert the URL to this:

    http://blog.example.com/myblog/wp-login.php?redirect_to=http://blog.example.com/myblog/somepage/somepage

    2. The more I look at this, it looks like a WordPress issue, not a plugin issue.

    If you enable FORCE_SSL_LOGIN in wp-config.php, and then use the login page to redirect you to any other page, it will be SSL (if you aren't already logged in). For example:

    http://blog.example.com/wp-login.php?redirect_to=/feed/

    will always send you here upon logging in:

    https://blog.example.com/feed/

    Or,

    http://blog.example.com/wp-login.php?redirect_to=/

    will send you here:

    https://blog.example.com

    I don't know if this is a WordPress or WordPress MU issue, but as far as I can tell, it's not the fault of this plugin.

    I went ahead and created a bug ticket:
    http://core.trac.wordpress.org/ticket/12194

  4. dsader
    Member
    Posted 14 years ago #

    I don't use "FORCE_SSL_LOGIN" or "FORCE_SSL_ADMIN".

    To code a fix for FORCE_SSL_LOGIN using this (or any) plugin, it would first detect FORCE_SSL_LOGIN and the errant https and replace it with http before the header redirect.

    To illustrate, look at how the bit of code at the top of wp-login.php detects then replaces http with https (imagine vice versa in OP's case).

    // Redirect to https login if forced to use SSL
    if ( force_ssl_admin() && !is_ssl() ) {
    	if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
    		wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
    		exit();
    	} else {
    		wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    		exit();
    	}
    }
  5. ctrl-alt-esc
    Member
    Posted 14 years ago #

    I had only tried this fix on a domain based site and it worked there. I just tried it on my directory based site and it doesn't work, just as vanillaxtrakt said above.

  6. ctrl-alt-esc
    Member
    Posted 14 years ago #

    Now trying this instead:
    header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode((is_ssl() ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']));

    It appears to be working correctly on both domain and directory installs.
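
The difference between the first patch and the line in the last post, as an added example that is not code from the plugin or from WordPress: `model_site_url()` and `model_is_ssl()` are simplified stand-ins for `site_url()` and `is_ssl()`, and the sample requests are constructed. The host allow-list is an assumption added here because `HTTP_HOST` is supplied by the client.

```php
<?php
// Added example, not plugin or WordPress code. All function names are hypothetical.

// Simplified model of site_url($path): the blog URL with the given path appended.
function model_site_url(string $siteurl, string $path): string {
    return rtrim($siteurl, '/') . '/' . ltrim($path, '/');
}

// Simplified model of is_ssl() for a $_SERVER-style array.
function model_is_ssl(array $server): bool {
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return $https === 'on' || $https === '1'
        || (string)($server['SERVER_PORT'] ?? '') === '443';
}

// Post 6 approach: keep the scheme and the full URI of the original request.
// HTTP_HOST is client-supplied, so it is checked against known blog hosts.
function build_redirect_to(array $server, array $allowed_hosts): ?string {
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowed_hosts, true)) {
        return null; // unknown Host header: the caller should fall back to the blog home
    }
    $scheme = model_is_ssl($server) ? 'https://' : 'http://';
    return $scheme . $host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed sample requests: [blog URL, $_SERVER values].
$allowed = ['blog.example.com', 'blog123.example.com'];
$cases = [
    'domain install'    => ['http://blog123.example.com',
        ['HTTP_HOST' => 'blog123.example.com', 'REQUEST_URI' => '/information']],
    'directory install' => ['http://blog.example.com/myblog',
        ['HTTP_HOST' => 'blog.example.com', 'REQUEST_URI' => '/myblog/somepage']],
    'unexpected host'   => ['http://blog.example.com',
        ['HTTP_HOST' => 'other.example.net', 'REQUEST_URI' => '/']],
];

foreach ($cases as $name => [$siteurl, $server]) {
    $target = build_redirect_to($server, $allowed);
    echo "$name\n";
    echo '  site_url model : ' . model_site_url($siteurl, $server['REQUEST_URI']) . "\n";
    echo '  post 6 approach: ' . ($target ?? '(rejected)') . "\n";
    if ($target !== null) {
        echo '  Location       : ' . $siteurl . '/wp-login.php?redirect_to='
            . urlencode($target) . "\n";
    }
}
```

For the directory install the modelled `site_url()` call repeats the blog path, while the scheme-plus-host form returns the URL that was requested.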

About this Topic

  • Started 14 years ago by ctrl-alt-esc
  • Latest reply from ctrl-alt-esc