diff --git a/10up-experience.php b/10up-experience.php
index fa9d994..88da2c4 100644
--- a/10up-experience.php
+++ b/10up-experience.php
@@ -3,7 +3,7 @@
  * Plugin Name: 10up Experience
  * Plugin URI: https://github.com/10up/10up-experience
  * Description: The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up’s best practices.
- * Version: 1.10.0
+ * Version: 1.10.1
  * Author: 10up
  * Author URI: https://10up.com
  * License: GPLv2 or later
@@ -19,7 +19,7 @@ use Puc_v4_Factory;
-define( 'TENUP_EXPERIENCE_VERSION', '1.10.0' );
+define( 'TENUP_EXPERIENCE_VERSION', '1.10.1' );
 define( 'TENUP_EXPERIENCE_DIR', __DIR__ );
 define( 'TENUP_EXPERIENCE_FILE', __FILE__ );
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f8bb24f..ea33138 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).
+## [1.10.1] - 2022-09-13
+### Fixed
+* Fix bug allowing admin username user to authenticate
+
 ## [1.10.0] - 2022-09-13
 ### Added
 * Added Activity Log
diff --git a/README.md b/README.md
index 44d1387..23610e0 100644
--- a/README.md
+++ b/README.md
@@ -42,50 +42,50 @@ Updates use the built-in WordPress update system to pull from GitHub releases.
 ## Functionality
-* __REST API__
+### REST API
- Adds an option to general settings to restrict REST API access. The options are: show REST API to everyone, only show REST API to logged in users, and show REST API to everyone except `/users` endpoint. By default, the plugin requires authentication for the `/users` endpoint.
+Adds an option to general settings to restrict REST API access. The options are: show REST API to everyone, only show REST API to logged in users, and show REST API to everyone except `/users` endpoint. By default, the plugin requires authentication for the `/users` endpoint.
- *Configured in `Settings > Reading`.*
+*Configured in `Settings > Reading`.*
-* __Authors__
+### Authors
- Removes 10up user author archives so they aren't mistakenly indexed by search engines.
+Removes 10up user author archives so they aren't mistakenly indexed by search engines.
-* __Gutenberg__
+### Gutenberg
- Adds an option in writing to switch back to Classic Editor.
+Adds an option in writing to switch back to Classic Editor.
- *Configured in `Settings > Writing`.*
+*Configured in `Settings > Writing`.*
-* __Plugins__
+### Plugins
- Adds a 10up Suggested Plugins section to the plugins screen. Warns users who attempt to deactivate the 10up Experience plugin. Outputs a notice on non-suggested plugins tabs warning users from installing non-approved plugins. If `DISALLOW_FILE_MODS` is on, update notices will be shown in the plugins table.
+ Adds a 10up Suggested Plugins section to the plugins screen. Warns users who attempt to deactivate the 10up Experience plugin. Outputs a notice on non-suggested plugins tabs warning users from installing non-approved plugins. If `DISALLOW_FILE_MODS` is on, update notices will be shown in the plugins table.
-* __Post Passwords__
+### Post Passwords
- Password protecting post functionality is removed both in Gutenberg and the classic editor. This can be disabled in the writing section of the admin.
+Password protecting post functionality is removed both in Gutenberg and the classic editor. This can be disabled in the writing section of the admin.
- *Configured in `Settings > Writing`.*
+*Configured in `Settings > Writing`.*
-* __Support Monitor__
+### Support Monitor
- Sends non-PII information about the website back to 10up including plugins installed, constants defined in `wp-config.php`, 10up user accounts, and more.
+Sends non-PII information about the website back to 10up including plugins installed, constants defined in `wp-config.php`, 10up user accounts, and more.
- *Configured in `Settings > General` or `Settings > Network Settings` if network activated.*
+*Configured in `Settings > General` or `Settings > Network Settings` if network activated.*
-* __Authentication__
+### Authentication
- By default, all users must use a medium or greater strength password. This can be turned off in general settings (or network settings if network activated). Reserved usernames such as `admin` are prevented from being used.
+By default, all users must use a medium or greater strength password. This can be turned off in general settings (or network settings if network activated). Reserved usernames such as `admin` are prevented from being used.
- *Configured in `Settings > General` or `Settings > Network Settings` if network activated.*
+*Configured in `Settings > General` or `Settings > Network Settings` if network activated.*
- **Password strength functionality requires the PHP extension [mbstring](https://www.php.net/manual/en/mbstring.installation.php) to be installed on the web server. 
Functionality will be bypassed if extension not installed.*
+ **Password strength functionality requires the PHP extension [mbstring](https://www.php.net/manual/en/mbstring.installation.php) to be installed on the web server. Functionality will be bypassed if extension not installed.*
-* __Headers__
+### Headers
- `X-Frame-Origins` is set to `sameorigin` to prevent click jacking.
+`X-Frame-Origins` is set to `sameorigin` to prevent click jacking.
 *Note:* 10up admin branding can be disabled by defining the constant `TENUP_DISABLE_BRANDING` as `true`.
@@ -93,19 +93,19 @@ There are 2 filters available here:
 - `tenup_experience_x_frame_options` - (default value) `SAMEORIGIN` can be changed to `DENY`.
 - `tenup_experience_disable_x_frame_options` - (default value) `FALSE` can be changed to `TRUE` - doing so will omit the header.
-* __SSO__
+### SSO
 10up Experience includes 10up SSO functionality. There are some useful constants related to this functionality:
 - `TENUPSSO_DISABLE` - Define this as `true` to disable SSO.
 - `TENUPSSO_DISALLOW_ALL_DIRECT_LOGIN` - Define this as `true` to disable username/password log ins completely.
-* __Activity Log__
+### Activity Log
 The Activity Log tracks key actions taken by logged in users and stores them in Support Monitor. Note that no PII is stored. This feature can be disabled by defining `TENUP_DISABLE_ACTIVITYLOG` as `true`.
-## Logged Actions
-​
+#### Logged Actions
+
 - `profile_update` Runs when a user profile is updated. Example log message: "User 1 profile updated."
 - `set_user_role` Runs when a user's role has changed. Example log message: "User 1 role changed from editor to administator."
 - `updated_user_meta` Runs when certain user metadata has changed. Example log message: "User 1 meta updated. Key: nickname."
@@ -118,37 +118,28 @@ The Activity Log tracks key actions taken by logged in users and stores them in
 - `deleted_theme` Runs when a theme is deleted from the site. Example log message: "Theme twentytwentyone is deleted."
 - `updated_option` Runs when one of a specified set of core options changes. Example log message: "Option `users_can_register` is updated."
 - `added_option` Runs when one of a specified set of core options is added. Example log message: "Option `users_can_register` is added."
-​
-## Filters
-​
-### tenup_experience_logged_user_meta_changes
-​
+
+#### Filters
+
+- `tenup_experience_logged_user_meta_changes`
+
 Filters the user meta keys whose changes should be logged.
-​
-@param array $meta_keys The user meta keys to log.
-​
-### tenup_support_monitor_logged_option_changes
-​
+
+- `tenup_support_monitor_logged_option_changes`
+
 Filters the option keys whose changes should be logged.
-​
-@param array $option_keys The option keys to log.
-​
-### tenup_support_monitor_log_item
-​
+
+- `tenup_support_monitor_log_item`
+
 Filters whether to log a message.
-​
-@param array $data Associative array of data related to the action.
-@param string $subgroup String representing a group of logged actions, e.g. 'users' or 'plugins'.
-​
-### tenup_support_monitor_max_activity_log_count
-​
+
+- `tenup_support_monitor_max_activity_log_count`
+
 Filters how many log items to store. Items are stored in array saved to the options table. Default is 500.
-​
-@param int The number of log items to keep. Default 500.
-## Constants
+#### Constants
-### TENUP_DISABLE_ACTIVITYLOG
+- `TENUP_DISABLE_ACTIVITYLOG`
 Define `TENUP_DISABLE_ACTIVITYLOG` as `true` to disable Activity Log.
diff --git a/includes/classes/Authentication/Usernames.php b/includes/classes/Authentication/Usernames.php
index cfbb923..4b6703f 100644
--- a/includes/classes/Authentication/Usernames.php
+++ b/includes/classes/Authentication/Usernames.php
@@ -36,7 +36,7 @@ public function prevent_common_username( $user, $username ) {
 $test_tlds = array( 'test', 'local', '' );
 $tld = preg_replace( '#^.*\.(.*)$#', '$1', wp_parse_url( site_url(), PHP_URL_HOST ) );
- if ( in_array( ! $tld, $test_tlds, true ) && in_array( strtolower( trim( $username ) ), $this->reserved_usernames(), true ) ) {
+ if ( ! in_array( $tld, $test_tlds, true ) && in_array( strtolower( trim( $username ) ), $this->reserved_usernames(), true ) ) {
 return new \WP_Error(
 'Auth Error',
 __( 'Please have an administor change your username in order to meet current security measures.', 'tenup' )
diff --git a/includes/classes/SupportMonitor/ActivityLog.php b/includes/classes/SupportMonitor/ActivityLog.php
index 0c19649..bb04893 100644
--- a/includes/classes/SupportMonitor/ActivityLog.php
+++ b/includes/classes/SupportMonitor/ActivityLog.php
@@ -134,10 +134,11 @@ public function updated_user_meta( $meta_id, $user_id, $meta_key ) {
 * @param array $userdata The raw array of data passed to wp_insert_user().
 */
 public function user_register( $user_id, $userdata ) {
+ $role = ( ! empty( $userdata['role'] ) ) ? $userdata['role'] : 'Subscriber';
 Monitor::instance()->log(
 [
 'action' => 'user_register',
- 'summary' => 'User ' . $user_id . ' created with role ' . $userdata['role'],
+ 'summary' => 'User ' . $user_id . ' created with role ' . $role,
 ],
 'users'
 );
diff --git a/package.json b/package.json
index 5dc5a27..d64202a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "10up-experience",
- "version": "1.9.0",
+ "version": "1.10.1",
 "description": "The 10up Experience plugin configures WordPress to better protect and inform clients, aligned to 10up’s best practices.",
 "homepage": "https://10up.com",
 "repository": {
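Review bot: With the operator moved to its intended place, `$tld` is now compared strictly against `'test'`, `'local'` and `''`, yet the value comes from a regex that only matches when the host contains a dot; for a dotless host such as `localhost`, `preg_replace` returns the subject unchanged, so `$tld` is `'localhost'`, which is not in `$test_tlds`, and the reserved-username block will fire on such dev sites — worth confirming that is intended, or adding that entry to the list. The last label is also not case-normalised while the list is lowercase, so `$tld = strtolower( (string) preg_replace( '#^.*\.(.*)$#', '$1', wp_parse_url( site_url(), PHP_URL_HOST ) ) );` would make the comparison robust to how the host was configured. Because the earlier operator slip silently disabled this control for a whole release, a unit test asserting both branches (reserved username rejected on a non-test TLD, accepted on a test TLD) would keep the fix from regressing. The method begins before the hunk and its body continues past it.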
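Review bot: The fallback `'Subscriber'` on the new `$role` line is a display name, while `$userdata['role']` carries a role slug (`subscriber`, `editor`, …), so the summary will mix the two forms and a search of the activity log for the slug will miss users created without an explicit role. WordPress falls back to the `default_role` option when `role` is absent from the array passed to `wp_insert_user()`, which need not be subscriber, so the hard-coded string can misrepresent the role the account actually received; `$role = ! empty( $userdata['role'] ) ? $userdata['role'] : get_option( 'default_role' );` would record the real default. Since `$userdata` is documented here as the raw array handed to `wp_insert_user()`, casting the value to string in the concatenation would also keep the log line well-formed if a caller passes a non-string. The method's closing brace lies outside the hunk.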