
Issues with non-wordpress/custom profile pages

Open hayhurst opened this issue 1 year ago • 1 comment

If `!is_admin()` is false, then the 'Connected Devices' shortcode returns nothing at all, leaving you with the 'Connected Devices' header and no explanation to the end user as to why there isn't any content returned.

At the very least this should echo a text response explaining what the issue is?

But equally... we're implementing this on a profile page for end users outside of the wp-admin ecosystem, which is possibly why this hasn't been an issue before...

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L341

		if (!is_admin()) {
			return '';
		}

		$atts = shortcode_atts(
			array(
				'user_id' => get_current_user_id(),
			),
			$atts,
			'jwt_auth_devices'
		);

		$user_id = absint($atts['user_id']);

		if (get_current_user_id() !== $user_id) {
			if (!current_user_can('administrator')) {
				return '';
			}
		}

The same goes for the below section where we've had to add in an or operator to the if statement to account for a custom profile page.

Originally upon installing this plugin, the die() function was running, killing any further rendering of this page. This seems like an unwarranted use of die which should really only be used for Ajax requests (and even then, wp_die() is preferable).

This should probably be changed to return echo 'No user id defined' so that it fails a little more gracefully.

		// If is current user's profile (profile.php).
		if (defined('IS_PROFILE_PAGE') && IS_PROFILE_PAGE) {
			$user_id = get_current_user_id();
		} elseif (!empty($_GET['user_id']) && is_numeric($_GET['user_id'])) { // phpcs:ignore
			// If is another user's profile page.
			$user_id = absint($_GET['user_id']); // phpcs:ignore
		} else {
			// Otherwise something is wrong.
			die( 'No user id defined.' );
		}

hayhurst avatar Mar 02 '23 20:03 hayhurst

Don't have permission to add a branch to offer a proposed solution to these two issues, so here are the changes I'd like to see in comment form...


Remove this to allow for the shortcode to work on non-'wp-admin' pages

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L341-L343


Replace this

https://github.com/usefulteam/jwt-auth/blob/84087733a6ed087df2ca53e6b4be767854754eb5/class-devices.php#L322

With

			echo 'No user id defined.';
			return;

hayhurst avatar Mar 02 '23 20:03 hayhurst
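For reference, a reworked shortcode handler along the lines proposed in this thread: it drops the `is_admin()` gate (which only reports whether the admin dashboard is rendering and is not an authorization check), keeps the per-user check that actually protects the device list, and returns a message instead of an empty string or `die()`. This is an added example, not jwt-auth's code; the `example_` function and filter names, the `jwt-auth` text domain and the use of the `edit_user` meta capability in place of the `administrator` role name are assumptions.

```php
<?php
// Added example, not jwt-auth's own code. Resolves the target user from the
// shortcode attribute, enforces "own devices only unless you may edit that
// user", and always returns markup so the page keeps rendering.

function example_jwt_auth_devices_shortcode( $atts ) {
	$atts = shortcode_atts(
		array( 'user_id' => get_current_user_id() ),
		$atts,
		'jwt_auth_devices'
	);
	$user_id = absint( $atts['user_id'] );

	// Anonymous visitors get an explanation instead of an empty string.
	if ( ! is_user_logged_in() ) {
		return '<p>' . esc_html__( 'Please log in to see your connected devices.', 'jwt-auth' ) . '</p>';
	}

	// No resolvable user id: report it instead of killing the request with die().
	if ( 0 === $user_id ) {
		return '<p>' . esc_html__( 'No user id defined.', 'jwt-auth' ) . '</p>';
	}

	// Authorization lives here, not in is_admin(): a user may only view their
	// own devices unless they hold the 'edit_user' meta capability for that user
	// (the original code checks the 'administrator' role name instead).
	if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
		return '<p>' . esc_html__( 'You are not allowed to view this user\'s devices.', 'jwt-auth' ) . '</p>';
	}

	// Hypothetical filter standing in for the plugin's own device lookup; it is
	// expected to return an array of device labels for $user_id.
	$devices = apply_filters( 'example_jwt_auth_list_devices', array(), $user_id );
	if ( empty( $devices ) ) {
		return '<p>' . esc_html__( 'No connected devices.', 'jwt-auth' ) . '</p>';
	}

	// Escape every label on output; device names are user-controlled data.
	$out = '<ul>';
	foreach ( $devices as $device ) {
		$out .= '<li>' . esc_html( $device ) . '</li>';
	}
	return $out . '</ul>';
}
add_shortcode( 'jwt_auth_devices', 'example_jwt_auth_devices_shortcode' );
```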