Merge pull request #14 from MatthewC/password-removal

Fixes #12, and fixes #13
MatthewC · May 4, 2022 · 7b00b54 · 7b00b54
2 parents 61b6c79 + 5a2bf85
commit 7b00b54
Showing 1 changed file with 46 additions and 30 deletions.
diff --git a/plugin.php b/plugin.php
@@ -1,11 +1,11 @@
 <?php
 /*
 Plugin Name: YOURLSs Password Protection
-Plugin URI: https://mateoc.net/b_plugin/yourls_PasswordProtection/
+Plugin URI: https://matc.io/yourls-password
 Description: This plugin enables the feature of password protecting your short URLs!
-Version: 1.3
+Version: 1.4
 Author: Matthew
-Author URI: https://mateoc.net/
+Author URI: https://matc.io
 */
 
 // No direct call
@@ -31,17 +31,21 @@ function warning_redirection( $args ) {
 	$matthew_pwprotection_short = end( $matthew_pwprotection_pathFragments );
 
 	if( array_key_exists( $matthew_pwprotection_short, (array)$matthew_pwprotection_array ) ){
-		if( isset( $_POST[ 'password' ] ) && $_POST[ 'password' ] == $matthew_pwprotection_array[ $matthew_pwprotection_short ] ){ //Check if password is submited, and if it matches the DB
+		// Check if password is submited, and if it matches the DB
+		if( isset( $_POST[ 'password' ] ) && password_verify( $_POST[ 'password' ], $matthew_pwprotection_array[ $matthew_pwprotection_short ]) ){
 			$url = $args[ 0 ];
-			header("Location: $url"); //Redirects client
+
+			// Redirect client
+			header("Location: $url");
+
 			die();
 		} else {
 			$error = ( isset( $_POST[ 'password' ] ) ? "<script>alertify.error(\"Incorrect Password, try again\")</script>" : "");
-			$matthew_ppu =    yourls__( "Password Protected URL",                       "matthew_pwp" ); //Translate Password Title
-			$matthew_ph =     yourls__( "Password"                                    , "matthew_pwp" ); //Translate the word Password
-			$matthew_sm =     yourls__( "Please enter the password below to continue.", "matthew_pwp" ); //Translate the main message
-			$matthew_submit = yourls__( "Send!"                                       , "matthew_pwp" ); //Translate the Submit button
-			//Displays main "Insert Password" area
+			$matthew_ppu =    yourls__( "Password Protected URL",                       "matthew_pwp" ); // Translate Password Title
+			$matthew_ph =     yourls__( "Password"                                    , "matthew_pwp" ); // Translate the word Password
+			$matthew_sm =     yourls__( "Please enter the password below to continue.", "matthew_pwp" ); // Translate the main message
+			$matthew_submit = yourls__( "Send!"                                       , "matthew_pwp" ); // Translate the Submit button
+			// Displays main "Insert Password" area
 			echo <<<PWP
 			<html>
 				<head>
@@ -211,29 +215,39 @@ function matthew_pwprotection_display_page() {
 
 // Set/Delete password from DB
 function matthew_pwprotection_process_new() {
-	if( isset( $_POST[ 'checked' ] ) ){
-		yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) );
-	}
-	if( isset( $_POST[ 'unchecked' ] ) ){
-		$matthew_pwprotection_array = json_decode(yourls_get_option('matthew_pwprotection'), true); //Get's array of currently active Password Protected URLs
-		foreach ( $_POST[ 'unchecked' ] as $matthew_pwprotection_unchecked ){
-			unset($matthew_pwprotection_array[ $matthew_pwprotection_unchecked ]);
+	// Verify nonce token.
+	yourls_verify_nonce( "matthew_pwprotection_update" );
+
+	$matthew_pwprotection_array =  json_decode(yourls_get_option('matthew_pwprotection'), true);
+
+	foreach( $_POST[ 'password' ] as $url => $url_password) {
+		if($url_password != "DONOTCHANGE_8fggwrFrRXvqndzw") {
+			$_POST[ 'password' ][ $url ] = password_hash($url_password, PASSWORD_BCRYPT);
+		} else {
+			$_POST[ 'password' ][ $url ] = $matthew_pwprotection_array[ $url ];
 		}
-		yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) );
 	}
+
+	// Update database
+	yourls_update_option( 'matthew_pwprotection', json_encode( $_POST[ 'password' ] ) );
+
 	echo "<p style='color: green'>Success!</p>";
 }
 
-//Display Form
+// Display Form
 function matthew_pwprotection_process_display() {
-	global $ydb;
+	$ydb = yourls_get_db();
 
 	$table = YOURLS_DB_TABLE_URL;
-	$query = $ydb->get_results( "SELECT * FROM `$table` WHERE 1=1" );
+	$sql = "SELECT * FROM `$table` WHERE 1=1";
+	$query = $ydb->fetchAll( $sql );
 
-	$matthew_su = yourls__( "Short URL"   , "matthew_pwp" ); //Translate "Short URL"
-	$matthew_ou = yourls__( "Original URL", "matthew_pwp" ); //Translate "Original URL"
-	$matthew_pw = yourls__( "Password"    , "matthew_pwp" ); //Translate "Password"
+	$matthew_su = yourls__( "Short URL"   , "matthew_pwp" ); // Translate "Short URL"
+	$matthew_ou = yourls__( "Original URL", "matthew_pwp" ); // Translate "Original URL"
+	$matthew_pw = yourls__( "Password"    , "matthew_pwp" ); // Translate "Password"
+
+	// Protect action with nonce
+	$matthew_pwprotection_noncefield = yourls_nonce_field( "matthew_pwprotection_update" );
 
 	echo <<<TB
 	<style>
@@ -259,18 +273,19 @@ function matthew_pwprotection_process_display() {
 					<th>$matthew_pw</th>
 				</tr>
 TB;
+
 	foreach( $query as $link ) { // Displays all shorturls in the YOURLS DB
-		$short = $link->keyword;
-		$url = $link->url;
-		$matthew_pwprotection_array =  json_decode(yourls_get_option('matthew_pwprotection'), true); //Get's array of currently active Password Protected URLs
-		if( strlen( $url ) > 51 ) { //If URL is too long it will shorten it
+		$short = $link["keyword"];
+		$url = $link["url"];
+		$matthew_pwprotection_array =  json_decode(yourls_get_option('matthew_pwprotection'), true); // Get array of currently active Password Protected URLs
+		if( strlen( $url ) > 51 ) { // If URL is too long, shorten it with '...'
 			$sURL = substr( $url, 0, 30 ). "...";
 		} else {
 			$sURL = $url;
 		}
-		if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ //Check's if URL is currently password protected or not
+		if( array_key_exists( $short, (array)$matthew_pwprotection_array ) ){ // Check if URL is currently password protected or not
 			$text = yourls__( "Enable?" );
-			$password = $matthew_pwprotection_array[ $short ];
+			$password = "DONOTCHANGE_8fggwrFrRXvqndzw";
 			$checked = " checked";
 			$unchecked = '';
 			$style = '';
@@ -298,6 +313,7 @@ function matthew_pwprotection_process_display() {
 	}
 	echo <<<END
 			</table>
+			$matthew_pwprotection_noncefield
 			<input type="submit" value="Submit">
 		</form>
 	</div>