WordPress.org

[Plugin: Shibboleth] Username at risk of breaking permalinks with %author% (13 posts)

  1. guychisholm
    Member
    Posted 4 years ago #

    If you choose to map the shib 'eppn' as the wordpress 'Username', then any permalink urls containing the %author% are at risk of breaking. The shibboleth plugin, unlike the standard wordpress user signup, does not produce a "sanitized" (http://codex.wordpress.org/Function_Reference/sanitize_title) version for the user_nicename field. Solution: add a filter (as suggested at http://wordpress.org/extend/plugins/shibboleth/faq/), I use:
    add_filter( 'shibboleth_user_nicename', 'sanitize_title');

  2. Zooney
    Member
    Posted 4 years ago #

    Hrrm, do you have a working solution in place for something like this?

    It's something I've been looking into myself, I just haven't had time to devote to it.

    I've actually just disabled the %author% urls in my theme for the time being.

  3. guychisholm
    Member
    Posted 4 years ago #

    Zooney,

    My solution is to add the filter I mentioned in my original post:
    add_filter( 'shibboleth_user_nicename', 'sanitize_title');
    You can either create a single plugin with this line, or, to keep it simple, you can just add it in the shibboleth.php code.

    I've added mine just above
    $shib_headers = shibboleth_get_option('shibboleth_headers');
    inside the shibboleth_update_user_data function.

    Hopefully this can be integrated into future releases.

  4. @guychisholm, this is mitcho, the new committer on the Shibboleth WP plugin.

    I'm interested in adding a sanitize filter to the nicename, as you suggest, but I'm not sure why you're using sanitize_title. Why not the sanitize_name command?

  5. guychisholm
    Member
    Posted 4 years ago #

    @mitcho, long time ago now, but I suspect I picked sanitize_title because of wp-includes/registration.php#L132.

    I assume you mean sanitize_user, rather than sanitize_name? If this is the case then, I would agree that this is more appropriate than sanitize_title. Interesting that this method is not used in the core registration...

  6. guychisholm
    Member
    Posted 4 years ago #

    ...oh wait! They do :-) My bad

  7. Zooney
    Member
    Posted 4 years ago #

    Woo-hoo! We have a maintainer!

    Question though about this fix... does this filter need to be in place prior to the generation of accounts?

    ...or, are you adding a filter using apply_filters as well?

    Any help would be hugely appreciated here! =)

  8. Zooney
    Member
    Posted 4 years ago #

    I'm beginning to see the issue here.

    I already have a wp_users table with the entire user_nicename column filled in with unsanitized user_nicenames due to using the shibboleth plugin without this filter.

    @guychisholm does the filter method you use work when there are pre-existing user accounts?

    Also, I'm wondering how this works at all seeing that, given the logic in shibboleth_update_user_data and the structure of the 'shibboleth_headers' array, user_nicename will never be updated unless $force_update is true, since it has no 'managed' key in the 'shibboleth_headers' array.

    @mitcho is it possible to suggest as part of an upgrade, the ability to fix previously entered user_nicenames created by the shibboleth plugin? If not I'll have to run some kind of script on my database myself to clean this up...

    Although, thanks to both of you for the huge leg up in finally locating what the issue here actually was... :)

  9. guychisholm
    Member
    Posted 4 years ago #

    @Zooney Yes, this fix only runs at account generation time. No reason why you shouldn't update the database to fix the existing users.

  10. Zooney
    Member
    Posted 4 years ago #

    @guychisholm Gotcha, actually, I can switch that $force_update parameter in the shibboleth_authenticate_user function, but, the likelihood that I can get everyone to re-log to make sure they all get fixed is pretty slim. =)

    I'll just run the script.

    Incidentally, it's essentially impossible to change user_login after it's been created in WordPress, right? My guess is that wp_update_user can't touch that.

    If so, I wish I had known about these filters before I started using the plugin. =)

    Oh well... live and learn.
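
The database clean-up discussed in the posts above (repairing user_nicename values created before the sanitize filter was in place), as an added example that is not code from the thread or from the Shibboleth plugin. It assumes WP-CLI's `wp eval-file` as the runner; the file name and the "apply" argument are the example's own choices.

```php
<?php
// Added example, not part of the Shibboleth plugin. Assumed to run inside a
// loaded WordPress via WP-CLI:
//   wp eval-file fix-nicenames.php          # dry run, prints planned changes
//   wp eval-file fix-nicenames.php apply    # writes them
// The file name and the "apply" argument are this example's own choices.
global $wpdb;
$apply = isset( $args[0] ) && 'apply' === $args[0];

$users = get_users( array( 'fields' => array( 'ID', 'user_nicename' ) ) );

// Slugs already in use, so a repaired value never collides with another user.
$taken = array();
foreach ( $users as $u ) {
	$taken[ $u->user_nicename ] = (int) $u->ID;
}

foreach ( $users as $u ) {
	$old  = $u->user_nicename;
	$base = sanitize_title( mb_substr( $old, 0, 50 ) ); // column is varchar(50)
	if ( $base === $old ) {
		continue; // already URL-safe, leave untouched
	}
	if ( '' === $base ) {
		$base = 'user-' . $u->ID; // nothing slug-safe survived sanitizing
	}
	// Distinct EPPNs can collapse to the same slug; suffix until unique.
	$slug = $base;
	for ( $n = 2; isset( $taken[ $slug ] ) && $taken[ $slug ] !== (int) $u->ID; $n++ ) {
		$suffix = '-' . $n;
		$slug   = substr( $base, 0, 50 - strlen( $suffix ) ) . $suffix;
	}
	unset( $taken[ $old ] );
	$taken[ $slug ] = (int) $u->ID;

	echo "{$u->ID}: {$old} -> {$slug}\n";
	if ( $apply ) {
		// Only user_nicename is written; user_login stays as it is.
		$wpdb->update( $wpdb->users, array( 'user_nicename' => $slug ), array( 'ID' => $u->ID ) );
		clean_user_cache( (int) $u->ID );
	}
}
```

Review the dry-run output before applying: every rewritten user_nicename changes that user's %author% URL, and a suffixed slug marks two accounts whose identifiers sanitize to the same value.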

  11. Zooney
    Member
    Posted 4 years ago #

    @mitcho I apologize for just thinking out loud here, but, I think I see why sanitize_title is a better choice than sanitize_user.

    sanitize_user seems to still allow the '@' and '.' characters (I'm assuming for an LDAP-style username) and that character will cause problems with the %author% links.

    sanitize_title seems to strip out '@' along with '.' and other characters, which seem to be what's keeping the %author% links from working.

    This is particularly important with shibboleth since EPPNs tend to be of the form username@domain.name

  12. Zooney
    Member
    Posted 4 years ago #

    ...I suppose I should use some other attribute for the username, but I've found that adding something like:

    if( $shib_headers['username']['name'] == 'eppn' ) {
      $username = sanitize_title( $username );
    }

    ...after line 272 in shibboleth.php (in shibboleth_authenticate_user) is useful in making a friendlier username from the eppn.

    So, would it be possible to add a filter for $username, or some other way of modifying the username supplied by the headers before it's used to actually create the account? It'd be useful to have some control over the form of usernames in wordpress after they're taken from the Shibboleth headers.

  13. ewendland
    Member
    Posted 3 years ago #

    So excited to see a new Shib plugin version. Thanks guys!

    I do have a question though. I see that one of the fixes is:
    "now applies sanitize_name() to the Shibboleth user's nicename column"

    According to this thread shouldn't that be 'sanitize_title()'? We tried the new plugin and new Shibboleth users still have a nicename like foo@bar.com instead of something that works like foobar-com. If I change the plugin to use sanitize_title I get my desired result (i.e. the Authors plugin works).

    Am I confused? Thanks again!

Topic Closed

This topic has been closed to new replies.
