Support » Plugin: Force Login » Feature : Allow whitelisting to ignore url query params

  • Resolved haxxxton

    (@haxxxton)


    Rather than have to list every permutation of a url that contains query params in the whitelist, it would be super handy to have either a flag, or the ability to add regex patterns to the whitelist.

    my current work around has been to alter the !in_array($url, $whitelist) section of the redirect conditional check to

    !in_array(preg_replace('/\?.*/', '', $url), $whitelist)

    Im not sure if there are any times you would want to whitelist only SOME urls with specific query params, but this solution works nicely when coupled with something like the WP JSON API; allowing all /wp-json/ end points to be excluded from the force login redirect

    https://wordpress.org/plugins/wp-force-login/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Kevin Vess

    (@kevinvess)

    There are a few options for whitelisting dynamic URLs without having to alter the plugin source code, try using one of the methods below:

    Option #1

    function my_forcelogin_whitelist( $whitelist ) {
      // Get visited URL without query string
      $url_path = preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']);
    
      // Whitelist URLs
      if( '/page-name/' === $url_path ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      if( '/page-name.php' === $url_path ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      return $whitelist;
    }
    add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);

    Option #2

    function my_forcelogin_whitelist( $whitelist ) {
      $whitelist[] = site_url( '/page-name/?' . $_SERVER['QUERY_STRING'] );
      $whitelist[] = site_url( '/page-name.php?' . $_SERVER['QUERY_STRING'] );
      return $whitelist;
    }
    add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);

    Option #3

    function my_forcelogin_whitelist( $whitelist ) {
      // whitelist URL if query string contains 'parameter'
      if( isset($_GET['parameter']) ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      // whitelist URL where 'value' is equal to query string 'parameter'
      if( $_GET['parameter'] == 'value' ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      return $whitelist;
    }
    add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);

    Option #4

    function my_forcelogin_whitelist( $whitelist ) {
      // add any page URL within a specified directory to my whitelist
      if( in_array('page-directory', explode('/', $_SERVER['REQUEST_URI'])) ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      return $whitelist;
    }
    add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);

    ah wonderful, i hadnt thought about the ability to use the $_SERVER variable in the whitelist code. Thank you!

    This…

    
    if( in_array('page-directory', explode('/', $_SERVER['REQUEST_URI'])) ) {
      $whitelist[] = site_url($_SERVER['REQUEST_URI']);
    }
    

    …is a really bad idea. On some (all?) web servers, this will allow you to append ?/page-directory/ to a URL to bypass login on any page.

    • This reply was modified 3 years, 1 month ago by davidbenton.
    • This reply was modified 3 years, 1 month ago by davidbenton.
    Plugin Author Kevin Vess

    (@kevinvess)

    @davidbenton – good catch, you may use the following code instead to ensure visitors can’t bypass the login on any page with the directory as part of the query string:

    function my_forcelogin_whitelist( $whitelist ) {
      // Get visited URL without query string
      $url_path = preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']);
    
      // add any page URL within a specified directory to my whitelist
      if( in_array('page-directory', explode('/', $url_path)) ) {
        $whitelist[] = site_url($_SERVER['REQUEST_URI']);
      }
      return $whitelist;
    }
    add_filter('v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 1);
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Feature : Allow whitelisting to ignore url query params’ is closed to new replies.