Connection: allow provisioning using an application password (#40447)
Modify permission check for `/jetpack/v4/remote_provision` endpoint to allow application passwords.
sergeymitr authored Dec 5, 2024
1 parent c3faf38 commit 5baf0a9
Showing 2 changed files with 24 additions and 3 deletions.
@@ -0,0 +1,4 @@
Significance: minor
Type: added

REST user provisioning with an app password.
23 changes: 20 additions & 3 deletions projects/packages/connection/src/class-rest-connector.php
@@ -339,9 +339,15 @@ public static function remote_authorize( $request ) {
*
* @return WP_Error|array
*/
public static function remote_provision( WP_REST_Request $request ) {
public function remote_provision( WP_REST_Request $request ) {
$request_data = $request->get_params();

if ( did_action( 'application_password_did_authenticate' ) && current_user_can( 'jetpack_connect_user' ) ) {
$request_data['local_user'] = get_current_user_id();
}

$xmlrpc_server = new Jetpack_XMLRPC_Server();
$result = $xmlrpc_server->remote_provision( $request );
$result = $xmlrpc_server->remote_provision( $request_data );

if ( is_a( $result, 'IXR_Error' ) ) {
$result = new WP_Error( $result->code, $result->message );
@@ -393,9 +399,20 @@ public function remote_register( WP_REST_Request $request ) {
/**
* Remote provision endpoint permission check.
*
* @param WP_REST_Request $request The request object.
*
* @return true|WP_Error
*/
public function remote_provision_permission_check() {
public function remote_provision_permission_check( WP_REST_Request $request ) {
// We allow the app password authentication only if 'local_user' is empty for security reasons.
if ( empty( $request['local_user'] ) && did_action( 'application_password_did_authenticate' ) ) {
if ( current_user_can( 'jetpack_connect_user' ) ) {
return true;
}

return new WP_Error( 'invalid_user_permission_remote_provision', self::get_user_permissions_error_msg(), array( 'status' => rest_authorization_required_code() ) );
}

return Rest_Authentication::is_signed_with_blog_token()
? true
: new WP_Error( 'invalid_permission_remote_provision', self::get_user_permissions_error_msg(), array( 'status' => rest_authorization_required_code() ) );
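Review bot: The callback and the permission check decide the application-password case with different conditions: `remote_provision_permission_check()` takes that branch only when `local_user` is empty, while `remote_provision()` overwrites `$request_data['local_user']` whenever the action fired and the user has the capability. A request that was admitted through the blog-token branch with its own `local_user`, but which also carried application-password credentials, would have that value silently replaced by `get_current_user_id()`. Mirroring the guard in the callback, `if ( empty( $request_data['local_user'] ) && did_action( 'application_password_did_authenticate' ) && current_user_can( 'jetpack_connect_user' ) ) {`, or moving the condition into one private helper that both methods call, keeps the two from drifting apart. `did_action()` only records that the hook fired at some point during the request; if the supported WordPress versions allow it, `rest_get_authenticated_app_password()` may be a more direct signal that this request was authenticated that way. Both function bodies continue outside the hunks shown, so any later use of `local_user` could not be checked here.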