Bypass

  • Resolved aaronstpierre

    (@aaronstpierre)


    3 years, 2 months ago

    Hi,

    I’m having an issue with Force Login and bypass. Here is my code: 

    add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass', 10, 2 );
function my_forcelogin_bypass( $bypass ) {
    //Get visited URL without query string
    //

    $request_uri = $_SERVER['REQUEST_URI'];
    $url_path = preg_replace('/\?.*/', '', $request_uri);

    // Allow URL
    if ( '/lostpassword/' === $url_path ) {
       $bypass = true;
    }

    if ( '/resetpass/' === $url_path ) {
       $bypass = true;
    }

    return $bypass;
}

    The bypass is working as intended but for some reason when I try to reset my password the force login plugin is redirecting from:

    Something like:

    https://mysite.com/resetpass/?key=SMUApSYyoWJAHDdcsJlK&login=blah

    to

    https://mysite.com/resetpass

    And this is resulting in an invalid key error.

    I’ve ensured it’s not caching as these URI’s are removed from the caching system.

    I’ve also confirmed this via headers:

    x-frame-optionsSAMEORIGIN
    x-kinsta-cacheBYPASS
    x-redirect-byWordPress

    I am using theme my login and that’s what is responsible for the non-standard links (/resetpass/ /lostpassword/)

    Please let me know if you have any suggestions.

    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Kevin Vess

    (@kevinvess)

    Hi– thanks for using Force Login!

    First, I want to address your sample code. It looks like you’re not passing the expected second parameter from the filter to your my_forcelogin_bypass() function. Let’s clean up that code to be like this:

    /**
 * Bypass Force Login to allow for exceptions.
 *
 * @param bool $bypass Whether to disable Force Login. Default false.
 * @param string $visited_url The visited URL.
 * @return bool
 */
function my_forcelogin_bypass( $bypass, $visited_url ) {
  // Allow these absolute URLs
  $allowed = array(
    home_url( '/lostpassword/' ),
    home_url( '/resetpass/' ),
    home_url( '/resetpass/?' . $_SERVER['QUERY_STRING'] ),
  );
  if ( ! $bypass ) {
    $bypass = in_array( $visited_url, $allowed );
  }

  return $bypass;
}
add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass', 10, 2 );

    If those TML action URLs (slugs) are actual WP pages, you might be able to use this logic instead of the absolute URL example above.

    if ( is_page( array( 'lostpassword', 'resetpass' ) ) ) {
  $bypass = true;
}

    Second, there is likely a more elegant solution to determine how/when to bypass Force Login using functions from the Theme My Login plugin. For example, this untested code:

    /**
 * Bypass Force Login to allow for exceptions.
 *
 * @param bool $bypass Whether to disable Force Login. Default false.
 * @param string $visited_url The visited URL.
 * @return bool
 */
function my_forcelogin_bypass( $bypass ) {
  // Allow TML action pages
  if ( function_exists('tml_is_action') ) {
    $bypass = tml_is_action();
  }
  return $bypass;
}
add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass', 10 );

    Or–?try writing a conditional statement using their tml_get_action_url( $action ) function.

    Good luck!

    Thread Starter aaronstpierre

    (@aaronstpierre)

    Good morning Kevin,

    The code I used above came from the Force Login Wiki:

    https://github.com/kevinvess/wp-force-login/wiki/Bypass-Dynamic-URLs

    It was the first example changed for my environment.

    I’ll give the other suggestions a try and write back to let you know if they worked.

    Thank you!

    Thread Starter aaronstpierre

    (@aaronstpierre)

    Well that was easy!

    The more elegant solution using tml_is_action() worked fine!

    Thank you for your help.

    I am curious to know about the wiki though is that documentation just old?

    Thanks!

    Plugin Author Kevin Vess

    (@kevinvess)

    Great- I’m glad that worked!

    Be sure to rate and review my plugin to let others know how you like it.

    The wiki documentation is still valid and those examples should work. Your shared code was mostly fine, except where you specified two (2) parameters when calling the filter:

    add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass', 10, 2 );

    But then your code only passed one parameter ($bypass):

    function my_forcelogin_bypass( $bypass ) {

    The original wiki code for Method 1 looks like this:

    add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass' );

    As for why your shared code didn’t exactly work; I would check to see what the actual value of $url_path becomes when it tries to match to the /resetpass/ string in your conditional statement. Maybe the variable didn’t include a forward slash someplace?

    You said “the bypass was working as intended,” except when you try to reset your password.

    For some reason, /resetpass/ does not equal $url_path when you hit the password reset URL and it did not bypass the page in Force Login.

    Thread Starter aaronstpierre

    (@aaronstpierre)

    Thanks! Review added! Thank you again for the great support!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Bypass’ is closed to new replies.