Merge pull request #192 from pantheon-systems/191-allow-redirect-wp-l…

…ogin Allow redirecting back to `wp-login.php` while avoiding redirect loop
pantheon-systems · May 26, 2020 · bd06228 · bd06228
2 parents f4d8c7b + 712c205
commit bd06228
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 58 deletions.
diff --git a/README.md b/README.md
@@ -277,6 +277,9 @@ There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Nati
 
 ## Changelog ##
 
+### 1.0.1 (May 26, 2020) ###
+* Allows redirecting back to `wp-login.php` while avoiding redirect loop [[#192](https://github.com/pantheon-systems/wp-saml-auth/pull/192)].
+
 ### 1.0.0 (March 2, 2020) ###
 * Plugin is stable.
 

diff --git a/composer.lock b/composer.lock
diff --git a/inc/class-wp-saml-auth.php b/inc/class-wp-saml-auth.php
@@ -243,16 +243,23 @@ public function do_saml_authentication() {
 					// Translators: Includes error reason from OneLogin.
 					return new WP_Error( 'wp_saml_auth_unauthenticated', sprintf( __( 'User is not authenticated with SAML IdP. Reason: %s', 'wp-saml-auth' ), $this->provider->getLastErrorReason() ) );
 				}
-				$attributes  = $this->provider->getAttributes();
-				$redirect_to = filter_input( INPUT_POST, 'RelayState', FILTER_SANITIZE_URL );
-				if ( $redirect_to && false === stripos( $redirect_to, parse_url( wp_login_url(), PHP_URL_PATH ) ) ) {
-					add_filter(
-						'login_redirect',
-						function() use ( $redirect_to ) {
-							return $redirect_to;
-						},
-						1
-					);
+				$attributes      = $this->provider->getAttributes();
+				$redirect_to     = filter_input( INPUT_POST, 'RelayState', FILTER_SANITIZE_URL );
+				$permit_wp_login = self::get_option( 'permit_wp_login' );
+				if ( $redirect_to ) {
+					// When $permit_wp_login=true, we only care about accidentially triggering the redirect
+					// to the IDP. However, when $permit_wp_login=false, hitting wp-login will always
+					// trigger the IDP redirect.
+					if ( ( $permit_wp_login && false === stripos( $redirect_to, 'action=wp-saml-auth' ) )
+						|| ( ! $permit_wp_login && false === stripos( $redirect_to, parse_url( wp_login_url(), PHP_URL_PATH ) ) ) ) {
+						add_filter(
+							'login_redirect',
+							function() use ( $redirect_to ) {
+								return $redirect_to;
+							},
+							1
+						);
+					}
 				}
 			} else {
 				$redirect_to = filter_input( INPUT_GET, 'redirect_to', FILTER_SANITIZE_URL );

diff --git a/languages/wp-saml-auth.pot b/languages/wp-saml-auth.pot
@@ -2,14 +2,14 @@
 # This file is distributed under the same license as the WP SAML Auth plugin.
 msgid ""
 msgstr ""
-"Project-Id-Version: WP SAML Auth 0.8.3\n"
+"Project-Id-Version: WP SAML Auth 1.0.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wp-saml-auth\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2020-02-03T23:02:50+00:00\n"
+"POT-Creation-Date: 2020-05-26T12:03:20+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.4.0\n"
 "X-Domain: wp-saml-auth\n"
@@ -209,19 +209,19 @@ msgstr ""
 msgid "User is not authenticated with SAML IdP. Reason: %s"
 msgstr ""
 
-#: inc/class-wp-saml-auth.php:290
+#: inc/class-wp-saml-auth.php:297
 msgid "Invalid provider specified for SAML authentication"
 msgstr ""
 
-#: inc/class-wp-saml-auth.php:315
+#: inc/class-wp-saml-auth.php:322
 msgid "No attributes were present in SAML response. Attributes are used to create and fetch users. Please contact your administrator"
 msgstr ""
 
 #. Translators: Communicates how the user is fetched based on the SAML response.
-#: inc/class-wp-saml-auth.php:322
+#: inc/class-wp-saml-auth.php:329
 msgid "\"%1$s\" attribute is expected, but missing, in SAML response. Attribute is used to fetch existing user by \"%2$s\". Please contact your administrator."
 msgstr ""
 
-#: inc/class-wp-saml-auth.php:337
+#: inc/class-wp-saml-auth.php:344
 msgid "No WordPress user exists for your account. Please contact your administrator."
 msgstr ""
diff --git a/readme.txt b/readme.txt
@@ -277,6 +277,9 @@ There is no third step. Because SimpleSAMLphp loads WordPress, which has WP Nati
 
 == Changelog ==
 
+= 1.0.1 (May 26, 2020) =
+* Allows redirecting back to `wp-login.php` while avoiding redirect loop [[#192](https://github.com/pantheon-systems/wp-saml-auth/pull/192)].
+
 = 1.0.0 (March 2, 2020) =
 * Plugin is stable.
 

diff --git a/wp-saml-auth.php b/wp-saml-auth.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * Plugin Name: WP SAML Auth
- * Version: 1.0.0
+ * Version: 1.0.1
  * Description: SAML authentication for WordPress, using SimpleSAMLphp.
  * Author: Pantheon
  * Author URI: https://pantheon.io