Comments (10)
All right, here's an example that should work:
```php
class SecureUpdateServer extends Wpup_UpdateServer {
    protected function filterMetadata($meta, $request) {
        $meta = parent::filterMetadata($meta, $request);
        $licenseKey = $request->param('license_key');

        //Only include the download URL if the license is valid.
        if ( $licenseKey && $this->isValidLicense($licenseKey) ) {
            //Append the license key to the download URL.
            $args = array('license_key' => $licenseKey);
            $meta['download_url'] = self::addQueryArg($args, $meta['download_url']);
        } else {
            //No license = no download link.
            unset($meta['download_url']);
        }

        return $meta;
    }

    protected function checkAuthorization($request) {
        parent::checkAuthorization($request);

        //Prevent download if the user doesn't have a valid license.
        $licenseKey = $request->param('license_key');
        if ( $request->action === 'download' && ! ($licenseKey && $this->isValidLicense($licenseKey)) ) {
            if ( empty($licenseKey) ) {
                $message = 'You must provide a license key to download this plugin.';
            } else {
                $message = 'Sorry, your license is not valid.';
            }
            $this->exitWithError($message, 403);
        }
    }

    protected function isValidLicense($licenseKey) {
        //Placeholder check; replace with a real license lookup.
        return ($licenseKey === 'totallyvalid');
    }
}
```
This example only shows the download link when the update request includes a `&license_key=totallyvalid` parameter. When someone tries to download an update, it only allows the download if the download link also includes the same query parameter.
from wp-update-server.
Check the PHP error log, it might have more information about the error. If it doesn't, see if there's anything in the web server's own error log.
from wp-update-server.
PHP Warning: Missing argument 1 for SecureUpdateServer::__construct(), called in /var/www/mysite.com/htdocs/index.php on line 3 and defined in /var/www/mysite.com/htdocs/includes/SecureUpdateServer.php on line 5
from wp-update-server.
The `SecureUpdateServer` class in that post is just an example. It's not a complete solution, and it is not intended to be used as-is; it won't work.
If you need to extend the `Wpup_UpdateServer` class, you can use the example code as a guideline, but you'll have to write your own implementation.
from wp-update-server.
Is there a possibility you can make a simple example that works?
from wp-update-server.
Why do we have to check the license at two places? checkAuthorization and filterMetadata.
Isn't it enough to check in filterMetadata?
from wp-update-server.
I check in two places because I want to show update notifications to all users, even those who don't have a license key or whose key has expired. If you don't need that, you could check only in `checkAuthorization` and reject any request that doesn't include a valid key.
from wp-update-server.
Thanks for the quick reply.
Since we want to show update notifications to everyone, can we not skip checkAuthorization?
filterMetadata already takes care of restricting the updates to users without a valid license, I don't see the purpose of checkAuthorization. What am I missing?
from wp-update-server.
> filterMetadata already takes care of restricting the updates to users without a valid license [...]

Not quite. If you skip `checkAuthorization`, anyone who knows how the update server works will be able to download any update by easily guessing the download URL. All download URLs have the same general structure:
https://example.com/update-server/?action=download&slug=plugin-slug
Even if you don't show the user the URL, they can figure it out based on this.
from wp-update-server.
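The difference between the two checks, as an added example that is not part of the thread or of wp-update-server: a self-contained PHP model of the metadata and download paths, run with and without the download-time check. `handle()`, `LICENSES`, `BASE_URL`, the keys and the expiry dates are constructed for illustration.

```php
<?php
// Stand-in model of the update server's two request paths (not wp-update-server code).
// Constructed sample data: license key => expiry date.
const LICENSES = ['totallyvalid' => '2099-12-31', 'lapsedkey' => '2020-01-01'];
const BASE_URL = 'https://example.com/update-server/';

function isValidLicense(?string $key): bool {
    // A key is valid only if it is known and has not expired.
    return $key !== null && isset(LICENSES[$key]) && LICENSES[$key] >= date('Y-m-d');
}

// $enforceOnDownload = false models a server that only filters metadata.
function handle(array $query, bool $enforceOnDownload): array {
    $key      = $query['license_key'] ?? null;
    $action   = $query['action'] ?? '';
    $slug     = $query['slug'] ?? '';
    $licensed = isValidLicense($key);

    if ($action === 'get_metadata') {
        // Everyone sees the new version; only licensed users get the link.
        $meta = ['slug' => $slug, 'version' => '2.0'];
        if ($licensed) {
            $meta['download_url'] = BASE_URL . '?' . http_build_query(
                ['action' => 'download', 'slug' => $slug, 'license_key' => $key]);
        }
        return [200, $meta];
    }
    if ($action === 'download') {
        // This is the check that hiding the URL cannot replace.
        if ($enforceOnDownload && !$licensed) {
            return [403, 'license required'];
        }
        return [200, 'zip bytes for ' . $slug];
    }
    return [400, 'unknown action'];
}

// Unlicensed metadata request: the update notice is visible, the link is withheld.
[$status, $meta] = handle(['action' => 'get_metadata', 'slug' => 'plugin-slug'], true);
printf("metadata status %d, has link: %s\n", $status, isset($meta['download_url']) ? 'yes' : 'no');

// The URL shape quoted in the thread, requested directly against both configurations.
$direct = ['action' => 'download', 'slug' => 'plugin-slug'];
printf("no key, metadata filter only: %d\n", handle($direct, false)[0]);
printf("no key, with download check:  %d\n", handle($direct, true)[0]);
printf("expired key, download check:  %d\n", handle($direct + ['license_key' => 'lapsedkey'], true)[0]);
printf("valid key, download check:    %d\n", handle($direct + ['license_key' => 'totallyvalid'], true)[0]);
```

The same four requests make a useful regression test against a real deployment: only the last one should ever return the package.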
Makes sense. Thanks a lot.
My update server is finally working as expected :)
from wp-update-server.