Allow admins to configure U2F keys for other users (#349)

WordPress · Apr 30, 2020 · 2b4ce5c · 2b4ce5c
1 parent 121993c
commit 2b4ce5c
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 14 deletions.
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
@@ -242,6 +242,24 @@ public static function is_valid_user_action( $user_id, $action ) {
 		);
 	}
 
+	/**
+	 * Get the ID of the user being edited.
+	 *
+	 * @return integer
+	 */
+	public static function current_user_being_edited() {
+		// Try to resolve the user ID from the request first.
+		if ( ! empty( $_REQUEST['user_id'] ) ) {
+			$user_id = intval( $_REQUEST['user_id'] );
+
+			if ( current_user_can( 'edit_user', $user_id ) ) {
+				return $user_id;
+			}
+		}
+
+		return get_current_user_id();
+	}
+
 	/**
 	 * Trigger our custom update action if a valid
 	 * action request is detected and passes the nonce check.
@@ -250,11 +268,7 @@ public static function is_valid_user_action( $user_id, $action ) {
 	 */
 	public static function trigger_user_settings_action() {
 		$action = filter_input( INPUT_GET, self::USER_SETTINGS_ACTION_QUERY_VAR, FILTER_SANITIZE_STRING );
-		$user_id = filter_input( INPUT_GET, 'user_id', FILTER_SANITIZE_NUMBER_INT );
-
-		if ( empty( $user_id ) && is_user_logged_in() ) {
-			$user_id = get_current_user_id();
-		}
+		$user_id = self::current_user_being_edited();
 
 		if ( ! empty( $action ) && self::is_valid_user_action( $user_id, $action ) ) {
 			/**

diff --git a/providers/class.two-factor-fido-u2f-admin-list-table.php b/providers/class.two-factor-fido-u2f-admin-list-table.php
@@ -115,8 +115,6 @@ public function inline_edit() {
 					<td colspan="<?php echo esc_attr( $this->get_column_count() ); ?>" class="colspanchange">
 						<fieldset>
 							<div class="inline-edit-col">
-								<h4><?php esc_html_e( 'Quick Edit', 'two-factor' ); ?></h4>
-
 								<label>
 									<span class="title"><?php esc_html_e( 'Name', 'two-factor' ); ?></span>
 									<span class="input-text-wrap"><input type="text" name="name" class="ptitle" value="" /></span>

diff --git a/providers/class.two-factor-fido-u2f-admin.php b/providers/class.two-factor-fido-u2f-admin.php
@@ -48,7 +48,11 @@ public static function enqueue_assets( $hook ) {
 			return;
 		}
 
-		$user_id = get_current_user_id();
+		$user_id = Two_Factor_Core::current_user_being_edited();
+		if ( ! $user_id ) {
+			return;
+		}
+
 		$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
 
 		// @todo Ensure that scripts don't fail because of missing u2fL10n.
@@ -81,6 +85,7 @@ public static function enqueue_assets( $hook ) {
 		 */
 
 		$translation_array = array(
+			'user_id'  => $user_id,
 			'register' => array(
 				'request' => $req,
 				'sigs' => $sigs,
@@ -255,9 +260,11 @@ public static function catch_submission( $user_id ) {
 	 * @static
 	 */
 	public static function catch_delete_security_key() {
-		$user_id = get_current_user_id();
-		if ( ! empty( $_REQUEST['delete_security_key'] ) ) {
+		$user_id = Two_Factor_Core::current_user_being_edited();
+
+		if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) {
 			$slug = $_REQUEST['delete_security_key'];
+
 			check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' );
 
 			Two_Factor_FIDO_U2F::delete_security_key( $user_id, $slug );
@@ -316,8 +323,7 @@ public static function wp_ajax_inline_save() {
 			wp_die();
 		}
 
-		$user_id = get_current_user_id();
-
+		$user_id = Two_Factor_Core::current_user_being_edited();
 		$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
 		if ( ! $security_keys ) {
 			wp_die();

diff --git a/providers/class.two-factor-fido-u2f.php b/providers/class.two-factor-fido-u2f.php
@@ -34,7 +34,7 @@ class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
 	 *
 	 * @var string
 	 */
-	const U2F_ASSET_VERSION = '0.2.0';
+	const U2F_ASSET_VERSION = '0.2.1';
 
 	/**
 	 * Ensures only one instance of this class exists in memory at any one time.

diff --git a/providers/js/fido-u2f-admin-inline-edit.js b/providers/js/fido-u2f-admin-inline-edit.js
@@ -80,7 +80,8 @@ var inlineEditKey;
 
 			params = {
 				action: 'inline-save-key',
-				keyHandle: id
+				keyHandle: id,
+				user_id: window.u2fL10n.user_id
 			};
 
 			fields = $( '#edit-' + id ).find( ':input' ).serialize();