user-passwords-leak__default-roles.ag

inc/spbc-auth.php

@@ -487,17 +487,19 @@ function spbc_passleak_change_password_form()
     $replacement =
         '<h3 style="text-align: center;margin: 0 0 10px 0;">' . esc_attr($spbc->data["wl_brandname"]) . '</h3>'
         . '<p id="spbc_2fa_wrapper" style="display: inline !important;">'
+        . '<div class="notice"><b>' . __('Due password leak risk, please, change your password.', 'security-malware-firewall') . '</b></div>'
         . '<label for="spbc_passleak_new">' . __('Set new password') . '</label>'
         . '<input type="password"   name="pass1" id="spbc_passleak_new" class="input" value="" size="20" />'
         . '<label for="spbc_passleak_confirm">' . __('Confirm new password') . '</label>'
         . '<input type="password"   name="pass2" id="spbc_passleak_confirm" class="input" value="" size="20" />'
-        . '<label for="spbc_passleak_current">' . __('Current password') . '</label>'
+        . '<label for="spbc_passleak_current">' . __('Your current password') . '</label>'
         . '<input type="password"   name="spbc_passleak_current" id="spbc_passleak_current" class="input" value="" size="20" />'
         . '<input type="hidden" name="spbc_passleak_user" class="input" value="' . esc_attr($user_name) . '" />'
-        . __('Please, change your password.', 'security-malware-firewall') . '<br><br>'
         . '</p>'
         . '<p class="submit" style="display: inline !important;">'
+        . '<div style="display: flex; justify-content: center; margin-top: 10px;">'
         . '<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Change Password">'
+        . '</div>'
         . '<input type="hidden" name="redirect_to" value="' . admin_url() . '">'
         . '<input type="hidden" name="testcookie" value="1">'
         . '<input type="hidden" name="nonce" value="' . wp_create_nonce('spbc_passleak_change_password') . '">'

inc/spbc-settings.php

@@ -25,6 +25,7 @@
 use CleantalkSP\Variables\Post;
 use CleantalkSP\Variables\Server;
 use CleantalkSP\SpbctWP\UploadDirPreventPhpExecutionModule\UploadDirPreventPhpExecution;
+use CleantalkSP\SpbctWP\UsersPassCheckModule\UserPassCheckView;
 
 // Prevent direct call
 if ( ! defined('ABSPATH') ) {
@@ -1982,37 +1983,10 @@ function spbc_field_2fa__roles()
 
 function spbc_field_check_pass__roles()
 {
-    global $spbc, $wp_roles;
-
-    $wp_roles = new \WP_Roles();
-    $roles_name = $wp_roles->get_names();
-
-    echo '<div class="spbc_wrapper_field spbc_sub_setting">';
-
-    echo '<span class="spbc_settings-field_title spbc_settings-field_title--field">'
-         . __('Roles that use checking the user\'s password for information leaks', 'security-malware-firewall')
-         . '</span>'
-         . '<br>';
-
-    echo '<div style="margin-bottom: 10px" class="spbc_settings_description">'
-         . __('Hold CTRL button to select multiple roles. Users with unselected roles keep log in to your website in a standard way with their logins and passwords.', 'security-malware-firewall')
-         . '</div>';
-
-    echo '<select multiple="multiple" id="spbc_setting_check_pass__roles" name="spbc_settings[check_pass__roles][]"'
-         . (! $spbc->settings['check_pass__enable'] ? ' disabled="disabled"' : '')
-         . ' size="' . (count($roles_name) - 1 < 6 ? count($roles_name) - 1 : 5) . '"'
-         . '>';
-
-    foreach ($roles_name as $role => $role_name) {
-        echo '<option'
-             . (in_array($role, (array) $spbc->settings['check_pass__roles']) ? ' selected="selected"' : '')
-             . ' value="' . $role . '"'
-             . '>' . $role_name . '</option>';
-    }
-
-    echo '</select>';
-
-    echo '</div>';
+    echo Escape::escKsesPreset(
+        UserPassCheckView::getRolesSelect(),
+        'spbc_user_pass_check_roles'
+    );
 }
 
 function spbc_field_security_logs__prepare_data(&$table)
@@ -4819,6 +4793,15 @@ function spbc_sanitize_settings($settings)
         }
     }
 
+    if (
+        isset($settings['check_pass__enable']) &&
+        $settings['check_pass__enable'] == '0' &&
+        empty($settings['check_pass__roles']) &&
+        ! empty($spbc->settings['check_pass__roles'])
+    ) {
+        $settings['check_pass__roles'] = $spbc->settings['check_pass__roles'];
+    }
+
     /**
      * Triggered before returning the settings
      */

js/src/spbc-settings.js

@@ -200,29 +200,39 @@ function spbcSettingsDependenciesbyId(settingsIDs, enable) { // eslint-disable-l
  */
 function spbcSettingsDependencies(settingNames, enable) { // eslint-disable-line no-unused-vars
     // Cast settingNames to array
+    const isRadio = event.target.type === 'radio';
+    const radioEnabled = isRadio && event.target.value == '1';
+    const targetEnableFlag = (isRadio && !radioEnabled) || +event.target.checked;
+    const doEnableFlag = typeof enable === 'undefined' ? targetEnableFlag : +enable;
+
     settingNames = typeof settingNames === 'string' ? settingNames.split(',') : settingNames;
-    enable = typeof enable === 'undefined' ? +event.target.checked : +enable;
 
     settingNames.forEach(function(settingName, i, arr) {
-        document.getElementsByName('spbc_settings['+settingName+']')
+        let elements = document.getElementsByName('spbc_settings['+settingName+']');
+        if (elements.length === 0) {
+            // multiple selector case
+            elements = document.getElementsByName('spbc_settings['+settingName+'][]');
+        }
+
+        elements
             .forEach(function( elem, i, arr ) {
                 let doDisable = function() {
                     elem.setAttribute('disabled', 'disabled');
                 };
                 let doEnable = function() {
                     elem.removeAttribute('disabled');
                 };
-                if (enable !== null) {
+                if (doEnableFlag !== null) {
                     // Set
-                    enable === 1 ? doEnable() : doDisable();
+                    doEnableFlag === 1 ? doEnable() : doDisable();
                 } else {
                     // Switch
                     elem.getAttribute('disabled') === null ? doDisable() : doEnable();
                 }
 
                 let children = elem.getAttribute('children');
                 if ( children !== null ) {
-                    spbcSettingsDependencies(children, enable && elem.checked);
+                    spbcSettingsDependencies(children, doEnableFlag && elem.checked);
                 }
             });
     });

lib/CleantalkSP/SpbctWP/AdminBannersModule/AdminBanners/AdminBannerPassLeak.php

@@ -40,7 +40,7 @@ public function __construct(AdminBannersHandler $banners_handler)
 
         $user_profile_link = get_edit_user_link($this->banners_handler->getUserId()) . '#password';
         $this->template_data = array(
-            'title'                => esc_html__('Your password has been leaked.', 'security-malware-firewall'),
+            'title'                => esc_html__('Security by Cleantalk: your password has been leaked.', 'security-malware-firewall'),
             'subtitle'             => sprintf(
                 esc_html__('Please change password in your %s', 'security-malware-firewall'),
                 '<a href="' . $user_profile_link . '">' . esc_html__('profile', 'security-malware-firewall') . '</a>'

lib/CleantalkSP/SpbctWP/Escape.php

@@ -169,7 +169,28 @@ public static function escKsesPreset($string, $preset = null, $_allowed_protocol
                 'ul' => array(
                     'style' => true,
                 ),
-            )
+            ),
+            'spbc_user_pass_check_roles' => array(
+                'div' => array(
+                    'class' => true,
+                    'style' => true,
+                ),
+                'span' => array(
+                    'class' => true,
+                ),
+                'br' => array(),
+                'select' => array(
+                    'id' => true,
+                    'name' => true,
+                    'multiple' => true,
+                    'size' => true,
+                    'disabled' => true,
+                ),
+                'option' => array(
+                    'value' => true,
+                    'selected' => true,
+                ),
+            ),
         );
 
         add_filter('safe_style_css', function ($styles) use ($allowed_style_props) {

lib/CleantalkSP/SpbctWP/State.php

@@ -39,7 +39,7 @@ class State extends \CleantalkSP\Common\State
         '2fa__enable'                       => 0,
         '2fa__roles'                        => array('administrator'),
         'check_pass__enable'                => 0,
-        'check_pass__roles'                 => array('administrator', 'editor'),
+        'check_pass__roles'                 => array(), //default is empty, will be generated due settings draw
         'bfp__allowed_wrong_auths'          => 5,
         'bfp__delay__1_fails'               => 3,    // Delay to sleep after 1 wrong auth
         'bfp__delay__5_fails'               => 10,   // Delay to sleep after 5 wrong auths

lib/CleantalkSP/SpbctWP/UsersPassCheckModule/UserPassCheckView.php

@@ -0,0 +1,106 @@
+<?php
+
+namespace CleantalkSP\SpbctWP\UsersPassCheckModule;
+
+class UserPassCheckView
+{
+    const VULNERABLE_CAPABILITIES = array(
+        //default wp editor role caps
+        'moderate_comments',
+        'manage_categories',
+        'manage_links',
+        'edit_others_posts',
+        'edit_pages',
+        'edit_others_pages',
+        'edit_published_pages',
+        'publish_pages',
+        'delete_pages',
+        'delete_others_pages',
+        'delete_published_pages',
+        'delete_others_posts',
+        'delete_private_posts',
+        'edit_private_posts',
+        'read_private_posts',
+        'delete_private_pages',
+        'edit_private_pages',
+        'read_private_pages',
+        //custom spbc caps
+        'manage_options',
+        'activate_plugins'
+    );
+
+    public static function getRolesSelect()
+    {
+        global $spbc, $wp_roles;
+        $wp_roles   = new \WP_Roles();
+        $roles_name = $wp_roles->get_names();
+
+        $select_size = count($roles_name) - 1 < 6 ? count($roles_name) - 1 : 5;
+        $is_disabled = ! $spbc->settings['check_pass__enable'] ? ' disabled="disabled"' : '';
+
+        // Generate options for select
+        $options_html = '';
+        foreach ( $roles_name as $role => $role_name ) {
+            $is_role_enabled = self::isRoleEnabled($role, (array)$spbc->settings['check_pass__roles'], $wp_roles);
+            $selected_chunk  = $is_role_enabled ? ' selected="selected"' : '';
+            $options_html .= sprintf(
+                '<option%s value="%s">%s</option>',
+                $selected_chunk,
+                esc_attr($role),
+                esc_html($role_name)
+            );
+        }
+
+        // Main template
+        $template = '
+            <div class="spbc_wrapper_field spbc_sub_setting">
+                <span class="spbc_settings-field_title spbc_settings-field_title--field">%s</span><br>
+                <div style="margin-bottom: 10px" class="spbc_settings_description">%s</div>
+                <select multiple="multiple" id="spbc_setting_check_pass__roles" name="spbc_settings[check_pass__roles][]"%s size="%d">%s</select>
+            </div>
+        ';
+
+        $out = sprintf(
+            $template,
+            esc_html__(
+                'Roles that use checking the user\'s password for information leaks',
+                'security-malware-firewall'
+            ),
+            esc_html__(
+                'Hold CTRL button to select multiple roles. Users with unselected roles keep log in to your website in a standard way with their logins and passwords.',
+                'security-malware-firewall'
+            ),
+            $is_disabled,
+            $select_size,
+            $options_html
+        );
+
+        return $out;
+    }
+
+    /**
+     * @param string $role
+     * @param array $spbc_settings_roles
+     * @param \WP_Roles $wp_roles
+     *
+     * @return bool
+     */
+    private static function isRoleEnabled($role, $spbc_settings_roles, $wp_roles)
+    {
+        $enabled_roles = !empty($spbc_settings_roles) ? $spbc_settings_roles : array();
+        // First run - show roles with capabilities higher than or equal to editor
+        if ( empty($enabled_roles) ) {
+            // Get roles that have at least one editor-level capability
+            foreach ( $wp_roles->roles as $role_slug => $role_data ) {
+                foreach ( static::VULNERABLE_CAPABILITIES as $cap ) {
+                    if ( isset($role_data['capabilities'][$cap]) && $role_data['capabilities'][$cap] ) {
+                        $enabled_roles[] = $role_slug;
+                        break;
+                    }
+                }
+            }
+        }
+
+        return in_array($role, $enabled_roles);
+    }
+}

lib/CleantalkSP/SpbctWP/UsersPassCheckModule/UsersPassCheckHandler.php

@@ -19,7 +19,7 @@ public static function addUserPass($user, $username, $password)
     {
         global $spbc;
 
-        if ($spbc->settings['check_pass__enable'] === false) {
+        if ($spbc->settings['check_pass__enable'] == '0') {
             return $user;
         }
 
@@ -87,7 +87,7 @@ public static function checkPassLeak()
 
         global $spbc;
 
-        if ($spbc->settings['check_pass__enable'] === false) {
+        if ($spbc->settings['check_pass__enable'] == '0') {
             wp_send_json_error(__('Password check is disabled', 'security-malware-firewall'));
         }
 

security-malware-firewall.php

@@ -315,7 +315,7 @@ function spbc_users_pass_check()
 {
     global $spbc;
 
-    if ($spbc->settings['check_pass__enable'] === false) {
+    if ($spbc->settings['check_pass__enable'] == '0') {
         return;
     }
 
@@ -331,7 +331,7 @@ function spbc_users_pass_check_worker()
 {
     global $spbc;
 
-    if ($spbc->settings['check_pass__enable'] === false) {
+    if ($spbc->settings['check_pass__enable'] == '0') {
         return;
     }