[wp-trac] [WordPress Trac] #47192: Allow users to enter recovery mode via their registered email
WordPress Trac
noreply at wordpress.org
Thu Jan 2 04:02:53 UTC 2020
#47192: Allow users to enter recovery mode via their registered email
----------------------------------+------------------------------
Reporter: spacedmonkey | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Site Health | Version: 5.2
Severity: normal | Resolution:
Keywords: servehappy has-patch | Focuses:
----------------------------------+------------------------------
Comment (by TimothyBlynJacobs):
@spacedmonkey, @dd32, @miss_jwo and I discussed this feature at WordCamp
US to try and find a way forward without introducing any security issues.
The crux of the issue is that for the "request an email" form to work when
the site is experiencing a fatal error, execution needs to be handled
before plugins are loaded. This poses a problem because we don't want any
user to be able to request a link to enter recovery mode, only users who
can `resume_plugins` or `resume_themes`. Doing permission checks before
WordPress has been able to load plugins may not be safe.
The solution the four of us came up with is to "cache" the list of email
addresses that have permission to perform this action, and when the link
is requested, check if the provided email address is contained within the
allow list. That list is then updated when a user logs in, has a role
changed, or the user is updated.
When a user requests a recovery mode link, we no longer have access to the
fatal error that occurred and the context of the page is different.
Additionally, we no longer need to rate limit it since the email isn't
sent automatically on an error. So I've introduced a second email method
that has less content.
The UI is currently all handled using `wp_die()`. We can't easily use the
wp-login.php styles because we'd have to wait for plugins to load to gain
access to the `login_header()` and `login_footer()` functions. However, if
we wanted to, I suppose we could move those functions to a separate file
that can be selectively included. If we did reuse the login styles,
though, we might run into an issue that site owners won't be able to
easily style the page since plugins like Theme My Login wouldn't have run
yet.
I've uploaded a patch that does this for people to play around with. The
styling and language are all very primitive, but it is hopefully enough to
get an idea of how it might work.
Visit `/wp-login.php?action=request_rm` to see the page and initiate the
flow.
{{{
Howdy!
You requested a link to enter Recovery Mode.
First, visit your website (http://trunk.test/) and check for any visible
issues. Next, visit the page where the error was caught and check for any
visible issues.
Please contact your host for assistance with investigating this issue
further.
If your site appears broken and you can't access your dashboard normally,
WordPress now has a special "recovery mode". This lets you safely login to
your dashboard and investigate further.
http://trunk.test/wp-login.php?action=enter_recovery_mode&rm_token=04TVkFeEt9aGSlC1B0ZXei&rm_key=5JmVtMgiEuYMno6PuIxxRI
To keep your site safe, this link will expire in 1 day. Don't worry about
that, though: you can request a new link at any time.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47192#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
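
Added example, not the patch attached to the ticket and not WordPress core code: one way to implement the cached allow list described in the comment above, with the capability check done at sync time (plugins loaded) and only an option lookup done at request time (before plugins load). The option name, the `example_rm_*` function names, the `deleted_user` hook and the uniform reply are assumptions of this example.

```php
<?php
// Added example; assumes it is loaded inside WordPress. The option name and
// every example_rm_* name are hypothetical, not taken from the ticket's patch.
const EXAMPLE_RM_OPTION = 'example_rm_email_allowlist';

function example_rm_normalize( $email ) {
	return strtolower( trim( (string) $email ) );
}

// Runs on normal requests, with plugins loaded, so user_can() sees any
// capability filters plugins apply. Keyed by user ID so a changed email
// replaces the old entry.
function example_rm_sync_user( $user_id ) {
	$list = (array) get_option( EXAMPLE_RM_OPTION, array() );
	unset( $list[ $user_id ] );
	$user = get_userdata( $user_id );
	if ( $user && ( user_can( $user, 'resume_plugins' ) || user_can( $user, 'resume_themes' ) ) ) {
		$list[ $user_id ] = example_rm_normalize( $user->user_email );
	}
	update_option( EXAMPLE_RM_OPTION, $list );
}

// Refresh on the events named in the comment: login, role change, user update.
add_action( 'wp_login', function ( $user_login, $user ) {
	example_rm_sync_user( $user->ID );
}, 10, 2 );
add_action( 'set_user_role', 'example_rm_sync_user' );  // first argument is the user ID
add_action( 'profile_update', 'example_rm_sync_user' ); // first argument is the user ID
// Assumption beyond the comment: also drop accounts when they are deleted.
add_action( 'deleted_user', 'example_rm_sync_user' );

// Safe before plugins load: reads one option and makes no capability check.
function example_rm_email_is_allowed( $email ) {
	$list = (array) get_option( EXAMPLE_RM_OPTION, array() );
	return in_array( example_rm_normalize( $email ), $list, true );
}

// $send_link is a caller-supplied callable that creates and mails the link.
// Assumption: the reply is identical either way, so the form does not reveal
// which addresses are on the list.
function example_rm_handle_request( $email, callable $send_link ) {
	if ( example_rm_email_is_allowed( $email ) ) {
		$send_link( example_rm_normalize( $email ) );
	}
	return 'If that address can manage this site, a recovery link is on its way.';
}
```

The list is only as fresh as the last sync event, so a capability removed by other means stays honoured until that user next logs in or is updated.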