Change the token check to use the passed user_id #6451
Conversation
The wpcom servers do not always retrieve the master user_id when signing requests. When the wrong user_id is sent over, the request will fail. This change uses the user_id that is encoded in the token format to check requests.
jeherve
added
General
[Type] Bug
There was a problem hiding this comment.
I think this is just one more (the last?) holdover from when only one user per Jetpack site could be connected to WordPress.com.
As you point out, on WordPress.com, we sometimes look for any non-blog token to sign the request. This ensures that the site is fully connected. (Having only a blog token could mean the site is in some half-way state.) In ye olde times, looking for any non-blog token would always return nothing or the master user's token. So on the Jetpack side, we could always check JETPACK_MASTER_USER.
Those days are long gone, and we can't depend on any specific behavior when looking for "any non-blog token".
This change makes sense, though it feels a little odd to use an arbitrary (even if now consistent) user token to do all this. I don't think it has any security concerns, though. Something may break if the Jetpack site loses its half of the connection for that user, though, and WP.com still tries to sign things with that user's details.
@lezama, @ebinnion, I take it SSO and this patch play nicely together?
At any rate, looks good to me.
There was a problem hiding this comment.
OK, so I think that I'm either testing it incorrectly, or there's a problem. My setup is that I have a Jetpack site with two connected administrators. One of them is the master user, the other one is just an administrator.
So when I try to publish a document from StackEdit.io, it works with the master user, but doesn't work with the second user. By using error_log in class.jetpack.php I can say that $environment seems to always have 1 as the user ID, therefore get_access_token always returns the token for the master user.
Can you tell me if my testing is wrong, or is it a problem with the code?
zinigor
added
[Status] Ready to Merge
matticbot
removed
the
[Status] Ready to Merge
* Changelog: update stable tag and move changelog to changelog.txt Also remove old releases from readme.txt to keep the changelog tab short. * Changelog: add #5883 Also update the filter's docblock to match new version. * Changelog: add #5938 * Changelog: add #6298 * Changelog: add #3405 * Changelog: add #5941 * Changelog: add #6239 * Changelog: add #6281 * Changelog: add #6303 * Changelog: add #6018 * Changelog: add #6300 * Changelog: add #6296 * Changelog: add #6130 * Changelog: add #6292 * Readme: remove extra "on". * Changelog: add #6307 * Changelog: add #3297 * Changelog: add #6275 * Changelog: add #6321 * Changelog: add #6297 * Readme: update the support forum link anchor. Anchor changed when WordPress.org forums were updated to bbPress 2 * Readme: update list of a12s, it wasn't up to date anymore! * Changelog: add #6338 * Changelog: add #6337 * Changelog: add #6335 * Changelog: add #6333 * Testing List: first version of the 4.7 testing list. * Changelog: add #6332 * Changelog: add #6325 * Changelog: add #6326 * Changelog: add #6339 * Changelog: add #6342 * Changelog: add #6343 * Changelog: add #6346 * Changelog: add #6347 * Changelog: add #6279 * Changelog: add #6306 * Changelog: add #6312 * Changelog: add #6316 * Changelog: add #6171 * Changelog: add #6317 * Changelog: add #6246 * Changelog: add #6263 * Changelog: add #4220 * Changelog: add #5888 * Changelog: add #3406 * Changelog: add #3637 * Changelog: add #6320 * Changelog: add #5992 * Changelog: add #6322 * Changelog: add #6324 * Changelog: add #6352 * Changelog: add #6355 * Changelog: add #6360 * Changelog: add #6362 * Changelog: add #6369, #6382 * Changelog: add #6370 * Changelog: add #6375 * Changelog: add #6383 * Changelog: add #6384 * Changelog: add #6386 * Changelog: add #6395 * Changelog: add #6403 * Changelog: add #6406 * Changelog: add #6418 * Changelog: add #6419 * Changelog: add #6434 * Changelog: add #6446 * Changelog: add #6006 * Changelog: add #6096 * Changelog: add #6399 * Changelog: fix typo. @see #6331 (comment) * Changelog: add #6440 * Changelog: add #6443 * Changelog: add #6445 * Changelog: add #6463 * Changelog: add #6468 * Changelog: add #6471 * Changelog: add #6474 * Changelog: add #6480 * Changelog: add #6497 * Changelog: add #6499 * Changelog: add #6514 * Changelog: add #6267 * Changelog: add #5940 * Changelog: add #6492 * Changelog: add #5281 * Changelog: add #6327 * Changelog: add #6451 * Changelog: add #6525 * Changelog: add #6530
The wpcom servers do not always retrieve the master user_id when signing requests. When the wrong user_id is sent over, the request will fail. During the oauth connection flow, this would result
This change uses the user_id that is encoded in the token format to check requests.
Fixes #5847
Changes proposed in this Pull Request:
master_usertokenTesting instructions:
Jetpack_Options::get_option( 'master_user' );is not the same as the id returned by public-api'sJetpack_Data::get_access_token_by_blog_id_user_id( $someBlogId, JETPACK__ANY_USER_TOKEN )Proposed changelog entry for your changes: