oidc-wp · cs1m0n · Sep 7, 2020 · Sep 7, 2020 · Jan 13, 2021
@@ -173,6 +173,10 @@ public function admin_init() {
 					$callback = 'do_select';
 					break;
 
+				case 'textarea':
+					$callback = 'do_textarea';
+					break;
+
 				case 'text':
 				default:
 					$callback = 'do_text_field';
@@ -298,6 +302,18 @@ private function get_settings_fields() {
 				'type'        => 'checkbox',
 				'section'     => 'authorization_settings',
 			),
+			'unprotected_urls'   => array(
+				'title'       => __( 'Unprotected URLs', 'daggerhart-openid-connect-generic' ),
+				'description' => __( 'Skip privacy for the URLs in the list separated by comma.', 'daggerhart-openid-connect-generic'  ),
+				'type'        => 'textarea',
+				'section'     => 'authorization_settings'
+			),
+			'protected_urls'   => array(
+				'title'       => __( 'Protected URLs', 'daggerhart-openid-connect-generic' ),
+				'description' => __( 'Enforce privacy just for the URLs in the list separated by comma.', 'daggerhart-openid-connect-generic'  ),
+				'type'        => 'textarea',
+				'section'     => 'authorization_settings'
+			),
 			'alternate_redirect_uri'   => array(
 				'title'       => __( 'Alternate Redirect URI', 'daggerhart-openid-connect-generic' ),
 				'description' => __( 'Provide an alternative redirect route. Useful if your server is causing issues with the default admin-ajax method. You must flush rewrite rules after changing this setting. This can be done by saving the Permalinks settings page.', 'daggerhart-openid-connect-generic' ),
@@ -458,6 +474,19 @@ public function settings_page() {
 
 			<?php } ?>
 		</div>
+
+		<script>
+			if ( document.getElementById('enforce_privacy').checked )
+				jQuery('#protected_urls').closest('tr').hide();
+			else
+				jQuery('#unprotected_urls').closest('tr').hide();
+
+			jQuery('#enforce_privacy').click(function() {
+				jQuery("#protected_urls").closest('tr').toggle();
+				jQuery("#unprotected_urls").closest('tr').toggle();
+			});
+		</script>
+
 		<?php
 	}
 
@@ -480,6 +509,20 @@ class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['
 		$this->do_field_description( $field );
 	}
 
+	/**
+	 * Output a standard textarea
+	 *
+	 * @param $field
+	 */
+	public function do_textarea( $field ) {
+		?>
+		<textarea id="<?php print esc_attr( $field['key'] ); ?>"
+		       class="large-text" rows="5"
+		       name="<?php print esc_attr( $field['name'] ); ?>"><?php print esc_attr( $this->settings->{ $field['key'] } ); ?></textarea>
+		<?php
+		$this->do_field_description( $field );
+	}
+
 	/**
 	 * Output a checkbox for a boolean setting.
 	 *  - hidden field is default value so we don't have to check isset() on save.

@@ -174,17 +174,61 @@ function init() {
 	}
 
 	/**
-	 * Check if privacy enforcement is enabled, and redirect users that aren't
-	 * logged in.
-	 *
-	 * @return void
+	 * Check the privacy enforcement setting and other conditions to redirect the user
 	 */
 	function enforce_privacy_redirect() {
-		if ( $this->settings->enforce_privacy && ! is_user_logged_in() ) {
-			// The client endpoint relies on the wp admind ajax endpoint.
-			if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX || ! isset( $_GET['action'] ) || 'openid-connect-authorize' != $_GET['action'] ) {
-				auth_redirect();
-			}
+		if ( $this->settings->enforce_privacy
+		     && ! OpenID_Connect_Generic::is_unprotected_url()
+		     && ! is_user_logged_in() )
+			OpenID_Connect_Generic::redirect_to_login_page();
+
+		else if ( ! $this->settings->enforce_privacy
+		          && OpenID_Connect_Generic::is_protected_url()
+		          && ! is_user_logged_in() )
+			OpenID_Connect_Generic::redirect_to_login_page();
+	}
+
+	/**
+	 * Check if URL is on the list of unprotected URLs
+	 */
+	function is_unprotected_url() {
+		global $wp;
+
+		$url = home_url(add_query_arg(array($_GET), $wp->request));
+
+		$unprotected_urls = array_map('trim', 
+			apply_filters('openid-connect-generic-unprotected-urls', 
+				explode(",", $this->settings->unprotected_urls)
+			)
+		);
+
+		return in_array( $url, $unprotected_urls );
+	}
+
+	/**
+	 * Check if URL is on the list of protected URLs
+	 */
+	function is_protected_url() {
+		global $wp;
+
+		$url = home_url(add_query_arg(array($_GET), $wp->request));
+
+		$protected_urls = array_map('trim', 
+			apply_filters('openid-connect-generic-protected-urls', 
+				explode(",", $this->settings->protected_urls)
+			)
+		);
+
+		return in_array( $url, $protected_urls );
+	}
+
+	/**
+	 * Redirect to the authentication page
+	 */
+	function redirect_to_login_page() {
+		// The client endpoint relies on the wp admind ajax endpoint.
+		if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX || ! isset( $_GET['action'] ) || 'openid-connect-authorize' != $_GET['action'] ) {
+			auth_redirect();
 		}
 	}
 
@@ -345,6 +389,8 @@ static public function bootstrap() {
 
 				// Plugin settings.
 				'enforce_privacy' => 0,
+				'unprotected_urls' => '',
+				'protected_urls' => '',
 				'alternate_redirect_uri' => 0,
 				'token_refresh_enable' => 1,
 				'link_existing_users' => 0,