HEX
Server: nginx
System: Linux pool195-106-36.bur.atomicsites.net 6.12.57+deb12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.57-1~bpo12+1 (2025-11-17) x86_64
User: (0)
PHP: 8.3.32
Disabled: pcntl_fork
Upload Files
File: //wordpress/plugins/wp-cloud-client/1.1.7/src/Access/LoginPageGuard.php
<?php

declare(strict_types=1);

namespace VPlugins\WPCloudClient\Access;

use VPlugins\WPCloudClient\Settings\SettingsRepository;

class LoginPageGuard {

	/**
	 * Login-page actions that must always reach native handling, even when the
	 * login page is hidden (logout, lost-password and reset-password flows).
	 *
	 * @var string[]
	 */
	private const ALLOWED_ACTIONS = [ 'logout', 'lostpassword', 'rp', 'resetpass' ];

	/**
	 * Construct the login page guard.
	 *
	 * @param SettingsRepository $settings Settings repository.
	 */
	public function __construct(
		private readonly SettingsRepository $settings,
	) {}

	/**
	 * Hooked to `init`. Redirects unauthenticated visitors away from
	 * wp-login.php when the login page is hidden.
	 *
	 * Mirrors the bootstrapper's WSP_EXPOSE_WP_LOGIN behaviour: the native
	 * login page is hidden by default and direct access is redirected to the
	 * manager URL (falling back to the site home). One-click login, logout and
	 * password-reset flows are always allowed through.
	 *
	 * @return void
	 */
	public function handle(): void {
		if ( ( $GLOBALS['pagenow'] ?? '' ) !== 'wp-login.php' ) {
			return;
		}

		// Authenticated users keep full access to the login page.
		if ( is_user_logged_in() ) {
			return;
		}

		// Manager has explicitly exposed the login page — do nothing.
		if ( $this->settings->isLoginExposed() ) {
			return;
		}

		// One-click login (handled by LoginInterceptor on the same hook).
		if ( isset( $_GET['wpcc_login_token'] ) ) {
			return;
		}

		// Logout and password-reset flows must continue to work.
		$action = isset( $_REQUEST['action'] )
			? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
			: '';
		if ( in_array( $action, self::ALLOWED_ACTIONS, true ) ) {
			return;
		}

		$target = $this->settings->getManagerUrl();
		if ( '' === $target ) {
			$target = home_url();
		}

		// External host, so wp_redirect (not wp_safe_redirect), matching the
		// bootstrapper's redirect to the Portal. esc_url_raw() guards against a
		// malformed or javascript:-scheme URL supplied via the wpcc_manager_url filter.
		wp_redirect( esc_url_raw( $target ) );
		exit;
	}
}