Merge remote-tracking branch 'origin' into feature/9/caching-404s

alleyinteractive · Jan 15, 2024 · 70fff9a · 70fff9a
2 parents 681cc8e + f8cca70
commit 70fff9a
Show file tree

Hide file tree

Showing 19 changed files with 547 additions and 52 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -6,6 +6,11 @@ As titled.
 
 None.
 
+## Other Information
+
+- [ ] I updated the `README.md` file for any new/updated features.
+- [ ] I updated the `CHANGELOG.md` file for any new/updated features.
+
 ## Changelog entries
 
 ### Added

diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
@@ -9,7 +9,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: [ 8.0 ]
+        php: [ 8.3 ]
     steps:
       - name: Cancel previous runs of this workflow (pull requests only)
         if: ${{ github.event_name == 'pull_request' }}

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -8,7 +8,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: [ 8.2, 8.1, 8.0 ]
+        php: [ 8.0, 8.1, 8.2, 8.3 ]
         wp_version: [ "latest" ]
         multisite: [ false, true ]
     name: WordPress ${{ matrix.wp_version }} @ PHP ${{ matrix.php }} (WP_MULTISITE=${{ matrix.multisite }})

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,36 @@
 
 This library adheres to [Semantic Versioning](https://semver.org/) and [Keep a CHANGELOG](https://keepachangelog.com/en/1.0.0/).
 
+## 2.3.1
+
+### Changed
+
+* `login_nonce`: make sure the nonce lifetime is run only for the login action
+  as to not affect the other `wp-login.php` actions, e.g: logout.
+
+## 2.3.0
+
+### Added
+
+* `disable_attachment_routing`: Added a feature to disable attachment routing.
+* `disable_custom_fields_meta_box`: Added a feature to disable the custom fields meta box.
+* `disable_password_change_notification`: Added a feature that disables sending password change notification emails to site admins.
+
+### Changed
+
+* `disable_comments`: Removes the `commentstatusdiv` meta box when comments are
+  disabled. Previously, only `commentsdiv` was removed.
+
+## 2.2.1
+
+### Added
+
+* `login_nonce`: Added a feature to add a nonce to wp-login
+
+### Changed
+
+* `disable_comments`: Akismet: Removed the comment spam queue section from the WP dashboard
+
 ## 2.2.0
 
 ### Added

diff --git a/README.md b/README.md
@@ -32,14 +32,26 @@ Each feature's handle is listed below, along with a description of what it does.
 
 This feature removes selected nodes from the admin bar.
 
+### `disable_attachment_routing`
+
+This feature disables WordPress attachment pages entirely from the front end of the site.
+
 ### `disable_comments`
 
 This feature disables WordPress comments entirely, including the ability to post, view, edit, list, count, modify settings for, or access URLs that are related to comments completely.
 
+### `disable_custom_fields_meta_box`
+
+This feature removes the custom fields meta box from the post editor.
+
 ### `disable_dashboard_widgets`
 
 This feature removes clutter from the dashboard.
 
+### `disable_password_change_notification`
+
+This feature disables sending password change notification emails to site admins.
+
 ### `disable_sticky_posts`
 
 This feature disables WordPress sticky posts entirely, including the ability to set and query sticky posts.

diff --git a/composer.json b/composer.json
@@ -29,9 +29,14 @@
   },
   "scripts": {
     "fixer": "php-cs-fixer -v fix --allow-risky=yes",
+    "lint": "@phpcs",
     "phpcbf": "phpcbf",
     "phpcs": "phpcs",
-    "phpunit": "phpunit --testdox"
+    "phpunit": "phpunit --testdox",
+    "test": [
+      "@phpcs",
+      "@phpunit"
+    ]
   },
   "extra": {
     "wordpress-autoloader": {

diff --git a/src/alley/wp/alleyvate/features/class-disable-attachment-routing.php b/src/alley/wp/alleyvate/features/class-disable-attachment-routing.php
@@ -0,0 +1,87 @@
+<?php
+/**
+ * Class file for Disable_Attachment_Routing
+ *
+ * (c) Alley <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package wp-alleyvate
+ */
+
+namespace Alley\WP\Alleyvate\Features;
+
+use Alley\WP\Alleyvate\Feature;
+
+/**
+ * Disable attachment routing.
+ */
+final class Disable_Attachment_Routing implements Feature {
+	/**
+	 * Boot the feature.
+	 */
+	public function boot(): void {
+		add_filter( 'pre_option_wp_attachment_pages_enabled', '__return_zero', 100 );
+		add_filter( 'rewrite_rules_array', [ self::class, 'filter__rewrite_rules_array' ] );
+		add_filter( 'attachment_link', [ self::class, 'filter__attachment_link' ] );
+		add_action( 'pre_get_posts', [ self::class, 'action__pre_get_posts' ] );
+		add_action( 'admin_bar_menu', [ self::class, 'action__admin_bar_menu' ], 100 );
+	}
+
+	/**
+	 * Remove support for the attachment rewrite rule.
+	 *
+	 * @param array $rules Rewrite rules.
+	 * @return array
+	 */
+	public static function filter__rewrite_rules_array( $rules ): array {
+		foreach ( $rules as $regex => $query ) {
+			if ( strpos( $regex, 'attachment' ) || strpos( $query, 'attachment' ) ) {
+				unset( $rules[ $regex ] );
+			}
+		}
+
+		return $rules;
+	}
+
+	/**
+	 * Remove the attachment link.
+	 *
+	 * @param string $link Attachment link.
+	 * @return string
+	 */
+	public static function filter__attachment_link( $link ): string {
+		return '';
+	}
+
+	/**
+	 * Ensure attachment pages return 404s.
+	 *
+	 * @param WP_Query $query WP_Query object.
+	 */
+	public static function action__pre_get_posts( $query ) {
+		if ( is_admin() || ! $query->is_main_query() ) {
+			return;
+		}
+
+		if (
+			$query->queried_object instanceof \WP_Post
+			&& 'attachment' === get_post_type( $query->get_queried_object_id() )
+		) {
+			$query->set_404();
+			status_header( 404 );
+		}
+	}
+
+	/**
+	 * Remove attachment link from admin bar.
+	 *
+	 * @param \WP_Admin_Bar $wp_admin_bar Admin bar class.
+	 */
+	public static function action__admin_bar_menu( $wp_admin_bar ): void {
+		if ( 'attachment' === get_post_type() ) {
+			$wp_admin_bar->remove_node( 'view' );
+		}
+	}
+}
diff --git a/src/alley/wp/alleyvate/features/class-disable-comments.php b/src/alley/wp/alleyvate/features/class-disable-comments.php
@@ -42,6 +42,7 @@ public function boot(): void {
 	 */
 	public static function action__add_meta_boxes( string $post_type ): void {
 		remove_meta_box( 'commentsdiv', $post_type, 'normal' );
+		remove_meta_box( 'commentstatusdiv', $post_type, 'normal' );
 	}
 
 	/**
@@ -74,9 +75,11 @@ public static function action__admin_menu(): void {
 	}
 
 	/**
-	 * Removes post type support for comments and filters REST responses for each post type to remove comment support.
+	 * Add actions and filters to run on the init hook.
 	 */
 	public static function action__init(): void {
+
+		// Removes post type support for comments and filters REST responses for each post type to remove comment support.
 		foreach ( get_post_types() as $post_type ) {
 			if ( post_type_supports( $post_type, 'comments' ) ) {
 				remove_post_type_support( $post_type, 'comments' );
@@ -85,6 +88,9 @@ public static function action__init(): void {
 			// The REST API filters don't have a generic form, so they need to be registered for each post type.
 			add_filter( "rest_prepare_{$post_type}", [ self::class, 'filter__rest_prepare' ], 9999 );
 		}
+
+		// Removes the Akismet comments section from the dashboard.
+		remove_action( 'rightnow_end', [ 'Akismet_Admin', 'rightnow_stats' ] );
 	}
 
 	/**

diff --git a/src/alley/wp/alleyvate/features/class-disable-custom-fields-meta-box.php b/src/alley/wp/alleyvate/features/class-disable-custom-fields-meta-box.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * Class file for Disable_Custom_Fields_Meta_Box
+ *
+ * (c) Alley <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package wp-alleyvate
+ */
+
+namespace Alley\WP\Alleyvate\Features;
+
+use Alley\WP\Alleyvate\Feature;
+
+/**
+ * Disable the custom fields meta box.
+ */
+final class Disable_Custom_Fields_Meta_Box implements Feature {
+	/**
+	 * Boot the feature.
+	 */
+	public function boot(): void {
+		add_action( 'add_meta_boxes', [ self::class, 'action__add_meta_boxes' ], 9999 );
+	}
+
+	/**
+	 * Remove the "Custom Fields" meta box.
+	 *
+	 * It generates an expensive query and is almost never used in practice.
+	 */
+	public static function action__add_meta_boxes(): void {
+		remove_meta_box( 'postcustom', null, 'normal' );
+	}
+}
diff --git a/src/alley/wp/alleyvate/features/class-disable-password-change-notification.php b/src/alley/wp/alleyvate/features/class-disable-password-change-notification.php
@@ -0,0 +1,27 @@
+<?php
+/**
+ * Class file for Disable_Password_Change_Notification
+ *
+ * (c) Alley <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package wp-alleyvate
+ */
+
+namespace Alley\WP\Alleyvate\Features;
+
+use Alley\WP\Alleyvate\Feature;
+
+/**
+ * Fully disables password change notifications.
+ */
+final class Disable_Password_Change_Notification implements Feature {
+	/**
+	 * Boot the feature.
+	 */
+	public function boot(): void {
+		remove_action( 'after_password_reset', 'wp_password_change_notification' );
+	}
+}
diff --git a/src/alley/wp/alleyvate/features/class-login-nonce.php b/src/alley/wp/alleyvate/features/class-login-nonce.php
@@ -48,9 +48,8 @@ final class Login_Nonce implements Feature {
 	 * Boot the feature.
 	 */
 	public function boot(): void {
-		add_action( 'login_init', [ self::class, 'action__add_nonce_life_filter' ] );
+		add_action( 'login_form_login', [ self::class, 'action__add_nonce_life_filter' ] );
 		add_action( 'login_head', [ self::class, 'action__add_meta_refresh' ] );
-		add_action( 'login_form', [ self::class, 'action__add_nonce_to_form' ] );
 		add_action( 'after_setup_theme', [ self::class, 'action__pre_validate_login_nonce' ], 9999 );
 	}
 
@@ -63,16 +62,24 @@ public static function action__add_meta_refresh(): void {
 
 	/**
 	 * Add the nonce field to the form.
+	 *
+	 * @see action__add_nonce_life_filter()
 	 */
 	public static function action__add_nonce_to_form(): void {
 		wp_nonce_field( self::NONCE_ACTION, self::NONCE_NAME );
 	}
 
 	/**
-	 * Initializes the nonce fields. Is only run on `login_init` to restrict nonce data to login page.
+	 * Add a filter to change the nonce lifetime.
+	 *
+	 * Changing the lifetime of the nonce changes the actual nonce value. It all comes down to how WordPress actually generates the nonce.
+	 * So only run on `login_form_login` to restrict to the login action, without affecting other wp-login actions.
+	 *
+	 * @see <https://github.com/WordPress/wordpress-develop/blob/94b70f1ae065f10937c22b2d4b180ceade1ddeee/src/wp-login.php#L482-L495>
 	 */
 	public static function action__add_nonce_life_filter(): void {
 		add_filter( 'nonce_life', [ __CLASS__, 'nonce_life_filter' ] );
+		add_action( 'login_form', [ __CLASS__, 'action__add_nonce_to_form' ] );
 	}
 
 	/**

diff --git a/src/alley/wp/alleyvate/load.php b/src/alley/wp/alleyvate/load.php
@@ -19,17 +19,20 @@
  */
 function available_features(): array {
 	return [
-		'clean_admin_bar'               => new Features\Clean_Admin_Bar(),
-		'disable_comments'              => new Features\Disable_Comments(),
-		'disable_dashboard_widgets'     => new Features\Disable_Dashboard_Widgets(),
-		'disable_sticky_posts'          => new Features\Disable_Sticky_Posts(),
-		'disable_trackbacks'            => new Features\Disable_Trackbacks(),
-		'disallow_file_edit'            => new Features\Disallow_File_Edit(),
-		'login_nonce'                   => new Features\Login_Nonce(),
-		'redirect_guess_shortcircuit'   => new Features\Redirect_Guess_Shortcircuit(),
-		'site_health'                   => new Features\Site_Health(),
-		'user_enumeration_restrictions' => new Features\User_Enumeration_Restrictions(),
-		'full_page_cache_404'           => new Features\Full_Page_Cache_404(),
+		'clean_admin_bar'                      => new Features\Clean_Admin_Bar(),
+		'disable_attachment_routing'           => new Features\Disable_Attachment_Routing(),
+		'disable_comments'                     => new Features\Disable_Comments(),
+		'disable_custom_fields_meta_box'       => new Features\Disable_Custom_Fields_Meta_Box(),
+		'disable_dashboard_widgets'            => new Features\Disable_Dashboard_Widgets(),
+		'disable_password_change_notification' => new Features\Disable_Password_Change_Notification(),
+		'disable_sticky_posts'                 => new Features\Disable_Sticky_Posts(),
+		'disable_trackbacks'                   => new Features\Disable_Trackbacks(),
+		'disallow_file_edit'                   => new Features\Disallow_File_Edit(),
+		'login_nonce'                          => new Features\Login_Nonce(),
+		'redirect_guess_shortcircuit'          => new Features\Redirect_Guess_Shortcircuit(),
+		'site_health'                          => new Features\Site_Health(),
+		'user_enumeration_restrictions'        => new Features\User_Enumeration_Restrictions(),
+		'full_page_cache_404'                  => new Features\Full_Page_Cache_404(),
 	];
 }