Changeset 3379010

Timestamp:

10/15/2025 03:37:26 PM (3 months ago)

Author:

Hakik

Message:

v1.0.8: * Fix: Security Vulnerability. * Update: Disallow profile.php for temporary users. * Tweak: Loads the scripts only on the plugin settings page. * Removed: load_plugin_textdomain() as this plugin is hosted on WordPress.org, so, it is no longer need to manually include this function call for translations under the plugin slug. WordPress will automatically load the translations as needed.

Location:

create-temporary-login/trunk

Files:

• admin/js/admin.js (modified) (1 diff)
• create-temporary-login.php (modified) (3 diffs)
• includes/class-admin.php (modified) (12 diffs)
• includes/class-create-temporary-login.php (modified) (3 diffs)
• includes/class-option.php (modified) (2 diffs)
• index.php (modified) (1 diff)
• languages/create-temporary-login.pot (modified) (3 diffs)
• readme.txt (modified) (2 diffs)
• uninstall.php (modified) (1 diff)

create-temporary-login/trunk/admin/js/admin.js

@@ -8 +8 @@
             url: ctl_admin_ajax_object.ajaxurl,
 
-            data: { action: 'ctl_create_link', create_user: "yes", ctl_security: ctl_admin_ajax_object.ctl_nonce_field },
+            data: { 
+                action: 'ctl_create_link', 
+                create_user: "yes", 
+                ctl_security: ctl_admin_ajax_object.ctl_nonce_field 
+            },
 
             beforeSend: function(response) {

create-temporary-login/trunk/create-temporary-login.php

@@ -1 +1 @@
 <?php
-/*
-Plugin Name:        WPBifröst - Instant Passwordless Temporary Login Links
-Plugin URI:         https://github.com/hakikz/create-temporary-login
-Description:        Create passwordless temporary login links to easily give access to your site's dashboard.
-Version:            1.0.7
-Author:             Hakik Zaman
-Author URI:         https://profiles.wordpress.org/users/hakik  
-License:            GPL v2 or later 
-License URI:        https://www.gnu.org/licenses/gpl-2.0.html 
-Text Domain:        create-temporary-login
-Domain Path:        /languages
-Requires at least:  6.2
-Tested up to:       6.8
-*/
+/**
+ * Plugin Name:        WPBifröst - Instant Passwordless Temporary Login Links
+ * Plugin URI:         https://github.com/hakikz/create-temporary-login
+ * Description:        Create passwordless temporary login links to easily give access to your site's dashboard.
+ * Version:            1.0.8
+ * Author:             Hakik Zaman
+ * Author URI:         https://profiles.wordpress.org/users/hakik   
+ * License:            GPL v2 or later 
+ * License URI:        https://www.gnu.org/licenses/gpl-2.0.html 
+ * Text Domain:        create-temporary-login
+ * Domain Path:        /languages
+ * Requires at least:  6.2
+ * Tested up to:       6.8
+ */
 
-defined( 'ABSPATH' ) || exit;
+defined( 'ABSPATH' ) || exit; // Prevent direct access.
 
 /**
- * Defining the constants
+ * Plugin version constant.
  */
 if ( ! defined( 'CTLAZ_TEMP_LOGIN_VERSION' ) ) {
-    define( 'CTLAZ_TEMP_LOGIN_VERSION', '1.0.7' );
+    define( 'CTLAZ_TEMP_LOGIN_VERSION', '1.0.8' );
 }
 
+/**
+ * Main plugin file path constant.
+ */
 if ( ! defined( 'CTLAZ_TEMP_LOGIN_FILE' ) ) {
     define( 'CTLAZ_TEMP_LOGIN_FILE', __FILE__ );
@@ -29 +32 @@
 
 /**
- * Include the main class.
+ * Load the core plugin class.
  */
 if ( ! class_exists( 'CTLAZ_Create_Temporary_Login', false ) ) {
@@ -35 +38 @@
 }
 
-
 /**
- * Creates a temporary login.
+ * Initializes the core plugin class.
  *
- * @return     <instance>  ( the core class )
+ * @return CTLAZ_Create_Temporary_Login The singleton instance of the core plugin class.
  */
 function ctlaz_create_temporary_login() {
-
     return CTLAZ_Create_Temporary_Login::instance();
 }
 
+// Boot the plugin after all plugins are loaded.
 add_action( 'plugins_loaded', 'ctlaz_create_temporary_login' );

create-temporary-login/trunk/includes/class-admin.php

@@ -8 +8 @@
 class CTLHZ_Admin{
 
+    /**
+     * Holds the singleton instance of the class.
+     *
+     * @var CTLHZ_Admin|null
+     */
     protected static $_instance = null;
 
-
-    public static function instance() {
-        if ( is_null( self::$_instance ) ) {
-            self::$_instance = new self();
-        }
-
-        return self::$_instance;
-    }
-    
-    // Construtct [Initial Function]
+    /**
+     * Returns the singleton instance of the class.
+     *
+     * Ensures only one instance is created throughout the lifecycle of the request.
+     *
+     * @return CTLHZ_Admin
+     */
+    public static function instance() {
+        if ( is_null( self::$_instance ) ) {
+            self::$_instance = new self();
+        }
+
+        return self::$_instance;
+    }
+    
+    /**
+     * CTLHZ_Admin constructor.
+     *
+     * Initializes the plugin by registering necessary hooks.
+     */
     public function __construct(){
         // Firing Hooks
@@ -26 +41 @@
 
     /**
-     * Hooks of the plugin
+     * Registers all WordPress hooks used by the plugin in the admin area.
+     *
+     * This includes:
+     * - Admin menu setup
+     * - Script enqueueing
+     * - AJAX handler for link creation
+     * - Dashboard redirect
+     * - Plugin action link
+     * - Password reset restriction
+     * - Authentication filtering
+     * - Admin init redirect logic
      */
     public function hooks(){
@@ -48 +73 @@
 
     /**
-     * Settings page
+     * Adds a submenu page under the "Users" menu in the WordPress admin.
+     *
+     * This page allows admins to manage and generate temporary login links.
      */
     public function setting_page(){
@@ -62 +89 @@
 
     /**
-     * Enqueue Scripts
+     * Enqueues admin scripts and styles for the plugin settings page.
+     *
+     * Only loads assets on the "Create Temporary Login" admin page.
      */
     public function enqueue_srcipts(){
-        wp_enqueue_style( 'ctl-admin', plugins_url( '/admin/css/admin.css', CTLAZ_TEMP_LOGIN_FILE ), array(), CTLAZ_TEMP_LOGIN_VERSION, 'all' );
-        wp_enqueue_script( 'ctl-admin',  plugins_url( '/admin/js/admin.js', CTLAZ_TEMP_LOGIN_FILE ), array('jquery'), CTLAZ_TEMP_LOGIN_VERSION, true );
-        wp_localize_script( 'ctl-admin', 'ctl_admin_ajax_object', array( 
-            'ajaxurl' => admin_url( 'admin-ajax.php' ),
-            'ctl_nonce_field' => wp_create_nonce( 'ctl-create-link' )
-        ) );
-    }
-
-    
-    /**
-     * Sets the header redirect.
+        $screen = get_current_screen();
+        if ( $screen && $screen->id === 'users_page_create-temporary-login' ) {
+            wp_enqueue_style( 'ctl-admin', plugins_url( '/admin/css/admin.css', CTLAZ_TEMP_LOGIN_FILE ), array(), CTLAZ_TEMP_LOGIN_VERSION, 'all' );
+            wp_enqueue_script( 'ctl-admin',  plugins_url( '/admin/js/admin.js', CTLAZ_TEMP_LOGIN_FILE ), array('jquery'), CTLAZ_TEMP_LOGIN_VERSION, true );
+            wp_localize_script( 'ctl-admin', 'ctl_admin_ajax_object', array( 
+                'ajaxurl' => admin_url( 'admin-ajax.php' ),
+                'ctl_nonce_field' => wp_create_nonce( 'ctl-create-link' )
+            ) );   
+        }
+    }
+
+    
+    /**
+     * Handles redirection based on query string actions.
+     *
+     * - Deletes a temporary user if `ctl_delete_link_nonce` and `user_id` are set and valid.
+     * - Extends a user's temporary login duration if `ctl_extend_link_nonce` is set.
+     * - Disallow temporary user to access the profile.php
+     * 
+     * @return void
      */
     public function set_header_redirect(){
+
         // If found a user_id as a get delete the user
-        if ( isset($_GET['ctl_delete_link_nonce']) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ctl_delete_link_nonce'] ) ), 'ctl_delete_link') ){
+        if ( 
+            isset($_GET['ctl_delete_link_nonce']) && 
+            wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ctl_delete_link_nonce'] ) ), 'ctl_delete_link') &&
+            current_user_can( 'manage_options' )
+        ){
             $delete_user = isset( $_GET['user_id'] ) ? wp_delete_user( sanitize_text_field( wp_unslash( $_GET['user_id'] ) ) ) : false;
             if( $delete_user ){
@@ -86 +129 @@
         }
 
-        // If found a user_id as a extend link for the user
-        if ( isset($_GET['ctl_extend_link_nonce']) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ctl_extend_link_nonce'] ) ), 'ctl_extend_link') ){
+        // If found a user_id as an extend link for the user
+        if ( 
+            isset($_GET['ctl_extend_link_nonce']) && 
+            wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ctl_extend_link_nonce'] ) ), 'ctl_extend_link') &&
+            current_user_can( 'manage_options' ) 
+        ){
             $extend_link = isset( $_GET['user_id'] ) ? ctlaz_create_temporary_login()->get_option()->extend_expiration( sanitize_text_field( wp_unslash( $_GET['user_id'] ) ) ) : false;
             if( $extend_link ){
@@ -93 +140 @@
             }
         }
-    }
-
-    /**
-     * Create Temporary Login Interface
+
+        // Disallow profile.php for temporary user
+        global $pagenow;
+
+        // Disallow access to profile.php
+        if ( $pagenow === 'profile.php' ) {
+            $user_id = get_current_user_id();
+
+            // Check for temporary user flag
+            if ( get_user_meta( $user_id, 'ctl_user', true ) === 'yes' ) {
+                wp_redirect( admin_url() ); // or use a custom page
+                exit;
+            }
+        }
+    }
+
+    /**
+     * Renders the plugin's admin page UI for generating and managing temporary login links.
+     *
+     * - Only accessible by non-temporary users.
+     * - Displays a list of all temporary users with options to copy, extend, or delete links.
+     * 
+     * @return void
      */
     public function create_temporary_login(){
@@ -185 +251 @@
     
     /**
-     * Creates a link.
+     * Handles AJAX request to create a new temporary user login.
+     *
+     * - Generates a unique user with an expiration timestamp.
+     * - Returns the new user ID if successful.
+     *
+     * @return void Outputs user ID or nothing. Dies immediately after output.
      */
     public function create_link(){
 
-        if ( isset( $_POST['create_user'] ) 
+        check_ajax_referer( 'ctl-create-link', 'ctl_security' );
+
+        if ( !current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'Permission denied.' );
+            wp_die();
+        }
+
+
+        if ( 
+            isset( $_POST['create_user'] ) 
             && $_POST['create_user'] === "yes" 
         ) {
-
-            check_ajax_referer( 'ctl-create-link', 'ctl_security' );
 
             // Getting the site url and passing it to `wp_parse_url` function to get the host name later.
             $url_parse = wp_parse_url( site_url() );
         
+            $random_str = wp_generate_password( 16, false );
+
             $uniqid = bin2hex( random_bytes(16) );
+
             $data = array(
-                'user_login'           => sanitize_text_field( 'ctl_user_'.$uniqid ), // the user's login username.
+                'user_login'           => sanitize_text_field( 'ctl_user_'.$random_str ), // the user's login username. We used a random string for the username. Removed the token from the username.
                 'user_pass'            => sanitize_text_field( 'ctl_password_'.$uniqid ), // not necessary to hash password ( The plain-text user password ).
                 'user_email'           => sanitize_email( 'ctl_email_' . $uniqid . '@' . $url_parse['host'] ),
@@ -211 +292 @@
                 )
             );
+
             $user_id = wp_insert_user( $data );
+
             if ( ! is_wp_error( $user_id ) ) {
         
@@ -225 +308 @@
 
     /**
-     * Redirect to dashboard
+     * Authenticates a user via a token and redirects to the admin dashboard.
+     *
+     * - Matches the `ctl_token` in the URL to a temporary user.
+     * - Verifies the user has not expired.
+     * - Sets login cookies and redirects to admin dashboard or home page.
+     *
+     * @return void
      */
     public function redirect_to_dashboard(){
@@ -233 +322 @@
         if( wp_verify_nonce( $nonce, 'ctl_login_user_nonce' ) && isset($_GET['ctl_token']) ) {
 
-            $user = get_user_by( 'login', sanitize_text_field( "ctl_user_".sanitize_key( $_GET['ctl_token'] ) ) );
+            // Getting the site url and passing it to `wp_parse_url` function to get the host name later.
+            $url_parse = wp_parse_url( site_url() );
+
+            $user = get_user_by( 'email', sanitize_email( 'ctl_email_' . sanitize_key( $_GET['ctl_token'] ) . '@' . $url_parse['host'] ) );
 
             if ( 
@@ -255 +347 @@
     
     /**
-     * Adding settings menu to the plugin list page
-     *
-     * @param      array  $links  The links
-     *
-     * @return     array  ( Array of the link to display in plugin list page under the plugin name )
+     * Adds a "Create Temporary Login" link to the plugin's action links on the plugin list page.
+     *
+     * @param array $links Existing plugin action links.
+     *
+     * @return array Modified list of plugin action links with the settings link prepended.
      */
     public function login_settings_link($links) { 
@@ -296 +388 @@
     
     /**
-     * Disallow Temporary Users to direct login to the site
-     *
-     * @param      object   The user
-     *
-     * @return     void     ( Sending an error to display for direct login attempt by temporary user )
+     * Prevents temporary users from resetting their password.
+     *
+     * @param bool $allow Whether to allow password reset.
+     * @param int  $user_ID The ID of the user attempting to reset the password.
+     *
+     * @return bool False if the user is a temporary user, unchanged otherwise.
      */
     public function disallow_temporary_user_login( $user ) {

create-temporary-login/trunk/includes/class-create-temporary-login.php

@@ -4 +4 @@
 
 /**
- * 
+ * Main class responsible for bootstrapping the Temporary Login plugin.
+ *
+ * Loads dependencies, initializes options and admin classes,
+ * and hooks into WordPress as needed.
  */
-class CTLAZ_Create_Temporary_Login{
+class CTLAZ_Create_Temporary_Login {
 
-    protected static $_instance = null;
+    /**
+     * The single instance of the class.
+     *
+     * @var CTLAZ_Create_Temporary_Login|null
+     */
+    protected static $_instance = null;
 
-
+    /**
+     * Main instance method (Singleton pattern).
+     *
+     * Ensures only one instance of the class is loaded or can be loaded.
+     *
+     * @return CTLAZ_Create_Temporary_Login
+     */
     public static function instance() {
         if ( is_null( self::$_instance ) ) {
@@ -19 +33 @@
     }
 
-    /*
-     * Construct of the Class.
+    /**
+     * Class constructor.
      *
+     * Includes required files and initializes plugin components.
      */
-
-    public function __construct(){
-
+    public function __construct() {
         $this->includes();
         $this->init();
-
     }
 
-    /*
-     * Includes files.
+    /**
+     * Includes required class files for the plugin.
      *
+     * @return void
      */
-
     public function includes() {
         require_once dirname( __FILE__ ) . '/class-option.php';
@@ -41 +53 @@
     }
 
-    /*
-     * Bootstraps the class and hooks required actions & filters.
+    /**
+     * Initializes plugin functionality.
      *
+     * Loads option and admin instances and sets up hooks.
+     *
+     * @return void
      */
     public function init() {
-
         $this->get_option();
         $this->get_admin();
         $this->set_hooks();
-    } 
-
-    /**
-     * Sets the hooks.
-     */
-    public function set_hooks(){
-        add_action( 'plugins_loaded', array( $this, 'load_textdomain' ), 10 );
     }
 
     /**
-     * Loads a textdomain.
+     * Sets up WordPress hooks used by the plugin.
+     *
+     * @return void
      */
-    public function load_textdomain() {
-        load_plugin_textdomain( 'create-temporary-login', false, basename( dirname( CTLAZ_TEMP_LOGIN_FILE ) )."/languages" );
+    public function set_hooks() {
+        
     }
 
     /**
+     * Gets the instance of the plugin option handler.
      *
-     * Option 
-     *
+     * @return CTLHZ_Option
      */
-
-    public function get_option(){
+    public function get_option() {
         return CTLHZ_Option::instance();
     }
 
     /**
+     * Gets the instance of the plugin admin handler.
      *
-     * Admin
-     *
+     * @return CTLHZ_Admin
      */
-
-    public function get_admin(){
+    public function get_admin() {
         return CTLHZ_Admin::instance();
     }
-
 }

create-temporary-login/trunk/includes/class-option.php

@@ -4 +4 @@
 
 /**
- * 
+ * Class CTLHZ_Option
+ *
+ * Handles temporary user logic such as expiration, identification, and capability control.
  */
-class CTLHZ_Option{
+class CTLHZ_Option {
 
-    protected static $_instance = null;
+    /**
+     * The single instance of the class (Singleton pattern).
+     *
+     * @var CTLHZ_Option|null
+     */
+    protected static $_instance = null;
 
-
+    /**
+     * Returns the single instance of the class.
+     *
+     * @return CTLHZ_Option
+     */
     public static function instance() {
         if ( is_null( self::$_instance ) ) {
@@ -18 +29 @@
         return self::$_instance;
     }
-    
-    // Construtct [Initial Function]
-    public function __construct(){
-        // Firing Hooks
-        $this->set_hooks();
-    }
 
-    /**
-     * Sets the hooks.
-     */
-    public function set_hooks(){
-        add_action( 'wp_dashboard_setup', array( $this, 'set_temporary_logged_in_user_permission' ), 10 );
-    }
+    /**
+     * Class constructor.
+     *
+     * Sets necessary WordPress hooks.
+     */
+    public function __construct() {
+        $this->set_hooks();
+    }
 
-    /**
-     * Determines whether the specified user id is temporary user.
-     *
-     * @param      int  $user_ID  The user id
-     *
-     * @return     bool    True if the specified user id is temporary user, False otherwise.
-     */
-    public function is_temporary_user( $user_ID ) : bool {
-        return (bool) get_user_meta( $user_ID, 'ctl_user', true );
-    }
+    /**
+     * Sets the necessary WordPress hooks.
+     *
+     * @return void
+     */
+    public function set_hooks() {
+        add_action( 'wp_dashboard_setup', array( $this, 'set_temporary_logged_in_user_permission' ), 10 );
+    }
 
-    /**
-     * Gets the maximum expired time.
-     *
-     * @return     int   The maximum expired time.
-     */
-    public function get_max_expired_time(): int {
-        return current_time( 'timestamp' ) + WEEK_IN_SECONDS;
-    }
+    /**
+     * Checks if a user is a temporary user.
+     *
+     * @param int $user_ID The user ID.
+     * @return bool True if the user is temporary, false otherwise.
+     */
+    public function is_temporary_user( $user_ID ) : bool {
+        return (bool) get_user_meta( $user_ID, 'ctl_user', true );
+    }
 
-    /**
-     * Determines whether the specified user id is user expired.
-     *
-     * @param      int  $user_ID  The user id
-     *
-     * @return     bool    True if the specified user id is user expired, False otherwise.
-     */
-    public function is_user_expired( $user_ID ): bool {
-        $expiration = $this->get_expiration( $user_ID );
+    /**
+     * Gets the maximum expiration timestamp (7 days from now).
+     *
+     * @return int The expiration timestamp.
+     */
+    public function get_max_expired_time() : int {
+        return current_time( 'timestamp' ) + WEEK_IN_SECONDS;
+    }
 
-        if ( empty( $expiration ) ) {
-            return true;
-        }
+    /**
+     * Checks if a user's temporary access has expired.
+     *
+     * @param int $user_ID The user ID.
+     * @return bool True if expired, false otherwise.
+     */
+    public function is_user_expired( $user_ID ) : bool {
+        $expiration = $this->get_expiration( $user_ID );
 
-        return current_time( 'timestamp' ) > $expiration;
-    }
+        if ( empty( $expiration ) ) {
+            return true;
+        }
 
-    /**
-     * Gets the expiration.
-     *
-     * @param      int  $user_ID  The user id
-     *
-     * @return     int | bool  Meta ID if the key didn’t exist, true on successful update, false on failure or if the value passed to the function is the same as the one that is already in the database.
-     */
-    public function get_expiration( $user_ID ) {
-        return get_user_meta( $user_ID, 'ctl_expiration', true );
-    }
+        return current_time( 'timestamp' ) > $expiration;
+    }
 
-    
-    
-    /**
-     * Gets the human readable link duration.
-     *
-     * @param      int  $user_ID  The user id
-     *
-     * @return     mixed  The human readable link duration.
-     */
-    public function get_human_readable_link_duration( $user_ID ){
-        if( $this->is_user_expired( $user_ID ) ){
-            return esc_html__( 'Expired', 'create-temporary-login' );
-        }
-        return sprintf( 
-            /* translators: %s: How many days remaining */
-             esc_html__( 'Will be expired after: %s', 'create-temporary-login' ),
-             wp_kses_post( human_time_diff( $this->get_expiration( $user_ID ), current_time('U') ) )
-         );
-    }
+    /**
+     * Gets the expiration timestamp for a user.
+     *
+     * @param int $user_ID The user ID.
+     * @return int|bool The expiration timestamp or false if not found.
+     */
+    public function get_expiration( $user_ID ) {
+        return get_user_meta( $user_ID, 'ctl_expiration', true );
+    }
 
-    /**
-     * Extends the expiration.
-     *
-     * @param      <int>  $user_ID  The user id
-     *
-     * @return     int | bool    Meta ID if the key didn’t exist, true on successful update, false on failure or if the value passed to the function is the same as the one that is already in the database.
-     */
-    public function extend_expiration( $user_ID ) {
-        $expiration = $this->get_expiration( $user_ID );
+    /**
+     * Gets a human-readable expiration message.
+     *
+     * @param int $user_ID The user ID.
+     * @return string Human-readable string showing time until expiration or 'Expired'.
+     */
+    public function get_human_readable_link_duration( $user_ID ) {
+        if ( $this->is_user_expired( $user_ID ) ) {
+            return esc_html__( 'Expired', 'create-temporary-login' );
+        }
 
-        if ( empty( $expiration ) ) {
-            return false;
-        }
+        return sprintf(
+            /* translators: %s: How many days remaining */
+            esc_html__( 'Will be expired after:&nbsp;%s', 'create-temporary-login' ),
+            wp_kses_post( human_time_diff( $this->get_expiration( $user_ID ), current_time( 'U' ) ) )
+        );
+    }
 
-        if ( $this->is_user_expired( $user_ID ) ) {
-            $expiration = current_time( 'timestamp' );
-        }
+    /**
+     * Extends a temporary user's expiration by 3 days (up to 7 days max).
+     *
+     * @param int $user_ID The user ID.
+     * @return int|bool Meta ID on success, false on failure.
+     */
+    public function extend_expiration( $user_ID ) {
+        $expiration = $this->get_expiration( $user_ID );
 
-        $expiration += 3 * DAY_IN_SECONDS;
+        if ( empty( $expiration ) ) {
+            return false;
+        }
 
-        $expiration = min( $expiration, $this->get_max_expired_time() );
+        if ( $this->is_user_expired( $user_ID ) ) {
+            $expiration = current_time( 'timestamp' );
+        }
 
-        return update_user_meta( $user_ID, 'ctl_expiration', $expiration );
-    }
+        $expiration += 3 * DAY_IN_SECONDS;
 
-    
-    /**
-     * Sets the temporary logged in user permission.
-     */
-    public function set_temporary_logged_in_user_permission(){
+        // Cap the expiration to not exceed the max expiration limit (7 days).
+        $expiration = min( $expiration, $this->get_max_expired_time() );
 
-        if( $this->is_temporary_user( get_current_user_id() ) ){
+        return update_user_meta( $user_ID, 'ctl_expiration', $expiration );
+    }
 
-            // Remove a capability from a specific user.
-            $user = new WP_User( get_current_user_id() );
-            /**
-             * @note `list_users` to revoke entire access of the user menus
-             * 
-             * To print the available capabilities for this current user- `print_r($user->get_role_caps());`
-             */
-            $user->add_cap( 'create_users', false );
-            $user->add_cap( 'list_users', false );
-            $user->add_cap( 'delete_users', false );
-            /**
+    /**
+     * Restricts permissions and UI for logged-in temporary users.
+     *
+     * Removes capabilities and menu pages for better control.
+     *
+     * @return void
+     */
+    public function set_temporary_logged_in_user_permission() {
+        if ( $this->is_temporary_user( get_current_user_id() ) ) {
+            $user = new WP_User( get_current_user_id() );
+
+            // Revoke key user management capabilities.
+            $user->add_cap( 'create_users', false );
+            $user->add_cap( 'list_users', false );
+            $user->add_cap( 'delete_users', false );
+
+            // Optionally remove menus for temporary users.
+
+            /**
              * @note for future use
              * Remove the User menu for temporary users
              * remove_menu_page( 'users.php' );
              */
-            remove_menu_page( 'users.php' );
-            remove_menu_page( 'profile.php' );
-        }
-        
-        
-
-    }
+            remove_menu_page( 'users.php' );
+            remove_menu_page( 'profile.php' );
+        }
+    }
 
 }

create-temporary-login/trunk/index.php

@@ -1 +1 @@
 <?php
+/**
+ * Silence is golden.
+ *
+ * Prevents direct access to plugin directory by displaying a simple message.
+ *
+ * @package WPBifrost
+ */
 
 echo "Keep silent! You silly Human";

create-temporary-login/trunk/languages/create-temporary-login.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: WPBifröst - Instant Passwordless Temporary Login Links 1.0.7\n"
+"Project-Id-Version: WPBifröst - Instant Passwordless Temporary Login Links 1.0.8\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/create-temporary-login\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2025-05-18T08:17:13+00:00\n"
+"POT-Creation-Date: 2025-10-15T08:22:19+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.11.0\n"
@@ -40 +40 @@
 msgstr ""
 
-#: includes/class-admin.php:119
+#: includes/class-admin.php:185
 msgid "WPBifröst - Settings (Instant Passwordless Temporary Login Links)"
 msgstr ""
 
-#: includes/class-admin.php:121
+#: includes/class-admin.php:187
 msgid "Generate a link"
 msgstr ""
 
-#: includes/class-admin.php:160
+#: includes/class-admin.php:226
 msgid "Delete"
 msgstr ""
 
-#: includes/class-admin.php:162
+#: includes/class-admin.php:228
 msgid "Copied"
 msgstr ""
 
-#: includes/class-admin.php:166
+#: includes/class-admin.php:232
 msgid "Extend 3 days"
 msgstr ""
 
-#: includes/class-admin.php:175
+#: includes/class-admin.php:241
 msgid "Click to Copy!"
 msgstr ""
 
-#: includes/class-admin.php:271
+#: includes/class-admin.php:363
 msgid "Create Temporary Login"
 msgstr ""
 
-#: includes/class-admin.php:308
+#: includes/class-admin.php:401
 msgid "<strong>Error:</strong> The username is not registered on this site. If you are unsure of your username, try your email address instead."
 msgstr ""
 
-#: includes/class-option.php:93
+#: includes/class-option.php:103
 msgid "Expired"
 msgstr ""
 
 #. translators: %s: How many days remaining
-#: includes/class-option.php:97
+#: includes/class-option.php:108
 msgid "Will be expired after:&nbsp;%s"
 msgstr ""

create-temporary-login/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 6.2
 Tested up to: 6.8
-Stable tag: 1.0.7
+Stable tag: 1.0.8
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -89 +89 @@
 == Changelog ==
 
+= 1.0.8 =
+* Fix: Security Vulnerability.
+* Update: Disallow profile.php for temporary users.
+* Tweak: Loads the scripts only on the plugin settings page.
+* Removed: `load_plugin_textdomain()` as this plugin is hosted on WordPress.org, so, it is no longer need to manually include this function call for translations under the plugin slug. WordPress will automatically load the translations as needed.
+
 = 1.0.7 =
 * Fix: Show Toolbar when viewing site.

create-temporary-login/trunk/uninstall.php

@@ -1 +1 @@
 <?php
+/**
+ * Uninstall script for WPBifröst - Instant Passwordless Temporary Login Links plugin.
+ *
+ * This script deletes all temporary users created by the plugin when it is uninstalled.
+ *
+ * @package    WPBifrost
+ * @subpackage Uninstall
+ */
 
-// if uninstall.php is not called by WordPress, die
-if (!defined('WP_UNINSTALL_PLUGIN')) {
-    die;
+// If uninstall.php is not called by WordPress, exit.
+if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+    exit;
 }
 
-// Get all users
+// Get all users.
 $ctl_users = get_users();
 
-foreach ($ctl_users as $key => $user) {
-    //Getting only ctl users
-    if( get_user_meta( $user->ID, 'ctl_user', true ) ){
-        wp_delete_user( sanitize_text_field( $user->ID ) );
-    }
+foreach ( $ctl_users as $user ) {
+    // Check if user is a temporary login user created by the plugin.
+    if ( get_user_meta( $user->ID, 'ctl_user', true ) ) {
+        wp_delete_user( intval( $user->ID ) );
+    }
 }
-