Filterable Configuration

Change Details
---------------
Makes all the functions within Editor Tools package configurable via filters

packages/editor-tools/editor-tools.php

@@ -5,7 +5,7 @@
  * Version: 1.0.0
  * Author: BoxUK
  * Author URI: https://boxuk.com
- * 
+ *
  * @package Boxuk\BoxWpEditorTools
  */
 
@@ -16,5 +16,12 @@
 ( new Comments() )->init();
 ( new EditorCleanup() )->init();
 ( new PostTypes() )->init();
-( new TemplatePersistence() )->init(); 
-( new Security\Security() )->init();
+( new TemplatePersistence() )->init();
+( new Security\AuthorEnumeration() )->init();
+( new Security\Headers() )->init();
+( new Security\PasswordValidation() )->init();
+( new Security\UserSessions() )->init();
+( new Security\RestrictHTTPRequestMethods() )->init();
+( new Security\RSS() )->init();
+( new Security\SessionTimeoutModifier() )->init();
+( new Security\UserLogin() )->init();

packages/editor-tools/src/PostTypes.php

@@ -28,7 +28,10 @@ public function init(): void {
  */
  public function register_post_types(): void {
 
- $path = get_template_directory() . '/post-types.json';
+ $path = apply_filters(
+ 'boxuk_post_types_json_file_path',
+ get_template_directory() . '/post-types.json'
+ );
  if ( ! file_exists( $path ) ) {
  return;
  }

packages/editor-tools/src/Security/AuthorEnumeration.php

@@ -1,7 +1,7 @@
 <?php
 /**
  * Author Enumeration Prevention
- * 
+ *
  * @package Boxuk\BoxWpEditorTools\Security
  */
 
@@ -26,19 +26,23 @@ public function init(): void {
  * Returns a 404 instead of redirecting an author query (?author=1) to the pretty printed URL (/author/admin).
  *
  * @param string $redirect The pretty permalink URL.
- * 
+ *
  * @return ?string The pretty permalink URL or null if the author query is set.
  */
- public function prevent_author_enum( string $redirect ): ?string { 
+ public function prevent_author_enum( string $redirect ): ?string {
+ if ( false === apply_filters( 'boxuk_prevent_author_enum', true ) ) {
+ return $redirect;
+ }
+
  if ( get_query_var( 'author', false ) ) {
  global $wp_query;
  $wp_query->set_404();
- 
+
  add_filter( 'wp_title', array( $this, 'get_404_title' ), PHP_INT_MAX );
- 
+
  status_header( 404 );
  nocache_headers();
- 
+
  return null;
  } else {
  return $redirect;
@@ -47,7 +51,7 @@ public function prevent_author_enum( string $redirect ): ?string {
 
  /**
  * Get 404 Title
- * 
+ *
  * @return string
  */
  public function get_404_title(): string {
@@ -62,8 +66,12 @@ public function get_404_title(): string {
  */
  public function handle_rest_endpoints( array $endpoints ): array {
 
+ if ( false === apply_filters( 'boxuk_prevent_author_rest_endpoint', true ) ) {
+ return $endpoints;
+ }
+
  // Block editor requires this endpoint for getting user details for authors.
- if ( current_user_can( 'edit_posts' ) ) { 
+ if ( current_user_can( 'edit_posts' ) ) {
  return $endpoints;
  }
 

packages/editor-tools/src/Security/Headers.php

@@ -24,12 +24,14 @@ public function init(): void {
 
  /**
  * Hook the nosniff and frame option headers to the send_headers action.
- * 
+ *
  * @return void
  */
  public function send_headers(): void {
- add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
- add_action( 'send_headers', 'send_nosniff_header', 10, 0 );
+ if ( true === apply_filters( 'boxuk_send_no_sniff_headers', true ) ) {
+ add_action( 'send_headers', 'send_frame_options_header', 10, 0 );
+ add_action( 'send_headers', 'send_nosniff_header', 10, 0 );
+ }
  }
 
  /**
@@ -39,7 +41,9 @@ public function send_headers(): void {
  * @return array<mixed>
  */
  public function remove_vip_headers( array $headers ): array {
- unset( $headers['X-hacker'], $headers['X-Powered-By'] );
+ if ( true === apply_filters( 'boxuk_remove_vip_headers', true ) ) {
+ unset( $headers['X-hacker'], $headers['X-Powered-By'] );
+ }
  return $headers;
  }
 }

packages/editor-tools/src/Security/PasswordValidation.php

@@ -39,7 +39,18 @@ public function init(): void {
  * @return void
  */
  public function user_profile_update_errors( \WP_Error $errors ): void {
+
+ if ( false === apply_filters( 'boxuk_validate_password', true ) ) {
+ return;
+ }
+
  $password = sanitize_text_field( $_POST['pass1'] ?? '' ); // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification is handled by WP core.
+
+ // Allow empty-password field if the user is just updating their profile.
+ if ( doing_action( 'user_profile_update_errors' ) && empty( $password ) ) {
+ return;
+ }
+
  $this->validate_password( $password, $errors );
  }
 
@@ -95,6 +106,9 @@ public function validate_password( string $password, \WP_Error &$errors ): void
  * @return string
  */
  public function password_hint( string $hint ): string {
+ if ( false === apply_filters( 'boxuk_validate_password', true ) ) {
+ return $hint;
+ }
 
  $hint = __( 'Hint: The password should be at least ten characters long, and include at least one upper case letter and one number. To make it stronger, use more upper and lower case letters, more numbers, and symbols like ! " ? $ % ^ & ).', 'boxuk' );
 

packages/editor-tools/src/Security/RSS.php

@@ -1,7 +1,7 @@
 <?php
 /**
  * RSS Disablement
- * 
+ *
  * @package Boxuk\BoxWpEditorTools\Security
  */
 
@@ -16,10 +16,14 @@ class RSS {
 
  /**
  * Init Hooks
- * 
+ *
  * @return void
  */
- public function init() { 
+ public function init() {
+ if ( false === apply_filters( 'boxuk_disable_rss', true ) ) {
+ return;
+ }
+
  add_action( 'do_feed', array( $this, 'send_404' ), 1 );
  add_action( 'do_feed_rdf', array( $this, 'send_404' ), 1 );
  add_action( 'do_feed_rss', array( $this, 'send_404' ), 1 );
@@ -36,7 +40,7 @@ public function init() {
 
  /**
  * Make sure all RSS feeds are blank.
- * 
+ *
  * @return void
  */
  public function send_404(): void {
@@ -45,10 +49,10 @@ public function send_404(): void {
  include get_query_template( '404' );
  $this->exit();
  }
- 
+
  /**
  * Feed content type
- * 
+ *
  * @return string
  */
  public function feed_content_type(): string {
@@ -57,11 +61,11 @@ public function feed_content_type(): string {
 
  /**
  * Exit
- * 
+ *
  * Test stub for `exit` function.
- * 
+ *
  * @codeCoverageIgnore -- we can't handle the `exit`.
- * 
+ *
  * @return void
  */
  public function exit(): void {

packages/editor-tools/src/Security/RestrictHTTPRequestMethods.php

@@ -44,8 +44,7 @@ public function init() {
  * @return void
  * */
  public function block_request_if_not_using_allowed_method() {
-
- if ( $this->is_cli() ) { 
+ if ( $this->is_cli() || ( ! apply_filters( 'boxuk_restrict_http_request_methods', true ) ) ) {
  return;
  }
 
@@ -57,7 +56,7 @@ public function block_request_if_not_using_allowed_method() {
 
  /**
  * Get the current method.
- * 
+ *
  * @return string The current method or empty string if it can't be determined.
  */
  public function get_method(): string {
@@ -66,12 +65,12 @@ public function get_method(): string {
 
  /**
  * Check if the request is from the command line.
- * 
+ *
  * @return bool Whether the request is from the command line.
- * 
+ *
  * @codeCoverageIgnore -- We can't mock constants.
  */
  public function is_cli(): bool {
- return defined( 'WP_CLI' ) && WP_CLI;
+ return defined( 'WP_CLI' ) && \WP_CLI;
  }
 }

packages/editor-tools/src/Security/SessionTimeoutModifier.php

@@ -24,7 +24,7 @@ public function init(): void {
  }
 
  /**
- * Modify the default session timeout value. 
+ * Modify the default session timeout value.
  *
  * @param int $wp_default_expiration the default WP session expiration timeout value, in seconds.
  * @param int $user_id the current user id.
@@ -33,6 +33,10 @@ public function init(): void {
  * @return int
  */
  public function auth_cookie_expiration_filter( int $wp_default_expiration, int $user_id, bool $remember_me ): int {
+ if ( false === apply_filters( 'boxuk_modify_session_timeout', true ) ) {
+ return $wp_default_expiration;
+ }
+
  if ( $remember_me ) {
  return $wp_default_expiration;
  }