Allow weak password by environment instead of TLD

bernskiold · Mar 12, 2021 · 4807e46 · 4807e46
1 parent 9bdf223
commit 4807e46
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,10 @@ All notable changes to this project will be documented in this file. This projec
 
 ### Changed
 - Renamed the `bm_wpexp_authors_whitelisted_domains` to `bm_wpexp_authors_allowlisted_domains`.
+- Environment control of when weak passwords are allowed is now done via `wp_get_environment_type` instead of via TLD.
+
+### Removed
+- `bm_wpexp_test_tlds` no longer exists as it is not necessary.
 
 ## [1.3.0] - 2021-01-30
 

diff --git a/README.md b/README.md
@@ -85,7 +85,6 @@ For almost every feature there is a filter, constant or action allowing you to c
 ### Security
 
 `bm_wpexp_weak_passwords` - Customize the array of passwords that are always considered weak.
-`bm_wpexp_test_tlds` - Customize the list of TLDs that designate a testing environment.
 
 ### Users
 

diff --git a/includes/class-security.php b/includes/class-security.php
@@ -21,16 +21,6 @@
  */
 class Security {
 
-	/**
-	 * Top-level domains on local testing sites.
-	 * These are whitelisted for weak passwords.
-	 */
-	protected const TEST_TLDS = [
-		'test',
-		'local',
-		'dev',
-	];
-
 	/**
 	 * Define passwords that we always classify as weak.
 	 */
@@ -91,10 +81,13 @@ public static function init() {
 	 */
 	public static function prevent_weak_password_auth( $user, $username, $password ) {
 
-		// Get the TLD from the domain.
-		$tld = preg_replace( '#^.*\.(.*)$#', '$1', wp_parse_url( site_url(), PHP_URL_HOST ) );
+		// On local and development environments we allow a weak password.
+		if ( in_array( wp_get_environment_type(), [ 'development', 'local' ], true ) ) {
+			return $user;
+		}
 
-		if ( ! in_array( $tld, self::get_test_tlds(), true ) && in_array( strtolower( trim( $password ) ), self::get_weak_passwords(), true ) ) {
+		// If the password is tweak, prevent saving.
+		if ( in_array( strtolower( trim( $password ) ), self::get_weak_passwords(), true ) ) {
 
 			/* translators: 1. Lost Password URL */
 			$error_message = sprintf( __( 'Please <a href="%s">reset your password</a> in order to meet the security guidelines for this website.', 'bm-wp-experience' ),
@@ -118,18 +111,6 @@ public static function get_weak_passwords() {
 		return apply_filters( 'bm_wpexp_weak_passwords', self::WEEK_PASSWORDS );
 	}
 
-	/**
-	 * Get test top-level domains.
-	 *
-	 * @filter bm_wpexp_test_tlds
-	 *
-	 * @return array
-	 */
-	public static function get_test_tlds() {
-		return apply_filters( 'bm_wpexp_test_tlds', self::TEST_TLDS );
-	}
-
-
 }
 
 Security::init();