From b161cfc1ff2566c7be7425339b695aa404bf8dce Mon Sep 17 00:00:00 2001 From: Tonya Mork Date: Tue, 21 Dec 2021 02:43:18 +0000 Subject: [PATCH] Application Passwords: Show HTTPS required message without filtering when not enabled or not in local environment. When `add_filter( 'wp_is_application_passwords_available', '__return_false' )` exists, HTTPS requirement message is shown even if HTTPS is enabled on the site. This happens because `wp_is_application_passwords_available_for_user()` first invokes `wp_is_application_passwords_available()` which is filterable. The situation could happen if the `'wp_is_application_passwords_available_for_user'` filter returns `false`. To fix this, the check for HTTPS (or if in a 'local' environment) is moved to a new function called `wp_is_application_passwords_supported()`. Then the return from this function is used as an OR condition for the Application Passwords section and for displaying the HTTPS required message. Tests are included for both `wp_is_application_passwords_supported()` and `wp_is_application_passwords_available()`. Follow-up to [51980], [51988]. Props davidbinda, SergeyBiryukov, ocean90, felipeelia, costdev, hellofromTonya. Fixes #53658. git-svn-id: https://develop.svn.wordpress.org/trunk@52398 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/user-edit.php | 4 +- src/wp-includes/load.php | 2 +- src/wp-includes/user.php | 20 ++++- .../rest-application-passwords-controller.php | 80 +++++++++++++++++++ tests/qunit/fixtures/wp-api-generated.js | 8 +- 5 files changed, 107 insertions(+), 7 deletions(-) diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php index 813c5eb5cd..64f81d68bc 100644 --- a/src/wp-admin/user-edit.php +++ b/src/wp-admin/user-edit.php @@ -733,6 +733,7 @@ endif; +

@@ -796,7 +797,7 @@ endif; $application_passwords_list_table->display(); ?>
- +

+ assertErrorResponse( 'rest_application_password_not_found', $response, 500 ); } + /** + * @ticket 53658 + * + * @covers ::wp_is_application_passwords_supported + */ + public function test_wp_is_application_passwords_supported_with_https_only() { + $_SERVER['HTTPS'] = 'on'; + $this->assertTrue( wp_is_application_passwords_supported() ); + } + + /** + * @ticket 53658 + * + * @covers ::wp_is_application_passwords_supported + */ + public function test_wp_is_application_passwords_supported_with_local_environment_only() { + putenv( 'WP_ENVIRONMENT_TYPE=local' ); + + $actual = wp_is_application_passwords_supported(); + + // Revert to default behaviour so that other tests are not affected. + putenv( 'WP_ENVIRONMENT_TYPE' ); + + $this->assertTrue( $actual ); + } + + /** + * @dataProvider data_wp_is_application_passwords_available + * + * @ticket 53658 + * + * @covers ::wp_is_application_passwords_available + * + * @param bool|string $expected The expected value. + * @param string|null $callback Optional. The callback for the `wp_is_application_passwords_available` hook. + * Default: null. + */ + public function test_wp_is_application_passwords_available( $expected, $callback = null ) { + remove_filter( 'wp_is_application_passwords_available', '__return_true' ); + + if ( $callback ) { + add_filter( 'wp_is_application_passwords_available', $callback ); + } + + if ( 'default' === $expected ) { + putenv( 'WP_ENVIRONMENT_TYPE=local' ); + $expected = wp_is_application_passwords_supported(); + } + + $actual = wp_is_application_passwords_available(); + + if ( 'default' === $expected ) { + // Revert to default behaviour so that other tests are not affected. + putenv( 'WP_ENVIRONMENT_TYPE' ); + } + + $this->assertSame( $expected, $actual ); + } + + /** + * Data provider. 
+ * + * @return array + */ + public function data_wp_is_application_passwords_available() { + return array( + 'availability not forced' => array( + 'expected' => 'default', + ), + 'availability forced true' => array( + 'expected' => true, + 'callback' => '__return_true', + ), + 'availability forced false' => array( + 'expected' => false, + 'callback' => '__return_false', + ), + ); + } + /** * Sets up a REST API request to be authenticated using an App Password. * diff --git a/tests/qunit/fixtures/wp-api-generated.js b/tests/qunit/fixtures/wp-api-generated.js index 9b71d950fc..e565ddd7cb 100644 --- a/tests/qunit/fixtures/wp-api-generated.js +++ b/tests/qunit/fixtures/wp-api-generated.js @@ -18,7 +18,13 @@ mockedApiResponse.Schema = { "wp-site-health/v1", "wp-block-editor/v1" ], - "authentication": [], + "authentication": { + "application-passwords": { + "endpoints": { + "authorization": "http://example.org/wp-admin/authorize-application.php" + } + } + }, "routes": { "/": { "namespace": "",
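Review bot: In `test_wp_is_application_passwords_available()` (the test hunk for `rest-application-passwords-controller.php`), the cleanup branch can never run: `$expected` is overwritten with the boolean from `wp_is_application_passwords_supported()` before the second `'default' === $expected` check, so `putenv( 'WP_ENVIRONMENT_TYPE' )` is skipped and `WP_ENVIRONMENT_TYPE=local` stays set for later tests. Per the commit description, a 'local' environment satisfies the support check without HTTPS, so the leaked value can hide regressions in the HTTPS requirement elsewhere in the suite. Remember the case before reassigning, e.g. `$is_default = 'default' === $expected;`, and use `if ( $is_default )` for both the setup and the revert. `test_wp_is_application_passwords_supported_with_https_only()` likewise sets `$_SERVER['HTTPS'] = 'on'` without restoring it and does not pin the environment type, so unless the base test case resets these (not visible here) it may pass for a reason other than HTTPS.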