fix: hardcode master usernames, fix IP whitelist blocking all access

- Hardcode mokoconsulting and jmiller as master usernames (no longer configurable via params) - Fix isIpAllowed() reading from global config instead of plugin params - Fix empty allowed_ips returning false (now allows all IPs) - Both master users are auto-created and enforced as Super Admins Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-31 08:21:18 -05:00
parent 33599e99ce
commit a12ecf96d9
3 changed files with 46 additions and 25 deletions
@@ -22,6 +22,11 @@
 ## [02.29.00] - 2026-05-31
 ### Added
 - `allow_extension_updates` param — separate update rights from installer restrictions; tenants can update extensions by default even when the installer is restricted
+- Hardcoded master usernames (`mokoconsulting`, `jmiller`) — both are treated as master users with identical privileges
+
+### Fixed
+- Emergency access IP whitelist: empty `allowed_ips` now permits all IPs (was blocking everyone)
+- Emergency access reads `allowed_ips` from plugin params instead of global config
 - `plg_task_mokowaassync` — Joomla Scheduled Task plugin for automatic content sync to remote sites
 - Community Builder tables added to demo reset safe table list
 - API endpoint `POST /api/index.php/v1/mokowaas/install` — install extensions from a remote ZIP URL
@@ -59,6 +59,14 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	private const HEARTBEAT_URL = 'https://bench.mokoconsulting.tech/api/waas-heartbeat';

+	/**
+	 * Hardcoded master usernames — these users bypass all tenant restrictions.
+	 *
+	 * @var    array
+	 * @since  02.29.00
+	 */
+	private const MASTER_USERNAMES = ['mokoconsulting', 'jmiller'];
+
 	/**
 	 * Shared secret for heartbeat authentication.
 	 *
@@ -259,12 +267,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return;
 		}

-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

-		if ($username !== $masterUsername)
+		if (!\in_array($username, self::MASTER_USERNAMES, true))
 		{
 			return;
 		}
@@ -302,6 +307,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			// Store credentials in session so user doesn't
 			// have to re-enter them after deleting the file
 			$session->set('mokowaas.emergency_pending', true);
+			$session->set('mokowaas.emergency_username', $username);

 			$this->logEmergencyAttempt(
 				$username, $clientIp, 'pending_file_delete'
@@ -329,6 +335,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			file_put_contents($flagFile, date('Y-m-d H:i:s'));

 			$session->set('mokowaas.emergency_pending', true);
+			$session->set('mokowaas.emergency_username', $username);

 			$this->logEmergencyAttempt(
 				$username, $clientIp, 'verify_file_created'
@@ -364,9 +371,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	{
 		@unlink($flagFile);

-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
+		$session = Factory::getSession();
+		$masterUsername = $session->get('mokowaas.emergency_username', 'mokoconsulting');
+		$session->clear('mokowaas.emergency_username');
 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

 		$db    = Factory::getDbo();
@@ -548,9 +555,26 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return;
 		}

-		$username = $this->params->get('master_username', 'mokoconsulting');
-		$email    = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');
+		$email = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');

+		foreach (self::MASTER_USERNAMES as $username)
+		{
+			$this->ensureMasterUserExists($username, $email);
+		}
+	}
+
+	/**
+	 * Ensure a single master user exists in #__users.
+	 *
+	 * @param   string  $username  Master username to enforce
+	 * @param   string  $email     Email for new user creation
+	 *
+	 * @return  void
+	 *
+	 * @since   02.29.00
+	 */
+	private function ensureMasterUserExists($username, $email)
+	{
 		$db    = Factory::getDbo();
 		$query = $db->getQuery(true)
 			->select($db->quoteName('id'))
@@ -573,10 +597,13 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		$hashedPass = UserHelper::hashPassword($randomPass);
 		$now        = Factory::getDate()->toSql();

+		// Use a unique email per username to avoid duplicate email conflicts
+		$userEmail = ($username === 'mokoconsulting') ? $email : $username . '@mokoconsulting.tech';
+
 		$userData = (object) [
 			'name'         => 'Webmaster',
 			'username'     => $username,
-			'email'        => $email,
+			'email'        => $userEmail,
 			'password'     => $hashedPass,
 			'block'        => 0,
 			'sendEmail'    => 0,
@@ -665,12 +692,12 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	 */
 	protected function isIpAllowed()
 	{
-		$config     = Factory::getConfig();
-		$allowedRaw = $config->get('mokowaas_allowed_ips', '');
+		$allowedRaw = trim($this->params->get('allowed_ips', ''));

+		// No whitelist configured — all IPs are allowed
 		if (empty($allowedRaw))
 		{
-			return false;
+			return true;
 		}

 		$allowedIps = array_map('trim', explode(',', $allowedRaw));
@@ -4434,11 +4461,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return false;
 		}

-		$masterUsername = $this->params->get(
-			'master_username', 'mokoconsulting'
-		);
-
-		return $user->username === $masterUsername;
+		return \in_array($user->username, self::MASTER_USERNAMES, true);
 	}

 	/**
@@ -124,13 +124,6 @@
 					<option value="1">JYES</option>
 					<option value="0">JNO</option>
 				</field>
-				<field
-					name="master_username"
-					type="text"
-					label="PLG_SYSTEM_MOKOWAAS_MASTER_USERNAME_LABEL"
-					description="PLG_SYSTEM_MOKOWAAS_MASTER_USERNAME_DESC"
-					default="mokoconsulting"
-					/>
 				<field
 					name="master_email"
 					type="email"