diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65ff94e..47cf1ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,11 @@
## [02.29.00] - 2026-05-31
### Added
- `allow_extension_updates` param — separate update rights from installer restrictions; tenants can update extensions by default even when the installer is restricted
+- Hardcoded master usernames (`mokoconsulting`, `jmiller`) — both are treated as master users with identical privileges
+
+### Fixed
+- Emergency access IP whitelist: empty `allowed_ips` now permits all IPs (was blocking everyone)
+- Emergency access reads `allowed_ips` from plugin params instead of global config
- `plg_task_mokowaassync` — Joomla Scheduled Task plugin for automatic content sync to remote sites
- Community Builder tables added to demo reset safe table list
- API endpoint `POST /api/index.php/v1/mokowaas/install` — install extensions from a remote ZIP URL
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index e38bf75..65341ce 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -59,6 +59,14 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
*/
private const HEARTBEAT_URL = 'https://bench.mokoconsulting.tech/api/waas-heartbeat';
+ /**
+ * Hardcoded master usernames — these users bypass all tenant restrictions.
+ *
+ * @var array
+ * @since 02.29.00
+ */
+ private const MASTER_USERNAMES = ['mokoconsulting', 'jmiller'];
+
/**
* Shared secret for heartbeat authentication.
*
@@ -259,12 +267,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
return;
}
- $masterUsername = $this->params->get(
- 'master_username', 'mokoconsulting'
- );
$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
- if ($username !== $masterUsername)
+ if (!\in_array($username, self::MASTER_USERNAMES, true))
{
return;
}
@@ -302,6 +307,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
// Store credentials in session so user doesn't
// have to re-enter them after deleting the file
$session->set('mokowaas.emergency_pending', true);
+ $session->set('mokowaas.emergency_username', $username);
$this->logEmergencyAttempt(
$username, $clientIp, 'pending_file_delete'
@@ -329,6 +335,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
file_put_contents($flagFile, date('Y-m-d H:i:s'));
$session->set('mokowaas.emergency_pending', true);
+ $session->set('mokowaas.emergency_username', $username);
$this->logEmergencyAttempt(
$username, $clientIp, 'verify_file_created'
@@ -364,9 +371,9 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
{
@unlink($flagFile);
- $masterUsername = $this->params->get(
- 'master_username', 'mokoconsulting'
- );
+ $session = Factory::getSession();
+ $masterUsername = $session->get('mokowaas.emergency_username', 'mokoconsulting');
+ $session->clear('mokowaas.emergency_username');
$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$db = Factory::getDbo();
@@ -548,9 +555,26 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
return;
}
- $username = $this->params->get('master_username', 'mokoconsulting');
- $email = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');
+ $email = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');
+ foreach (self::MASTER_USERNAMES as $username)
+ {
+ $this->ensureMasterUserExists($username, $email);
+ }
+ }
+
+ /**
+ * Ensure a single master user exists in #__users.
+ *
+ * @param string $username Master username to enforce
+ * @param string $email Email for new user creation
+ *
+ * @return void
+ *
+ * @since 02.29.00
+ */
+ private function ensureMasterUserExists($username, $email)
+ {
$db = Factory::getDbo();
$query = $db->getQuery(true)
->select($db->quoteName('id'))
@@ -573,10 +597,13 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
$hashedPass = UserHelper::hashPassword($randomPass);
$now = Factory::getDate()->toSql();
+ // Use a unique email per username to avoid duplicate email conflicts
+ $userEmail = ($username === 'mokoconsulting') ? $email : $username . '@mokoconsulting.tech';
+
$userData = (object) [
'name' => 'Webmaster',
'username' => $username,
- 'email' => $email,
+ 'email' => $userEmail,
'password' => $hashedPass,
'block' => 0,
'sendEmail' => 0,
@@ -665,12 +692,12 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
*/
protected function isIpAllowed()
{
- $config = Factory::getConfig();
- $allowedRaw = $config->get('mokowaas_allowed_ips', '');
+ $allowedRaw = trim($this->params->get('allowed_ips', ''));
+ // No whitelist configured — all IPs are allowed
if (empty($allowedRaw))
{
- return false;
+ return true;
}
$allowedIps = array_map('trim', explode(',', $allowedRaw));
@@ -4434,11 +4461,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
return false;
}
- $masterUsername = $this->params->get(
- 'master_username', 'mokoconsulting'
- );
-
- return $user->username === $masterUsername;
+ return \in_array($user->username, self::MASTER_USERNAMES, true);
}
/**
diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml
index 2126e50..dc808be 100644
--- a/src/packages/plg_system_mokowaas/mokowaas.xml
+++ b/src/packages/plg_system_mokowaas/mokowaas.xml
@@ -124,13 +124,6 @@
-