Site Health: Conditionally run Authorization header test.

Clorith · Clorith · commit 9991a80cca60 · 2021-06-02T00:50:53.000Z
The test to confirm if Authorization headers can be used and recognized by WordPress needs to include a username and password combination that WordPress can compare against during the testing phase. The inclusion of credentials here would unfortunately also invalidate any existing basic auth session for the site, for example if the user had added this as an extra layer of security on their back-end. This test is now skipped if the `wp_is_site_protected_by_basic_auth()` function detects that basic auth is being used, since the act of using basic auth to access the site confirms that this feature is working as expected in the first place. Props WebDragon, TimothyBlynJacobs, costdev. Fixes #52642. git-svn-id: https://develop.svn.wordpress.org/trunk@51057 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-admin/includes/class-wp-site-health.php b/src/wp-admin/includes/class-wp-site-health.php
@@ -2348,15 +2348,21 @@ public static function get_tests() {
 					'has_rest'          => true,
 					'async_direct_test' => array( WP_Site_Health::get_instance(), 'get_test_https_status' ),
 				),
-				'authorization_header' => array(
+			),
+		);
+
+		// Conditionally include Authorization header test if the site isn't protected by Basic Auth.
+		if ( function_exists( 'wp_is_site_protected_by_basic_auth' ) ) {
+			if ( ! wp_is_site_protected_by_basic_auth() ) {
+				$tests['async']['authorization_header'] = array(
 					'label'     => __( 'Authorization header' ),
 					'test'      => rest_url( 'wp-site-health/v1/tests/authorization-header' ),
 					'has_rest'  => true,
 					'headers'   => array( 'Authorization' => 'Basic ' . base64_encode( 'user:pwd' ) ),
 					'skip_cron' => true,
-				),
-			),
-		);
+				);
+			}
+		}
 
 		// Conditionally include REST rules if the function for it exists.
 		if ( function_exists( 'rest_url' ) ) {
