Bug report: admin bar links to wrong wp-admin URLs (mapped domain, possibly also SSO problem)

NB: I see that there have been some other similar posts on the subject, but it's not clear that those cases are exactly the same as this one since they seemed to be opened a while ago. Apologies if this is a dupe. In any case, maybe I can shed a bit more light on the problem.

Somewhere between v4.3.0.4 and v4.4.0.1, links (e.g. to edit post) in the admin bar (i.e., as seen from the mapped domain) have somehow gotten broken. Note: Our site is set to force SSL for login and wp-admin, therefore we force the original domain for wp-admin in order to avoid SSL certificate CN mismatches.

Example:
• the original domain is original.domain.com
• domain mapped.domain.com is mapped to original.domain.com/mapped (we're using the subdir mode of WPMS)

With v4.3.0.4, the admin bar edit link points to https://original.domain.com/mapped/wp-admin/post.php?post=87&action=edit, which is correct and works just fine.

With v4.4.0.1, the admin bar edit link points to https://mapped.domain.com/wp-admin/post.php?post=87&action=edit. Immediately this is a problem for SSL because although the plugin should redirect to the correct URL, the browser will first hit the CN mismatch (we happen to have a wildcard certificate, but in the general case this will break, especially if the mapped domain is completely different, which would be the general case).

Clicking on this link bounces me to a login redirect, which is weird because we have SSO/cross-domain autologin turned on, so there may be a bug related to SSO also.

After logging in again, I am redirected to https://original.domain.com/wp-admin/post.php?post=87&action=edit; note the missing site slug. The correct URL should be https://original.domain.com/mapped/wp-admin/post.php?post=87&action=edit

This might be one bug, two separate bugs, or two related bugs. This is a complex plugin and I am overcommitted right now, but I will help diagnose the problem just as soon as I am free from my current task.

For now, I have reverted to v4.3.0.4 on our production site, but I have v4.4.0.1 installed on our staging site if any of your devs want to look into this. I will assist in debugging where I can.

This is an urgent problem to solve because of the recent XSS fixes contained in v4.4.0.1.
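The three admin URLs quoted in the report above can be told apart mechanically. The following Python check is an added example, not part of the original post or of the plugin's code; the certificate name list, the function names and the www.example.org domain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed configuration mirroring the report's example (assumed values).
ORIGINAL_HOST = "original.domain.com"
SITE_PATH = "/mapped"  # subdirectory of the mapped site on the original domain
CERT_NAMES = ["original.domain.com", "*.domain.com"]  # constructed wildcard cert names

def cert_covers(host, names):
    """Hostname match where '*' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
    return False

def check_admin_link(url, original_host=ORIGINAL_HOST,
                     site_path=SITE_PATH, cert_names=CERT_NAMES):
    """Return findings for one admin-bar link; an empty list means it is as expected."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if host != original_host:
        # wp-admin is forced to the original domain, so any other host is wrong
        findings.append("admin-on-mapped-host")
        if not cert_covers(host, cert_names):
            findings.append("cert-name-mismatch")
    elif not parts.path.startswith(site_path + "/wp-admin/"):
        # right host, but the subsite's directory is absent from the path
        findings.append("missing-site-slug")
    return findings

if __name__ == "__main__":
    for u in ("https://original.domain.com/mapped/wp-admin/post.php?post=87&action=edit",
              "https://mapped.domain.com/wp-admin/post.php?post=87&action=edit",
              "https://original.domain.com/wp-admin/post.php?post=87&action=edit",
              "https://www.example.org/wp-admin/post.php?post=87&action=edit"):
        print(u, check_admin_link(u))
```

The last URL shows the general case the report warns about: a mapped domain outside the wildcard fails the certificate name match before any redirect can happen.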

  • Michael Bissett
    • Recruit

    Hey @David King, hope you're doing well today! :slight_smile:

    We'll want to have a closer look at your staging site here, could you please send in the following via our secure contact form:

    - Mark to my attention, the subject line should contain only: ATTN: Michael Bissett
    - Do not include anything else in the subject line; doing so may delay our response due to how email filtering works.
    - Link back to this thread
    - Include WordPress network admin access details (login address, username & password)
    - Include FTP log-in details (hostname, username & password)
    - Include cPanel access details
    - Include any relevant URLs for your site (e.g. the subsite where you were running into this issue)

    On the contact form (linked to below), please select "I have a different question"; this ensures it comes through and gets assigned to me.

    https://premium.wpmudev.org/contact/

    Thanks a bunch! :slight_smile:

    Kind Regards,
    Michael

  • Michael Bissett
    • Recruit

    Hey @David King, thanks for your patience here! :slight_smile:

    We just released an update that should help with what's going on, could you try updating on your test site please? (I'd have done it, but my user doesn't presently have the permissions to do so)

    If it doesn't though, then via email, could you send in the access details for the chrooted sFTP & phpMyAdmin access you mentioned in your email please?

    Thanks! :slight_smile:

    Kind Regards,
    Michael

    • David King
      • Site Builder, Child of Zeus

      You're a network admin, so you should be able to upgrade it — unless it's that WPMU dashboard users thing, in which case I have just set WPMUDEV_LIMIT_TO_USER in wp-config.php with your user ID.

      I've upgraded to the current version, but the problem is still there: the edit link points to https://mapped.domain.com/wp-admin/post.php?post=XXX&action=edit

      Re. credentials, please email me an RSA pubkey (I'd rather not transmit a private key by email) and I'll create the necessary unix account with the necessary permissions etc and email you the details.

  • Michael Bissett
    • Recruit

    Hey @David King,

    Just sent the RSA pubkey your way, please let me know if there are any issues with that. :slight_smile:

    Oh, and regarding this:

    "You're a network admin, so you should be able to upgrade it — unless it's that WPMU dashboard users thing, in which case I have just set WPMUDEV_LIMIT_TO_USER in wp-config.php with your user ID."

    Yep, that was it, thanks for taking care of that. :slight_smile:

    Kind Regards,
    Michael

  • David King
    • Site Builder, Child of Zeus

    Hi Michael,

    I see there's a new release, 4.4.0.3 and that you've installed it on the staging site (thanks) — but the problem apparently remains... is that what you're seeing, or does it appear "fixed" for you?

    BTW, in case my email didn't get passed on to you, all those other things are fixed and now in place, should you need them.

  • Michael Bissett
    • Recruit

    Hey @David King,

    I'm still seeing the same thing you are, and it seems like the problem we're running into here is that the setting for "Administration mapping" isn't being respected on the front end (given the notes that you've offered, plus my own research on the matter).

    We'll want to bring this to the developer's attention here, as he'd be the most qualified to look into the matter. :slight_smile:

    Kind Regards,
    Michael
