[wp-hackers] Hooking into WP theme/plugin update

Jeremy Hough jeremy at digitalbrands.com
Wed Mar 21 16:06:45 UTC 2012

Thanks Otto and Dion. I had looked through the source before asking and 
was considering using GET urlparams to do the job, but wasn't sure if 
there was any type of hooks that could perhaps handle it better.

In that light, pre_http_request might be the route to go should I need 
that complexity. Alternatively, I can always fall back on passing the 
token with the GET request.

Intercepting updates on this level I am sure would bring frightening 
code samples if people had hooks to (mis)use.

Thanks again,

Jeremy Hough

> Date: Wed, 21 Mar 2012 10:57:08 +1100
> From: "Dion Hulse (dd32)"<wordpress at dd32.id.au>
> Subject: Re: [wp-hackers] Hooking into WP theme/plugin update
> 	downloading
> To:wp-hackers at lists.automattic.com
> Message-ID:
> 	<CAL4EHfm6zEvdJT49zV53u-At5pd8O5XSjc7two6tj=3uBYr3Zg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> You've got 2 options: As otto says: Authenticate the install, and on
> the transient save hooks, insert url's with a token (Only needs to be
> valid for ~12hours).
> If that's not good enough, You can hook inside WP_HTTP on
> pre_http_request
> (http://core.trac.wordpress.org/browser/trunk/wp-includes/class-http.php#L115)
> match a specific URL destination, and perform any type of request (You
> can even redirect the request to a different server, define https
> handling, add oauth headers, whatever, just make sure you respect the
> 'stream' arguement that's passed to the filter).
> basically, add_filter( 'pre_http_request', function() { return
> wp_remote_get('http://google.com/'); } ); to redirect ALL outgoing
> requests to google..
> On 21 March 2012 09:13, Otto<otto at ottodestruct.com>  wrote:
>> The upgrade code always uses wp_remote_get to get the ZIP file, and
>> offers no hooks to change that or modify the parameters to it.
>> However, this doesn't stop you from returning a different URL for the
>> ZIP file to any given requester based on your own criteria. For oauth,
>> you could conceivably pass the token in the GET request. Such as
>> https://example.com/plugin.zip?auth=abc123  and so on. Then if the auth
>> token isn't valid, return a 401 Unauthorized Error to fail the
>> download process.
>> -Otto
>> On Tue, Mar 20, 2012 at 4:23 PM, Jeremy Hough<jeremy at digitalbrands.com>  wrote:
>>> I have a working (and extended) setup of Jeremy Clark's Self-Hosted Plugin
>>> Update API (https://github.com/jeremyclark13/automatic-theme-plugin-update).
>>> I am setting up my update server to force/require https connections to
>>> encrypt transmissions. I am wanting to use oAuth for authentication (and
>>> provide access to restricted content).
>>> Is there any type of hook in wordpress I can use so that when an update is
>>> instantiated, the download behavior can be redefined so that the provided
>>> update zip url will be downloaded using an oAuth-signed request?
>>> Thanks for any insight,
>>> Jeremy Hough
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list