
   1  <?php
   2  /**
   3   * Settings: Email address and password action handler
   4   *
   5   * @package BuddyPress
   6   * @subpackage SettingsActions
   7   * @since 3.0.0
   8   */
   9  
  10  /**
  11   * Handles the changing and saving of user email addresses and passwords.
  12   *
  13   * We do quite a bit of logic and error handling here to make sure that users
  14   * do not accidentally lock themselves out of their accounts. We also try to
  15   * provide as accurate of feedback as possible without exposing anyone else's
  16   * information to them.
  17   *
  18   * Special considerations are made for super admins that are able to edit any
  19   * users accounts already, without knowing their existing password.
  20   *
  21   * @since 1.6.0
  22   *
  23   * @global BuddyPress $bp
  24   */
  25  function bp_settings_action_general() {
  26      if ( ! bp_is_post_request() ) {
  27          return;
  28      }
  29  
  30      // Bail if no submit action.
  31      if ( ! isset( $_POST['submit'] ) ) {
  32          return;
  33      }
  34  
  35      // Bail if not in settings.
  36      if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) ) {
  37          return;
  38      }
  39  
  40      // 404 if there are any additional action variables attached
  41      if ( bp_action_variables() ) {
  42          bp_do_404();
  43          return;
  44      }
  45  
  46      // Define local defaults
  47      $bp            = buddypress(); // The instance
  48      $email_error   = false;        // invalid|blocked|taken|empty|nochange
  49      $pass_error    = false;        // invalid|mismatch|empty|nochange
  50      $pass_changed  = false;        // true if the user changes their password
  51      $email_changed = false;        // true if the user changes their email
  52      $feedback_type = 'error';      // success|error
  53      $feedback      = array();      // array of strings for feedback.
  54  
  55      // Nonce check.
  56      check_admin_referer('bp_settings_general');
  57  
  58      // Validate the user again for the current password when making a big change.
  59      if ( ( is_super_admin() ) || ( !empty( $_POST['pwd'] ) && wp_check_password( $_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id() ) ) ) {
  60  
  61          $update_user = get_userdata( bp_displayed_user_id() );
  62  
  63          /* Email Change Attempt ******************************************/
  64  
  65          if ( !empty( $_POST['email'] ) ) {
  66  
  67              // What is missing from the profile page vs signup -
  68              // let's double check the goodies.
  69              $user_email     = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
  70              $old_user_email = $bp->displayed_user->userdata->user_email;
  71  
  72              // User is changing email address.
  73              if ( $old_user_email != $user_email ) {
  74  
  75                  // Run some tests on the email address.
  76                  $email_checks = bp_core_validate_email_address( $user_email );
  77  
  78                  if ( true !== $email_checks ) {
  79                      if ( isset( $email_checks['invalid'] ) ) {
  80                          $email_error = 'invalid';
  81                      }
  82  
  83                      if ( isset( $email_checks['domain_banned'] ) || isset( $email_checks['domain_not_allowed'] ) ) {
  84                          $email_error = 'blocked';
  85                      }
  86  
  87                      if ( isset( $email_checks['in_use'] ) ) {
  88                          $email_error = 'taken';
  89                      }
  90                  }
  91  
  92                  // Store a hash to enable email validation.
  93                  if ( false === $email_error ) {
  94                      $hash = wp_generate_password( 32, false );
  95  
  96                      $pending_email = array(
  97                          'hash'     => $hash,
  98                          'newemail' => $user_email,
  99                      );
 100  
 101                      bp_update_user_meta( bp_displayed_user_id(), 'pending_email_change', $pending_email );
 102                      $verify_link = bp_displayed_user_domain() . bp_get_settings_slug() . '/?verify_email_change=' . $hash;
 103  
 104                      // Send the verification email.
 105                      $args = array(
 106                          'tokens' => array(
 107                              'displayname'    => bp_core_get_user_displayname( bp_displayed_user_id() ),
 108                              'old-user.email' => $old_user_email,
 109                              'user.email'     => $user_email,
 110                              'verify.url'     => esc_url( $verify_link ),
 111                          ),
 112                      );
 113                      bp_send_email( 'settings-verify-email-change', bp_displayed_user_id(), $args );
 114  
 115                      // We mark that the change has taken place so as to ensure a
 116                      // success message, even though verification is still required.
 117                      $_POST['email'] = $update_user->user_email;
 118                      $email_changed = true;
 119                  }
 120  
 121              // No change.
 122              } else {
 123                  $email_error = false;
 124              }
 125  
 126          // Email address cannot be empty.
 127          } else {
 128              $email_error = 'empty';
 129          }
 130  
 131          /* Password Change Attempt ***************************************/
 132  
 133          if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
 134  
 135              if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . wp_unslash( $_POST['pass1'] ), "\\" ) ) {
 136  
 137                  // Password change attempt is successful.
 138                  if ( ( ! empty( $_POST['pwd'] ) && $_POST['pwd'] != $_POST['pass1'] ) || is_super_admin() )  {
 139                      $update_user->user_pass = $_POST['pass1'];
 140                      $pass_changed = true;
 141  
 142                  // The new password is the same as the current password.
 143                  } else {
 144                      $pass_error = 'same';
 145                  }
 146  
 147              // Password change attempt was unsuccessful.
 148              } else {
 149                  $pass_error = 'mismatch';
 150              }
 151  
 152          // Both password fields were empty.
 153          } elseif ( empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) {
 154              $pass_error = false;
 155  
 156          // One of the password boxes was left empty.
 157          } elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
 158              $pass_error = 'empty';
 159          }
 160  
 161          // The structure of the $update_user object changed in WP 3.3, but
 162          // wp_update_user() still expects the old format.
 163          if ( isset( $update_user->data ) && is_object( $update_user->data ) ) {
 164              $update_user = $update_user->data;
 165              $update_user = get_object_vars( $update_user );
 166  
 167              // Unset the password field to prevent it from emptying out the
 168              // user's user_pass field in the database.
 169              // @see wp_update_user().
 170              if ( false === $pass_changed ) {
 171                  unset( $update_user['user_pass'] );
 172              }
 173          }
 174  
 175          // Clear cached data, so that the changed settings take effect
 176          // on the current page load.
 177          if ( ( false === $email_error ) && ( false === $pass_error ) && ( wp_update_user( $update_user ) ) ) {
 178              $bp->displayed_user->userdata = bp_core_get_core_userdata( bp_displayed_user_id() );
 179          }
 180  
 181      // Password Error.
 182      } else {
 183          $pass_error = 'invalid';
 184      }
 185  
 186      // Email feedback.
 187      switch ( $email_error ) {
 188          case 'invalid' :
 189              $feedback['email_invalid']  = __( 'That email address is invalid. Check the formatting and try again.', 'buddypress' );
 190              break;
 191          case 'blocked' :
 192              $feedback['email_blocked']  = __( 'That email address is currently unavailable for use.', 'buddypress' );
 193              break;
 194          case 'taken' :
 195              $feedback['email_taken']    = __( 'That email address is already taken.', 'buddypress' );
 196              break;
 197          case 'empty' :
 198              $feedback['email_empty']    = __( 'Email address cannot be empty.', 'buddypress' );
 199              break;
 200          case false :
 201              // No change.
 202              break;
 203      }
 204  
 205      // Password feedback.
 206      switch ( $pass_error ) {
 207          case 'invalid' :
 208              $feedback['pass_error']    = __( 'Your current password is invalid.', 'buddypress' );
 209              break;
 210          case 'mismatch' :
 211              $feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddypress' );
 212              break;
 213          case 'empty' :
 214              $feedback['pass_empty']    = __( 'One of the password fields was empty.', 'buddypress' );
 215              break;
 216          case 'same' :
 217              $feedback['pass_same']        = __( 'The new password must be different from the current password.', 'buddypress' );
 218              break;
 219          case false :
 220              // No change.
 221              break;
 222      }
 223  
 224      // No errors so show a simple success message.
 225      if ( ( ( false === $email_error ) || ( false == $pass_error ) ) && ( ( true === $pass_changed ) || ( true === $email_changed ) ) ) {
 226          $feedback[]    = __( 'Your settings have been saved.', 'buddypress' );
 227          $feedback_type = 'success';
 228  
 229      // Some kind of errors occurred.
 230      } elseif ( ( ( false === $email_error ) || ( false === $pass_error ) ) && ( ( false === $pass_changed ) || ( false === $email_changed ) ) ) {
 231          if ( bp_is_my_profile() ) {
 232              $feedback['nochange'] = __( 'No changes were made to your account.', 'buddypress' );
 233          } else {
 234              $feedback['nochange'] = __( 'No changes were made to this account.', 'buddypress' );
 235          }
 236      }
 237  
 238      // Set the feedback.
 239      bp_core_add_message( implode( "\n", $feedback ), $feedback_type );
 240  
 241      /**
 242       * Fires after the general settings have been saved, and before redirect.
 243       *
 244       * @since 1.5.0
 245       */
 246      do_action( 'bp_core_general_settings_after_save' );
 247  
 248      // Redirect to prevent issues with browser back button.
 249      bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() . '/general' ) );
 250  }
 251  add_action( 'bp_actions', 'bp_settings_action_general' );
 252  
 253  /**
 254   * Process email change verification or cancel requests.
 255   *
 256   * @since 2.1.0
 257   */
 258  function bp_settings_verify_email_change() {
 259      if ( ! bp_is_settings_component() ) {
 260          return;
 261      }
 262  
 263      if ( ! bp_is_my_profile() ) {
 264          return;
 265      }
 266  
 267      $redirect_to = trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() );
 268  
 269      // Email change is being verified.
 270      if ( isset( $_GET['verify_email_change'] ) ) {
 271          $pending_email = bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change', true );
 272  
 273          // Bail if the hash provided doesn't match the one saved in the database.
 274          if ( ! hash_equals( urldecode( $_GET['verify_email_change'] ), $pending_email['hash'] ) ) {
 275              return;
 276          }
 277  
 278          $email_changed = wp_update_user( array(
 279              'ID'         => bp_displayed_user_id(),
 280              'user_email' => trim( $pending_email['newemail'] ),
 281          ) );
 282  
 283          if ( $email_changed ) {
 284  
 285              // Delete the pending email change key.
 286              bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
 287  
 288              // Post a success message and redirect.
 289              bp_core_add_message( __( 'You have successfully verified your new email address.', 'buddypress' ) );
 290          } else {
 291              // Unknown error.
 292              bp_core_add_message( __( 'There was a problem verifying your new email address. Please try again.', 'buddypress' ), 'error' );
 293          }
 294  
 295          bp_core_redirect( $redirect_to );
 296          die();
 297  
 298      // Email change is being dismissed.
 299      } elseif ( ! empty( $_GET['dismiss_email_change'] ) ) {
 300          $nonce_check = isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'bp_dismiss_email_change' );
 301  
 302          if ( $nonce_check ) {
 303              bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
 304              bp_core_add_message( __( 'You have successfully dismissed your pending email change.', 'buddypress' ) );
 305          }
 306  
 307          bp_core_redirect( $redirect_to );
 308          die();
 309      }
 310  }
 311  add_action( 'bp_actions', 'bp_settings_verify_email_change' );