
   1  <?php
   2  /**
   3   * Settings: Email address and password action handler
   4   *
   5   * @package BuddyPress
   6   * @subpackage SettingsActions
   7   * @since 3.0.0
   8   */
   9  
/**
 * Handles the changing and saving of user email addresses and passwords.
 *
 * Runs on `bp_actions` for a POST to the displayed user's Settings > General
 * screen. The flow is:
 *
 * 1. Gate: POST only, a `submit` field, the settings component with the
 *    'general' action, no extra action variables, and the
 *    'bp_settings_general' nonce.
 * 2. Re-authenticate: the request must carry the displayed user's current
 *    password in `pwd` — unless the current user is a super admin, who may
 *    edit any account (their own included) without it.
 * 3. Email: a changed address is run through bp_core_validate_email_address()
 *    and, if clean, stored in the `pending_email_change` user meta together
 *    with a random 32-character hash; a verification link carrying that hash
 *    is mailed to the NEW address. The account's address is not changed here;
 *    bp_settings_verify_email_change() does that when the link is followed.
 * 4. Password: `pass1`/`pass2` are checked with bp_members_validate_user_password()
 *    and must differ from the current password (super admins exempt).
 * 5. wp_update_user() runs only when neither step produced an error. Feedback
 *    is joined into one message and the user is redirected back to the form.
 *
 * We do quite a bit of logic and error handling here to make sure that users
 * do not accidentally lock themselves out of their accounts. We also try to
 * provide as accurate of feedback as possible without exposing anyone else's
 * information to them. (The 'taken' message does confirm that an address is
 * registered on the site; that is the same information WordPress registration
 * gives away, but it is an enumeration signal all the same.)
 *
 * Special considerations are made for super admins that are able to edit any
 * users accounts already, without knowing their existing password.
 *
 * NOTE(review): nothing in this function checks that the current user is
 * allowed to edit the displayed user's settings. That is presumably enforced
 * where the settings screens are registered — confirm. Without it, the `pwd`
 * check below would double as an online password-guessing oracle against
 * other accounts ("Your current password is invalid" per attempt).
 *
 * @since 1.6.0
 *
 * @global BuddyPress $bp
 */
function bp_settings_action_general() {
    if ( ! bp_is_post_request() ) {
        return;
    }

    // Bail if no submit action.
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }

    // Bail if not in settings.
    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) ) {
        return;
    }

    // 404 if there are any additional action variables attached
    if ( bp_action_variables() ) {
        bp_do_404();
        return;
    }

    // Define local defaults
    $bp            = buddypress(); // The instance
    $email_error   = false;        // false|'invalid'|'blocked'|'taken'|'empty'
    $pass_error    = false;        // false, or a WP_Error from the password step
    $pass_changed  = false;        // true if the user changes their password
    $email_changed = false;        // true if a verification email was sent
    $feedback_type = 'error';      // success|error
    $feedback      = array();      // array of strings for feedback.

    // Nonce check. Dies on failure, so everything below is a same-origin POST.
    check_admin_referer('bp_settings_general');

    // Validate the user again for the current password when making a big change.
    // Super admins skip the check entirely: a super admin session can rotate
    // any account's password and email without knowing the current password.
    // NOTE(review): `$_POST['pwd']` is passed to wp_check_password() as
    // received (WordPress slashes request data) while the "same password"
    // comparison further down unslashes it; presumably this mirrors core,
    // where passwords are hashed in their slashed form — confirm that a
    // password containing a backslash or quote passes both checks.
    if ( ( is_super_admin() ) || ( !empty( $_POST['pwd'] ) && wp_check_password( $_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id() ) ) ) {

        $update_user = get_userdata( bp_displayed_user_id() );

        /* Email Change Attempt ******************************************/

        if ( !empty( $_POST['email'] ) ) {

            // What is missing from the profile page vs signup -
            // let's double check the goodies.
            $user_email     = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
            $old_user_email = $bp->displayed_user->userdata->user_email;

            // User is changing email address.
            if ( $old_user_email != $user_email ) {

                // Run some tests on the email address: format, banned or
                // not-allowed domain, and whether it is already registered.
                $email_checks = bp_core_validate_email_address( $user_email );

                if ( true !== $email_checks ) {
                    if ( isset( $email_checks['invalid'] ) ) {
                        $email_error = 'invalid';
                    }

                    if ( isset( $email_checks['domain_banned'] ) || isset( $email_checks['domain_not_allowed'] ) ) {
                        $email_error = 'blocked';
                    }

                    if ( isset( $email_checks['in_use'] ) ) {
                        $email_error = 'taken';
                    }
                }

                // Store a hash to enable email validation. This hash is the only
                // secret that authorises the later verification step, so it has
                // to come from wp_generate_password() (32 alphanumeric chars) and
                // never from anything predictable.
                if ( false === $email_error ) {
                    $hash = wp_generate_password( 32, false );

                    $pending_email = array(
                        'hash'     => $hash,
                        'newemail' => $user_email,
                    );

                    bp_update_user_meta( bp_displayed_user_id(), 'pending_email_change', $pending_email );
                    $verify_link = bp_displayed_user_domain() . bp_get_settings_slug() . '/?verify_email_change=' . $hash;

                    // Send the verification email. It goes to the NEW address only;
                    // the current address is available as a token but receives no
                    // separate notice. NOTE(review): consider also notifying the
                    // old address, otherwise a hijacked session can re-point the
                    // account's email without the owner ever hearing about it.
                    $args = array(
                        'tokens' => array(
                            'displayname'    => bp_core_get_user_displayname( bp_displayed_user_id() ),
                            'old-user.email' => $old_user_email,
                            'user.email'     => $user_email,
                            'verify.url'     => esc_url( $verify_link ),
                        ),
                    );
                    bp_send_email( 'settings-verify-email-change', $user_email, $args );

                    // We mark that the change has taken place so as to ensure a
                    // success message, even though verification is still required.
                    // The still-current address is put back into $_POST, presumably
                    // so the form re-renders it rather than the pending one.
                    $_POST['email'] = $update_user->user_email;
                    $email_changed = true;
                }

            // No change.
            } else {
                $email_error = false;
            }

        // Email address cannot be empty.
        } else {
            $email_error = 'empty';
        }

        /* Password Change Attempt ***************************************/

        if ( ! empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) {
            $pass         = wp_unslash( $_POST['pass1'] );
            $pass_confirm = wp_unslash( $_POST['pass2'] );
            $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );

            if ( ! $pass_error->get_error_message() ) {
                // Password change attempt is successful. The new password must
                // differ from the supplied current one; super admins, who may
                // not have supplied `pwd` at all, are exempt from that rule.
                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
                    // Stored in the raw (slashed) request form; wp_update_user()
                    // hashes it.
                    $update_user->user_pass = $_POST['pass1'];
                    $pass_error             = false;
                    $pass_changed           = true;

                // The new password is the same as the current password.
                } else {
                    $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
                }
            }

        // Both password fields were empty.
        } elseif ( empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) {
            $pass_error = false;

        // One of the password boxes was left empty.
        } elseif ( ( empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) || ( ! empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
            $pass_error = new WP_Error( 'empty_user_password', __( 'One of the password fields was empty.', 'buddypress' ) );
        }

        // The structure of the $update_user object changed in WP 3.3, but
        // wp_update_user() still expects the old format.
        if ( isset( $update_user->data ) && is_object( $update_user->data ) ) {
            $update_user = $update_user->data;
            $update_user = get_object_vars( $update_user );

            // Unset the password field to prevent it from emptying out the
            // user's user_pass field in the database.
            // @see wp_update_user().
            if ( false === $pass_changed ) {
                unset( $update_user['user_pass'] );
            }
        }

        // Both the email and the password step must be clean before anything is
        // written. Clear cached data, so that the changed settings take effect
        // on the current page load.
        if ( ( false === $email_error ) && ( false === $pass_error ) && ( wp_update_user( $update_user ) ) ) {
            $bp->displayed_user->userdata = bp_core_get_core_userdata( bp_displayed_user_id() );
        }

    // Password Error: no `pwd` supplied, or it did not match the stored hash.
    // Only reachable for non-super-admins.
    } else {
        $pass_error = new WP_Error( 'invalid_user_password', __( 'Your current password is invalid.', 'buddypress' ) );
    }

    // Email feedback.
    switch ( $email_error ) {
        case 'invalid' :
            $feedback['email_invalid']  = __( 'That email address is invalid. Check the formatting and try again.', 'buddypress' );
            break;
        case 'blocked' :
            $feedback['email_blocked']  = __( 'That email address is currently unavailable for use.', 'buddypress' );
            break;
        case 'taken' :
            // Confirms to the submitter that the address has an account here.
            $feedback['email_taken']    = __( 'That email address is already taken.', 'buddypress' );
            break;
        case 'empty' :
            $feedback['email_empty']    = __( 'Email address cannot be empty.', 'buddypress' );
            break;
        case false :
            // No change.
            break;
    }

    if ( is_wp_error( $pass_error ) && $pass_error->get_error_message() ) {
        $feedback[ $pass_error->get_error_code() ] = $pass_error->get_error_message();
    }

    // No errors so show a simple success message.
    // A WP_Error object is truthy, so `false == $pass_error` is only true when
    // no password error was recorded. Because the verification email is sent
    // before the password step runs, $email_changed can be true while
    // $pass_error holds an error; the success line is then emitted alongside
    // the password error, and the whole message is typed 'success'.
    if ( ( ( false === $email_error ) || ( false == $pass_error ) ) && ( ( true === $pass_changed ) || ( true === $email_changed ) ) ) {
        $feedback[]    = __( 'Your settings have been saved.', 'buddypress' );
        $feedback_type = 'success';

    // Some kind of errors occurred. This branch also fires after an invalid
    // current password (nothing changed, $email_error still false), so the
    // "no changes" line is appended to that error.
    } elseif ( ( ( false === $email_error ) || ( false === $pass_error ) ) && ( ( false === $pass_changed ) || ( false === $email_changed ) ) ) {
        if ( bp_is_my_profile() ) {
            $feedback['nochange'] = __( 'No changes were made to your account.', 'buddypress' );
        } else {
            $feedback['nochange'] = __( 'No changes were made to this account.', 'buddypress' );
        }
    }

    // Set the feedback.
    bp_core_add_message( implode( "\n", $feedback ), $feedback_type );

    /**
     * Fires after the general settings have been saved, and before redirect.
     *
     * @since 1.5.0
     */
    do_action( 'bp_core_general_settings_after_save' );

    // Redirect to prevent issues with browser back button.
    bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() . '/general' ) );
}
add_action( 'bp_actions', 'bp_settings_action_general' );
 236  
 237  /**
 238   * Process email change verification or cancel requests.
 239   *
 240   * @since 2.1.0
 241   */
 242  function bp_settings_verify_email_change() {
 243      if ( ! bp_is_settings_component() ) {
 244          return;
 245      }
 246  
 247      if ( ! bp_is_my_profile() ) {
 248          return;
 249      }
 250  
 251      $redirect_to = trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() );
 252  
 253      // Email change is being verified.
 254      if ( isset( $_GET['verify_email_change'] ) ) {
 255          $pending_email = bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change', true );
 256  
 257          // Bail if the hash provided doesn't match the one saved in the database.
 258          if ( ! hash_equals( urldecode( $_GET['verify_email_change'] ), $pending_email['hash'] ) ) {
 259              return;
 260          }
 261  
 262          $email_changed = wp_update_user( array(
 263              'ID'         => bp_displayed_user_id(),
 264              'user_email' => trim( $pending_email['newemail'] ),
 265          ) );
 266  
 267          if ( $email_changed ) {
 268  
 269              // Delete the pending email change key.
 270              bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
 271  
 272              // Post a success message and redirect.
 273              bp_core_add_message( __( 'You have successfully verified your new email address.', 'buddypress' ) );
 274          } else {
 275              // Unknown error.
 276              bp_core_add_message( __( 'There was a problem verifying your new email address. Please try again.', 'buddypress' ), 'error' );
 277          }
 278  
 279          bp_core_redirect( $redirect_to );
 280          die();
 281  
 282      // Email change is being dismissed.
 283      } elseif ( ! empty( $_GET['dismiss_email_change'] ) ) {
 284          $nonce_check = isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'bp_dismiss_email_change' );
 285  
 286          if ( $nonce_check ) {
 287              bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
 288              bp_core_add_message( __( 'You have successfully dismissed your pending email change.', 'buddypress' ) );
 289          }
 290  
 291          bp_core_redirect( $redirect_to );
 292          die();
 293      }
 294  }
 295  add_action( 'bp_actions', 'bp_settings_verify_email_change' );

