Ticket #17904: 17904.7.diff
File 17904.7.diff, 19.3 KB (added by , 8 years ago) |
src/wp-admin/includes/user.php
20 20 /** 21 21 * Edit user settings based on contents of $_POST 22 22 * 23 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.23 * Used on user-edit.php, user-new.php, and profile.php to manage and process user options, passwords etc. 24 24 * 25 25 * @since 2.0.0 26 26 * … … 39 39 $update = false; 40 40 } 41 41 42 if ( !$update && isset( $_POST['user_login'] ) )43 $user->user_login = sanitize_user($_POST['user_login'], true);44 45 42 $pass1 = $pass2 = ''; 46 43 if ( isset( $_POST['pass1'] ) ) 47 44 $pass1 = $_POST['pass1']; … … 114 111 115 112 $errors = new WP_Error(); 116 113 117 /* checking that username has been typed*/118 if ( $user->user_login == '' )119 $ errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );114 /* Validate the user_login when not updating the user */ 115 if ( ! $update ) { 116 $user->user_login = ''; 120 117 118 if ( isset( $_POST['user_login'] ) ) { 119 $user->user_login = $_POST['user_login']; 120 } 121 122 wp_validate_user_login( $user->user_login, $errors ); 123 } 124 121 125 /* checking that nickname has been typed */ 122 126 if ( $update && empty( $user->nickname ) ) { 123 127 $errors->add( 'nickname', __( '<strong>ERROR</strong>: Please enter a nickname.' ) ); … … 152 156 if ( !empty( $pass1 ) ) 153 157 $user->user_pass = $pass1; 154 158 155 if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )156 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));157 158 if ( !$update && username_exists( $user->user_login ) )159 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));160 161 159 /** This filter is documented in wp-includes/user.php */ 162 160 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() ); 163 161 -
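Review bot: `$user->user_login = $_POST['user_login']` now stores the raw POST value where the old code stored `sanitize_user( $_POST['user_login'], true )`; that is only safe because `wp_validate_user_login()` flags any login that sanitising would alter and edit_user() must return `$errors` before reaching `wp_insert_user()` — that early return sits outside this hunk, so the intent deserves a comment next to the assignment: `// Kept unsanitised on purpose: the validator rejects anything sanitize_user() would change, and we return the errors before inserting.` The error code for login problems also changes here from `user_login` to `user_name`, which any screen or plugin inspecting `$errors->get_error_codes()` on the edit/new-user forms may depend on; if that is intentional it should be called out, otherwise the validator could keep emitting `user_login` for this caller.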
src/wp-includes/ms-default-filters.php
30 30 add_action( 'network_site_new_created_user', 'wp_send_new_user_notifications' ); 31 31 add_action( 'network_site_users_created_user', 'wp_send_new_user_notifications' ); 32 32 add_action( 'network_user_new_created_user', 'wp_send_new_user_notifications' ); 33 add_filter( 'sanitize_user', 'strtolower' );34 33 35 34 // Blogs 36 35 add_filter( 'wpmu_validate_blog_signup', 'signup_nonce_check' ); -
src/wp-includes/ms-functions.php
403 403 * 404 404 * @global wpdb $wpdb WordPress database abstraction object. 405 405 * 406 * @param string $user_ nameThe login name provided by the user.406 * @param string $user_login The login name provided by the user. 407 407 * @param string $user_email The email provided by the user. 408 408 * @return array Contains username, email, and error messages. 409 409 */ 410 function wpmu_validate_user_signup( $user_name, $user_email) {410 function wpmu_validate_user_signup( $user_login, $user_email ) { 411 411 global $wpdb; 412 412 413 413 $errors = new WP_Error(); 414 $orig_userlogin = $user_login; 415 wp_validate_user_login( $user_login, $errors ); 414 416 415 $orig_username = $user_name;416 $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );417 418 if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {419 $errors->add( 'user_name', __( 'Usernames can only contain lowercase letters (a-z) and numbers.' ) );420 $user_name = $orig_username;421 }422 423 417 $user_email = sanitize_email( $user_email ); 424 418 425 if ( empty( $user_name ) )426 $errors->add('user_name', __( 'Please enter a username.' ) );427 428 $illegal_names = get_site_option( 'illegal_names' );429 if ( ! is_array( $illegal_names ) ) {430 $illegal_names = array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );431 add_site_option( 'illegal_names', $illegal_names );432 }433 if ( in_array( $user_name, $illegal_names ) ) {434 $errors->add( 'user_name', __( 'Sorry, that username is not allowed.' ) );435 }436 437 /** This filter is documented in wp-includes/user.php */438 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );439 440 if ( in_array( strtolower( $user_name ), array_map( 'strtolower', $illegal_logins ) ) ) {441 $errors->add( 'user_name', __( 'Sorry, that username is not allowed.' 
) );442 }443 444 419 if ( is_email_address_unsafe( $user_email ) ) 445 420 $errors->add('user_email', __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.')); 446 421 447 if ( strlen( $user_name ) < 4 )448 $errors->add('user_name', __( 'Username must be at least 4 characters.' ) );449 450 if ( strlen( $user_name ) > 60 ) {451 $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) );452 }453 454 // all numeric?455 if ( preg_match( '/^[0-9]*$/', $user_name ) )456 $errors->add('user_name', __('Sorry, usernames must have letters too!'));457 458 422 if ( !is_email( $user_email ) ) 459 423 $errors->add('user_email', __( 'Please enter a valid email address.' ) ); 460 424 … … 466 430 } 467 431 } 468 432 469 // Check if the username has been used already.470 if ( username_exists($user_name) )471 $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );472 473 433 // Check if the email address has been used already. 474 434 if ( email_exists($user_email) ) 475 435 $errors->add( 'user_email', __( 'Sorry, that email address is already used!' 
) ); 476 436 477 // Has someone already signed up for this username?478 $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_name) );479 if ( $signup != null ) {480 $registered_at = mysql2date('U', $signup->registered);481 $now = current_time( 'timestamp', true );482 $diff = $now - $registered_at;483 // If registered more than two days ago, cancel registration and let this signup go through.484 if ( $diff > 2 * DAY_IN_SECONDS )485 $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_name ) );486 else487 $errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));488 }489 490 437 $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email) ); 491 438 if ( $signup != null ) { 492 439 $diff = current_time( 'timestamp', true ) - mysql2date('U', $signup->registered); … … 497 444 $errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.')); 498 445 } 499 446 500 $result = array( 'user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);447 $result = array( 'user_name' => $user_login, 'orig_username' => $orig_userlogin, 'user_email' => $user_email, 'errors' => $errors ); 501 448 502 449 /** 503 450 * Filters the validated user registration details. … … 717 664 global $wpdb; 718 665 719 666 // Format data 720 $user = preg_replace( '/\s +/', '', sanitize_user( $user, true ) );667 $user = preg_replace( '/\s\s+/', ' ', sanitize_user( $user, true ) ); 721 668 $user_email = sanitize_email( $user_email ); 722 669 $key = substr( md5( time() . rand() . 
$user_email ), 0, 16 ); 723 670 $meta = serialize($meta); … … 1047 994 * @return int|false Returns false on failure, or int $user_id on success 1048 995 */ 1049 996 function wpmu_create_user( $user_name, $password, $email ) { 1050 $user_name = preg_replace( '/\s +/', '', sanitize_user( $user_name, true ) );997 $user_name = preg_replace( '/\s\s+/', ' ', sanitize_user( $user_name, true ) ); 1051 998 1052 999 $user_id = wp_create_user( $user_name, $password, $email ); 1053 1000 if ( is_wp_error( $user_id ) ) -
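Review bot: The whitespace handling in wpmu_signup_user() and wpmu_create_user() changes from stripping all whitespace (`'/\s+/', ''`) to collapsing runs into a single space (`'/\s\s+/', ' '`), and wpmu_validate_user_signup() no longer strips spaces before validating, so a multisite login can now carry an internal space. If that is intended, the "no whitespace" bullet in the new validator's docblock is wrong; if it is not, the validator needs an explicit check such as `if ( preg_match( '/\s/', $user_login ) ) { $errors->add( 'user_name', __( 'Usernames cannot contain spaces.' ) ); }` rather than relying on `sanitize_user()`, which (per the patch's own comment) does not remove whitespace. Note also that `$result['user_name']` is now the caller's raw `$user_login` rather than the sanitised form, so consumers of the `wpmu_validate_user_signup` filter now receive user input verbatim and should not treat it as pre-cleaned.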
src/wp-includes/user.php
2243 2243 } 2244 2244 2245 2245 /** 2246 * Validate a provided user_login 2247 * 2248 * user_login requirements: 2249 * - minimum of 4 characters 2250 * - maximum of 60 characters 2251 * - only contains (case-insensitive) characters: a-z 0-9 _ . - @ 2252 * - no whitespace 2253 * - not on blacklist of illegal names 2254 * - contains at least one letter 2255 * - must be unique 2256 * - not pending signup already 2257 * 2258 * @since TBD 2259 * 2260 * @param string $user_login The user_login value to be be validated. 2261 * 2262 * @return True|WP_Error True if the user login is valid, WP_Error otherwise. 2263 */ 2264 function wp_validate_user_login( $user_login = '', $errors = null ) { 2265 global $wpdb; 2266 $original_user_login = $user_login; 2267 2268 if ( ! is_wp_error( $errors ) ) { 2269 $errors = new WP_Error(); 2270 } 2271 2272 // User login cannot be empty 2273 if ( empty( $user_login ) ) { 2274 $errors->add( 'user_name', __( 'Please enter a username.' ) ); 2275 } 2276 2277 // User login must be less than 60 characters 2278 if ( strlen( $user_login ) > 60 ) { 2279 $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) ); 2280 } 2281 2282 // Check if the login passes sanitize_user() which doesn't strip whitespace 2283 $user_login = sanitize_user( $user_login, true ); 2284 2285 // If the previous operation generated a different value, the username is invalid 2286 if ( $user_login !== $original_user_login ) { 2287 $errors->add( 'user_name', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' 
) ); 2288 } 2289 2290 if ( is_multisite() ) { 2291 // Check the user_login against an array of illegal names 2292 $illegal_logins = get_site_option( 'illegal_names' ); 2293 if ( false == is_array( $illegal_logins ) ) { 2294 $illegal_logins = array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' ); 2295 add_site_option( 'illegal_names', $illegal_logins ); 2296 } 2297 if ( in_array( $user_login, $illegal_logins ) ) { 2298 $errors->add( 'user_name', __( 'Sorry, that username is not allowed.' ) ); 2299 } 2300 } 2301 2302 /** This filter is documented in wp-includes/user.php */ 2303 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() ); 2304 2305 if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ) ) ) { 2306 if ( is_multisite() ) { 2307 $errors->add( 'user_name', __( 'Sorry, that username is not allowed.' ) ); 2308 } else { 2309 $errors->add( 'invalid_username', __( 'Sorry, that username is not allowed.' ) ); 2310 } 2311 } 2312 2313 if ( is_multisite() ) { 2314 // User login must have at least one letter 2315 if ( ! preg_match( '/[a-zA-Z]+/', $user_login ) ) { 2316 $errors->add( 'user_name', __( 'Sorry, usernames must have letters too!' ) ); 2317 } 2318 } 2319 2320 // Check if the username has been used already. 2321 if ( username_exists( $user_login ) ) { 2322 $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) ); 2323 } 2324 2325 if ( is_multisite() ) { 2326 // Has someone already signed up for this username? 2327 $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_login ) ); 2328 if ( $signup != null ) { 2329 $registered_at = mysql2date( 'U', $signup->registered ); 2330 $now = current_time( 'timestamp', true ); 2331 $diff = $now - $registered_at; 2332 // If registered more than two days ago, cancel registration and let this signup go through. 
2333 if ( $diff > 2 * DAY_IN_SECONDS ) 2334 $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_login ) ); 2335 else 2336 $errors->add( 'user_name', __( 'That username is currently reserved but may be available in a couple of days.' ) ); 2337 } 2338 } 2339 2340 /** 2341 * Filter whether the provided user_login is valid or not. 2342 * 2343 * @since 2.0.1 2344 * 2345 * @param bool $valid Whether given user_login is valid. 2346 * @param string $user_login user_login to check. 2347 */ 2348 $valid = apply_filters( 'validate_username', true, $user_login ); 2349 if ( ! $valid ) { 2350 $errors->add( 'user_name', __( 'Sorry, that username is invalid.' ) ); 2351 } 2352 2353 /** 2354 * Validate a user_login. A user_login can be invalidated by adding an error 2355 * to the WP_Error. 2356 * 2357 * @since TBD 2358 * 2359 * @param WP_Error $errors 2360 * @param string $user_login The user_login to validate. 2361 */ 2362 do_action( 'wp_validate_user_login', $errors, $user_login ); 2363 2364 if ( $errors->errors ) { 2365 return $errors; 2366 } else { 2367 return true; 2368 } 2369 } 2370 2371 /** 2246 2372 * Handles registering a new user. 2247 2373 * 2248 2374 * @since 2.5.0 … … 2254 2380 function register_new_user( $user_login, $user_email ) { 2255 2381 $errors = new WP_Error(); 2256 2382 2257 $sanitized_user_login = sanitize_user( $user_login );2258 2383 /** 2259 2384 * Filters the email address of a user being registered. 2260 2385 * … … 2264 2389 */ 2265 2390 $user_email = apply_filters( 'user_registration_email', $user_email ); 2266 2391 2267 // Check the username 2268 if ( $sanitized_user_login == '' ) { 2269 $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) ); 2270 } elseif ( ! validate_username( $user_login ) ) { 2271 $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' 
) ); 2272 $sanitized_user_login = ''; 2273 } elseif ( username_exists( $sanitized_user_login ) ) { 2274 $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) ); 2392 // Validate the username 2393 wp_validate_user_login( $user_login, $errors ); 2275 2394 2276 } else {2277 /** This filter is documented in wp-includes/user.php */2278 $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );2279 if ( in_array( strtolower( $sanitized_user_login ), $illegal_user_logins ) ) {2280 $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: Sorry, that username is not allowed.' ) );2281 }2282 }2283 2284 2395 // Check the email address 2285 2396 if ( $user_email == '' ) { 2286 2397 $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please type your email address.' ) ); … … 2296 2407 * 2297 2408 * @since 2.1.0 2298 2409 * 2299 * @param string $ sanitized_user_login The submitted username after being sanitized.2300 * @param string $user_email 2301 * @param WP_Error $errors 2302 * 2303 * 2410 * @param string $user_login The submitted username after being sanitized. 2411 * @param string $user_email The submitted email. 2412 * @param WP_Error $errors Contains any errors with submitted username and email, 2413 * e.g., an empty field, an invalid username or email, 2414 * or an existing username or email. 2304 2415 */ 2305 do_action( 'register_post', $ sanitized_user_login, $user_email, $errors );2416 do_action( 'register_post', $user_login, $user_email, $errors ); 2306 2417 2307 2418 /** 2308 2419 * Filters the errors encountered when a new user is being registered. 
… … 2315 2426 * 2316 2427 * @since 2.1.0 2317 2428 * 2318 * @param WP_Error $errors 2319 * 2320 * @param string $ sanitized_user_login User's username after it has been sanitized.2321 * @param string $user_email 2429 * @param WP_Error $errors A WP_Error object containing any errors encountered 2430 * during registration. 2431 * @param string $user_login User's username. 2432 * @param string $user_email User's email. 2322 2433 */ 2323 $errors = apply_filters( 'registration_errors', $errors, $ sanitized_user_login, $user_email );2434 $errors = apply_filters( 'registration_errors', $errors, $user_login, $user_email ); 2324 2435 2325 2436 if ( $errors->get_error_code() ) 2326 2437 return $errors; 2327 2438 2328 2439 $user_pass = wp_generate_password( 12, false ); 2329 $user_id = wp_create_user( $ sanitized_user_login, $user_pass, $user_email );2440 $user_id = wp_create_user( $user_login, $user_pass, $user_email ); 2330 2441 if ( ! $user_id || is_wp_error( $user_id ) ) { 2331 2442 $errors->add( 'registerfail', sprintf( __( '<strong>ERROR</strong>: Couldn’t register you… please contact the <a href="mailto:%s">webmaster</a> !' ), get_option( 'admin_email' ) ) ); 2332 2443 return $errors; -
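Review bot: The multisite `illegal_names` blacklist in wp_validate_user_login() is compared case-sensitively (`in_array( $user_login, $illegal_logins )`), and this same patch removes the `sanitize_user` → `strtolower` filter from ms-default-filters.php, so a signup for `Admin`, `ROOT` or `Administrator` would slip past the list that is meant to reserve those names, while the `illegal_user_logins` check a few lines below does lowercase both sides. Make the two checks consistent: `if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ), true ) ) {`. The docblock also promises a 4-character minimum and "no whitespace", but the body only rejects empty and over-60-character logins and the inline comment itself notes `sanitize_user()` does not strip whitespace — either add those rules or drop the bullets so the contract matches the code. The `$errors` parameter is undocumented; add `@param WP_Error|null $errors Optional. Existing error object to append to; a new WP_Error is created otherwise.` and replace the `false == is_array( … )` test with `! is_array( … )`.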
wp-signup.php
659 659 $errors = $filtered_results['errors']; 660 660 661 661 if ( empty($blogname) ) 662 $blogname = $user_name;662 $blogname = preg_replace( '|[ _.\-@]|i', '', strtolower($user_name) ); 663 663 ?> 664 664 <form id="setupform" method="post" action="wp-signup.php"> 665 665 <input type="hidden" name="stage" value="validate-blog-signup" /> -
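Review bot: The `i` modifier on `'|[ _.\-@]|i'` has no effect because the character class contains no letters; drop it for clarity: `$blogname = preg_replace( '|[ _.\-@]|', '', strtolower( $user_name ) );`. A one-line comment on why the login is flattened here would help the next reader, e.g. `// Derive a default blogname from the login: lowercase, and strip the characters a login may contain but a blogname may not.`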
tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
9 9 /** 10 10 * @dataProvider data_user_name 11 11 */ 12 public function test_user_name( $user_ name, $error_message ) {13 $v = wpmu_validate_user_signup( $user_ name, 'foo@example.com' );12 public function test_user_name( $user_login, $error_message ) { 13 $v = wpmu_validate_user_signup( $user_login, 'foo@example.com' ); 14 14 $this->assertContains( 'user_name', $v['errors']->get_error_codes(), $error_message ); 15 15 } 16 16 … … 18 18 return array( 19 19 array( 'contains spaces', 'User names with spaces are not allowed.' ), 20 20 array( 'ContainsCaps', 'User names with capital letters are not allowed.' ), 21 array( 'contains_underscores', 'User names with underscores are not allowed.' ),22 21 array( 'contains%^*()junk', 'User names with non-alphanumeric characters are not allowed.' ), 23 22 array( '', 'Empty user names are not allowed.' ), 24 array( 'foo', 'User names of 3 characters are not allowed.' ),25 array( 'fo', 'User names of 2 characters are not allowed.' ),26 array( 'f', 'User names of 1 characters are not allowed.' ),27 array( 'f', 'User names of 1 characters are not allowed.' ),28 23 array( '12345', 'User names consisting only of numbers are not allowed.' ), 29 24 array( 'thisusernamecontainsenoughcharacterstobelongerthan60characters', 'User names longer than 60 characters are not allowed.' ), 30 25 );
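Review bot: The provider still expects `'ContainsCaps'` and `'contains spaces'` to yield a `user_name` error, but nothing visible in the new wp_validate_user_login() rejects upper-case letters or a single space (the docblock calls the allowed set case-insensitive, the inline comment says `sanitize_user()` does not strip whitespace, and the multisite `strtolower` filter is removed in this patch), so those two cases look likely to fail or to be testing a rule that no longer exists. Either drop them alongside the removed `contains_underscores` row or add the corresponding check to the validator so the test documents real behaviour. If the intent is that multisite logins stay lowercase and space-free, that rule needs to live in the validator, not in a now-removed filter.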