

Ticket #34180: password_reset_key.diff

File password_reset_key.diff, 4.9 KB (added by mikeschroder, 4 years ago)

First Pass

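--- a/src/wp-includes/user-functions.php
+++ b/src/wp-includes/user-functions.php
@@ -2145,3 +2145,80 @@ function wp_destroy_all_sessions() {
         $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
         $manager->destroy_all();
 }
+
+/**
+ * Creates, stores, then returns a password reset key for user.
+ *
+ * @since 4.4.0
+ *
+ * @global wpdb         $wpdb      WordPress database abstraction object.
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
+ *
+ * @param WP_User $user User to retrieve password reset key for.
+ *
+ * @return string|WP_Error Key if successful. WP_Error on error.
+ */
+function get_password_reset_key( $user ) {
+        global $wpdb, $wp_hasher;
+
+        /**
+         * Fires before a new password is retrieved.
+         *
+         * @since 1.5.0
+         * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
+         *
+         * @param string $user_login The user login name.
+         */
+        do_action( 'retreive_password', $user->user_login );
+
+        /**
+         * Fires before a new password is retrieved.
+         *
+         * @since 1.5.1
+         *
+         * @param string $user_login The user login name.
+         */
+        do_action( 'retrieve_password', $user->user_login );
+
+        /**
+         * Filter whether to allow a password to be reset.
+         *
+         * @since 2.7.0
+         *
+         * @param bool true           Whether to allow the password to be reset. Default true.
+         * @param int  $user_data->ID The ID of the user attempting to reset a password.
+         */
+        $allow = apply_filters( 'allow_password_reset', true, $user->ID );
+
+        if ( ! $allow ) {
+                return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
+        } elseif ( is_wp_error( $allow ) ) {
+                return $allow;
+        }
+
+        // Generate something random for a password reset key.
+        $key = wp_generate_password( 20, false );
+
+        /**
+         * Fires when a password reset key is generated.
+         *
+         * @since 2.5.0
+         *
+         * @param string $user_login The username for the user.
+         * @param string $key        The generated password reset key.
+         */
+        do_action( 'retrieve_password_key', $user->user_login, $key );
+
+        // Now insert the key, hashed, into the DB.
+        if ( empty( $wp_hasher ) ) {
+                require_once ABSPATH . WPINC . '/class-phpass.php';
+                $wp_hasher = new PasswordHash( 8, true );
+        }
+        $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+        $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
+        if ( false === $key_saved ) {
+                return WP_Error( 'no_password_key_update', __('Could not save password reset key to database.') );
+        }
+
+        return $key;
+}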
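Review bot: The database-failure branch at new line 2220 does `return WP_Error( 'no_password_key_update', ... )` without `new`, so PHP will try to call an undefined function named WP_Error() and fatal instead of returning the error object the `@return string|WP_Error` contract promises; it should read `return new WP_Error( 'no_password_key_update', __('Could not save password reset key to database.') );`. Note also that `$wpdb->update()` returns the number of affected rows on success, so a result of 0 (no row matched `user_login`) passes the `false ===` check and the caller is handed a key that was never stored — presumably acceptable because later validation fails, but a comment saying so would help. The docblock for `allow_password_reset` still names `$user_data->ID` although this function's argument is `$user`; `@param int $user->ID` would match the code.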
  • src/wp-login.php

    diff --git a/src/wp-login.php b/src/wp-login.php
    index 8f676d7..8a20836 100644
    a b function retrieve_password() { 
    313313        // Redefining user_login ensures we return the right case in the email.
    314314        $user_login = $user_data->user_login;
    315315        $user_email = $user_data->user_email;
     316        $key = get_password_reset_key( $user_data );
    316317
    317         /**
    318          * Fires before a new password is retrieved.
    319          *
    320          * @since 1.5.0
    321          * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
    322          *
    323          * @param string $user_login The user login name.
    324          */
    325         do_action( 'retreive_password', $user_login );
    326 
    327         /**
    328          * Fires before a new password is retrieved.
    329          *
    330          * @since 1.5.1
    331          *
    332          * @param string $user_login The user login name.
    333          */
    334         do_action( 'retrieve_password', $user_login );
    335 
    336         /**
    337          * Filter whether to allow a password to be reset.
    338          *
    339          * @since 2.7.0
    340          *
    341          * @param bool true           Whether to allow the password to be reset. Default true.
    342          * @param int  $user_data->ID The ID of the user attempting to reset a password.
    343          */
    344         $allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
    345 
    346         if ( ! $allow ) {
    347                 return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
    348         } elseif ( is_wp_error( $allow ) ) {
    349                 return $allow;
    350         }
    351 
    352         // Generate something random for a password reset key.
    353         $key = wp_generate_password( 20, false );
    354 
    355         /**
    356          * Fires when a password reset key is generated.
    357          *
    358          * @since 2.5.0
    359          *
    360          * @param string $user_login The username for the user.
    361          * @param string $key        The generated password reset key.
    362          */
    363         do_action( 'retrieve_password_key', $user_login, $key );
    364 
    365         // Now insert the key, hashed, into the DB.
    366         if ( empty( $wp_hasher ) ) {
    367                 require_once ABSPATH . WPINC . '/class-phpass.php';
    368                 $wp_hasher = new PasswordHash( 8, true );
     318        if ( is_wp_error( $key ) ) {
     319                return $key;
    369320        }
    370         $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
    371         $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
    372321
    373322        $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    374323        $message .= network_home_url( '/' ) . "\r\n\r\n";