Ticket #34180: password_reset_key.diff
File password_reset_key.diff, 4.9 KB (added by , 9 years ago) |
src/wp-includes/user-functions.php
diff --git a/src/wp-includes/user-functions.php b/src/wp-includes/user-functions.php index ec00edc..6752bfc 100644
a b function wp_destroy_all_sessions() { 2145 2145 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 2146 2146 $manager->destroy_all(); 2147 2147 } 2148 2149 /** 2150 * Creates, stores, then returns a password reset key for user. 2151 * 2152 * @since 4.4.0 2153 * 2154 * @global wpdb $wpdb WordPress database abstraction object. 2155 * @global PasswordHash $wp_hasher Portable PHP password hashing framework. 2156 * 2157 * @param WP_User $user User to retrieve password reset key for. 2158 * 2159 * @return string|WP_Error Key if successful. WP_Error on error. 2160 */ 2161 function get_password_reset_key( $user ) { 2162 global $wpdb, $wp_hasher; 2163 2164 /** 2165 * Fires before a new password is retrieved. 2166 * 2167 * @since 1.5.0 2168 * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead. 2169 * 2170 * @param string $user_login The user login name. 2171 */ 2172 do_action( 'retreive_password', $user->user_login ); 2173 2174 /** 2175 * Fires before a new password is retrieved. 2176 * 2177 * @since 1.5.1 2178 * 2179 * @param string $user_login The user login name. 2180 */ 2181 do_action( 'retrieve_password', $user->user_login ); 2182 2183 /** 2184 * Filter whether to allow a password to be reset. 2185 * 2186 * @since 2.7.0 2187 * 2188 * @param bool true Whether to allow the password to be reset. Default true. 2189 * @param int $user_data->ID The ID of the user attempting to reset a password. 2190 */ 2191 $allow = apply_filters( 'allow_password_reset', true, $user->ID ); 2192 2193 if ( ! $allow ) { 2194 return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') ); 2195 } elseif ( is_wp_error( $allow ) ) { 2196 return $allow; 2197 } 2198 2199 // Generate something random for a password reset key. 2200 $key = wp_generate_password( 20, false ); 2201 2202 /** 2203 * Fires when a password reset key is generated. 2204 * 2205 * @since 2.5.0 2206 * 2207 * @param string $user_login The username for the user. 
2208 * @param string $key The generated password reset key. 2209 */ 2210 do_action( 'retrieve_password_key', $user->user_login, $key ); 2211 2212 // Now insert the key, hashed, into the DB. 2213 if ( empty( $wp_hasher ) ) { 2214 require_once ABSPATH . WPINC . '/class-phpass.php'; 2215 $wp_hasher = new PasswordHash( 8, true ); 2216 } 2217 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 2218 $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); 2219 if ( false === $key_saved ) { 2220 return WP_Error( 'no_password_key_update', __('Could not save password reset key to database.') ); 2221 } 2222 2223 return $key; 2224 } -
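Review bot: The failure branch at new line 2220 calls `WP_Error( 'no_password_key_update', ... )` without `new`, so a failed `$wpdb->update()` would raise an undefined-function fatal instead of returning the error object the docblock promises. It should read `return new WP_Error( 'no_password_key_update', __('Could not save password reset key to database.') );`. The `false === $key_saved` test also accepts a zero-row result, so if no row matches `user_login` the caller gets a key that was never stored; treating `0` as a failure too looks safer here, but confirm against `wpdb::update()`'s return contract. The `allow_password_reset` docblock still names `$user_data->ID` although the parameter in this function is `$user`.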
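--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -313,62 +313,11 @@ function retrieve_password() {
 // Redefining user_login ensures we return the right case in the email.
 $user_login = $user_data->user_login;
 $user_email = $user_data->user_email;
+$key = get_password_reset_key( $user_data );
 
-/**
-* Fires before a new password is retrieved.
-*
-* @since 1.5.0
-* @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
-*
-* @param string $user_login The user login name.
-*/
-do_action( 'retreive_password', $user_login );
-
-/**
-* Fires before a new password is retrieved.
-*
-* @since 1.5.1
-*
-* @param string $user_login The user login name.
-*/
-do_action( 'retrieve_password', $user_login );
-
-/**
-* Filter whether to allow a password to be reset.
-*
-* @since 2.7.0
-*
-* @param bool true Whether to allow the password to be reset. Default true.
-* @param int $user_data->ID The ID of the user attempting to reset a password.
-*/
-$allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
-
-if ( ! $allow ) {
-return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
-} elseif ( is_wp_error( $allow ) ) {
-return $allow;
-}
-
-// Generate something random for a password reset key.
-$key = wp_generate_password( 20, false );
-
-/**
-* Fires when a password reset key is generated.
-*
-* @since 2.5.0
-*
-* @param string $user_login The username for the user.
-* @param string $key The generated password reset key.
-*/
-do_action( 'retrieve_password_key', $user_login, $key );
-
-// Now insert the key, hashed, into the DB.
-if ( empty( $wp_hasher ) ) {
-require_once ABSPATH . WPINC . '/class-phpass.php';
-$wp_hasher = new PasswordHash( 8, true );
+if ( is_wp_error( $key ) ) {
+return $key;
 }
-$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
-$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
 
 $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
 $message .= network_home_url( '/' ) . "\r\n\r\n";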
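Review bot: Nothing on the new side of this hunk uses `$wpdb` or `$wp_hasher` any more, so a `global $wpdb, $wp_hasher;` declaration in `retrieve_password()` is probably dead now. That declaration would sit above the hunk and is not visible here, so check the rest of the function for other uses before trimming it. A short comment above the new call, such as `// Returns WP_Error if resets are disallowed or the key could not be stored.`, would also help, since the `allow_password_reset` filter and the database write now happen out of sight in `get_password_reset_key()`. The body of `retrieve_password()` starts and ends outside this hunk.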