Ticket #38474: 38474.4.patch
File 38474.4.patch, 11.8 KB (added by , 8 years ago) |
---|
-
wp-activate.php
81 81 <label for="key"><?php _e('Activation Key:') ?></label> 82 82 <br /><input type="text" name="key" id="key" value="" size="50" /> 83 83 </p> 84 <p> 85 <label for="key"><?php _e( 'Signup ID:' ) ?></label> 86 <br /><input type="number" name="signup_id" id="signup_id" value="" size="50" /> 87 </p> 84 88 <p class="submit"> 85 89 <input id="submit" type="submit" name="Submit" class="submit" value="<?php esc_attr_e('Activate') ?>" /> 86 90 </p> … … 88 92 89 93 <?php } else { 90 94 91 $key = !empty($_GET['key']) ? $_GET['key'] : $_POST['key']; 92 $result = wpmu_activate_signup( $key ); 95 $key = ! empty( $_GET['key'] ) ? $_GET['key'] : $_POST['key']; 96 $signup_id = ! empty( $_GET['signup_id'] ) ? $_GET['signup_id'] : $_POST['signup_id']; 97 $result = wpmu_activate_signup( $key, $signup_id ); 93 98 if ( is_wp_error($result) ) { 94 99 if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) { 95 100 $signup = $result->get_error_data(); -
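Review bot: `$signup_id` is read from `$_GET`/`$_POST` with no `isset()` guard and passed to `wpmu_activate_signup()` as the raw request string, so a link or form post that carries only `key` raises an undefined-index notice and hands an untyped value onward. Normalising at the boundary keeps the type explicit, e.g. `$signup_id = absint( ! empty( $_GET['signup_id'] ) ? $_GET['signup_id'] : ( isset( $_POST['signup_id'] ) ? $_POST['signup_id'] : 0 ) );`. The new "Signup ID" label also reuses `for="key"`, so it is bound to the wrong input and should read `<label for="signup_id">`. The surrounding `if`/`else` starts outside this hunk, so whether the branch condition also needs to consider `signup_id` cannot be confirmed from here.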
wp-admin/user-new.php
158 158 } 159 159 wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) ); 160 160 if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) { 161 $ key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_keyFROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );162 $new_user = wpmu_activate_signup( $ key);161 $row = $wpdb->get_row( $wpdb->prepare( "SELECT activation_key, signup_id FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) ); 162 $new_user = wpmu_activate_signup( $row['activation_key'], $row['signup_id'] ); 163 163 if ( is_wp_error( $new_user ) ) { 164 164 $redirect = add_query_arg( array( 'update' => 'addnoconfirmation' ), 'user-new.php' ); 165 165 } elseif ( ! is_user_member_of_blog( $new_user['user_id'] ) ) { -
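Review bot: The no-confirmation path on new lines 161–162 cannot activate the signup as written. `$wpdb->get_row()` returns an object unless an output type is passed, so `$row['activation_key']` and `$row['signup_id']` are array accesses on a `stdClass`, and there is no check that a row was found at all. The value read back is also the stored `activation_key`, which the `ms-functions.php` part of this patch now writes as `<timestamp>:<hash>`; `wpmu_activate_signup()` treats a key identical to the stored value as a legacy key and returns `expired_key`. The plaintext key exists only inside `wpmu_signup_user()`, so this caller needs it handed back (for example by returning the key and insert ID from `wpmu_signup_user()`) rather than re-reading the hashed column. The enclosing block starts and ends outside this hunk.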
wp-includes/ms-default-filters.php
26 26 add_action( 'wpmu_new_user', 'newuser_notify_siteadmin' ); 27 27 add_action( 'wpmu_activate_user', 'add_new_user_to_blog', 10, 3 ); 28 28 add_action( 'wpmu_activate_user', 'wpmu_welcome_user_notification', 10, 3 ); 29 add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 4);29 add_action( 'after_signup_user', 'wpmu_signup_user_notification', 10, 5 ); 30 30 add_action( 'network_site_new_created_user', 'wp_send_new_user_notifications' ); 31 31 add_action( 'network_site_users_created_user', 'wp_send_new_user_notifications' ); 32 32 add_action( 'network_user_new_created_user', 'wp_send_new_user_notifications' ); … … 40 40 add_action( 'wpmu_new_blog', 'wpmu_log_new_registrations', 10, 2 ); 41 41 add_action( 'wpmu_new_blog', 'newblog_notify_siteadmin', 10, 2 ); 42 42 add_action( 'wpmu_activate_blog', 'wpmu_welcome_notification', 10, 5 ); 43 add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 7);43 add_action( 'after_signup_site', 'wpmu_signup_blog_notification', 10, 8 ); 44 44 45 45 // Register Nonce 46 46 add_action( 'signup_hidden_fields', 'signup_nonce_fields' ); -
wp-includes/ms-functions.php
704 704 * @param array $meta Optional. Signup meta data. By default, contains the requested privacy setting and lang_id. 705 705 */ 706 706 function wpmu_signup_blog( $domain, $path, $title, $user, $user_email, $meta = array() ) { 707 global $wpdb ;707 global $wpdb, $wp_hasher; 708 708 709 709 $key = substr( md5( time() . wp_rand() . $domain ), 0, 16 ); 710 710 711 if ( empty( $wp_hasher ) ) { 712 require_once ABSPATH . WPINC . '/class-phpass.php'; 713 $wp_hasher = new PasswordHash( 8, true ); 714 } 715 716 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 717 711 718 /** 712 719 * Filters the metadata for a site signup. 713 720 * … … 722 729 * @param string $user The user's requested login name. 723 730 * @param string $user_email The user's email address. 724 731 * @param string $key The user's activation key. 732 * @param string $hashed The user's hashed activation key. 725 733 */ 726 $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key );734 $meta = apply_filters( 'signup_site_meta', $meta, $domain, $path, $title, $user, $user_email, $key, $hashed ); 727 735 728 736 $wpdb->insert( $wpdb->signups, array( 729 737 'domain' => $domain, … … 732 740 'user_login' => $user, 733 741 'user_email' => $user_email, 734 742 'registered' => current_time('mysql', true), 735 'activation_key' => $ key,743 'activation_key' => $hashed, 736 744 'meta' => serialize( $meta ) 737 745 ) ); 738 746 … … 748 756 * @param string $user_email The user's email address. 749 757 * @param string $key The user's activation key. 750 758 * @param array $meta Signup meta data. By default, contains the requested privacy setting and lang_id. 759 * @param int $signup_id Signup ID. 760 * @param string $hashed The user's hashed activation key. 
751 761 */ 752 do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta );762 do_action( 'after_signup_site', $domain, $path, $title, $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed ); 753 763 } 754 764 755 765 /** … … 767 777 * @param array $meta Optional. Signup meta data. Default empty array. 768 778 */ 769 779 function wpmu_signup_user( $user, $user_email, $meta = array() ) { 770 global $wpdb ;780 global $wpdb, $wp_hasher; 771 781 772 782 // Format data 773 783 $user = preg_replace( '/\s+/', '', sanitize_user( $user, true ) ); … … 774 784 $user_email = sanitize_email( $user_email ); 775 785 $key = substr( md5( time() . wp_rand() . $user_email ), 0, 16 ); 776 786 787 if ( empty( $wp_hasher ) ) { 788 require_once ABSPATH . WPINC . '/class-phpass.php'; 789 $wp_hasher = new PasswordHash( 8, true ); 790 } 791 792 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 793 777 794 /** 778 795 * Filters the metadata for a user signup. 779 796 * … … 785 802 * @param string $user The user's requested login name. 786 803 * @param string $user_email The user's email address. 787 804 * @param string $key The user's activation key. 805 * @param string $hashed The user's hashed activation key. 788 806 */ 789 $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key );807 $meta = apply_filters( 'signup_user_meta', $meta, $user, $user_email, $key, $hashed ); 790 808 791 809 $wpdb->insert( $wpdb->signups, array( 792 810 'domain' => '', … … 795 813 'user_login' => $user, 796 814 'user_email' => $user_email, 797 815 'registered' => current_time('mysql', true), 798 'activation_key' => $ key,816 'activation_key' => $hashed, 799 817 'meta' => serialize( $meta ) 800 818 ) ); 801 819 … … 808 826 * @param string $user_email The user's email address. 809 827 * @param string $key The user's activation key. 810 828 * @param array $meta Signup meta data. Default empty array. 829 * @param int $signup_id Signup ID. 
830 * @param string $hashed The user's hashed activation key. 811 831 */ 812 do_action( 'after_signup_user', $user, $user_email, $key, $meta );832 do_action( 'after_signup_user', $user, $user_email, $key, $meta, $wpdb->insert_id, $hashed ); 813 833 } 814 834 815 835 /** … … 835 855 * @param string $user_email The user's email address. 836 856 * @param string $key The activation key created in wpmu_signup_blog() 837 857 * @param array $meta Optional. Signup meta data. By default, contains the requested privacy setting and lang_id. 858 * @param int $signup_id Signup ID. 838 859 * @return bool 839 860 */ 840 function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array() ) {861 function wpmu_signup_blog_notification( $domain, $path, $title, $user_login, $user_email, $key, $meta = array(), $signup_id ) { 841 862 /** 842 863 * Filters whether to bypass the new site email notification. 843 864 * … … 857 878 858 879 // Send email with activation link. 859 880 if ( !is_subdomain_install() || get_current_network_id() != 1 ) 860 $activate_url = network_site_url( "wp-activate.php?key=$key");881 $activate_url = network_site_url( "wp-activate.php?key=$key&signup_id=$signup_id" ); 861 882 else 862 $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key "; // @todo use *_url() API883 $activate_url = "http://{$domain}{$path}wp-activate.php?key=$key&signup_id=$signup_id"; // @todo use *_url() API 863 884 864 885 $activate_url = esc_url($activate_url); 865 886 $admin_email = get_site_option( 'admin_email' ); … … 949 970 * @param string $user_email The user's email address. 950 971 * @param string $key The activation key created in wpmu_signup_user() 951 972 * @param array $meta Optional. Signup meta data. Default empty array. 973 * @param int $signup_id Signup ID. 
952 974 * @return bool 953 975 */ 954 function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array() ) {976 function wpmu_signup_user_notification( $user_login, $user_email, $key, $meta = array(), $signup_id ) { 955 977 /** 956 978 * Filters whether to bypass the email notification for new user sign-up. 957 979 * … … 992 1014 __( "To activate your user, please click the following link:\n\n%s\n\nAfter you activate, you will receive *another email* with your login." ), 993 1015 $user_login, $user_email, $key, $meta 994 1016 ), 995 site_url( "wp-activate.php?key=$key " )1017 site_url( "wp-activate.php?key=$key&signup_id=$signup_id" ) 996 1018 ); 997 1019 // TODO: Don't hard code activation link. 998 1020 $subject = sprintf( … … 1037 1059 * @global wpdb $wpdb WordPress database abstraction object. 1038 1060 * 1039 1061 * @param string $key The activation key provided to the user. 1062 * @param int $signup_id The Signup ID. 1040 1063 * @return array|WP_Error An array containing information about the activated user and/or blog 1041 1064 */ 1042 function wpmu_activate_signup( $key) {1043 global $wpdb ;1065 function wpmu_activate_signup( $key, $signup_id ) { 1066 global $wpdb, $wp_hasher; 1044 1067 1045 $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = %s", $key) );1068 $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE activation_key = %s OR signup_id = %d", $key, $signup_id ) ); 1046 1069 1047 if ( empty( $signup ) ) 1070 if ( empty( $signup ) ) { 1071 return new WP_Error( 'invalid_id', __( 'Invalid signup ID.' ) ); 1072 } 1073 1074 // If the key requested matches the actual key in the database, it's a legacy one. 1075 if ( $key === $signup->activation_key ) { 1076 return new WP_Error( 'expired_key', __( 'Invalid key' ) ); 1077 } 1078 1079 // The format of the new keys is <timestamp>:<hashed_key>. 
1080 if ( false === strpos( $signup->activation_key, ':' ) ) { 1048 1081 return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) ); 1082 } 1049 1083 1084 if ( empty( $wp_hasher ) ) { 1085 require_once ABSPATH . WPINC . '/class-phpass.php'; 1086 $wp_hasher = new PasswordHash( 8, true ); 1087 } 1088 1089 list( $pass_request_time, $signup_key ) = explode( ':', $signup->activation_key, 2 ); 1090 1091 if ( ! $wp_hasher->CheckPassword( $key, $signup_key ) ) { 1092 return new WP_Error( 'invalid_key', __( 'Invalid activation key.' ) ); 1093 } 1094 1095 /** 1096 * Filters the expiration time of signup activation keys. 1097 * 1098 * @since 5.0 1099 * 1100 * @param int $expiration_duration The expiration time in seconds. 1101 */ 1102 $expiration_duration = apply_filters( 'activate_signup_expiration', DAY_IN_SECONDS ); 1103 $expiration_time = $pass_request_time + $expiration_duration; 1104 1105 if ( time() > $expiration_time ) { 1106 return new WP_Error( 'expired_key', __( 'Invalid key' ) ); 1107 } 1108 1050 1109 if ( $signup->active ) { 1051 1110 if ( empty( $signup->domain ) ) 1052 1111 return new WP_Error( 'already_active', __( 'The user is already active.' ), $signup );