WordPress.org

Make WordPress Core

Ticket #5405: wp-login.diff

File wp-login.diff, 27.6 KB (added by ryan, 10 years ago)
  • wp-login.php

     
    11<?php
    22require( dirname(__FILE__) . '/wp-config.php' );
    33
    4 $action = $_REQUEST['action'];
    5 $errors = array();
    6 
    7 if ( isset($_GET['key']) )
    8         $action = 'resetpass';
    9 
    10 nocache_headers();
    11 
    12 header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
    13 
    14 if ( defined('RELOCATE') ) { // Move flag is set
    15         if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) )
    16                 $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
    17 
    18         $schema = ( isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ) ? 'https://' : 'http://';
    19         if ( dirname($schema . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']) != get_option('siteurl') )
    20                 update_option('siteurl', dirname($schema . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']) );
    21 }
    22 
    23 //Set a cookie now to see if they are supported by the browser.
    24 setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
    25 if ( SITECOOKIEPATH != COOKIEPATH )
    26         setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
    27 
    284// Rather than duplicating this HTML all over the place, we'll stick it in function
    29 function login_header($title = 'Login', $message = '') {
    30         global $errors, $error;
     5function login_header($title = 'Login', $message = '', $wp_error = '') {
     6        global $error;
    317
     8        if ( empty($wp_error) )
     9                $wp_error = new WP_Error();
    3210        ?>
    3311<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    3412<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
     
    5028<?php
    5129        if ( !empty( $message ) ) echo apply_filters('login_message', $message) . "\n";
    5230
    53         // Incase a plugin uses $error rather than the $errors array
     31        // Incase a plugin uses $error rather than the $errors object
    5432        if ( !empty( $error ) ) {
    55                 $errors['error'] = $error;
     33                $wp_error->add('error', $error);
    5634                unset($error);
    5735        }
    5836
    59         if ( !empty( $errors ) ) {
    60                 if ( is_array( $errors ) ) {
    61                         $newerrors = "\n";
    62                         foreach ( $errors as $error ) $newerrors .= '   ' . $error . "<br />\n";
    63                         $errors = $newerrors;
    64                 }
     37        if ( $wp_error->get_error_code() ) {
     38                $errors = "\n";
     39                foreach ( $wp_error->get_error_messages() as $error )
     40                        $errors .= '    ' . $error . "<br />\n";
    6541
    6642                echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
    6743        }
    6844} // End of login_header()
    6945
     46function retrieve_password() {
     47        global $wpdb;
     48
     49        $errors = new WP_Error();
     50
     51        if ( empty( $_POST['user_login'] ) && empty( $_POST['user_email'] ) )
     52                $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
     53
     54        if ( strstr($_POST['user_login'], '@') ) {
     55                $user_data = get_user_by_email(trim($_POST['user_login']));
     56                if ( empty($user_data) )
     57                        $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
     58        } else {
     59                $login = trim($_POST['user_login']);
     60                $user_data = get_userdatabylogin($login);
     61        }
     62
     63        do_action('lostpassword_post');
     64
     65        if ( $errors->get_error_code() )
     66                return $errors;
     67       
     68        if ( !$user_data ) {
     69                $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
     70                return $errors;
     71        }
     72
     73        // redefining user_login ensures we return the right case in the email
     74        $user_login = $user_data->user_login;
     75        $user_email = $user_data->user_email;
     76
     77        do_action('retreive_password', $user_login);  // Misspelled and deprecated
     78        do_action('retrieve_password', $user_login);
     79
     80        // Generate something random for a key...
     81        $key = wp_generate_password();
     82        // Now insert the new md5 key into the db
     83        $wpdb->query("UPDATE $wpdb->users SET user_activation_key = '$key' WHERE user_login = '$user_login'");
     84        $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
     85        $message .= get_option('siteurl') . "\r\n\r\n";
     86        $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
     87        $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
     88        $message .= get_option('siteurl') . "/wp-login.php?action=rp&key=$key\r\n";
     89
     90        if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) )
     91                die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
     92
     93        return true;
     94}
     95
     96function reset_password($key) {
     97        global $wpdb;
     98
     99        $key = preg_replace('/[^a-z0-9]/i', '', $key);
     100
     101        if ( empty( $key ) )
     102                return new WP_Error('invalid_key', __('Invalid key'));
     103
     104        $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_activation_key = '$key'");
     105        if ( empty( $user ) )
     106                return new WP_Error('invalid_key', __('Invalid key'));
     107
     108        do_action('password_reset');
     109
     110        // Generate something random for a password...
     111        $new_pass = wp_generate_password();
     112        wp_set_password($new_pass, $user->ID);
     113        $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
     114        $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
     115        $message .= get_option('siteurl') . "/wp-login.php\r\n";
     116
     117        if (  !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) )
     118                die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
     119
     120        // send a copy of password change notification to the admin
     121        // but check to see if it's the admin whose password we're changing, and skip this
     122        if ( $user->user_email != get_option('admin_email') ) {
     123                $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
     124                wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message);
     125        }
     126
     127        return true;
     128}
     129
     130function register_new_user($user_login, $user_email) {
     131        $errors = new WP_Error();
     132
     133        $user_login = sanitize_user( $user_login );
     134        $user_email = apply_filters( 'user_registration_email', $user_email );
     135
     136        // Check the username
     137        if ( $user_login == '' )
     138                $errors->add('empty_username', __('<strong>ERROR</strong>: Please enter a username.'));
     139        elseif ( !validate_username( $user_login ) ) {
     140                $errors->add('invalid_username', __('<strong>ERROR</strong>: This username is invalid.  Please enter a valid username.'));
     141                $user_login = '';
     142        } elseif ( username_exists( $user_login ) )
     143                $errors->add('username_exists', __('<strong>ERROR</strong>: This username is already registered, please choose another one.'));
     144
     145        // Check the e-mail address
     146        if ($user_email == '') {
     147                $errors->add('empty_email', __('<strong>ERROR</strong>: Please type your e-mail address.'));
     148        } elseif ( !is_email( $user_email ) ) {
     149                $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn&#8217;t correct.'));
     150                $user_email = '';
     151        } elseif ( email_exists( $user_email ) )
     152                $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'));
     153
     154        do_action('register_post');
     155
     156        $errors = apply_filters( 'registration_errors', $errors );
     157
     158        if ( $errors->get_error_code() )
     159                return $errors;
     160
     161        $user_pass = wp_generate_password();
     162        $user_id = wp_create_user( $user_login, $user_pass, $user_email );
     163        if ( !$user_id ) {
     164                $errors->add('registerfail', sprintf(__('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:%s">webmaster</a> !'), get_option('admin_email')));
     165                return $errors;
     166        }
     167
     168        wp_new_user_notification($user_id, $user_pass);
     169
     170        return $user_id;
     171}
     172
     173//
     174// Main
     175//
     176
     177$action = $_REQUEST['action'];
     178$errors = new WP_Error();
     179
     180if ( isset($_GET['key']) )
     181        $action = 'resetpass';
     182
     183nocache_headers();
     184
     185header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
     186
     187if ( defined('RELOCATE') ) { // Move flag is set
     188        if ( isset( $_SERVER['PATH_INFO'] ) && ($_SERVER['PATH_INFO'] != $_SERVER['PHP_SELF']) )
     189                $_SERVER['PHP_SELF'] = str_replace( $_SERVER['PATH_INFO'], '', $_SERVER['PHP_SELF'] );
     190
     191        $schema = ( isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on' ) ? 'https://' : 'http://';
     192        if ( dirname($schema . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']) != get_option('siteurl') )
     193                update_option('siteurl', dirname($schema . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']) );
     194}
     195
     196//Set a cookie now to see if they are supported by the browser.
     197setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
     198if ( SITECOOKIEPATH != COOKIEPATH )
     199        setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
     200
    70201$http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
    71202switch ($action) {
    72203
    73204case 'logout' :
    74205
    75         wp_clearcookie();
    76         do_action('wp_logout');
     206        wp_logout();
    77207
    78208        $redirect_to = 'wp-login.php?loggedout=true';
    79209        if ( isset( $_REQUEST['redirect_to'] ) )
     
    86216
    87217case 'lostpassword' :
    88218case 'retrievepassword' :
    89         $user_login = '';
    90         $user_pass = '';
    91 
    92219        if ( $http_post ) {
    93                 if ( empty( $_POST['user_login'] ) )
    94                         $errors['user_login'] = __('<strong>ERROR</strong>: The username field is empty.');
    95                 if ( empty( $_POST['user_email'] ) )
    96                         $errors['user_email'] = __('<strong>ERROR</strong>: The e-mail field is empty.');
    97 
    98                 do_action('lostpassword_post');
    99 
    100                 if ( empty( $errors ) ) {
    101                         $user_data = get_userdatabylogin(trim($_POST['user_login']));
    102                         // redefining user_login ensures we return the right case in the email
    103                         $user_login = $user_data->user_login;
    104                         $user_email = $user_data->user_email;
    105 
    106                         if (!$user_email || $user_email != $_POST['user_email']) {
    107                                 $errors['invalidcombo'] = __('<strong>ERROR</strong>: Invalid username / e-mail combination.');
    108                         } else {
    109                                 do_action('retreive_password', $user_login);  // Misspelled and deprecated
    110                                 do_action('retrieve_password', $user_login);
    111 
    112                                 // Generate something random for a key...
    113                                 $key = substr( md5( uniqid( microtime() ) ), 0, 8);
    114                                 // Now insert the new md5 key into the db
    115                                 $wpdb->query("UPDATE $wpdb->users SET user_activation_key = '$key' WHERE user_login = '$user_login'");
    116                                 $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
    117                                 $message .= get_option('siteurl') . "\r\n\r\n";
    118                                 $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
    119                                 $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
    120                                 $message .= get_option('siteurl') . "/wp-login.php?action=rp&key=$key\r\n";
    121 
    122                                 if (FALSE == wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message)) {
    123                                         die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
    124                                 } else {
    125                                         wp_redirect('wp-login.php?checkemail=confirm');
    126                                         exit();
    127                                 }
    128                         }
     220                $errors = retrieve_password();
     221                if ( !is_wp_error($errors) ) {
     222                        wp_redirect('wp-login.php?checkemail=confirm');
     223                        exit();
    129224                }
    130225        }
    131226
    132         if ( 'invalidkey' == $_GET['error'] ) $errors['invalidkey'] = __('Sorry, that key does not appear to be valid.');
     227        if ( 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.'));
    133228
    134229        do_action('lost_password');
    135         login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username and e-mail address. You will receive a new password via e-mail.') . '</p>');
     230        login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username and e-mail address. You will receive a new password via e-mail.') . '</p>', $errors);
    136231?>
    137232
    138233<form name="lostpasswordform" id="lostpasswordform" action="wp-login.php?action=lostpassword" method="post">
    139234        <p>
    140                 <label><?php _e('Username') ?><br />
     235                <label><?php _e('Username or E-mail:') ?><br />
    141236                <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label>
    142237        </p>
    143         <p>
    144                 <label><?php _e('E-mail') ?><br />
    145                 <input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_email'])); ?>" size="25" tabindex="20" /></label>
    146         </p>
    147238<?php do_action('lostpassword_form'); ?>
    148239        <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Get New Password &raquo;'); ?>" tabindex="100" /></p>
    149240    <div><br clear="all" /></div>
     
    169260
    170261case 'resetpass' :
    171262case 'rp' :
    172         $key = preg_replace('/[^a-z0-9]/i', '', $_GET['key']);
    173         if ( empty( $key ) ) {
    174                 wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    175                 exit();
    176         }
     263        $errors = reset_password($_GET['key']);
    177264
    178         $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_activation_key = '$key'");
    179         if ( empty( $user ) ) {
    180                 wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
     265        if ( ! is_wp_error($errors) ) {
     266                wp_redirect('wp-login.php?checkemail=newpass');
    181267                exit();
    182268        }
    183269
    184         do_action('password_reset');
     270        wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
     271        exit();
    185272
    186         // Generate something random for a password...
    187         $new_pass = wp_generate_password();
    188         wp_set_password($new_pass, $user->ID);
    189         $message  = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
    190         $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
    191         $message .= get_option('siteurl') . "/wp-login.php\r\n";
    192 
    193         if (FALSE == wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message)) {
    194                 die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
    195         } else {
    196                 // send a copy of password change notification to the admin
    197                 // but check to see if it's the admin whose password we're changing, and skip this
    198                 if ($user->user_email != get_option('admin_email')) {
    199                         $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n";
    200                         wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message);
    201                 }
    202 
    203                 wp_redirect('wp-login.php?checkemail=newpass');
    204                 exit();
    205         }
    206273break;
    207274
    208275case 'register' :
    209         if ( FALSE == get_option('users_can_register') ) {
     276        if ( !get_option('users_can_register') ) {
    210277                wp_redirect('wp-login.php?registration=disabled');
    211278                exit();
    212279        }
    213280
     281        $user_login = '';
     282        $user_email = '';
    214283        if ( $http_post ) {
    215284                require_once( ABSPATH . WPINC . '/registration.php');
    216285
    217                 $user_login = sanitize_user( $_POST['user_login'] );
    218                 $user_email = apply_filters( 'user_registration_email', $_POST['user_email'] );
    219 
    220                 // Check the username
    221                 if ( $user_login == '' )
    222                         $errors['user_login'] = __('<strong>ERROR</strong>: Please enter a username.');
    223                 elseif ( !validate_username( $user_login ) ) {
    224                         $errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid.  Please enter a valid username.');
    225                         $user_login = '';
    226                 } elseif ( username_exists( $user_login ) )
    227                         $errors['user_login'] = __('<strong>ERROR</strong>: This username is already registered, please choose another one.');
    228 
    229                 // Check the e-mail address
    230                 if ($user_email == '') {
    231                         $errors['user_email'] = __('<strong>ERROR</strong>: Please type your e-mail address.');
    232                 } elseif ( !is_email( $user_email ) ) {
    233                         $errors['user_email'] = __('<strong>ERROR</strong>: The email address isn&#8217;t correct.');
    234                         $user_email = '';
    235                 } elseif ( email_exists( $user_email ) )
    236                         $errors['user_email'] = __('<strong>ERROR</strong>: This email is already registered, please choose another one.');
    237 
    238                 do_action('register_post');
    239 
    240                 $errors = apply_filters( 'registration_errors', $errors );
    241 
    242                 if ( empty( $errors ) ) {
    243                         $user_pass = wp_generate_password();
    244 
    245                         $user_id = wp_create_user( $user_login, $user_pass, $user_email );
    246                         if ( !$user_id )
    247                                 $errors['registerfail'] = sprintf(__('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:%s">webmaster</a> !'), get_option('admin_email'));
    248                         else {
    249                                 wp_new_user_notification($user_id, $user_pass);
    250 
    251                                 wp_redirect('wp-login.php?checkemail=registered');
    252                                 exit();
    253                         }
     286                $user_login = $_POST['user_login'];
     287                $user_email = $_POST['user_email'];
     288                $errors = register_new_user($user_login, $user_email);
     289                if ( !is_wp_error($errors) ) {
     290                        wp_redirect('wp-login.php?checkemail=registered');
     291                        exit();
    254292                }
    255293        }
    256294
    257         login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>');
     295        login_header(__('Registration Form'), '<p class="message register">' . __('Register For This Site') . '</p>', $errors);
    258296?>
    259297
    260298<form name="registerform" id="registerform" action="wp-login.php?action=register" method="post">
     
    288326
    289327case 'login' :
    290328default:
    291         $user_login = '';
    292         $user_pass = '';
    293 
    294329        if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() )
    295330                $redirect_to = 'wp-admin/';
    296331        else
    297332                $redirect_to = $_REQUEST['redirect_to'];
    298333
    299         if ( $http_post ) {
    300                 // If cookies are disabled we can't log in even with a valid user+pass
    301                 if ( empty($_COOKIE[TEST_COOKIE]) )
    302                         $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.');
    303                
    304                 $user_login = $_POST['log'];
    305                 $user_login = sanitize_user( $user_login );
    306                 $user_pass  = $_POST['pwd'];
    307                 $rememberme = $_POST['rememberme'];
     334        $user = wp_signon();
    308335
    309                 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass));
    310         } else {
    311                 $user = wp_validate_auth_cookie();
    312                 if ( !$user ) {
    313                         if ( empty($_GET['loggedout']) && !empty($_COOKIE[AUTH_COOKIE]) )
    314                                 $errors['expiredsession'] = __('Your session has expired.');
    315                 } else {
    316                         $user = new WP_User($user);
    317 
    318                         // If the user can't edit posts, send them to their profile.
    319                         if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
    320                                 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
    321                         wp_safe_redirect($redirect_to);
    322                         exit();
    323                 }
    324         }
    325 
    326         if ( $user_login && $user_pass && empty( $errors ) ) {
    327                 $user = new WP_User(0, $user_login);
    328 
     336        if ( !is_wp_error($user) ) {
    329337                // If the user can't edit posts, send them to their profile.
    330338                if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) )
    331                         $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
    332 
    333                 if ( wp_login($user_login, $user_pass) ) {
    334                         wp_set_auth_cookie($user->ID, $rememberme);
    335                         do_action('wp_login', $user_login);
    336                         wp_safe_redirect($redirect_to);
    337                         exit();
    338                 }
     339                        $redirect_to = get_option('siteurl') . '/wp-admin/profile.php';
     340                wp_safe_redirect($redirect_to);
     341                exit();
    339342        }
     343       
     344        $errors = $user;
     345        // Clear errors if loggedout is set.
     346        if ( !empty($_GET['loggedout']) )
     347                $errors = new WP_Error();
    340348
    341         if ( $http_post && empty( $user_login ) )
    342                 $errors['user_login'] = __('<strong>ERROR</strong>: The username field is empty.');
    343         if ( $http_post && empty( $user_pass ) )
    344                 $errors['user_pass'] = __('<strong>ERROR</strong>: The password field is empty.');
     349        // If cookies are disabled we can't log in even with a valid user+pass
     350        if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
     351                $errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
    345352
    346353        // Some parts of this script use the main login form to display a message
    347         if              ( TRUE == $_GET['loggedout'] )                  $errors['loggedout']            = __('You are now logged out.');
    348         elseif  ( 'disabled' == $_GET['registration'] ) $errors['registerdiabled']      = __('User registration is currently not allowed.');
    349         elseif  ( 'confirm' == $_GET['checkemail'] )    $errors['confirm']                      = __('Check your e-mail for the confirmation link.');
    350         elseif  ( 'newpass' == $_GET['checkemail'] )    $errors['newpass']                      = __('Check your e-mail for your new password.');
    351         elseif  ( 'registered' == $_GET['checkemail'] ) $errors['registered']           = __('Registration complete. Please check your e-mail.');
     354        if              ( TRUE == $_GET['loggedout'] )                  $errors->add('loggedout', __('You are now logged out.'));
     355        elseif  ( 'disabled' == $_GET['registration'] ) $errors->add('registerdiabled', __('User registration is currently not allowed.'));
     356        elseif  ( 'confirm' == $_GET['checkemail'] )    $errors->add('confirm', __('Check your e-mail for the confirmation link.'));
     357        elseif  ( 'newpass' == $_GET['checkemail'] )    $errors->add('newpass', __('Check your e-mail for your new password.'));
     358        elseif  ( 'registered' == $_GET['checkemail'] ) $errors->add('registered', __('Registration complete. Please check your e-mail.'));
    352359
    353         login_header(__('Login'));
     360        login_header(__('Login'), '', $errors);
    354361?>
    355362
    356363<form name="loginform" id="loginform" action="wp-login.php" method="post">
     
    368375        <p class="submit">
    369376                <input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Log in'); ?> &raquo;" tabindex="100" />
    370377                <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" />
     378                <input type="hidden" name="testcookie" value="1" />
    371379  <div><br clear="all" /></div>
    372380        </p>
    373381<?php else : ?>
  • wp-includes/pluggable.php

     
    413413}
    414414endif;
    415415
    416 if ( !function_exists('wp_login') ) :
    417416/**
    418  * wp_login() - Checks a users login information and logs them in if it checks out
     417 * wp_authenticate() - Checks a user's login information and logs them in if it checks out
     418 * @since 2.5
    419419 *
    420  * Use the global $error to get the reason why the login failed.
    421  * If the username is blank, no error will be set, so assume
    422  * blank username on that case.
    423  *
    424  * Plugins extending this function should also provide the global
    425  * $error and set what the error is, so that those checking the
    426  * global for why there was a failure can utilize it later.
    427  *
    428  * @since 1.2.2
    429  * @global string $error Error when false is returned
    430  *
    431420 * @param string $username User's username
    432421 * @param string $password User's password
    433  * @param bool $deprecated Not used
    434  * @return bool False on login failure, true on successful check
     422 * @return WP_Error|WP_User WP_User object if login successful, otherwise WP_Error object.
    435423 */
    436 function wp_login($username, $password, $deprecated = '') {
    437         global $error;
    438 
     424function wp_authenticate($username, $password) {
    439425        $username = sanitize_user($username);
    440426
    441427        if ( '' == $username )
    442                 return false;
     428                return new WP_Error('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
    443429
    444         if ( '' == $password ) {
    445                 $error = __('<strong>ERROR</strong>: The password field is empty.');
    446                 return false;
    447         }
     430        if ( '' == $password )
     431                return new WP_Error('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
    448432
    449433        $user = get_userdatabylogin($username);
    450434
    451         if ( !$user || ($user->user_login != $username) ) {
    452                 $error = __('<strong>ERROR</strong>: Invalid username.');
    453                 return false;
    454         }
     435        if ( !$user || ($user->user_login != $username) )
     436                return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
    455437
    456         if ( !wp_check_password($password, $user->user_pass) ) {
    457                 $error = __('<strong>ERROR</strong>: Incorrect password.');
    458                 return false;
    459         }
     438        if ( !wp_check_password($password, $user->user_pass) )
     439                return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
    460440
    461441        // If using old md5 password, rehash.
    462442        if ( strlen($user->user_pass) <= 32 )
    463443                wp_set_password($password, $user->ID);
    464444
    465         return true;
     445        return new WP_User($user->ID);
    466446}
    467 endif;
    468447
     448/**
     449 * wp_logout() - Log the current user out
     450 * @since 2.5
     451 *
     452 */
     453function wp_logout() {
     454        wp_clear_auth_cookie();
     455        do_action('wp_logout');
     456}
     457
    469458if ( !function_exists('wp_validate_auth_cookie') ) :
    470459/**
    471460 * wp_validate_auth_cookie() - Validates authentication cookie
     
    12251214}
    12261215endif;
    12271216
     1217if ( !function_exists('wp_login') ) :
     1218/**
     1219 * wp_login() - Checks a users login information and logs them in if it checks out
     1220 *
     1221 * Use the global $error to get the reason why the login failed.
     1222 * If the username is blank, no error will be set, so assume
     1223 * blank username on that case.
     1224 *
     1225 * Plugins extending this function should also provide the global
     1226 * $error and set what the error is, so that those checking the
     1227 * global for why there was a failure can utilize it later.
     1228 *
     1229 * @since 1.2.2
     1230 * @deprecated Use wp_signin()
     1231 * @global string $error Error when false is returned
     1232 *
     1233 * @param string $username User's username
     1234 * @param string $password User's password
     1235 * @param bool $deprecated Not used
     1236 * @return bool False on login failure, true on successful check
     1237 */
     1238function wp_login($username, $password, $deprecated = '') {
     1239        global $error;
     1240
     1241        $user = wp_authenticate($username, $password);
     1242
     1243        if ( ! is_wp_error($user) )
     1244                return true;
     1245
     1246        $error = $user->get_error_message();
     1247        return false;
     1248}
     1249endif;
     1250
    12281251?>
  • wp-includes/user.php

     
    11<?php
    22
     3function wp_signon( $credentials = '' ) {
     4        if ( empty($credentials) ) {
     5                if ( ! empty($_POST['log']) )
     6                        $credentials['user_login'] = $_POST['log'];
     7                if ( ! empty($_POST['pwd']) )
     8                        $credentials['user_password'] = $_POST['pwd'];
     9                if ( ! empty($_POST['rememberme']) )
     10                        $credentials['remember'] = $_POST['rememberme'];
     11        }
     12
     13        if ( !empty($credentials['user_login']) )
     14                $credentials['user_login'] = sanitize_user($credentials['user_login']);
     15        if ( !empty($credentials['user_password']) )
     16                $credentials['user_password'] = trim($credentials['user_password']);
     17        if ( !empty($credentials['remember']) )
     18                $credentials['remember'] = true;
     19        else
     20                $credentials['remember'] = false;
     21
     22        // If no credential info provided, check cookie.
     23        if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
     24                        $user = wp_validate_auth_cookie();
     25                        if ( $user )
     26                                return new WP_User($user);
     27
     28                        if ( !empty($_COOKIE[AUTH_COOKIE]) )
     29                                return new WP_Error('expired_session', __('Your session has expired.'));
     30
     31                        // If the cookie is not set, be silent.
     32                        return new WP_Error();
     33        }
     34
     35        if ( empty($credentials['user_login']) || empty($credentials['user_password']) ) {
     36                $error = new WP_Error();
     37
     38                if ( empty($credentials['user_login']) )
     39                        $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
     40                if ( empty($credentials['user_password']) )
     41                        $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
     42                return $error;
     43        }
     44
     45        do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
     46
     47        $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
     48        if ( is_wp_error($user) )
     49                return $user;
     50
     51        wp_set_auth_cookie($user->ID);
     52        do_action('wp_login', $credentials['user_login']);
     53        return $user;
     54}
     55
    356function get_profile($field, $user = false) {
    457        global $wpdb;
    558        if ( !$user )
     
    1568
    1669// TODO: xmlrpc only.  Maybe move to xmlrpc.php.
    1770function user_pass_ok($user_login,$user_pass) {
    18         $userdata = get_userdatabylogin($user_login);
    19         return wp_check_password($user_pass, $userdata->user_pass);
     71        $user = wp_authenticate($user_login, $user_pass);
     72        if ( is_wp_error($user) )
     73                return false;
     74
     75        return true;
    2076}
    2177
    2278//