Changeset 11929 for trunk/wp-admin/includes/user.php
- Timestamp:
- 09/14/2009 01:57:48 PM (15 years ago)
- File:
-
- 1 edited
trunk/wp-admin/includes/user.php
r11852 r11929 26 26 27 27 if ( isset( $_POST['role'] ) ) { 28 $new_role = sanitize_text_field( $_POST['role'] ); 28 29 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 29 if ( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) {30 if ( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' ) ) { 30 31 // If the new role isn't editable by the logged-in user die with error 31 32 $editable_roles = get_editable_roles(); 32 if ( !$editable_roles[$_POST['role']])33 if ( !$editable_roles[$new_role] ) 33 34 wp_die(__('You can’t give users that role.')); 34 35 35 36 $user = new WP_User( $user_id ); 36 $user->set_role( $ _POST['role']);37 $user->set_role( $new_role ); 37 38 } 38 39 } … … 65 66 } 66 67 67 if ( isset( $_POST['user_login'] ))68 $user->user_login = esc_html( trim( $_POST['user_login'] ));68 if ( !$update && isset( $_POST['user_login'] ) ) 69 $user->user_login = sanitize_user($userdata['user_login'], true); 69 70 70 71 $pass1 = $pass2 = ''; … … 75 76 76 77 if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 77 78 $new_role = sanitize_text_field( $_POST['role'] ); 78 79 // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
79 if( $user_id != $current_user->id || $wp_roles->role_objects[$ _POST['role']]->has_cap( 'edit_users' ))80 $user->role = $ _POST['role'];80 if( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' )) 81 $user->role = $new_role; 81 82 82 83 // If the new role isn't editable by the logged-in user die with error 83 84 $editable_roles = get_editable_roles(); 84 if ( !$editable_roles[$_POST['role']])85 if ( !$editable_roles[$new_role] ) 85 86 wp_die(__('You can’t give users that role.')); 86 87 } 87 88 88 89 if ( isset( $_POST['email'] )) 89 $user->user_email = esc_html( trim( $_POST['email'] ));90 $user->user_email = sanitize_text_field( $_POST['email'] ); 90 91 if ( isset( $_POST['url'] ) ) { 91 92 if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { 92 93 $user->user_url = ''; 93 94 } else { 94 $user->user_url = esc_url( trim( $_POST['url'] ));95 $user->user_url = sanitize_url( $_POST['url'] ); 95 96 $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? 
$user->user_url : 'http://'.$user->user_url; 96 97 } 97 98 } 98 if ( isset( $_POST['first_name'] )) 99 $user->first_name = esc_html( trim( $_POST['first_name'] )); 100 if ( isset( $_POST['last_name'] )) 101 $user->last_name = esc_html( trim( $_POST['last_name'] )); 102 if ( isset( $_POST['nickname'] )) 103 $user->nickname = esc_html( trim( $_POST['nickname'] )); 104 if ( isset( $_POST['display_name'] )) 105 $user->display_name = esc_html( trim( $_POST['display_name'] )); 106 if ( isset( $_POST['description'] )) 99 if ( isset( $_POST['first_name'] ) ) 100 $user->first_name = sanitize_text_field( $_POST['first_name'] ); 101 if ( isset( $_POST['last_name'] ) ) 102 $user->last_name = sanitize_text_field( $_POST['last_name'] ); 103 if ( isset( $_POST['nickname'] ) ) 104 $user->nickname = sanitize_text_field( $_POST['nickname'] ); 105 if ( isset( $_POST['display_name'] ) ) 106 $user->display_name = sanitize_text_field( $_POST['display_name'] ); 107 108 if ( isset( $_POST['description'] ) ) 107 109 $user->description = trim( $_POST['description'] ); 108 $user_contactmethods = _wp_get_user_contactmethods(); 109 foreach ( $user_contactmethods as $method => $name) {110 111 foreach ( _wp_get_user_contactmethods() as $method => $name ) { 110 112 if ( isset( $_POST[$method] )) 111 $user->$method = esc_html( trim( $_POST[$method] ) ); 112 } 113 if ( !$update ) 114 $user->rich_editing = 'true'; // Default to true for new users. 115 else if ( isset( $_POST['rich_editing'] ) ) 116 $user->rich_editing = $_POST['rich_editing']; 117 else 118 $user->rich_editing = 'true'; 119 120 $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] )? $_POST['comment_shortcuts'] : ''; 113 $user->$method = sanitize_text_field( $_POST[$method] ); 114 } 115 116 if ( $update ) { 117 $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; 118 $user->admin_color = isset( $_POST['admin_color'] ) ? 
sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; 119 } 120 121 $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; 121 122 122 123 $user->use_ssl = 0; 123 124 if ( !empty($_POST['use_ssl']) ) 124 125 $user->use_ssl = 1; 125 126 if ( !$update )127 $user->admin_color = 'fresh'; // Default to fresh for new users.128 else if ( isset( $_POST['admin_color'] ) )129 $user->admin_color = $_POST['admin_color'];130 else131 $user->admin_color = 'fresh';132 126 133 127 $errors = new WP_Error(); … … 160 154 $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in the two password fields.' ), array( 'form-field' => 'pass1' ) ); 161 155 162 if ( !empty ( $pass1 ))156 if ( !empty( $pass1 ) ) 163 157 $user->user_pass = $pass1; 164 158 … … 166 160 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid. Please enter a valid username.' )); 167 161 168 if ( !$update && username_exists( $user->user_login ))162 if ( !$update && username_exists( $user->user_login ) ) 169 163 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' )); 170 164 171 165 /* checking e-mail address */ 172 if ( empty 166 if ( empty( $user->user_email ) ) { 173 167 $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) ); 174 } elseif ( !is_email( $user->user_email ) ) {168 } elseif ( !is_email( $user->user_email ) ) { 175 169 $errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The e-mail address isn’t correct.' ), array( 'form-field' => 'email' ) ); 176 170 } elseif ( ( $owner_id = email_exists($user->user_email) ) && $owner_id != $user->ID ) { … … 178 172 } 179 173 180 // Allow plugins to return the reown errors.174 // Allow plugins to return their own errors. 
181 175 do_action_ref_array('user_profile_update_errors', array ( &$errors, $update, &$user ) ); 182 176 … … 185 179 186 180 if ( $update ) { 187 $user_id = wp_update_user( get_object_vars( $user ) );181 $user_id = wp_update_user( get_object_vars( $user ) ); 188 182 } else { 189 $user_id = wp_insert_user( get_object_vars( $user ) );183 $user_id = wp_insert_user( get_object_vars( $user ) ); 190 184 wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); 191 185 } … … 371 365 function get_user_to_edit( $user_id ) { 372 366 $user = new WP_User( $user_id ); 373 $user->user_login = esc_attr($user->user_login);374 $user->user_email = esc_attr($user->user_email);375 $user->user_url = esc_url($user->user_url);376 $user->first_name = esc_attr($user->first_name);377 $user->last_name = esc_attr($user->last_name);378 $user->display_name = esc_attr($user->display_name);379 $user->nickname = esc_attr($user->nickname);380 367 381 368 $user_contactmethods = _wp_get_user_contactmethods(); 382 369 foreach ($user_contactmethods as $method => $name) { 383 $user->{$method} = isset( $user->{$method} ) && !empty( $user->{$method} ) ? esc_attr($user->{$method}) : ''; 384 } 385 386 $user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : ''; 370 if ( empty( $user->{$method} ) ) 371 $user->{$method} = ''; 372 } 373 374 if ( empty($user->description) ) 375 $user->description = ''; 376 377 $user = sanitize_user_object($user, 'edit'); 387 378 388 379 return $user;
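Review bot: At new line 30 in the first hunk (and again at new line 80 in the second), `$wp_roles->role_objects[$new_role]->has_cap( 'edit_users' )` dereferences the lookup before anything confirms the submitted role exists, so a request carrying an unknown `role` value calls `->has_cap()` on a missing array entry and aborts with a fatal error rather than the intended `wp_die()` message; the `get_editable_roles()` check that would reject it only runs afterwards. A guard such as `if ( ! isset( $wp_roles->role_objects[$new_role] ) )` feeding the same `wp_die()` message, placed right after `$new_role` is assigned, closes that in both places. Separately, new line 69 tests `isset( $_POST['user_login'] )` but then reads `$userdata['user_login']`; unless `$userdata` is populated from the request outside the hunk, the username stored for a new user comes from a different source than the one checked, and `sanitize_user( $_POST['user_login'], true )` looks like what was intended. Both enclosing functions start outside the hunk.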