Changeset 34923


Timestamp:
10/08/2015 12:10:41 AM (4 years ago)
Author:
SergeyBiryukov
Message:

Reset Password: Move the code for creating password reset key into a new function, get_password_reset_key(), and use it in retrieve_password().

Previously: [25231].

Props DH-Shredder.
Fixes #34180.

Location:
trunk/src
Files:
2 edited

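--- a/trunk/src/wp-includes/user-functions.php
+++ b/trunk/src/wp-includes/user-functions.php
@@ -1871,4 +1871,81 @@
 
 /**
+ * Creates, stores, then returns a password reset key for user.
+ *
+ * @since 4.4.0
+ *
+ * @global wpdb         $wpdb      WordPress database abstraction object.
+ * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
+ *
+ * @param WP_User $user User to retrieve password reset key for.
+ *
+ * @return string|WP_Error Password reset key on success. WP_Error on error.
+ */
+function get_password_reset_key( $user ) {
+    global $wpdb, $wp_hasher;
+
+    /**
+     * Fires before a new password is retrieved.
+     *
+     * @since 1.5.0
+     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
+     *
+     * @param string $user_login The user login name.
+     */
+    do_action( 'retreive_password', $user->user_login );
+
+    /**
+     * Fires before a new password is retrieved.
+     *
+     * @since 1.5.1
+     *
+     * @param string $user_login The user login name.
+     */
+    do_action( 'retrieve_password', $user->user_login );
+
+    /**
+     * Filter whether to allow a password to be reset.
+     *
+     * @since 2.7.0
+     *
+     * @param bool true           Whether to allow the password to be reset. Default true.
+     * @param int  $user_data->ID The ID of the user attempting to reset a password.
+     */
+    $allow = apply_filters( 'allow_password_reset', true, $user->ID );
+
+    if ( ! $allow ) {
+        return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
+    } elseif ( is_wp_error( $allow ) ) {
+        return $allow;
+    }
+
+    // Generate something random for a password reset key.
+    $key = wp_generate_password( 20, false );
+
+    /**
+     * Fires when a password reset key is generated.
+     *
+     * @since 2.5.0
+     *
+     * @param string $user_login The username for the user.
+     * @param string $key        The generated password reset key.
+     */
+    do_action( 'retrieve_password_key', $user->user_login, $key );
+
+    // Now insert the key, hashed, into the DB.
+    if ( empty( $wp_hasher ) ) {
+        require_once ABSPATH . WPINC . '/class-phpass.php';
+        $wp_hasher = new PasswordHash( 8, true );
+    }
+    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+    $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
+    if ( false === $key_saved ) {
+        return WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) );
+    }
+
+    return $key;
+}
+
+/**
  * Retrieves a user row based on password reset key and login
  *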
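Review bot: The failure branch after `$wpdb->update()` in get_password_reset_key() calls `WP_Error(...)` as a function because the `new` keyword is missing, so a failed key write would end in a fatal "undefined function" error instead of returning an error object. It should read `return new WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) );`, matching the `no_password_reset` return earlier in the same function. The `is_wp_error( $key )` check this commit adds in wp-login.php depends on that branch returning a WP_Error, so the reset flow cannot report a storage failure cleanly until it is fixed. The `allow_password_reset` docblock also still names `$user_data->ID` although the parameter here is `$user`.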
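--- a/trunk/src/wp-login.php
+++ b/trunk/src/wp-login.php
@@ -314,60 +314,9 @@
     $user_login = $user_data->user_login;
     $user_email = $user_data->user_email;
-
-    /**
-     * Fires before a new password is retrieved.
-     *
-     * @since 1.5.0
-     * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead.
-     *
-     * @param string $user_login The user login name.
-     */
-    do_action( 'retreive_password', $user_login );
-
-    /**
-     * Fires before a new password is retrieved.
-     *
-     * @since 1.5.1
-     *
-     * @param string $user_login The user login name.
-     */
-    do_action( 'retrieve_password', $user_login );
-
-    /**
-     * Filter whether to allow a password to be reset.
-     *
-     * @since 2.7.0
-     *
-     * @param bool true           Whether to allow the password to be reset. Default true.
-     * @param int  $user_data->ID The ID of the user attempting to reset a password.
-     */
-    $allow = apply_filters( 'allow_password_reset', true, $user_data->ID );
-
-    if ( ! $allow ) {
-        return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') );
-    } elseif ( is_wp_error( $allow ) ) {
-        return $allow;
-    }
-
-    // Generate something random for a password reset key.
-    $key = wp_generate_password( 20, false );
-
-    /**
-     * Fires when a password reset key is generated.
-     *
-     * @since 2.5.0
-     *
-     * @param string $user_login The username for the user.
-     * @param string $key        The generated password reset key.
-     */
-    do_action( 'retrieve_password_key', $user_login, $key );
-
-    // Now insert the key, hashed, into the DB.
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
-    $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
+    $key = get_password_reset_key( $user_data );
+
+    if ( is_wp_error( $key ) ) {
+        return $key;
+    }
 
     $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";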