- Timestamp:
- 04/06/2018 07:09:53 PM (6 years ago)
- Location:
- trunk/src
- Files:
-
- 2 edited
trunk/src/wp-includes/user.php
r42827 r42964 2816 2816 * @since 5.0.0 2817 2817 * 2818 * @param string $action_name Name of the action that is being confirmed. 2819 * @param string $action_description User facing description of the action they will be confirming. 2820 * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address. 2821 * 2822 * @return WP_ERROR|bool Will return true/false based on the success of sending the email, or a WP_Error object. 2823 */ 2824 function send_confirm_account_action_email( $action_name, $action_description = '', $email = '' ) { 2818 * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address. 2819 * @param string $action_name Name of the action that is being confirmed. Defaults to 'confirm_email'. 2820 * @param string $action_description User facing description of the action they will be confirming. Defaults to "confirm your email address". 2821 * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed. 2822 * @return WP_Error|bool Will return true/false based on the success of sending the email, or a WP_Error object. 2823 */ 2824 function wp_send_account_verification_key( $email = '', $action_name = '', $action_description = '', $request_data = array() ) { 2825 if ( ! function_exists( 'wp_get_current_user' ) ) { 2826 return new WP_Error( 'invalid', __( 'This function cannot be used before init.' ) ); 2827 } 2828 2825 2829 $action_name = sanitize_key( $action_name ); 2826 2830 $action_description = wp_kses_post( $action_description ); 2827 2831 2828 2832 if ( empty( $action_name ) ) { 2829 return new WP_Error( 'invalid_action', __( 'Invalid action' ) ); 2833 $action_name = 'confirm_email'; 2834 } 2835 2836 if ( empty( $action_description ) ) { 2837 $action_description = __( 'Confirm your email address.' 
); 2830 2838 } 2831 2839 … … 2847 2855 } 2848 2856 2857 $confirm_key = wp_get_account_verification_key( $email, $action_name, $request_data ); 2858 2859 if ( is_wp_error( $confirm_key ) ) { 2860 return $confirm_key; 2861 } 2862 2849 2863 // We could be dealing with a registered user account, or a visitor. 2850 2864 $is_registered_user = $user && ! is_wp_error( $user ); 2851 $uid = $is_registered_user ? $user->ID : hash( 'sha256', $email ); 2852 $confirm_key = get_confirm_account_action_key( $action_name, $email ); 2853 2854 if ( is_wp_error( $confirm_key ) ) { 2855 return $confirm_key; 2856 } 2857 2858 // Prepare the email content. 2859 if ( ! $action_description ) { 2860 $action_description = $action_name; 2865 2866 if ( $is_registered_user ) { 2867 $uid = $user->ID; 2868 } else { 2869 // Generate a UID for this email address so we don't send the actual email in the query string. Hash is not supported on all systems. 2870 $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email ); 2861 2871 } 2862 2872 … … 2865 2875 'Howdy, 2866 2876 2867 An account linked to your email address has requested to perform 2868 the following action: 2877 A request has been made to perform the following action on your account: 2869 2878 2870 2879 ###DESCRIPTION### 2871 2880 2872 To confirm this action, please click on the following link:2881 To confirm this, please click on the following link: 2873 2882 ###CONFIRM_URL### 2874 2883 … … 2888 2897 'description' => $action_description, 2889 2898 'confirm_url' => add_query_arg( array( 2890 'action' => ' emailconfirm',2899 'action' => 'verifyaccount', 2891 2900 'confirm_action' => $action_name, 2892 2901 'uid' => $uid, … … 2908 2917 * ###SITEURL### The URL to the site. 2909 2918 * 2919 * @since 5.0.0 2920 * 2910 2921 * @param string $email_text Text in the email. 
2911 2922 * @param array $email_data { … … 2920 2931 * } 2921 2932 */ 2922 $content = apply_filters( ' confirm_account_action_email_content', $email_text, $email_data );2933 $content = apply_filters( 'account_verification_email_content', $email_text, $email_data ); 2923 2934 2924 2935 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); … … 2929 2940 2930 2941 /* translators: %s Site name. */ 2931 return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Ac count Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );2942 return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content ); 2932 2943 } 2933 2944 … … 2937 2948 * @since 5.0.0 2938 2949 * 2939 * @param string $ action_name Name of the action this key is being generated for.2940 * @param string $ email User email address. This can be the address of a registered or non-registered user.2941 * 2950 * @param string $email User email address. This can be the address of a registered or non-registered user. 2951 * @param string $action_name Name of the action this key is being generated for. 2952 * @param array $request_data Misc data you want to send with the verification request and pass to the actions once the request is confirmed. 2942 2953 * @return string|WP_Error Confirmation key on success. WP_Error on error. 
2943 2954 */ 2944 function get_confirm_account_action_key( $action_name, $email) {2955 function wp_get_account_verification_key( $email, $action_name, $request_data = array() ) { 2945 2956 global $wp_hasher; 2946 2957 … … 2968 2979 2969 2980 $hashed_key = $wp_hasher->HashPassword( $key ); 2981 $value = array( 2982 'action' => $action_name, 2983 'time' => time(), 2984 'hash' => $hashed_key, 2985 'email' => $email, 2986 'request_data' => $request_data, 2987 ); 2970 2988 2971 2989 if ( $is_registered_user ) { 2972 $key_saved = (bool) update_user_meta( $user->ID, '_ account_action_' . $action_name, implode( ':', array( time(), $hashed_key )) );2990 $key_saved = (bool) update_user_meta( $user->ID, '_verify_action_' . $action_name, wp_json_encode( $value ) ); 2973 2991 } else { 2974 $key_saved = (bool) update_site_option( '_account_action_' . hash( 'sha256', $email ) . '_' . $action_name, implode( ':', array( time(), $hashed_key, $email ) ) ); 2992 $uid = function_exists( 'hash' ) ? hash( 'sha256', $email ) : sha1( $email ); 2993 $key_saved = (bool) update_site_option( '_verify_action_' . $action_name . '_' . $uid, wp_json_encode( $value ) ); 2975 2994 } 2976 2995 2977 2996 if ( false === $key_saved ) { 2978 return new WP_Error( 'no_ confirm_account_action_key_update', __( 'Could not save confirm account action key to database.' ) );2997 return new WP_Error( 'no_account_verification_key_update', __( 'Could not save confirm account action key to database.' ) ); 2979 2998 } 2980 2999 … … 2987 3006 * @since 5.0.0 2988 3007 * 2989 * @param string $action_name Name of the action this key is being generated for.2990 3008 * @param string $key Key to confirm. 2991 3009 * @param string $uid Email hash or user ID. 2992 * 3010 * @param string $action_name Name of the action this key is being generated for. 2993 3011 * @return array|WP_Error WP_Error on failure, action name and user email address on success. 
2994 3012 */ 2995 function check_confirm_account_action_key( $action_name, $key, $uid) {3013 function wp_check_account_verification_key( $key, $uid, $action_name ) { 2996 3014 global $wp_hasher; 2997 3015 2998 if ( ! empty( $action_name ) && ! empty( $key ) && ! empty( $uid ) ) { 2999 $user = false; 3000 3001 if ( is_numeric( $uid ) ) { 3002 $user = get_user_by( 'id', absint( $uid ) ); 3003 } 3004 3005 // We could be dealing with a registered user account, or a visitor. 3006 $is_registered_user = $user && ! is_wp_error( $user ); 3007 $key_request_time = ''; 3008 $saved_key = ''; 3009 $email = ''; 3010 3011 if ( empty( $wp_hasher ) ) { 3012 require_once ABSPATH . WPINC . '/class-phpass.php'; 3013 $wp_hasher = new PasswordHash( 8, true ); 3014 } 3015 3016 // Get the saved key from the database. 3017 if ( $is_registered_user ) { 3018 $confirm_action_data = get_user_meta( $user->ID, '_account_action_' . $action_name, true ); 3019 $email = $user->user_email; 3020 3021 if ( false !== strpos( $confirm_action_data, ':' ) ) { 3022 list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 ); 3023 } 3024 } else { 3025 $confirm_action_data = get_site_option( '_account_action_' . $uid . '_' . $action_name, '' ); 3026 3027 if ( false !== strpos( $confirm_action_data, ':' ) ) { 3028 list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 ); 3029 } 3030 } 3031 3032 if ( ! $saved_key ) { 3033 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 3034 } 3035 3036 /** 3037 * Filters the expiration time of confirm keys. 3038 * 3039 * @param int $expiration The expiration time in seconds. 
3040 */ 3041 $expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS ); 3042 $expiration_time = $key_request_time + $expiration_duration; 3043 3044 if ( $wp_hasher->CheckPassword( $key, $saved_key ) ) { 3045 if ( $expiration_time && time() < $expiration_time ) { 3046 $return = array( 3047 'action' => $action_name, 3048 'email' => $email, 3049 ); 3050 } else { 3051 $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) ); 3052 } 3053 3054 // Clean up stored keys. 3055 if ( $is_registered_user ) { 3056 delete_user_meta( $user->ID, '_account_action_' . $action_name ); 3057 } else { 3058 delete_site_option( '_account_action_' . $uid . '_' . $action_name ); 3059 } 3060 3061 return $return; 3062 } 3063 } 3064 3065 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 3066 } 3016 if ( empty( $action_name ) || empty( $key ) || empty( $uid ) ) { 3017 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 3018 } 3019 3020 $user = false; 3021 3022 if ( is_numeric( $uid ) ) { 3023 $user = get_user_by( 'id', absint( $uid ) ); 3024 } 3025 3026 // We could be dealing with a registered user account, or a visitor. 3027 $is_registered_user = ( $user && ! is_wp_error( $user ) ); 3028 $key_request_time = ''; 3029 $saved_key = ''; 3030 $email = ''; 3031 3032 if ( empty( $wp_hasher ) ) { 3033 require_once ABSPATH . WPINC . '/class-phpass.php'; 3034 $wp_hasher = new PasswordHash( 8, true ); 3035 } 3036 3037 // Get the saved key from the database. 3038 if ( $is_registered_user ) { 3039 $raw_data = get_user_meta( $user->ID, '_verify_action_' . $action_name, true ); 3040 $email = $user->user_email; 3041 3042 if ( false !== strpos( $confirm_action_data, ':' ) ) { 3043 list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 ); 3044 } 3045 } else { 3046 $raw_data = get_site_option( '_verify_action_' . $action_name . '_' . 
$uid, '' ); 3047 3048 if ( false !== strpos( $confirm_action_data, ':' ) ) { 3049 list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 ); 3050 } 3051 } 3052 3053 $data = json_decode( $raw_data, true ); 3054 $key_request_time = (int) isset( $data['time'] ) ? $data['time'] : 0; 3055 $saved_key = isset( $data['hash'] ) ? $data['hash'] : ''; 3056 $email = sanitize_email( isset( $data['email'] ) ? $data['email'] : '' ); 3057 $request_data = isset( $data['request_data'] ) ? $data['request_data'] : array(); 3058 3059 if ( ! $saved_key ) { 3060 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 3061 } 3062 3063 if ( ! $key_request_time || ! $email ) { 3064 return new WP_Error( 'invalid_key', __( 'Invalid action' ) ); 3065 } 3066 3067 /** 3068 * Filters the expiration time of confirm keys. 3069 * 3070 * @since 5.0.0 3071 * 3072 * @param int $expiration The expiration time in seconds. 3073 */ 3074 $expiration_duration = apply_filters( 'account_verification_expiration', DAY_IN_SECONDS ); 3075 $expiration_time = $key_request_time + $expiration_duration; 3076 3077 if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) { 3078 return new WP_Error( 'invalid_key', __( 'Invalid key' ) ); 3079 } 3080 3081 if ( $expiration_time && time() < $expiration_time ) { 3082 $return = array( 3083 'action' => $action_name, 3084 'email' => $email, 3085 'request_data' => $request_data, 3086 ); 3087 } else { 3088 $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) ); 3089 } 3090 3091 // Clean up stored keys. 3092 if ( $is_registered_user ) { 3093 delete_user_meta( $user->ID, '_verify_action_' . $action_name ); 3094 } else { 3095 delete_site_option( '_verify_action_' . $action_name . '_' . $uid ); 3096 } 3097 3098 return $return; 3099 } -
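Review bot: In wp_check_account_verification_key the two `if ( false !== strpos( $confirm_action_data, ':' ) )` blocks (new 3042–3044 and 3048–3050) read a variable that is never assigned anywhere in the rewritten function — the lookup result now lands in `$raw_data` — so they raise an undefined-variable notice and are dead code, since `json_decode( $raw_data, true )` at 3053 overwrites `$key_request_time` and `$saved_key` regardless; they look like leftovers from the old colon-delimited format and should be deleted. Line 3054 also has a precedence bug: in `(int) isset( $data['time'] ) ? $data['time'] : 0` the cast applies to the isset() result, not to the stored time, so the ternary hands back `$data['time']` uncast; it should read `$key_request_time = isset( $data['time'] ) ? (int) $data['time'] : 0;`. With those gone, the pre-initialisations at 3028–3030 and `$email = $user->user_email;` at 3040 (immediately overwritten by the stored email at 3056) are dead as well. One check I would add, hedged because the option-name handling is not visible here: on the visitor path `$uid` comes straight from the query string and is concatenated into the site-option name unvalidated, while the sender only ever generates it as a sha256 (or sha1) hex digest, so rejecting anything that is neither numeric nor `^[a-f0-9]{40,64}$` would keep arbitrary option names out of the lookup.
```php
	// Get the saved key from the database.
	if ( $is_registered_user ) {
		$raw_data = get_user_meta( $user->ID, '_verify_action_' . $action_name, true );
	} else {
		$raw_data = get_site_option( '_verify_action_' . $action_name . '_' . $uid, '' );
	}

	$data             = json_decode( $raw_data, true );
	$key_request_time = isset( $data['time'] ) ? (int) $data['time'] : 0;
	// … unchanged: $saved_key / $email / $request_data extraction, expiry and hash checks, cleanup …
```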
trunk/src/wp-login.php
r42892 r42964 428 428 429 429 // validate action so as to default to the login screen 430 if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', ' emailconfirm' ), true ) && false === has_filter( 'login_form_' . $action ) ) {430 if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'verifyaccount' ), true ) && false === has_filter( 'login_form_' . $action ) ) { 431 431 $action = 'login'; 432 432 } … … 859 859 break; 860 860 861 case ' emailconfirm' :861 case 'verifyaccount' : 862 862 if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) { 863 $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );864 863 $key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) ); 865 864 $uid = sanitize_text_field( wp_unslash( $_GET['uid'] ) ); 866 $result = check_confirm_account_action_key( $action_name, $key, $uid ); 865 $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) ); 866 $result = wp_check_account_verification_key( $key, $uid, $action_name ); 867 867 } else { 868 868 $result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
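Review bot: The `verifyaccount` branch runs the key check on a plain GET, and wp_check_account_verification_key in this same changeset deletes the stored key as soon as the hash matches, so a mail client or security gateway that prefetches links will consume the single-use token before the user ever sees the page and the user is then left with 'Invalid key'. Consider having the emailed link render a confirmation page and performing the check (and whatever action follows) on a nonce-protected POST, which also keeps the state change off GET. The remainder of the `case 'verifyaccount'` body, where `$result` is consumed, lies outside the hunk, so I cannot tell whether a further confirmation step already exists there.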