WordPress.org

Make WordPress Core


Ignore:
Timestamp:
05/02/2018 01:00:46 AM (2 years ago)
Author:
SergeyBiryukov
Message:

Privacy: update the method to confirm user requests by email. Use a single CPT to store the requests and to allow logging/audit trail.

Props mikejolley.
Merges [43008] to the 4.9 branch.
See #43443.

Location:
branches/4.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.9

  • branches/4.9/src/wp-login.php

    r43070 r43083  
    414414
    415415// validate action so as to default to the login screen
    416 if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'verifyaccount' ), true ) && false === has_filter( 'login_form_' . $action ) )
     416if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'confirmaction' ), true ) && false === has_filter( 'login_form_' . $action ) )
    417417    $action = 'login';
    418418
     
    839839break;
    840840
    841 case 'verifyaccount' :
    842     if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
    843         $key         = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
    844         $uid         = sanitize_text_field( wp_unslash( $_GET['uid'] ) );
    845         $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
    846         $result      = wp_check_account_verification_key( $key, $uid, $action_name );
     841case 'confirmaction' :
     842    if ( ! isset( $_GET['request_id'] ) ) {
     843        wp_die( __( 'Invalid request' ) );
     844    }
     845
     846    $request_id = (int) $_GET['request_id'];
     847
     848    if ( isset( $_GET['confirm_key'] ) ) {
     849        $key    = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
     850        $result = wp_validate_user_request_key( $request_id, $key );
    847851    } else {
    848852        $result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
     
    850854
    851855    if ( is_wp_error( $result ) ) {
    852         /**
    853          * Fires an action hook when the account action was not confirmed.
    854          *
    855          * After running this action hook the page will die.
    856          *
    857          * @param WP_Error $result Error object.
    858          */
    859         do_action( 'account_action_failed', $result );
    860 
    861856        wp_die( $result );
    862857    }
     
    868863     * clicking on the link in the confirmation email.
    869864     *
    870      * After firing this action hook the page will redirect to wp-login a callback 
     865     * After firing this action hook the page will redirect to wp-login a callback
    871866     * redirects or exits first.
    872      *
    873      * @param array $result {
    874      *     Data about the action which was confirmed.
    875      *
    876      *     @type string $action Name of the action that was confirmed.
    877      *     @type string $email  Email of the user who confirmed the action.
    878      * }
    879      */
    880     do_action( 'account_action_confirmed', $result );
    881 
    882     $message = '<p class="message">' . __( 'Action has been confirmed.' ) . '</p>';
    883     login_header( '', $message );
     867     *
     868     * @param int $request_id Request ID.
     869     */
     870    do_action( 'user_request_action_confirmed', $request_id );
     871
     872    $message = apply_filters( 'user_request_action_confirmed_message', '<p class="message">' . __( 'Action has been confirmed.' ) . '</p>', $request_id );
     873
     874    login_header( __( 'User action confirmed.' ), $message );
    884875    login_footer();
    885876    exit;
Note: See TracChangeset for help on using the changeset viewer.