WordPress.org

Make WordPress Core


Ignore:
Timestamp:
05/02/2018 01:03:53 AM (2 years ago)
Author:
SergeyBiryukov
Message:

Privacy: update and enhance the method to confirm user requests by email. Introduce WP_User_Request to hold all request vars similarly to WP_Post.

Props mikejolley, desrosj.
Merges [43011] and [43014] to the 4.9 branch.
See #43443.

Location:
branches/4.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.9

  • branches/4.9/src/wp-includes/user.php

    r43083 r43084  
    27632763    }
    27642764
    2765     if ( ! in_array( $request_data['status'], array( 'request-pending', 'request-failed' ), true ) ) {
     2765    if ( ! in_array( $request_data->status, array( 'request-pending', 'request-failed' ), true ) ) {
    27662766        return;
    27672767    }
     
    27692769    update_post_meta( $request_id, '_wp_user_request_confirmed_timestamp', time() );
    27702770    wp_update_post( array(
    2771         'ID'          => $request_data['request_id'],
     2771        'ID'          => $request_id,
    27722772        'post_status' => 'request-confirmed',
    27732773    ) );
     
    27852785    $request = wp_get_user_request_data( $request_id );
    27862786
    2787     if ( $request && in_array( $request['action'], _wp_privacy_action_request_types(), true ) ) {
     2787    if ( $request && in_array( $request->action_name, _wp_privacy_action_request_types(), true ) ) {
    27882788        $message = '<p class="message">' . __( 'Action has been confirmed.' ) . '</p>';
    27892789        $message .= __( 'The site administrator has been notified and will fulfill your request as soon as possible.' );
     
    28232823    // Check for duplicates.
    28242824    $requests_query = new WP_Query( array(
    2825         'post_type'   => 'user_request',
    2826         'title'       => $action_name,
    2827         'post_status' => 'any',
    2828         'fields'      => 'ids',
    2829         'meta_query'  => array(
    2830             array(
    2831                 'key'     => '_wp_user_request_user_email',
    2832                 'value'   => $email_address,
    2833             ),
    2834         ),
     2825        'post_type'     => 'user_request',
     2826        'post_name__in' => array( $action_name ),  // Action name stored in post_name column.
     2827        'title'         => $email_address, // Email address stored in post_title column.
     2828        'post_status'   => 'any',
     2829        'fields'        => 'ids',
    28352830    ) );
    28362831
     
    28412836    $request_id = wp_insert_post( array(
    28422837        'post_author'   => $user_id,
    2843         'post_title'    => $action_name,
     2838        'post_name'     => $action_name,
     2839        'post_title'    => $email_address,
    28442840        'post_content'  => wp_json_encode( $request_data ),
    28452841        'post_status'   => 'request-pending',
     
    28482844        'post_date_gmt' => current_time( 'mysql', true ),
    28492845    ), true );
    2850 
    2851     if ( is_wp_error( $request_id ) ) {
    2852         return $request_id;
    2853     }
    2854 
    2855     update_post_meta( $request_id, '_wp_user_request_user_email', $email_address );
    2856     update_post_meta( $request_id, '_wp_user_request_confirmed_timestamp', false );
    28572846
    28582847    return $request_id;
     
    28842873     * Filters the user action description.
    28852874     *
     2875     * @since 4.9.6
     2876     *
    28862877     * @param string $description The default description.
    28872878     * @param string $action_name The name of the request.
    2888      */             
     2879     */
    28892880    return apply_filters( 'user_request_action_description', $description, $action_name );
    28902881}
     
    29022893function wp_send_user_request( $request_id ) {
    29032894    $request_id = absint( $request_id );
    2904     $request    = get_post( $request_id );
    2905 
    2906     if ( ! $request || 'user_request' !== $request->post_type ) {
     2895    $request    = wp_get_user_request_data( $request_id );
     2896
     2897    if ( ! $request ) {
    29072898        return new WP_Error( 'user_request_error', __( 'Invalid request.' ) );
    29082899    }
    29092900
    2910     if ( 'request-pending' !== $request->post_status ) {
    2911         wp_update_post( array(
    2912             'ID'            => $request_id,
    2913             'post_status'   => 'request-pending',
    2914             'post_date'     => current_time( 'mysql', false ),
    2915             'post_date_gmt' => current_time( 'mysql', true ),
    2916         ) );
    2917     }
    2918 
    29192901    $email_data = array(
    2920         'action_name' => $request->post_title,
    2921         'email'       => get_post_meta( $request->ID, '_wp_user_request_user_email', true ),
    2922         'description' => wp_user_request_action_description( $request->post_title ),
     2902        'email'       => $request->email,
     2903        'description' => wp_user_request_action_description( $request->action_name ),
    29232904        'confirm_url' => add_query_arg( array(
    29242905            'action'      => 'confirmaction',
     
    29682949     *     Data relating to the account action email.
    29692950     *
    2970      *     @type string $action_name Name of the action being performed.
    2971      *     @type string $email       The email address this is being sent to.
    2972      *     @type string $description Description of the action being performed so the user knows what the email is for.
    2973      *     @type string $confirm_url The link to click on to confirm the account action.
    2974      *     @type string $sitename    The site name sending the mail.
    2975      *     @type string $siteurl     The site URL sending the mail.
     2951     *     @type WP_User_Request $request User request object.
     2952     *     @type string          $email       The email address this is being sent to.
     2953     *     @type string          $description Description of the action being performed so the user knows what the email is for.
     2954     *     @type string          $confirm_url The link to click on to confirm the account action.
     2955     *     @type string          $sitename    The site name sending the mail.
     2956     *     @type string          $siteurl     The site URL sending the mail.
    29762957     * }
    29772958     */
     
    29892970
    29902971/**
    2991  * Returns a confirmation key for a user action and stores the hashed version.
     2972 * Returns a confirmation key for a user action and stores the hashed version for future comparison.
    29922973 *
    29932974 * @since 4.9.6
     
    30082989    }
    30092990
    3010     update_post_meta( $request_id, '_wp_user_request_confirm_key', $wp_hasher->HashPassword( $key ) );
    3011     update_post_meta( $request_id, '_wp_user_request_confirm_key_timestamp', time() );
     2991    wp_update_post( array(
     2992        'ID'                => $request_id,
     2993        'post_status'       => 'request-pending',
     2994        'post_password'     => $wp_hasher->HashPassword( $key ),
     2995        'post_modified'     => current_time( 'mysql', false ),
     2996        'post_modified_gmt' => current_time( 'mysql', true ),
     2997    ) );
    30122998
    30132999    return $key;
     
    30333019    }
    30343020
    3035     if ( ! in_array( $request['status'], array( 'request-pending', 'request-failed' ), true ) ) {
     3021    if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) {
    30363022        return __( 'This link has expired.' );
    30373023    }
     
    30463032    }
    30473033
    3048     $key_request_time = $request['confirm_key_timestamp'];
    3049     $saved_key        = $request['confirm_key'];
     3034    $key_request_time = $request->modified_timestamp;
     3035    $saved_key        = $request->confirm_key;
    30503036
    30513037    if ( ! $saved_key ) {
     
    30883074function wp_get_user_request_data( $request_id ) {
    30893075    $request_id = absint( $request_id );
    3090     $request    = get_post( $request_id );
    3091 
    3092     if ( ! $request || 'user_request' !== $request->post_type ) {
     3076    $post       = get_post( $request_id );
     3077
     3078    if ( ! $post || 'user_request' !== $post->post_type ) {
    30933079        return false;
    30943080    }
    30953081
    3096     return array(
    3097         'request_id'            => $request->ID,
    3098         'user_id'               => $request->post_author,
    3099         'email'                 => get_post_meta( $request->ID, '_wp_user_request_user_email', true ),
    3100         'action'                => $request->post_title,
    3101         'requested_timestamp'   => strtotime( $request->post_date_gmt ),
    3102         'confirmed_timestamp'   => get_post_meta( $request->ID, '_wp_user_request_confirmed_timestamp', true ),
    3103         'completed_timestamp'   => get_post_meta( $request->ID, '_wp_user_request_completed_timestamp', true ),
    3104         'request_data'          => json_decode( $request->post_content, true ),
    3105         'status'                => $request->post_status,
    3106         'confirm_key'           => get_post_meta( $request_id, '_wp_user_request_confirm_key', true ),
    3107         'confirm_key_timestamp' => get_post_meta( $request_id, '_wp_user_request_confirm_key_timestamp', true ),
    3108     );
    3109 }
     3082    return new WP_User_Request( $post );
     3083}
     3084
     3085/**
     3086 * WP_User_Request class.
     3087 *
     3088 * Represents user request data loaded from a WP_Post object.
     3089 *
     3090 * @since 4.9.6
     3091 */
     3092final class WP_User_Request {
     3093    /**
     3094     * Request ID.
     3095     *
     3096     * @var int
     3097     */
     3098    public $ID = 0;
     3099
     3100    /**
     3101     * User ID.
     3102     *
     3103     * @var int
     3104     */
     3105
     3106    public $user_id = 0;
     3107
     3108    /**
     3109     * User email.
     3110     *
     3111     * @var int
     3112     */
     3113    public $email = '';
     3114
     3115    /**
     3116     * Action name.
     3117     *
     3118     * @var string
     3119     */
     3120    public $action_name = '';
     3121
     3122    /**
     3123     * Current status.
     3124     *
     3125     * @var string
     3126     */
     3127    public $status = '';
     3128
     3129    /**
     3130     * Timestamp this request was created.
     3131     *
     3132     * @var int|null
     3133     */
     3134    public $created_timestamp = null;
     3135
     3136    /**
     3137     * Timestamp this request was last modified.
     3138     *
     3139     * @var int|null
     3140     */
     3141    public $modified_timestamp = null;
     3142
     3143    /**
     3144     * Timestamp this request was confirmed.
     3145     *
     3146     * @var int
     3147     */
     3148    public $confirmed_timestamp = null;
     3149
     3150    /**
     3151     * Timestamp this request was completed.
     3152     *
     3153     * @var int
     3154     */
     3155    public $completed_timestamp = null;
     3156
     3157    /**
     3158     * Misc data assigned to this request.
     3159     *
     3160     * @var array
     3161     */
     3162    public $request_data = array();
     3163
     3164    /**
     3165     * Key used to confirm this request.
     3166     *
     3167     * @var string
     3168     */
     3169    public $confirm_key = '';
     3170
     3171    /**
     3172     * Constructor.
     3173     *
     3174     * @since 4.9.6
     3175     *
     3176     * @param WP_Post|object $post Post object.
     3177     */
     3178    public function __construct( $post ) {
     3179        $this->ID                  = $post->ID;
     3180        $this->user_id             = $post->post_author;
     3181        $this->email               = $post->post_title;
     3182        $this->action_name         = $post->post_name;
     3183        $this->status              = $post->post_status;
     3184        $this->created_timestamp   = strtotime( $post->post_date_gmt );
     3185        $this->modified_timestamp  = strtotime( $post->post_modified_gmt );
     3186        $this->confirmed_timestamp = (int) get_post_meta( $post->ID, '_wp_user_request_confirmed_timestamp', true );
     3187        $this->completed_timestamp = (int) get_post_meta( $post->ID, '_wp_user_request_completed_timestamp', true );
     3188        $this->request_data        = json_decode( $post->post_content, true );
     3189        $this->confirm_key         = $post->post_password;
     3190    }
     3191}
Note: See TracChangeset for help on using the changeset viewer.