Make WordPress Core

Changeset 56150


Ignore:
Timestamp:
07/06/2023 12:45:45 PM (11 months ago)
Author:
audrasjb
Message:

Users: Remove password reset links when the feature is not allowed for a specific user.

This also introduces wp_is_password_reset_allowed_for_user() which returns false when password reset is not allowed for a specific user. This can be
filtered by developers using the existing allow_password_reset hook.

Props ocean90, cshark, robinwpdeveloper, tahmina1du, kraftbj.
Fixes #58194.

Location:
trunk/src
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/class-wp-users-list-table.php

    r55971 r56150  
    503503            if ( get_current_user_id() !== $user_object->ID
    504504                && current_user_can( 'edit_user', $user_object->ID )
     505                && true === wp_is_password_reset_allowed_for_user( $user_object )
    505506            ) {
    506507                $actions['resetpassword'] = "<a class='resetpassword' href='" . wp_nonce_url( "users.php?action=resetpassword&amp;users=$user_object->ID", 'bulk-users' ) . "'>" . __( 'Send password reset' ) . '</a>';
  • trunk/src/wp-admin/user-edit.php

    r56008 r56150  
    682682
    683683                            <?php // Allow admins to send reset password link. ?>
    684                             <?php if ( ! IS_PROFILE_PAGE ) : ?>
     684                            <?php if ( ! IS_PROFILE_PAGE && true === wp_is_password_reset_allowed_for_user( $profile_user ) ) : ?>
    685685                                <tr class="user-generate-reset-link-wrap hide-if-no-js">
    686686                                    <th><?php _e( 'Password Reset' ); ?></th>
  • trunk/src/wp-includes/user.php

    r56071 r56150  
    28982898    do_action( 'retrieve_password', $user->user_login );
    28992899
    2900     $allow = true;
    2901     if ( is_multisite() && is_user_spammy( $user ) ) {
    2902         $allow = false;
    2903     }
    2904 
    2905     /**
    2906      * Filters whether to allow a password to be reset.
    2907      *
    2908      * @since 2.7.0
    2909      *
    2910      * @param bool $allow   Whether to allow the password to be reset. Default true.
    2911      * @param int  $user_id The ID of the user attempting to reset a password.
    2912      */
    2913     $allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
    2914 
    2915     if ( ! $allow ) {
     2900    $password_reset_allowed = wp_is_password_reset_allowed_for_user( $user );
     2901    if ( ! $password_reset_allowed ) {
    29162902        return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
    2917     } elseif ( is_wp_error( $allow ) ) {
    2918         return $allow;
     2903    } elseif ( is_wp_error( $password_reset_allowed ) ) {
     2904        return $password_reset_allowed;
    29192905    }
    29202906
     
    50385024    wp_cache_set_last_changed( 'users' );
    50395025}
     5026
     5027/**
     5028 * Checks if password reset is allowed for a specific user.
     5029 *
     5030 * @since 6.3.0
     5031 *
     5032 * @param int|WP_User $user The user to check.
     5033 * @return bool|WP_Error True if allowed, false or WP_Error otherwise.
     5034 */
     5035function wp_is_password_reset_allowed_for_user( $user ) {
     5036    if ( ! is_object( $user ) ) {
     5037        $user = get_userdata( $user );
     5038    }
     5039
     5040    if ( ! $user || ! $user->exists() ) {
     5041        return false;
     5042    }
     5043    $allow = true;
     5044    if ( is_multisite() && is_user_spammy( $user ) ) {
     5045        $allow = false;
     5046    }
     5047
     5048    /**
     5049     * Filters whether to allow a password to be reset.
     5050     *
     5051     * @since 2.7.0
     5052     *
     5053     * @param bool $allow   Whether to allow the password to be reset. Default true.
     5054     * @param int  $user_id The ID of the user attempting to reset a password.
     5055     */
     5056    return apply_filters( 'allow_password_reset', $allow, $user->ID );
     5057}
Note: See TracChangeset for help on using the changeset viewer.