Add a method to confirm user requests by email. First run.
Props mikejolley. See #43443. Built from https://develop.svn.wordpress.org/trunk@42791 git-svn-id: http://core.svn.wordpress.org/trunk@42621 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
6a4b2a022a
commit
791b11bc3f
|
@ -1370,9 +1370,9 @@ function clean_user_cache( $user ) {
|
|||
|
||||
/**
|
||||
* Determines whether the given username exists.
|
||||
*
|
||||
*
|
||||
* For more information on this and similar theme functions, check out
|
||||
* the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
|
||||
* the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
|
||||
* Conditional Tags} article in the Theme Developer Handbook.
|
||||
*
|
||||
* @since 2.0.0
|
||||
|
@ -1400,9 +1400,9 @@ function username_exists( $username ) {
|
|||
|
||||
/**
|
||||
* Determines whether the given email exists.
|
||||
*
|
||||
*
|
||||
* For more information on this and similar theme functions, check out
|
||||
* the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
|
||||
* the {@link https://developer.wordpress.org/themes/basics/conditional-tags/
|
||||
* Conditional Tags} article in the Theme Developer Handbook.
|
||||
*
|
||||
* @since 2.1.0
|
||||
|
@ -2809,3 +2809,258 @@ function new_user_email_admin_notice() {
|
|||
echo '<div class="notice notice-info"><p>' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '<code>' . esc_html( $email['newemail'] ) . '</code>' ) . '</p></div>';
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Send a confirmation request email to confirm an action.
|
||||
*
|
||||
* @since 5.0.0
|
||||
*
|
||||
* @param string $action_name Name of the action that is being confirmed.
|
||||
* @param string $action_description User facing description of the action they will be confirming.
|
||||
* @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
|
||||
*
|
||||
* @return WP_ERROR|bool Will return true/false based on the success of sending the email, or a WP_Error object.
|
||||
*/
|
||||
function send_confirm_account_action_email( $action_name, $action_description = '', $email = '' ) {
|
||||
$action_name = sanitize_key( $action_name );
|
||||
$action_description = wp_kses_post( $action_description );
|
||||
|
||||
if ( empty( $action_name ) ) {
|
||||
return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
|
||||
}
|
||||
|
||||
if ( empty( $email ) ) {
|
||||
$user = wp_get_current_user();
|
||||
$email = $user->ID ? $user->user_email : '';
|
||||
} else {
|
||||
$user = false;
|
||||
}
|
||||
|
||||
$email = sanitize_email( $email );
|
||||
|
||||
if ( ! is_email( $email ) ) {
|
||||
return new WP_Error( 'invalid_email', __( 'Invalid email address' ) );
|
||||
}
|
||||
|
||||
if ( ! $user ) {
|
||||
$user = get_user_by( 'email', $email );
|
||||
}
|
||||
|
||||
// We could be dealing with a registered user account, or a visitor.
|
||||
$is_registered_user = $user && ! is_wp_error( $user );
|
||||
$uid = $is_registered_user ? $user->ID : hash( 'sha256', $email );
|
||||
$confirm_key = get_confirm_account_action_key( $action_name, $email );
|
||||
|
||||
if ( is_wp_error( $confirm_key ) ) {
|
||||
return $confirm_key;
|
||||
}
|
||||
|
||||
// Prepare the email content.
|
||||
if ( ! $action_description ) {
|
||||
$action_description = $action_name;
|
||||
}
|
||||
|
||||
/* translators: Do not translate DESCRIPTION, CONFIRM_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
|
||||
$email_text = __(
|
||||
'Howdy,
|
||||
|
||||
An account linked to your email address has requested to perform
|
||||
the following action:
|
||||
|
||||
###DESCRIPTION###
|
||||
|
||||
To confirm this action, please click on the following link:
|
||||
###CONFIRM_URL###
|
||||
|
||||
You can safely ignore and delete this email if you do not want to
|
||||
take this action.
|
||||
|
||||
This email has been sent to ###EMAIL###.
|
||||
|
||||
Regards,
|
||||
All at ###SITENAME###
|
||||
###SITEURL###'
|
||||
);
|
||||
|
||||
$email_data = array(
|
||||
'action_name' => $action_name,
|
||||
'email' => $email,
|
||||
'description' => $action_description,
|
||||
'confirm_url' => add_query_arg( array(
|
||||
'action' => 'emailconfirm',
|
||||
'confirm_action' => $action_name,
|
||||
'uid' => $uid,
|
||||
'confirm_key' => $confirm_key,
|
||||
), site_url( 'wp-login.php' ) ),
|
||||
'sitename' => is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' ),
|
||||
'siteurl' => network_home_url(),
|
||||
);
|
||||
|
||||
/**
|
||||
* Filters the text of the email sent when an account action is attempted.
|
||||
*
|
||||
* The following strings have a special meaning and will get replaced dynamically:
|
||||
* ###USERNAME### The user's username, if the user has an account. Prefixed with single space. Otherwise left blank.
|
||||
* ###DESCRIPTION### Description of the action being performed so the user knows what the email is for.
|
||||
* ###CONFIRM_URL### The link to click on to confirm the account action.
|
||||
* ###EMAIL### The email we are sending to.
|
||||
* ###SITENAME### The name of the site.
|
||||
* ###SITEURL### The URL to the site.
|
||||
*
|
||||
* @param string $email_text Text in the email.
|
||||
* @param array $email_data {
|
||||
* Data relating to the account action email.
|
||||
*
|
||||
* @type string $action_name Name of the action being performed.
|
||||
* @type string $email The email address this is being sent to.
|
||||
* @type string $description Description of the action being performed so the user knows what the email is for.
|
||||
* @type string $confirm_url The link to click on to confirm the account action.
|
||||
* @type string $sitename The site name sending the mail.
|
||||
* @type string $siteurl The site URL sending the mail.
|
||||
* }
|
||||
*/
|
||||
$content = apply_filters( 'confirm_account_action_email_content', $email_text, $email_data );
|
||||
|
||||
$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
|
||||
$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
|
||||
$content = str_replace( '###EMAIL###', $email_data['email'], $content );
|
||||
$content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
|
||||
$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
|
||||
|
||||
/* translators: %s Site name. */
|
||||
return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Account Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates, stores, then returns a confirmation key for an account action.
|
||||
*
|
||||
* @since 5.0.0
|
||||
*
|
||||
* @param string $action_name Name of the action this key is being generated for.
|
||||
* @param string $email User email address. This can be the address of a registered or non-registered user.
|
||||
*
|
||||
* @return string|WP_Error Confirmation key on success. WP_Error on error.
|
||||
*/
|
||||
function get_confirm_account_action_key( $action_name, $email ) {
|
||||
global $wp_hasher;
|
||||
|
||||
if ( ! is_email( $email ) ) {
|
||||
return new WP_Error( 'invalid_email', __( 'Invalid email address' ) );
|
||||
}
|
||||
|
||||
if ( empty( $action_name ) ) {
|
||||
return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
|
||||
}
|
||||
|
||||
$user = get_user_by( 'email', $email );
|
||||
|
||||
// We could be dealing with a registered user account, or a visitor.
|
||||
$is_registered_user = $user && ! is_wp_error( $user );
|
||||
|
||||
// Generate something random for a confirmation key.
|
||||
$key = wp_generate_password( 20, false );
|
||||
|
||||
// Now insert the key, hashed, into the DB.
|
||||
if ( empty( $wp_hasher ) ) {
|
||||
require_once ABSPATH . WPINC . '/class-phpass.php';
|
||||
$wp_hasher = new PasswordHash( 8, true );
|
||||
}
|
||||
|
||||
$hashed_key = $wp_hasher->HashPassword( $key );
|
||||
|
||||
if ( $is_registered_user ) {
|
||||
$key_saved = (bool) update_user_meta( $user->ID, '_account_action_' . $action_name, implode( ':', array( time(), $hashed_key ) ) );
|
||||
} else {
|
||||
$key_saved = (bool) update_site_option( '_account_action_' . hash( 'sha256', $email ) . '_' . $action_name, implode( ':', array( time(), $hashed_key, $email ) ) );
|
||||
}
|
||||
|
||||
if ( false === $key_saved ) {
|
||||
return new WP_Error( 'no_confirm_account_action_key_update', __( 'Could not save confirm account action key to database.' ) );
|
||||
}
|
||||
|
||||
return $key;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a key is valid and handles the action based on this.
|
||||
*
|
||||
* @since 5.0.0
|
||||
*
|
||||
* @param string $action_name Name of the action this key is being generated for.
|
||||
* @param string $key Key to confirm.
|
||||
* @param string $uid Email hash or user ID.
|
||||
*
|
||||
* @return array|WP_Error WP_Error on failure, action name and user email address on success.
|
||||
*/
|
||||
function check_confirm_account_action_key( $action_name, $key, $uid ) {
|
||||
global $wp_hasher;
|
||||
|
||||
if ( ! empty( $action_name ) && ! empty( $key ) && ! empty( $uid ) ) {
|
||||
$user = false;
|
||||
|
||||
if ( is_numeric( $uid ) ) {
|
||||
$user = get_user_by( 'id', absint( $uid ) );
|
||||
}
|
||||
|
||||
// We could be dealing with a registered user account, or a visitor.
|
||||
$is_registered_user = $user && ! is_wp_error( $user );
|
||||
$key_request_time = '';
|
||||
$saved_key = '';
|
||||
$email = '';
|
||||
|
||||
if ( empty( $wp_hasher ) ) {
|
||||
require_once ABSPATH . WPINC . '/class-phpass.php';
|
||||
$wp_hasher = new PasswordHash( 8, true );
|
||||
}
|
||||
|
||||
// Get the saved key from the database.
|
||||
if ( $is_registered_user ) {
|
||||
$confirm_action_data = get_user_meta( $user->ID, '_account_action_' . $action_name, true );
|
||||
$email = $user->user_email;
|
||||
|
||||
if ( false !== strpos( $confirm_action_data, ':' ) ) {
|
||||
list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
|
||||
}
|
||||
} else {
|
||||
$confirm_action_data = get_site_option( '_account_action_' . $uid . '_' . $action_name, '' );
|
||||
|
||||
if ( false !== strpos( $confirm_action_data, ':' ) ) {
|
||||
list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
|
||||
}
|
||||
}
|
||||
|
||||
if ( ! $saved_key ) {
|
||||
return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* Filters the expiration time of confirm keys.
|
||||
*
|
||||
* @param int $expiration The expiration time in seconds.
|
||||
*/
|
||||
$expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS );
|
||||
$expiration_time = $key_request_time + $expiration_duration;
|
||||
|
||||
if ( $wp_hasher->CheckPassword( $key, $saved_key ) ) {
|
||||
if ( $expiration_time && time() < $expiration_time ) {
|
||||
$return = array(
|
||||
'action' => $action_name,
|
||||
'email' => $email,
|
||||
);
|
||||
} else {
|
||||
$return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
|
||||
}
|
||||
|
||||
// Clean up stored keys.
|
||||
if ( $is_registered_user ) {
|
||||
delete_user_meta( $user->ID, '_account_action_' . $action_name );
|
||||
} else {
|
||||
delete_site_option( '_account_action_' . $uid . '_' . $action_name );
|
||||
}
|
||||
|
||||
return $return;
|
||||
}
|
||||
}
|
||||
|
||||
return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
|
||||
}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '5.0-alpha-42790';
|
||||
$wp_version = '5.0-alpha-42791';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|
48
wp-login.php
48
wp-login.php
|
@ -427,7 +427,7 @@ if ( isset( $_GET['key'] ) ) {
|
|||
}
|
||||
|
||||
// validate action so as to default to the login screen
|
||||
if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) ) {
|
||||
if ( ! in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'emailconfirm' ), true ) && false === has_filter( 'login_form_' . $action ) ) {
|
||||
$action = 'login';
|
||||
}
|
||||
|
||||
|
@ -858,6 +858,52 @@ switch ( $action ) {
|
|||
|
||||
break;
|
||||
|
||||
case 'emailconfirm' :
|
||||
if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
|
||||
$action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
|
||||
$key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
|
||||
$uid = sanitize_text_field( wp_unslash( $_GET['uid'] ) );
|
||||
$result = check_confirm_account_action_key( $action_name, $key, $uid );
|
||||
} else {
|
||||
$result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
|
||||
}
|
||||
|
||||
if ( is_wp_error( $result ) ) {
|
||||
/**
|
||||
* Fires an action hook when the account action was not confirmed.
|
||||
*
|
||||
* After running this action hook the page will die.
|
||||
*
|
||||
* @param WP_Error $result Error object.
|
||||
*/
|
||||
do_action( 'account_action_failed', $result );
|
||||
|
||||
wp_die( $result );
|
||||
}
|
||||
|
||||
/**
|
||||
* Fires an action hook when the account action has been confirmed by the user.
|
||||
*
|
||||
* Using this you can assume the user has agreed to perform the action by
|
||||
* clicking on the link in the confirmation email.
|
||||
*
|
||||
* After firing this action hook the page will redirect to wp-login a callback
|
||||
* redirects or exits first.
|
||||
*
|
||||
* @param array $result {
|
||||
* Data about the action which was confirmed.
|
||||
*
|
||||
* @type string $action Name of the action that was confirmed.
|
||||
* @type string $email Email of the user who confirmed the action.
|
||||
* }
|
||||
*/
|
||||
do_action( 'account_action_confirmed', $result );
|
||||
|
||||
$message = '<p class="message">' . __( 'Action has been confirmed.' ) . '</p>';
|
||||
login_header( '', $message );
|
||||
login_footer();
|
||||
exit;
|
||||
|
||||
case 'login':
|
||||
default:
|
||||
$secure_cookie = '';
|
||||
|
|
Loading…
Reference in New Issue