WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Users: Remove password reset links when the feature is not allowed for a specific user. 

This also introduces `wp_is_password_reset_allowed_for_user()` which returns `false` when password reset is not allowed for a specific user. This can be 
filtered by developers using the existing `allow_password_reset` hook.

Props ocean90, cshark, robinwpdeveloper, tahmina1du, kraftbj.
Fixes #58194.



Built from https://develop.svn.wordpress.org/trunk@56150


git-svn-id: http://core.svn.wordpress.org/trunk@55662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
audrasjb 2023-07-06 12:47:23 +00:00
parent 1729b7f6fc
commit e952b31145
4 changed files with 39 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
wp-admin/includes/class-wp-users-list-table.php
View File

@ -502,6 +502,7 @@ class WP_Users_List_Table extends WP_List_Table {
// Add a link to send the user a reset password link by email.
if ( get_current_user_id() !== $user_object->ID
&& current_user_can( 'edit_user', $user_object->ID )
&& true === wp_is_password_reset_allowed_for_user( $user_object )
) {
$actions['resetpassword'] = "<a class='resetpassword' href='" . wp_nonce_url( "users.php?action=resetpassword&amp;users=$user_object->ID", 'bulk-users' ) . "'>" . __( 'Send password reset' ) . '</a>';
}

2
wp-admin/user-edit.php
View File

@ -681,7 +681,7 @@ switch ( $action ) {
<?php endif; // End Show Password Fields. ?>
<?php // Allow admins to send reset password link. ?>
<?php if ( ! IS_PROFILE_PAGE ) : ?>
<?php if ( ! IS_PROFILE_PAGE && true === wp_is_password_reset_allowed_for_user( $profile_user ) ) : ?>
<tr class="user-generate-reset-link-wrap hide-if-no-js">
<th><?php _e( 'Password Reset' ); ?></th>
<td>

54
wp-includes/user.php
View File

@ -2897,25 +2897,11 @@ function get_password_reset_key( $user ) {
*/
do_action( 'retrieve_password', $user->user_login );
$allow = true;
if ( is_multisite() && is_user_spammy( $user ) ) {
$allow = false;
}
/**
* Filters whether to allow a password to be reset.
*
* @since 2.7.0
*
* @param bool $allow Whether to allow the password to be reset. Default true.
* @param int $user_id The ID of the user attempting to reset a password.
*/
$allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
if ( ! $allow ) {
$password_reset_allowed = wp_is_password_reset_allowed_for_user( $user );
if ( ! $password_reset_allowed ) {
return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
} elseif ( is_wp_error( $allow ) ) {
return $allow;
} elseif ( is_wp_error( $password_reset_allowed ) ) {
return $password_reset_allowed;
}
// Generate something random for a password reset key.
@ -5037,3 +5023,35 @@ function wp_register_persisted_preferences_meta() {
function wp_cache_set_users_last_changed() {
wp_cache_set_last_changed( 'users' );
}
/**
* Checks if password reset is allowed for a specific user.
*
* @since 6.3.0
*
* @param int|WP_User $user The user to check.
* @return bool|WP_Error True if allowed, false or WP_Error otherwise.
*/
function wp_is_password_reset_allowed_for_user( $user ) {
if ( ! is_object( $user ) ) {
$user = get_userdata( $user );
}
if ( ! $user || ! $user->exists() ) {
return false;
}
$allow = true;
if ( is_multisite() && is_user_spammy( $user ) ) {
$allow = false;
}
/**
* Filters whether to allow a password to be reset.
*
* @since 2.7.0
*
* @param bool $allow Whether to allow the password to be reset. Default true.
* @param int $user_id The ID of the user attempting to reset a password.
*/
return apply_filters( 'allow_password_reset', $allow, $user->ID );
}

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.3-beta3-56149';
$wp_version = '6.3-beta3-56150';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.