Commit Graph

128 Commits

Author SHA1 Message Date
John Blackbourn f345c93563 Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
Merges [42258] to the 4.2 branch.

Built from https://develop.svn.wordpress.org/branches/4.2@42292


git-svn-id: http://core.svn.wordpress.org/branches/4.2@42121 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:33:25 +00:00
Dominik Schilling 64fc7294b6 Use HTTPS URLs for codex.wordpress.org.
see #27115.
Built from https://develop.svn.wordpress.org/trunk@32116


git-svn-id: http://core.svn.wordpress.org/trunk@32095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-12 21:29:32 +00:00
Helen Hou-Sandí d85f8fe326 Admin notices: Make (most) core notices dismissible.
These no longer return upon refreshing the page when JS is on and working, so users should be able to dismiss them. This is particularly important on the post edit screen when DFW is triggered, but pretty much all notices can be dismissed if needed. A post on Make/Core will follow with information on how this can be leveraged in plugins.

props valendesigns, afercia, paulwilde, adamsilverstein, helen.
fixes #31233. see #23367.

Built from https://develop.svn.wordpress.org/trunk@31973


git-svn-id: http://core.svn.wordpress.org/trunk@31952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-01 22:06:28 +00:00
Sergey Biryukov 2c98f83b70 Remove duplicate label on Add New User screen.
props abhishekfdd.
fixes #31131.
Built from https://develop.svn.wordpress.org/trunk@31777


git-svn-id: http://core.svn.wordpress.org/trunk@31757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-14 01:04:27 +00:00
Dominik Schilling 72229b25c8 Add New User: Remove trailing whitespace from button labels.
fixes #31175.
Built from https://develop.svn.wordpress.org/trunk@31298


git-svn-id: http://core.svn.wordpress.org/trunk@31279 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-29 14:54:21 +00:00
Scott Taylor 7f8b548df1 In HTML5, the `action` attribute is no longer required. Remove this attribute when empty.
The admin HTML is served with the HTML5 doctype.

"The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces." 
http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fs-action

Props voldemortensen.
Fixes #30126.

Built from https://develop.svn.wordpress.org/trunk@31200


git-svn-id: http://core.svn.wordpress.org/trunk@31181 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 04:16:24 +00:00
Andrew Nacin 741e0ec6de No need for wp_get_password_hint() to be prefixed as if it is private.
see #21243.

Built from https://develop.svn.wordpress.org/trunk@30855


git-svn-id: http://core.svn.wordpress.org/trunk@30845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-15 08:34:23 +00:00
John Blackbourn bdd00b3902 Improve various hook and filter docs so they are correctly parsed for the code reference.
Fixes #30558
Props DrewAPicture

Built from https://develop.svn.wordpress.org/trunk@30754


git-svn-id: http://core.svn.wordpress.org/trunk@30744 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-06 21:32:24 +00:00
John Blackbourn d88ed475b0 Switch to a `403` response code in places where it is more appropriate than a `500` due to permissions errors.
Fixes #10551
Props nacin

Built from https://develop.svn.wordpress.org/trunk@30356


git-svn-id: http://core.svn.wordpress.org/trunk@30355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-16 06:16:22 +00:00
John Blackbourn b1ba80de87 Rename `_wp_password_hint()` to `_wp_get_password_hint()` to bring it in line with core terminology. Fixes #21243.
Built from https://develop.svn.wordpress.org/trunk@30033


git-svn-id: http://core.svn.wordpress.org/trunk@30033 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-26 23:30:18 +00:00
Jeremy Felt fd149bb220 Deprecate admin_created_user_subject()
When `admin_created_user_subject()` was merged from MU, the accompanying filter was left behind. As it has never been used by WordPress core, and is not an otherwise useful function, it can be deprecated.

Fixes #29915

Built from https://develop.svn.wordpress.org/trunk@30005


git-svn-id: http://core.svn.wordpress.org/trunk@30005 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-24 04:49:20 +00:00
Boone Gorges 24babfddb3 Allow apostrophes in email addresses when adding users via the Dashboard.
Email addresses entered in a number of interfaces were not being stripslashed
properly, with the result that the emails were not being recognized as valid.

Fixes #18039.
Built from https://develop.svn.wordpress.org/trunk@29966


git-svn-id: http://core.svn.wordpress.org/trunk@29713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-19 20:30:19 +00:00
Sergey Biryukov 0eb758720a Move password hint text to a function. Add 'password_hint' filter.
props convissor.
fixes #21243.
Built from https://develop.svn.wordpress.org/trunk@29962


git-svn-id: http://core.svn.wordpress.org/trunk@29709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-18 20:21:18 +00:00
Jeremy Felt 3a8676278d Do not send a welcome notification when noconfirmation has been flagged
When adding a new user to a site on the network, 2 emails are sent out - one for confirmation and one as a welcome. If the option for no confirmation is selected, neither should send.

props transom
Fixes #16235

Built from https://develop.svn.wordpress.org/trunk@29880


git-svn-id: http://core.svn.wordpress.org/trunk@29637 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-12 01:11:18 +00:00
Sergey Biryukov c4fce2f163 Reverse the order of roles in help text on Add New User screen to match [25695].
fixes #28914.
Built from https://develop.svn.wordpress.org/trunk@29233


git-svn-id: http://core.svn.wordpress.org/trunk@29017 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-18 23:48:15 +00:00
John Blackbourn be12ea968a Implement email and url input types where appropriate. Props Kau-Boy. Fixes #22183.
Built from https://develop.svn.wordpress.org/trunk@29030


git-svn-id: http://core.svn.wordpress.org/trunk@28818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-08 17:52:14 +00:00
Sergey Biryukov 4a11203b06 Clarify a string on Add New User screen.
props vancoder, collinsinternet.
fixes #27398.
Built from https://develop.svn.wordpress.org/trunk@29009


git-svn-id: http://core.svn.wordpress.org/trunk@28797 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-07 00:54:14 +00:00
Scott Taylor 9a286d75fd Don't use variable variables in `user-new.php`. Test by causing errors when creating a new user.
See #27881.

Built from https://develop.svn.wordpress.org/trunk@28745


git-svn-id: http://core.svn.wordpress.org/trunk@28559 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-11 19:54:13 +00:00
Sergey Biryukov df597224e5 Add paragraph tags to 'Add Existing User' section on 'Add New User' screen in multisite.
props jkudish, topher1kenobe.
fixes #20271.
Built from https://develop.svn.wordpress.org/trunk@28642


git-svn-id: http://core.svn.wordpress.org/trunk@28460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-30 21:51:14 +00:00
Andrew Nacin 5851e00b93 Add a value to the password checkbox when creating a new user so the toggle is remembered.
props chriseverson, SergeyBiryukov.
fixes #27006.

Built from https://develop.svn.wordpress.org/trunk@27838


git-svn-id: http://core.svn.wordpress.org/trunk@27672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-29 06:23:17 +00:00
Andrew Nacin c3ca81ba94 Always decode special characters for email subjects.
props tlovett1, jeremyfelt.
fixes #25346.

Built from https://develop.svn.wordpress.org/trunk@27801


git-svn-id: http://core.svn.wordpress.org/trunk@27636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-28 02:44:15 +00:00
Andrew Nacin dce0b9adea Use SSL when linking to WordPress.org. see #27115.
Built from https://develop.svn.wordpress.org/trunk@27469


git-svn-id: http://core.svn.wordpress.org/trunk@27314 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-08 04:14:15 +00:00
Sergey Biryukov 5d3e652c23 Add Oxford comma to password hint.
props trepmal.
fixes #26457.
Built from https://develop.svn.wordpress.org/trunk@27246


git-svn-id: http://core.svn.wordpress.org/trunk@27103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-24 23:31:15 +00:00
Andrew Ozz 8d6059b383 Remove all screen_icon() calls and deprecate the functions, props TobiasBg, fixes #26119
Built from https://develop.svn.wordpress.org/trunk@26518


git-svn-id: http://core.svn.wordpress.org/trunk@26411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-02 03:53:11 +00:00
Drew Jaynes ee8aa9ee4c Inline documentation for hooks in wp-admin/user-new.php & wp-admin/user-edit.php.
Also fixes one parameter type in wp-includes/user.php.

Fixes #25726.

Built from https://develop.svn.wordpress.org/trunk@26493


git-svn-id: http://core.svn.wordpress.org/trunk@26387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-01 01:35:10 +00:00
Andrew Nacin 70fd806759 Revert r25824:25875 from the core.svn.wordpress.org repository.
These commits were accidentally re-synced commits from develop.svn.wordpress.org due to a race condition. Thankfully, the history of this repository matters fairly little. It also happened only for trunk.


git-svn-id: http://core.svn.wordpress.org/trunk@25876 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-25 02:29:52 +00:00
Andrew Nacin 5361a8abca Spell out duplicate hook locations.
props DrewAPicture.
fixes #25658.

Built from https://develop.svn.wordpress.org/trunk@25868


git-svn-id: http://core.svn.wordpress.org/trunk@25868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:59:20 +00:00
Andrew Nacin 8ae8e01b67 Remove the old wp_auto_updates_maybe_update cron event. Schedule the new wp_maybe_auto_update event at 7 a.m. and 7 p.m. in the site's timezone.
see #27704.

Built from https://develop.svn.wordpress.org/trunk@25825


git-svn-id: http://core.svn.wordpress.org/trunk@25825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:53:14 +00:00
Ryan Boren b87d4b77e5 Pinking shears
Built from https://develop.svn.wordpress.org/trunk@25880


git-svn-id: http://core.svn.wordpress.org/trunk@25792 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-23 14:38:10 +00:00
Andrew Nacin 74488bdcb0 Spell out duplicate hook locations.
props DrewAPicture.
fixes #25658.

Built from https://develop.svn.wordpress.org/trunk@25868


git-svn-id: http://core.svn.wordpress.org/trunk@25780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-22 17:22:11 +00:00
Helen Hou-Sandí 6cee949cab Add a `user_new_form` hook, with context. props johnjamesjacoby, strangerstudios, jeremyfelt, DrewAPicture. fixes #18709.
Built from https://develop.svn.wordpress.org/trunk@25629


git-svn-id: http://core.svn.wordpress.org/trunk@25546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-26 01:48:10 +00:00
Andrew Nacin fd57b239d2 Don't rely on include_path to include files.
Always use dirname() or, once available, ABSPATH.

props ketwaroo, hakre.
fixes #17092.

Built from https://develop.svn.wordpress.org/trunk@25616


git-svn-id: http://core.svn.wordpress.org/trunk@25533 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-25 00:18:11 +00:00
Sergey Biryukov 637fa4f1af Inline documentation for hooks in wp-admin/user-new.php.
props bftrick.
see #25229.
Built from https://develop.svn.wordpress.org/trunk@25470


git-svn-id: http://core.svn.wordpress.org/trunk@25391 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-17 08:33:10 +00:00
Ryan Boren dd7a9120df Bestow sentience upon users. Level up their pronoun.
Props johnbillion
fixes #24513


git-svn-id: http://core.svn.wordpress.org/trunk@24992 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-06 16:04:07 +00:00
Mark Jaquith bd94dc655c Combat Chrome's insanely aggressive user/pass autofilling ಠ_ಠ
Chrome now ignores `autocomplete="off"` in <input>, so this hack uses
a hidden, non-named, non-empty input, right before the password field.

see #24364. props azaozz, nacin, bobbingwide, aaroncampbell.

git-svn-id: http://core.svn.wordpress.org/trunk@24552 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-03 21:24:02 +00:00
Mark Jaquith 5b8aad1039 Rejigger some whitespace in anticipation of a fix for #24364.
see #24364

git-svn-id: http://core.svn.wordpress.org/trunk@24551 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-03 21:23:55 +00:00
Dominik Schilling 2446c80c49 Add a label to the second password field on User New and User Edit screen. props MikeHansenMe. fixes #20294.
git-svn-id: http://core.svn.wordpress.org/trunk@24531 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-30 11:13:34 +00:00
Andrew Nacin cfa947193f Revert [24291] pending further discussion and sleuthing. see #24364.
git-svn-id: http://core.svn.wordpress.org/trunk@24317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-22 18:37:43 +00:00
Andrew Ozz dbda48bd2a Fix Chrome disregarding autocomplete="off" for password fields. Add autocomplete="off" to forms where the users can choose new password. Fixes #24364.
git-svn-id: http://core.svn.wordpress.org/trunk@24291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-18 22:56:21 +00:00
Sergey Biryukov 4471620636 Fix copy/paste error in user-new.php. props tivnet. fixes #24022.
git-svn-id: http://core.svn.wordpress.org/trunk@23950 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-10 16:13:59 +00:00
Ryan Boren 15a06a35ab Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #WP21767


git-svn-id: http://core.svn.wordpress.org/trunk@23591 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-03 16:30:38 +00:00
Ryan Boren 43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Ryan Boren cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_update_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes is no longer necessary.

Introduce wp_unslash() and use it to remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Sergey Biryukov 08269aa6b0 Remove unused error string. props pavelevap. fixes #22107.
git-svn-id: http://core.svn.wordpress.org/trunk@23412 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 05:36:28 +00:00
Andrew Ozz cbd737470c Kill use of colons in class names, props SergeyBiryukov, fixes #21152
git-svn-id: http://core.svn.wordpress.org/trunk@22396 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-06 01:01:52 +00:00
ryan 104b50cf58 s/newuserconfimation/newuserconfirmation/
Props Jayjdk, lesteph
fixes #21415


git-svn-id: http://core.svn.wordpress.org/trunk@21362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-30 16:13:18 +00:00
ryan 5ac8a32840 Translate role names in the new user notification email. Props obenland. fixes #20764
git-svn-id: http://core.svn.wordpress.org/trunk@21316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-24 17:32:40 +00:00
nacin 3ebea2f218 Remove user/site suggestions (autocompletion) from search inputs, as the UX isn't proper.
 * Removes all instances of site-search, so away it goes. Sidesteps a number of bugs with site-search.
 * Renames user-search to user-suggest, which means it better describes the current behavior (autocompletion) while allowing for future behavior (instant search).
 * Ties user suggestions to a single .wp-suggest-user class.

with help from markjaquith, helenyhou, wonderboymusic. 
fixes #20835.



git-svn-id: http://core.svn.wordpress.org/trunk@21003 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-05 18:51:33 +00:00
nacin 4ffc5dd0f4 After adding a user, take them back to users.php with an 'Edit user' link in the message.
This removes the (possibly ineffective) search from the redirect, as well as the URL hash that will get covered up by the toolbar.

fixes #19470. props merty and SergeyBiryukov for initial patches.



git-svn-id: http://svn.automattic.com/wordpress/trunk@20631 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-27 23:13:39 +00:00
nacin 81407efd05 Clean up cap checks for autocompletes for sites and users in a network. see #19810.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20332 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-03-30 21:04:48 +00:00