Commit Graph

154 Commits

Author SHA1 Message Date
John Blackbourn 9352de38ba Hardening: Use a properly generated hash for the `newbloguser` key instead of a determinate substring.
Merges [42258] to the 4.4 branch.

Built from https://develop.svn.wordpress.org/branches/4.4@42284


git-svn-id: http://core.svn.wordpress.org/branches/4.4@42113 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-29 16:28:31 +00:00
Dominik Schilling 9fb5c540bb Users: Allow creating users without sending an email to the new user.
This adds a checkbox to `wp-admin/user-new.php` to prevent sending an email with the username and a password reset link to the new user. Restores the behavior of pre-4.3.

Fixes #33504.
Props tharsheblows, SergeyBiryukov, DrewAPicture, ocean90.
Built from https://develop.svn.wordpress.org/trunk@35742


git-svn-id: http://core.svn.wordpress.org/trunk@35706 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-25 22:38:29 +00:00
Scott Taylor 0d8a80b14c Profile: on `user-new.php`, don't allow the password fields to be hidden. When hidden, you can't add a user.
Props coffee2code.
Fixes #15115.

Built from https://develop.svn.wordpress.org/trunk@34582


git-svn-id: http://core.svn.wordpress.org/trunk@34546 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-26 06:15:26 +00:00
Helen Hou-Sandí 48befcf361 Superglobals: Revert [34059] until further notice.
see #33837.

Built from https://develop.svn.wordpress.org/trunk@34265


git-svn-id: http://core.svn.wordpress.org/trunk@34229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-17 12:33:26 +00:00
Boone Gorges a7e229637e Improve validation of `user_login` and `user_nicename` length.
The `user_login` field only allows 60 characters, and `user_nicename` allows
50. However, there are no protections in the interface, and few in the code,
that prevent the creation of users with values in excess of these limits. Prior
to recent changes in `$wpdb`, users were generally created anyway, MySQL
having performed the necessary truncation. More recently, the `INSERT`s and
`UPDATE`s simply fail, with no real feedback on the nature of the failure.

This changeset addresses the issue in a number of ways:
* On the user-new.php and network/user-new.php panels, don't allow input in excess of the maximum field length.
* In `wp_insert_user()`, throw an error if the value provided for `'user_login'` or `'user_nicename'` exceeds the maximum field length.
* In `wp_insert_user()`, when using `'user_login'` to generate a default value for `'user_nicename'`, ensure that the nicename is properly truncated, even when suffixed for uniqueness (username-2, etc).

Props dipesh.kakadiya, utkarshpatel, tommarshall, boonebgorges.
Fixes #33793.
Built from https://develop.svn.wordpress.org/trunk@34218


git-svn-id: http://core.svn.wordpress.org/trunk@34182 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 22:14:26 +00:00
Scott Taylor cd7c0f0b0d Introduce `wp_validate_action( $action = '' )`, a helper function that checks `$_REQUEST` for `action` and returns it, or empty string if not present. If `$action` is passed, it checks to make sure they match before returning it, or an empty string. Strings are always returned to avoid returning multiple types.
Implementing this removes 27 uses of direct superglobal access in the admin.

For more reading:
https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php

See #33837.

Built from https://develop.svn.wordpress.org/trunk@34059


git-svn-id: http://core.svn.wordpress.org/trunk@34027 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 21:08:26 +00:00
Scott Taylor a40e30e7f4 Move 2 ad hoc user admin functions:
* Move `use_ssl_preference()` from `wp-admin/user-edit.php` to `wp-admin/includes/user.php`.
* Move `admin_created_user_email()` from `wp-admin/user-new.php` to `wp-admin/includes/user.php`.

See #33813.

Built from https://develop.svn.wordpress.org/trunk@34021


git-svn-id: http://core.svn.wordpress.org/trunk@33990 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-10 21:33:33 +00:00
Jeremy Felt d1f818a61d Multisite: Allow users with `manage_network_users` to edit network users.
Other users in a network can now be given capabilities to manage users without also having global super admin privileges.

* Users with `manage_network_users` can not edit super admins.
* Users with `manage_network_users` can not promote users to super admin.
* Uses of `is_super_admin()` in `user-new.php` are now updated to `manage_network_users`.

Props daniellandau, chriscct7.
Fixes #16860.

Built from https://develop.svn.wordpress.org/trunk@33988


git-svn-id: http://core.svn.wordpress.org/trunk@33957 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-10 03:34:23 +00:00
Andrea Fercia a49f9ef68f Bump H3 headings to H2 on the Network Add New User screen for better accessibility.
Props Cheffheid.
Fixes #33605.
Built from https://develop.svn.wordpress.org/trunk@33945


git-svn-id: http://core.svn.wordpress.org/trunk@33914 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-07 16:03:25 +00:00
Sergey Biryukov b4fbbf53cf Provide more helpful feedback than just "Cheatin' uh?" for permission errors in `wp-admin/user-new.php`.
props ericlewis, kraftbj, lukecarbis, mrmist.
fixes #33678. see #14530.
Built from https://develop.svn.wordpress.org/trunk@33884


git-svn-id: http://core.svn.wordpress.org/trunk@33853 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-03 08:46:52 +00:00
Helen Hou-Sandí 1f500055a6 Drop the hyphen from e-mail and standardize on email.
The AP Stylebook changed this in 2011, and we're woefully inconsistent, so let's go with the standard.

props morganestes, voldemortensen, niallkennedy (for patching on the previous AP style).
fixes #26156.

Built from https://develop.svn.wordpress.org/trunk@33774


git-svn-id: http://core.svn.wordpress.org/trunk@33742 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-28 03:17:21 +00:00
Sergey Biryukov 85d3345e05 Multisite: Add `'invite_user'` action that fires immediately after a user is invited to join a site, but before the notification is sent.
props ebinnion, MikeHansenMe, DrewAPicture.
fixes #33008.
Built from https://develop.svn.wordpress.org/trunk@33732


git-svn-id: http://core.svn.wordpress.org/trunk@33700 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 17:48:21 +00:00
Scott Taylor d92795db13 Passwords UI: clean up the new JS in `wp-admin/js/user-profile.js`.
Instead of wrapping `#pass1` in a `<span>` dynamically, add the `<span>` to the HTML in PHP. It currently has no styling.

Fixes #33145.

Built from https://develop.svn.wordpress.org/trunk@33450


git-svn-id: http://core.svn.wordpress.org/trunk@33417 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-27 21:25:25 +00:00
Mark Jaquith 5abcb6938c Toggle between dashicons-hidden and dashicons-visibility in the password hide/show button.
fixes #33135
Built from https://develop.svn.wordpress.org/trunk@33438


git-svn-id: http://core.svn.wordpress.org/trunk@33405 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-27 03:13:24 +00:00
Sergey Biryukov bd0f6a2132 Remove unused `pw-weak` ID attributes.
see #33077.
Built from https://develop.svn.wordpress.org/trunk@33419


git-svn-id: http://core.svn.wordpress.org/trunk@33387 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-26 00:58:24 +00:00
Mark Jaquith 1ef40251b9 Introduce a Cancel button and onUnload warning for password changes.
fixes #33079
props johnjamesjacoby
Built from https://develop.svn.wordpress.org/trunk@33364


git-svn-id: http://core.svn.wordpress.org/trunk@33336 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 18:36:24 +00:00
Mark Jaquith f08f12f7cc Fix up and normalize pw_weak/pw-weak IDs and labels.
props johnjamesjacoby
fixes #33077
Built from https://develop.svn.wordpress.org/trunk@33363


git-svn-id: http://core.svn.wordpress.org/trunk@33335 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 17:24:24 +00:00
Konstantin Obenland 45bfab3aa8 Passwords: Add password strength meter feedback for screen readers.
Also gives context to the show/hide button.

Props rianrietveld, afercia.
Fixes #33032.


Built from https://develop.svn.wordpress.org/trunk@33353


git-svn-id: http://core.svn.wordpress.org/trunk@33325 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-22 00:15:25 +00:00
Konstantin Obenland e4305c7b28 Passwords: Make show/hide toggle translatable.
See #32589.

Built from https://develop.svn.wordpress.org/trunk@33249


git-svn-id: http://core.svn.wordpress.org/trunk@33221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 22:35:24 +00:00
Konstantin Obenland 7e3f0cf45e Passwords: New UI for install screen.
Also synchronises the use of `pw_weak` as an input name and removes trailing
periods from checkbox labels.

Props MikeHansenMe, adamsilverstein, obenland.
See #32589.


Built from https://develop.svn.wordpress.org/trunk@33246


git-svn-id: http://core.svn.wordpress.org/trunk@33218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 22:22:24 +00:00
Konstantin Obenland d932607416 Passwords: Add trailing periods in new strings.
Props akibjorklund.
See #32589.


Built from https://develop.svn.wordpress.org/trunk@33208


git-svn-id: http://core.svn.wordpress.org/trunk@33180 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 18:30:24 +00:00
Jeremy Felt 0dbe4d6c95 Set autocapitalize to none, autocorrect to off for new username inputs on iOS.
This corrects both the standard wp-admin new user form and the network new user form.

Props @brad2dabone, @sunnnyratilal.
Fixes #32644.

Built from https://develop.svn.wordpress.org/trunk@33160


git-svn-id: http://core.svn.wordpress.org/trunk@33132 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-11 02:35:24 +00:00
Dominik Schilling 73d57e6c86 Add/Edit User: Move weak password label to the checkbox.
props paulwilde.
fixes #32908.
Built from https://develop.svn.wordpress.org/trunk@33137


git-svn-id: http://core.svn.wordpress.org/trunk@33108 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-08 21:28:25 +00:00
Mark Jaquith 504101460f Slow down on calling zxcvbn if it isn't loaded.
see #32589
Built from https://develop.svn.wordpress.org/trunk@33033


git-svn-id: http://core.svn.wordpress.org/trunk@33004 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-01 18:13:24 +00:00
Mark Jaquith 423a1a7ca4 New password change/set UI.
* Generate the password for the user
* More tightly integrate password strength meter
* Warn on weak passwords

see #32589

props MikeHansenMe, adamsilverstein, binarykitten
Built from https://develop.svn.wordpress.org/trunk@33023


git-svn-id: http://core.svn.wordpress.org/trunk@32994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-01 14:48:24 +00:00
Konstantin Obenland 7dc1d06e64 Proper heading for admin screens.
First step towards restoring a good heading structure in wp-admin.
The previous `<h1>` contained the site title and a link to the front page and was removed with the toolbar refactoring in 3.2.

Props joedolson, afercia.
Fixes #31650.


Built from https://develop.svn.wordpress.org/trunk@32974


git-svn-id: http://core.svn.wordpress.org/trunk@32945 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-27 15:41:25 +00:00
Scott Taylor c6a4512b1b Add missing doc blocks to `wp-admin/includes/*`.
Fix some egregious uses of tabbing.
Some functions can simply return `apply_filters(...)` instead of setting a variable that is immediately returned.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32654


git-svn-id: http://core.svn.wordpress.org/trunk@32624 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-29 20:17:26 +00:00
Dominik Schilling 64fc7294b6 Use HTTPS URLs for codex.wordpress.org.
see #27115.
Built from https://develop.svn.wordpress.org/trunk@32116


git-svn-id: http://core.svn.wordpress.org/trunk@32095 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-12 21:29:32 +00:00
Helen Hou-Sandí d85f8fe326 Admin notices: Make (most) core notices dismissible.
These no longer return upon refreshing the page when JS is on and working, so users should be able to dismiss them. This is particularly important on the post edit screen when DFW is triggered, but pretty much all notices can be dismissed if needed. A post on Make/Core will follow with information on how this can be leveraged in plugins.

props valendesigns, afercia, paulwilde, adamsilverstein, helen.
fixes #31233. see #23367.

Built from https://develop.svn.wordpress.org/trunk@31973


git-svn-id: http://core.svn.wordpress.org/trunk@31952 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-04-01 22:06:28 +00:00
Sergey Biryukov 2c98f83b70 Remove duplicate label on Add New User screen.
props abhishekfdd.
fixes #31131.
Built from https://develop.svn.wordpress.org/trunk@31777


git-svn-id: http://core.svn.wordpress.org/trunk@31757 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-03-14 01:04:27 +00:00
Dominik Schilling 72229b25c8 Add New User: Remove trailing whitespace from button labels.
fixes #31175.
Built from https://develop.svn.wordpress.org/trunk@31298


git-svn-id: http://core.svn.wordpress.org/trunk@31279 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-29 14:54:21 +00:00
Scott Taylor 7f8b548df1 In HTML5, the `action` attribute is no longer required. Remove this attribute when empty.
The admin HTML is served with the HTML5 doctype.

"The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces." 
http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fs-action

Props voldemortensen.
Fixes #30126.

Built from https://develop.svn.wordpress.org/trunk@31200


git-svn-id: http://core.svn.wordpress.org/trunk@31181 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-01-16 04:16:24 +00:00
Andrew Nacin 741e0ec6de No need for wp_get_password_hint() to be prefixed as if it is private.
see #21243.

Built from https://develop.svn.wordpress.org/trunk@30855


git-svn-id: http://core.svn.wordpress.org/trunk@30845 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-15 08:34:23 +00:00
John Blackbourn bdd00b3902 Improve various hook and filter docs so they are correctly parsed for the code reference.
Fixes #30558
Props DrewAPicture

Built from https://develop.svn.wordpress.org/trunk@30754


git-svn-id: http://core.svn.wordpress.org/trunk@30744 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-12-06 21:32:24 +00:00
John Blackbourn d88ed475b0 Switch to a `403` response code in places where it is more appropriate than a `500` due to permissions errors.
Fixes #10551
Props nacin

Built from https://develop.svn.wordpress.org/trunk@30356


git-svn-id: http://core.svn.wordpress.org/trunk@30355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-16 06:16:22 +00:00
John Blackbourn b1ba80de87 Rename `_wp_password_hint()` to `_wp_get_password_hint()` to bring it in line with core terminology. Fixes #21243.
Built from https://develop.svn.wordpress.org/trunk@30033


git-svn-id: http://core.svn.wordpress.org/trunk@30033 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-26 23:30:18 +00:00
Jeremy Felt fd149bb220 Deprecate admin_created_user_subject()
When `admin_created_user_subject()` was merged from MU, the accompanying filter was left behind. As it has never been used by WordPress core, and is not an otherwise useful function, it can be deprecated.

Fixes #29915

Built from https://develop.svn.wordpress.org/trunk@30005


git-svn-id: http://core.svn.wordpress.org/trunk@30005 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-24 04:49:20 +00:00
Boone Gorges 24babfddb3 Allow apostrophes in email addresses when adding users via the Dashboard.
Email addresses entered in a number of interfaces were not being stripslashed
properly, with the result that the emails were not being recognized as valid.

Fixes #18039.
Built from https://develop.svn.wordpress.org/trunk@29966


git-svn-id: http://core.svn.wordpress.org/trunk@29713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-19 20:30:19 +00:00
Sergey Biryukov 0eb758720a Move password hint text to a function. Add 'password_hint' filter.
props convissor.
fixes #21243.
Built from https://develop.svn.wordpress.org/trunk@29962


git-svn-id: http://core.svn.wordpress.org/trunk@29709 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-18 20:21:18 +00:00
Jeremy Felt 3a8676278d Do not send a welcome notification when noconfirmation has been flagged
When adding a new user to a site on the network, 2 emails are sent out - one for confirmation and one as a welcome. If the option for no confirmation is selected, neither should send.

props transom
Fixes #16235

Built from https://develop.svn.wordpress.org/trunk@29880


git-svn-id: http://core.svn.wordpress.org/trunk@29637 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-10-12 01:11:18 +00:00
Sergey Biryukov c4fce2f163 Reverse the order of roles in help text on Add New User screen to match [25695].
fixes #28914.
Built from https://develop.svn.wordpress.org/trunk@29233


git-svn-id: http://core.svn.wordpress.org/trunk@29017 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-18 23:48:15 +00:00
John Blackbourn be12ea968a Implement email and url input types where appropriate. Props Kau-Boy. Fixes #22183.
Built from https://develop.svn.wordpress.org/trunk@29030


git-svn-id: http://core.svn.wordpress.org/trunk@28818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-08 17:52:14 +00:00
Sergey Biryukov 4a11203b06 Clarify a string on Add New User screen.
props vancoder, collinsinternet.
fixes #27398.
Built from https://develop.svn.wordpress.org/trunk@29009


git-svn-id: http://core.svn.wordpress.org/trunk@28797 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-07-07 00:54:14 +00:00
Scott Taylor 9a286d75fd Don't use variable variables in `user-new.php`. Test by causing errors when creating a new user.
See #27881.

Built from https://develop.svn.wordpress.org/trunk@28745


git-svn-id: http://core.svn.wordpress.org/trunk@28559 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-06-11 19:54:13 +00:00
Sergey Biryukov df597224e5 Add paragraph tags to 'Add Existing User' section on 'Add New User' screen in multisite.
props jkudish, topher1kenobe.
fixes #20271.
Built from https://develop.svn.wordpress.org/trunk@28642


git-svn-id: http://core.svn.wordpress.org/trunk@28460 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-30 21:51:14 +00:00
Andrew Nacin 5851e00b93 Add a value to the password checkbox when creating a new user so the toggle is remembered.
props chriseverson, SergeyBiryukov.
fixes #27006.

Built from https://develop.svn.wordpress.org/trunk@27838


git-svn-id: http://core.svn.wordpress.org/trunk@27672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-29 06:23:17 +00:00
Andrew Nacin c3ca81ba94 Always decode special characters for email subjects.
props tlovett1, jeremyfelt.
fixes #25346.

Built from https://develop.svn.wordpress.org/trunk@27801


git-svn-id: http://core.svn.wordpress.org/trunk@27636 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-28 02:44:15 +00:00
Andrew Nacin dce0b9adea Use SSL when linking to WordPress.org. see #27115.
Built from https://develop.svn.wordpress.org/trunk@27469


git-svn-id: http://core.svn.wordpress.org/trunk@27314 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-03-08 04:14:15 +00:00
Sergey Biryukov 5d3e652c23 Add Oxford comma to password hint.
props trepmal.
fixes #26457.
Built from https://develop.svn.wordpress.org/trunk@27246


git-svn-id: http://core.svn.wordpress.org/trunk@27103 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-02-24 23:31:15 +00:00
Andrew Ozz 8d6059b383 Remove all screen_icon() calls and deprecate the functions, props TobiasBg, fixes #26119
Built from https://develop.svn.wordpress.org/trunk@26518


git-svn-id: http://core.svn.wordpress.org/trunk@26411 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-12-02 03:53:11 +00:00