Ticket #8066: 8066.2.patch

src/bp-members/bp-members-functions.php

@@ -1674 +1674 @@
         return apply_filters( 'bp_core_validate_user_signup', $result );
 }
 
+/**
+ * Validate a user password.
+ *
+ * @since 6.0.0
+ *
+ * @param string $pass         The password.
+ * @param string $confirm_pass The confirmed password.
+ * @return WP_Error A WP error object possibly containing error messages.
+ */
+function bp_members_validate_user_password( $pass, $confirm_pass ) {
+        $errors = new WP_Error();
+
+        if ( ! $pass || ! $confirm_pass ) {
+                $errors->add( 'missing_user_password', __( 'Please make sure you enter your password twice', 'buddypress' ) );
+        }
+
+        if ( $pass && $confirm_pass && $pass !== $confirm_pass ) {
+                $errors->add( 'mismatching_user_password', __( 'The passwords you entered do not match.', 'buddypress' ) );
+        }
+
+        /**
+         * Filter here to add password validate steps.
+         *
+         * @since 6.0.0
+         *
+         * @param WP_Error $errors       Password validation errors.
+         * @param string   $pass         The password.
+         * @param string   $confirm_pass The confirmed password.
+         */
+        return apply_filters( 'bp_members_validate_user_password', $errors, $pass, $confirm_pass );
+}
+
 /**
  * Validate blog URL and title provided at signup.
  *

src/bp-members/screens/register.php

@@ -59 +59 @@
                 $account_details = bp_core_validate_user_signup( $_POST['signup_username'], $_POST['signup_email'] );
 
                 // If there are errors with account details, set them for display.
-                if ( !empty( $account_details['errors']->errors['user_name'] ) )
+                if ( ! empty( $account_details['errors']->errors['user_name'] ) ) {
                         $bp->signup->errors['signup_username'] = $account_details['errors']->errors['user_name'][0];
+                }
 
-                if ( !empty( $account_details['errors']->errors['user_email'] ) )
+                if ( ! empty( $account_details['errors']->errors['user_email'] ) ) {
                         $bp->signup->errors['signup_email'] = $account_details['errors']->errors['user_email'][0];
+                }
 
-                // Check that both password fields are filled in.
-                if ( empty( $_POST['signup_password'] ) || empty( $_POST['signup_password_confirm'] ) )
-                        $bp->signup->errors['signup_password'] = __( 'Please make sure you enter your password twice', 'buddypress' );
+                $signup_pass = '';
+                if ( isset( $_POST['signup_password'] ) ) {
+                        $signup_pass = wp_unslash( $_POST['signup_password'] );
+                }
 
-                // Check that the passwords match.
-                if ( ( !empty( $_POST['signup_password'] ) && !empty( $_POST['signup_password_confirm'] ) ) && $_POST['signup_password'] != $_POST['signup_password_confirm'] )
-                        $bp->signup->errors['signup_password'] = __( 'The passwords you entered do not match.', 'buddypress' );
+                $signup_pass_confirm = '';
+                if ( isset( $_POST['signup_password_confirm'] ) ) {
+                        $signup_pass_confirm = wp_unslash( $_POST['signup_password_confirm'] );
+                }
+
+                // Check the account password for problems.
+                $account_password = bp_members_validate_user_password( $signup_pass, $signup_pass_confirm );
+                $password_error   = $account_password->get_error_message();
+
+                if ( $password_error ) {
+                        $bp->signup->errors['signup_password'] = $password_error;
+                }
 
                 if ( bp_signup_requires_privacy_policy_acceptance() && ! empty( $_POST['signup-privacy-policy-check'] ) && empty( $_POST['signup-privacy-policy-accept'] ) ) {
                         $bp->signup->errors['signup_privacy_policy'] = __( 'You must indicate that you have read and agreed to the Privacy Policy.', 'buddypress' );
@@ -237 +249 @@
          */
         bp_core_load_template( apply_filters( 'bp_core_template_register', array( 'register', 'registration/register' ) ) );
 }
-add_action( 'bp_screens', 'bp_core_screen_signup' );
- No newline at end of file
+add_action( 'bp_screens', 'bp_core_screen_signup' );

src/bp-settings/actions/general.php

@@ -130 +130 @@
 
                 /* Password Change Attempt ***************************************/
 
-                if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
-
-                        if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . wp_unslash( $_POST['pass1'] ), "\\" ) ) {
+                if ( ! empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) {
+                        $pass         = wp_unslash( $_POST['pass1'] );
+                        $pass_confirm = wp_unslash( $_POST['pass2'] );
+                        $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm );
 
+                        if ( ! $pass_error->get_error_message() ) {
                                 // Password change attempt is successful.
-                                if ( ( ! empty( $_POST['pwd'] ) && $_POST['pwd'] != $_POST['pass1'] ) || is_super_admin() )  {
+                                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
                                         $update_user->user_pass = $_POST['pass1'];
+                                        $pass_error   = false;
                                         $pass_changed = true;
 
                                 // The new password is the same as the current password.
                                 } else {
-                                        $pass_error = 'same';
+                                        $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
                                 }
-
-                        // Password change attempt was unsuccessful.
-                        } else {
-                                $pass_error = 'mismatch';
                         }
 
                 // Both password fields were empty.
@@ -154 +153 @@
                         $pass_error = false;
 
                 // One of the password boxes was left empty.
-                } elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
-                        $pass_error = 'empty';
+                } elseif ( ( empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) || ( ! empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
+                        $pass_error = new WP_Error( 'empty_user_password', __( 'One of the password fields was empty.', 'buddypress' ) );
                 }
 
                 // The structure of the $update_user object changed in WP 3.3, but
@@ -180 +179 @@
 
         // Password Error.
         } else {
-                $pass_error = 'invalid';
+                $pass_error = new WP_Error( 'invalid_user_password', __( 'Your current password is invalid.', 'buddypress' ) );
         }
 
         // Email feedback.
@@ -202 +201 @@
                         break;
         }
 
-        // Password feedback.
-        switch ( $pass_error ) {
-                case 'invalid' :
-                        $feedback['pass_error']    = __( 'Your current password is invalid.', 'buddypress' );
-                        break;
-                case 'mismatch' :
-                        $feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddypress' );
-                        break;
-                case 'empty' :
-                        $feedback['pass_empty']    = __( 'One of the password fields was empty.', 'buddypress' );
-                        break;
-                case 'same' :
-                        $feedback['pass_same']     = __( 'The new password must be different from the current password.', 'buddypress' );
-                        break;
-                case false :
-                        // No change.
-                        break;
+        if ( is_wp_error( $pass_error ) && $pass_error->get_error_message() ) {
+                $feedback[ $pass_error->get_error_code() ] = $pass_error->get_error_message();
         }
 
         // No errors so show a simple success message.

tests/phpunit/testcases/members/functions.php

@@ -495 +495 @@
                 $this->assertSame( bp_get_signup_page(), wp_registration_url() );
         }
 
+        /**
+         * @group bp_members_validate_user_password
+         */
+        public function test_bp_members_validate_user_password() {
+                $validate = bp_members_validate_user_password( 'foobar', 'foobar' );
+
+                $this->assertEmpty( $validate->get_error_message() );
+        }
+
+        /**
+         * @group bp_members_validate_user_password
+         */
+        public function test_bp_members_validate_user_password_missing() {
+                $validate = bp_members_validate_user_password( '', '' );
+
+                $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+
+                $validate = bp_members_validate_user_password( 'foobar', '' );
+
+                $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+
+                $validate = bp_members_validate_user_password( '', 'foobar' );
+
+                $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+        }
+
+        /**
+         * @group bp_members_validate_user_password
+         */
+        public function test_bp_members_validate_user_password_mismatching() {
+                $validate = bp_members_validate_user_password( 'foobar', 'barfoo' );
+
+                $this->assertEquals( 'mismatching_user_password', $validate->get_error_code() );
+        }
+
         /**
          * @group bp_core_activate_signup
          */