

Changeset 12679


Timestamp:
07/04/2020 01:29:50 PM (4 years ago)
Author:
imath
Message:

BP Members: improve our password validation process

We're introducing a new function to validate the member's chosen password: bp_members_validate_user_password().

This function is primarily used to check that the password is not empty and that the password confirmation matches the password. If that is the case, the function returns a WP_Error object with no error message; otherwise the object contains an error message.

Plugins can now use the bp_members_validate_user_password filter to add their own error messages according to a custom validation process. See the last unit tests of this commit for an example of use.

Props devnik, tharsheblows

Fixes #8066

Location:
trunk
Files:
4 edited

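--- a/trunk/src/bp-members/bp-members-functions.php
+++ b/trunk/src/bp-members/bp-members-functions.php
@@ -1770,4 +1770,38 @@
 
 /**
+ * Validate a user password.
+ *
+ * @since 7.0.0
+ *
+ * @param string       $pass         The password.
+ * @param string       $confirm_pass The confirmed password.
+ * @param null|WP_User $userdata     Null or the userdata object when a member updates their password from front-end.
+ * @return WP_Error A WP error object possibly containing error messages.
+ */
+function bp_members_validate_user_password( $pass, $confirm_pass, $userdata = null ) {
+    $errors = new WP_Error();
+
+    if ( ! $pass || ! $confirm_pass ) {
+        $errors->add( 'missing_user_password', __( 'Please make sure you enter your password twice', 'buddypress' ) );
+    }
+
+    if ( $pass && $confirm_pass && $pass !== $confirm_pass ) {
+        $errors->add( 'mismatching_user_password', __( 'The passwords you entered do not match.', 'buddypress' ) );
+    }
+
+    /**
+     * Filter here to add password validation errors.
+     *
+     * @since 7.0.0
+     *
+     * @param WP_Error     $errors       Password validation errors.
+     * @param string       $pass         The password.
+     * @param string       $confirm_pass The confirmed password.
+     * @param null|WP_User $userdata     Null or the userdata object when a member updates their password from front-end.
+     */
+    return apply_filters( 'bp_members_validate_user_password', $errors, $pass, $confirm_pass, $userdata );
+}
+
+/**
  * Validate blog URL and title provided at signup.
  *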
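Review bot: The emptiness test at new line 1784, `if ( ! $pass || ! $confirm_pass )`, relies on PHP truthiness, so the string '0' is reported as a missing password, and a non-string value (request parameters can arrive as arrays) passes through to the `!==` comparison and then to the settings caller in this changeset, which assigns the raw value to `$update_user->user_pass`. Checking the type first makes the `@param string` contract in the docblock actually hold: `if ( ! is_string( $pass ) || ! is_string( $confirm_pass ) || '' === $pass || '' === $confirm_pass )`. The function itself only defines what a validation error looks like and leaves strength rules to the `bp_members_validate_user_password` filter; one sentence saying so in the docblock would stop callers from assuming a minimum length is enforced here.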
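--- a/trunk/src/bp-members/screens/register.php
+++ b/trunk/src/bp-members/screens/register.php
@@ -60,17 +60,29 @@
 
         // If there are errors with account details, set them for display.
-        if ( !empty( $account_details['errors']->errors['user_name'] ) )
+        if ( ! empty( $account_details['errors']->errors['user_name'] ) ) {
             $bp->signup->errors['signup_username'] = $account_details['errors']->errors['user_name'][0];
-
-        if ( !empty( $account_details['errors']->errors['user_email'] ) )
+        }
+
+        if ( ! empty( $account_details['errors']->errors['user_email'] ) ) {
             $bp->signup->errors['signup_email'] = $account_details['errors']->errors['user_email'][0];
-
-        // Check that both password fields are filled in.
-        if ( empty( $_POST['signup_password'] ) || empty( $_POST['signup_password_confirm'] ) )
-            $bp->signup->errors['signup_password'] = __( 'Please make sure you enter your password twice', 'buddypress' );
-
-        // Check that the passwords match.
-        if ( ( !empty( $_POST['signup_password'] ) && !empty( $_POST['signup_password_confirm'] ) ) && $_POST['signup_password'] != $_POST['signup_password_confirm'] )
-            $bp->signup->errors['signup_password'] = __( 'The passwords you entered do not match.', 'buddypress' );
+        }
+
+        $signup_pass = '';
+        if ( isset( $_POST['signup_password'] ) ) {
+            $signup_pass = wp_unslash( $_POST['signup_password'] );
+        }
+
+        $signup_pass_confirm = '';
+        if ( isset( $_POST['signup_password_confirm'] ) ) {
+            $signup_pass_confirm = wp_unslash( $_POST['signup_password_confirm'] );
+        }
+
+        // Check the account password for problems.
+        $account_password = bp_members_validate_user_password( $signup_pass, $signup_pass_confirm );
+        $password_error   = $account_password->get_error_message();
+
+        if ( $password_error ) {
+            $bp->signup->errors['signup_password'] = $password_error;
+        }
 
         if ( bp_signup_requires_privacy_policy_acceptance() && ! empty( $_POST['signup-privacy-policy-check'] ) && empty( $_POST['signup-privacy-policy-accept'] ) ) {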
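Review bot: `get_error_message()` at new line 82 returns only the first message on the WP_Error, so when a `bp_members_validate_user_password` filter adds several errors the member sees one of them and the rest are dropped silently. If that is intended, the comment above it should say so (`// Only the first validation message is shown to the member.`); otherwise `implode( ' ', $account_password->get_error_messages() )` would surface all of them. The enclosing function starts and ends outside the hunk.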
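--- a/trunk/src/bp-settings/actions/general.php
+++ b/trunk/src/bp-settings/actions/general.php
@@ -131,21 +131,20 @@
         /* Password Change Attempt ***************************************/
 
-        if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
-
-            if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . wp_unslash( $_POST['pass1'] ), "\\" ) ) {
-
+        if ( ! empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) {
+            $pass         = wp_unslash( $_POST['pass1'] );
+            $pass_confirm = wp_unslash( $_POST['pass2'] );
+            $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
+
+            if ( ! $pass_error->get_error_message() ) {
                 // Password change attempt is successful.
-                if ( ( ! empty( $_POST['pwd'] ) && $_POST['pwd'] != $_POST['pass1'] ) || is_super_admin() )  {
+                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
                     $update_user->user_pass = $_POST['pass1'];
-                    $pass_changed = true;
+                    $pass_error             = false;
+                    $pass_changed           = true;
 
                 // The new password is the same as the current password.
                 } else {
-                    $pass_error = 'same';
+                    $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
                 }
-
-            // Password change attempt was unsuccessful.
-            } else {
-                $pass_error = 'mismatch';
             }
 
@@ -155,5 +154,5 @@
 
         // One of the password boxes was left empty.
-        } elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
-            $pass_error = 'empty';
+        } elseif ( ( empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) || ( ! empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
+            $pass_error = new WP_Error( 'empty_user_password', __( 'One of the password fields was empty.', 'buddypress' ) );
         }
@@ -181,5 +180,5 @@
     // Password Error.
     } else {
-        $pass_error = 'invalid';
+        $pass_error = new WP_Error( 'invalid_user_password', __( 'Your current password is invalid.', 'buddypress' ) );
     }
 
@@ -203,21 +202,6 @@
     }
 
-    // Password feedback.
-    switch ( $pass_error ) {
-        case 'invalid' :
-            $feedback['pass_error']    = __( 'Your current password is invalid.', 'buddypress' );
-            break;
-        case 'mismatch' :
-            $feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddypress' );
-            break;
-        case 'empty' :
-            $feedback['pass_empty']    = __( 'One of the password fields was empty.', 'buddypress' );
-            break;
-        case 'same' :
-            $feedback['pass_same']     = __( 'The new password must be different from the current password.', 'buddypress' );
-            break;
-        case false :
-            // No change.
-            break;
+    if ( is_wp_error( $pass_error ) && $pass_error->get_error_message() ) {
+        $feedback[ $pass_error->get_error_code() ] = $pass_error->get_error_message();
     }
 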
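Review bot: New line 141 still assigns the raw, slashed `$_POST['pass1']` to `$update_user->user_pass` while the comparison on new line 140 and the validator on new line 136 are fed the unslashed `$pass`, and the removed condition on old line 135 that rejected passwords containing a backslash is not carried over anywhere. If the update path hashes the string it is given as-is (which, as far as I know, is exactly why core's edit_user() refuses backslashes), a password with a backslash is stored in its slashed form and fails at the next login. Assigning the value that was actually validated, `$update_user->user_pass = $pass;`, keeps the stored and compared values identical; alternatively reject backslashes in the validator the way the old condition did so behaviour matches core. The enclosing function starts and ends outside the hunks.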
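--- a/trunk/tests/phpunit/testcases/members/functions.php
+++ b/trunk/tests/phpunit/testcases/members/functions.php
@@ -579,4 +579,60 @@
     public function test_wp_registration_url_should_return_bp_register_page_when_register_page_is_configured_properly() {
         $this->assertSame( bp_get_signup_page(), wp_registration_url() );
+    }
+
+    /**
+     * @group bp_members_validate_user_password
+     */
+    public function test_bp_members_validate_user_password() {
+        $validate = bp_members_validate_user_password( 'foobar', 'foobar' );
+
+        $this->assertEmpty( $validate->get_error_message() );
+    }
+
+    /**
+     * @group bp_members_validate_user_password
+     */
+    public function test_bp_members_validate_user_password_missing() {
+        $validate = bp_members_validate_user_password( '', '' );
+
+        $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+
+        $validate = bp_members_validate_user_password( 'foobar', '' );
+
+        $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+
+        $validate = bp_members_validate_user_password( '', 'foobar' );
+
+        $this->assertEquals( 'missing_user_password', $validate->get_error_code() );
+    }
+
+    /**
+     * @group bp_members_validate_user_password
+     */
+    public function test_bp_members_validate_user_password_mismatching() {
+        $validate = bp_members_validate_user_password( 'foobar', 'barfoo' );
+
+        $this->assertEquals( 'mismatching_user_password', $validate->get_error_code() );
+    }
+
+    /**
+     * @group bp_members_validate_user_password
+     */
+    public function test_bp_members_validate_user_password_too_short() {
+        add_filter( 'bp_members_validate_user_password', array( $this, 'filter_bp_members_validate_user_password' ), 10, 2 );
+
+        $validate = bp_members_validate_user_password( 'one', 'one' );
+
+        remove_filter( 'bp_members_validate_user_password', array( $this, 'filter_bp_members_validate_user_password' ), 10, 2 );
+
+        $this->assertEquals( 'too_short_user_password', $validate->get_error_code() );
+    }
+
+    function filter_bp_members_validate_user_password( $errors, $pass ) {
+        if ( 4 > strlen( $pass ) ) {
+            $errors->add( 'too_short_user_password', __( 'Your password is too short.', 'buddypress' ) );
+        }
+
+        return $errors;
     }
 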
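Review bot: `remove_filter()` on new line 626 is passed four arguments but takes only three (hook, callback, priority); the trailing `2` is ignored, so `remove_filter( 'bp_members_validate_user_password', array( $this, 'filter_bp_members_validate_user_password' ), 10 );` is the accurate call. The callback on new line 632 also measures the password with byte-wise `strlen()`, which is fine for a fixture but miscounts multibyte characters if copied into a plugin as the example the commit message points to; `mb_strlen()` or a short comment saying the fixture is deliberately byte-based would prevent that. The enclosing test class starts and ends outside the hunk.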