Changeset 12679 for trunk/src/bp-settings/actions/general.php

Timestamp:

07/04/2020 01:29:50 PM (6 years ago)

Author:

imath

Message:

BP Members: improve our password validation process

We're introducing a new function to validate the member's chosen password: bp_members_validate_user_password().

This function is primarly used to check the password is not empty, and to make sure the password confirmation matches the password. If it's the case, the function will return a WP_Error object with no error message. Otherwise this object will contain an error message.

Plugins can now use the bp_members_validate_user_password filter to add their own error messages according to a custom validation process. See the last unit tests of this commit for an example of use.

Props devnik, tharsheblows

Fixes #8066

File:

• trunk/src/bp-settings/actions/general.php (modified) (4 diffs)

trunk/src/bp-settings/actions/general.php

@@ -131 +131 @@
         /* Password Change Attempt ***************************************/
 
-        if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
-
-            if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . wp_unslash( $_POST['pass1'] ), "\\" ) ) {
-
+        if ( ! empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) {
+            $pass         = wp_unslash( $_POST['pass1'] );
+            $pass_confirm = wp_unslash( $_POST['pass2'] );
+            $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
+
+            if ( ! $pass_error->get_error_message() ) {
                 // Password change attempt is successful.
-                if ( ( ! empty( $_POST['pwd'] ) && $_POST['pwd'] != $_POST['pass1'] ) || is_super_admin() )  {
+                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
                     $update_user->user_pass = $_POST['pass1'];
-                    $pass_changed = true;
+                    $pass_error             = false;
+                    $pass_changed           = true;
 
                 // The new password is the same as the current password.
                 } else {
-                    $pass_error = 'same';
+                    $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
                 }
-
-            // Password change attempt was unsuccessful.
-            } else {
-                $pass_error = 'mismatch';
             }
 
@@ -155 +154 @@
 
         // One of the password boxes was left empty.
-        } elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
-            $pass_error = 'empty';
+        } elseif ( ( empty( $_POST['pass1'] ) && ! empty( $_POST['pass2'] ) ) || ( ! empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
+            $pass_error = new WP_Error( 'empty_user_password', __( 'One of the password fields was empty.', 'buddypress' ) );
         }
 
@@ -181 +180 @@
     // Password Error.
     } else {
-        $pass_error = 'invalid';
+        $pass_error = new WP_Error( 'invalid_user_password', __( 'Your current password is invalid.', 'buddypress' ) );
     }
 
@@ -203 +202 @@
     }
 
-    // Password feedback.
-    switch ( $pass_error ) {
-        case 'invalid' :
-            $feedback['pass_error']    = __( 'Your current password is invalid.', 'buddypress' );
-            break;
-        case 'mismatch' :
-            $feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddypress' );
-            break;
-        case 'empty' :
-            $feedback['pass_empty']    = __( 'One of the password fields was empty.', 'buddypress' );
-            break;
-        case 'same' :
-            $feedback['pass_same']     = __( 'The new password must be different from the current password.', 'buddypress' );
-            break;
-        case false :
-            // No change.
-            break;
+    if ( is_wp_error( $pass_error ) && $pass_error->get_error_message() ) {
+        $feedback[ $pass_error->get_error_code() ] = $pass_error->get_error_message();
     }