

Changeset 13031


Timestamp:
08/04/2021 08:29:17 PM (3 years ago)
Author:
imath
Message:

Settings: Make sure changing pwd from the General Screen encrypts it

Using a WP_User object to set the password to update was misleading the WordPress wp_update_user() function: the new password was interpreted as the current password and was not encrypted.

Passing a regular array to the wp_update_user() function avoids the risk of messing with WP User object cache.

Props mandro

See #8539 (branch 9.0)

File:
1 edited

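--- a/branches/9.0/src/bp-settings/actions/general.php
+++ b/branches/9.0/src/bp-settings/actions/general.php
@@ -59,9 +59,11 @@
     if ( ( is_super_admin() ) || ( !empty( $_POST['pwd'] ) && wp_check_password( $_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id() ) ) ) {
 
-        $update_user = get_userdata( bp_displayed_user_id() );
+        $update_user = array(
+            'ID' => (int) bp_displayed_user_id(),
+        );
 
         /* Email Change Attempt ******************************************/
 
-        if ( !empty( $_POST['email'] ) ) {
+        if ( ! empty( $_POST['email'] ) ) {
 
             // What is missing from the profile page vs signup -
@@ -71,5 +73,5 @@
 
             // User is changing email address.
-            if ( $old_user_email != $user_email ) {
+            if ( $old_user_email !== $user_email ) {
 
                 // Run some tests on the email address.
@@ -115,5 +117,4 @@
                     // We mark that the change has taken place so as to ensure a
                     // success message, even though verification is still required.
-                    $_POST['email'] = $update_user->user_email;
                     $email_changed = true;
                 }
@@ -139,7 +140,7 @@
                 // Password change attempt is successful.
                 if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
-                    $update_user->user_pass = $_POST['pass1'];
-                    $pass_error             = false;
-                    $pass_changed           = true;
+                    $update_user['user_pass'] = $_POST['pass1'];
+                    $pass_error               = false;
+                    $pass_changed             = true;
 
                 // The new password is the same as the current password.
@@ -158,16 +159,8 @@
         }
 
-        // The structure of the $update_user object changed in WP 3.3, but
-        // wp_update_user() still expects the old format.
-        if ( isset( $update_user->data ) && is_object( $update_user->data ) ) {
-            $update_user = $update_user->data;
-            $update_user = get_object_vars( $update_user );
-
-            // Unset the password field to prevent it from emptying out the
-            // user's user_pass field in the database.
-            // @see wp_update_user().
-            if ( false === $pass_changed ) {
-                unset( $update_user['user_pass'] );
-            }
+        // Unset the password field to prevent it from emptying out the
+        // user's user_pass field in the database.
+        if ( false === $pass_changed ) {
+            unset( $update_user['user_pass'] );
         }
 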
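Review bot: The removed assignment `$_POST['email'] = $update_user->user_email;` (old line 117, email-verification branch) has no replacement on the new side, so the posted but still-unverified address now stays in `$_POST['email']` when the form is re-rendered, whereas before it was reset to the current address; if that reset was dropped only because `$update_user` is no longer a user object rather than on purpose, the same value is available from the user data already loaded on line 59, `$_POST['email'] = $bp->displayed_user->userdata->user_email;`. Separately, with the array form `user_pass` is only ever assigned inside the successful-change branch at new line 142, so the `unset( $update_user['user_pass'] )` guard at new lines 163-164 can no longer find a key to remove; keeping it is harmless, but its comment could say it is a defensive guard so the next reader does not look for a code path that sets the key, e.g. `// Defensive: user_pass is only set when the change above succeeded.`. The enclosing function starts and ends outside this section, so I cannot see whether `$update_user['user_email']` is set elsewhere before wp_update_user() is called.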