

Changeset 13189


Timestamp:
12/16/2021 06:16:38 PM (3 years ago)
Author:
imath
Message:

Introduce a new constant/filter to enforce strong password in BP areas

You can now use the BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH constant or alternatively the 'bp_members_user_pass_required_strength' filter to force members to use a password satisfying a strength score from 4 (strong) to 1 (weak). For instance use define ( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); to enforce strong passwords.

This setting will only be applied to these 2 BuddyPress specific areas:

  • the registration form,
  • the General User's front-end profile settings tab.

PS: this commit also removes completely the password-verify script from the BP Nouveau Template Pack which was deprecated since BuddyPress 5.0.

Props niftythree, dcavins

Fixes #8589

Location:
trunk/src
Files:
1 deleted
8 edited

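--- a/trunk/src/bp-members/bp-members-functions.php
+++ b/trunk/src/bp-members/bp-members-functions.php
@@ -3764,2 +3764,32 @@
     return is_multisite() && in_array( bp_core_get_root_option( 'registration' ), $matches, true );
 }
+
+/**
+ * Returns the strength score a password needs to have to be used by a member.
+ *
+ * Score => Allowed Strength.
+ * 0     => any passwords.
+ * 1     => at least short passwords.
+ * 2     => at least weak passwords.
+ * 3     => at least good passwords.
+ * 4     => at least strong passwords.
+ *
+ * @since 10.0.0
+ *
+ * @return int the strength score a password needs to have to be used by a member.
+ */
+function bp_members_user_pass_required_strength() {
+    $default_strength = 0;
+    if ( defined( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH' ) && BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH ) {
+        $default_strength = (int) BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH;
+    }
+
+    /**
+     * Filter here to raise the strength score user passwords need to reach to be allowed.
+     *
+     * @since 10.0.0
+     *
+     * @param int $default_strength The strength score user passwords need to reach to be allowed.
+     */
+    return (int) apply_filters( 'bp_members_user_pass_required_strength', $default_strength );
+}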
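Review bot: The value returned at new line 3794 is not constrained to the 0–4 range the docblock at lines 3771–3775 describes, so a constant or filter callback that yields 5 or more makes every password fail the `$required_password_strength > $current_password_strength` comparison in the callers, while the client-side `4 >= requiredStrength` guard silently disables the meter warning for the same value; a negative value is equally undefined. Clamping the filtered result keeps the server and browser consistent: `return min( 4, max( 0, (int) apply_filters( 'bp_members_user_pass_required_strength', $default_strength ) ) );`. The filter docblock should then state that out-of-range values are clamped.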
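--- a/trunk/src/bp-members/screens/register.php
+++ b/trunk/src/bp-members/screens/register.php
@@ -16,6 +16,7 @@
     $bp = buddypress();
 
-    if ( ! bp_is_current_component( 'register' ) || bp_current_action() )
+    if ( ! bp_is_current_component( 'register' ) || bp_current_action() ) {
         return;
+    }
 
     // Not a directory.
@@ -88,17 +89,32 @@
         }
 
-        $signup_pass = '';
-        if ( isset( $_POST['signup_password'] ) ) {
-            $signup_pass = wp_unslash( $_POST['signup_password'] );
-        }
-
-        $signup_pass_confirm = '';
-        if ( isset( $_POST['signup_password_confirm'] ) ) {
-            $signup_pass_confirm = wp_unslash( $_POST['signup_password_confirm'] );
-        }
-
-        // Check the account password for problems.
-        $account_password = bp_members_validate_user_password( $signup_pass, $signup_pass_confirm );
-        $password_error   = $account_password->get_error_message();
+        // Password strength check.
+        $required_password_strength = bp_members_user_pass_required_strength();
+        $current_password_strength  = null;
+        if ( isset( $_POST['_password_strength_score'] ) ) {
+            $current_password_strength = (int) $_POST['_password_strength_score'];
+        }
+
+        if ( $required_password_strength && ! is_null( $current_password_strength ) && $required_password_strength > $current_password_strength ) {
+            $account_password = new WP_Error(
+                'not_strong_enough_password',
+                __( 'Your password is not strong enougth to be allowed on this site. Please use a stronger password.', 'buddypress' )
+            );
+        } else {
+            $signup_pass = '';
+            if ( isset( $_POST['signup_password'] ) ) {
+                $signup_pass = wp_unslash( $_POST['signup_password'] );
+            }
+
+            $signup_pass_confirm = '';
+            if ( isset( $_POST['signup_password_confirm'] ) ) {
+                $signup_pass_confirm = wp_unslash( $_POST['signup_password_confirm'] );
+            }
+
+            // Check the account password for problems.
+            $account_password = bp_members_validate_user_password( $signup_pass, $signup_pass_confirm );
+        }
+
+        $password_error = $account_password->get_error_message();
 
         if ( $password_error ) {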
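Review bot: The strength enforcement added at new lines 92–102 relies on `$_POST['_password_strength_score']`, a hidden field filled in by the browser-side meter, and skips the check entirely when that field is absent (`! is_null( $current_password_strength )`), so a submission that does not carry the score is never compared against the required strength; the same construction is in bp-settings/actions/general.php new lines 138–148. Nothing in the hunk recomputes the score on the server, so either the branch should fail closed when a strength is required and no score was submitted, or the limitation should be stated where the value is read, e.g. `// The score is reported by the client-side meter: treat this as a UX guard, not a server-side guarantee.`. Separately, the user-facing string at new line 101 (and general.php line 147) misspells "enough" as `enougth`: `__( 'Your password is not strong enough to be allowed on this site. Please use a stronger password.', 'buddypress' )`. The enclosing function begins before the hunk.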
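--- a/trunk/src/bp-settings/actions/general.php
+++ b/trunk/src/bp-settings/actions/general.php
@@ -74,5 +74,4 @@
             // User is changing email address.
             if ( $old_user_email !== $user_email ) {
-
                 // Run some tests on the email address.
                 $email_checks = bp_core_validate_email_address( $user_email );
@@ -135,16 +134,31 @@
             $pass         = wp_unslash( $_POST['pass1'] );
             $pass_confirm = wp_unslash( $_POST['pass2'] );
-            $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
-
-            if ( ! $pass_error->get_error_message() ) {
-                // Password change attempt is successful.
-                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
-                    $update_user['user_pass'] = $_POST['pass1'];
-                    $pass_error               = false;
-                    $pass_changed             = true;
-
-                // The new password is the same as the current password.
-                } else {
-                    $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
+
+            // Password strength check.
+            $required_password_strength = bp_members_user_pass_required_strength();
+            $current_password_strength  = null;
+            if ( isset( $_POST['_password_strength_score'] ) ) {
+                $current_password_strength = (int) $_POST['_password_strength_score'];
+            }
+
+            if ( $required_password_strength && ! is_null( $current_password_strength ) && $required_password_strength > $current_password_strength ) {
+                $pass_error = new WP_Error(
+                    'not_strong_enough_password',
+                    __( 'Your password is not strong enougth to be allowed on this site. Please use a stronger password.', 'buddypress' )
+                );
+            } else {
+                $pass_error = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
+
+                if ( ! $pass_error->get_error_message() ) {
+                    // Password change attempt is successful.
+                    if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
+                        $update_user['user_pass'] = $_POST['pass1'];
+                        $pass_error               = false;
+                        $pass_changed             = true;
+
+                    // The new password is the same as the current password.
+                    } else {
+                        $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
+                    }
                 }
             }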
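--- a/trunk/src/bp-templates/bp-legacy/buddypress-functions.php
+++ b/trunk/src/bp-templates/bp-legacy/buddypress-functions.php
@@ -7,5 +7,5 @@
  * @package BuddyPress
  * @subpackage BP_Theme_Compat
- * @version 3.1.0
+ * @version 10.0.0
  */
 
@@ -338,5 +338,13 @@
 
             // Enqueue script.
-            wp_enqueue_script( $asset['handle'] . '-password-verify', $asset['location'], $dependencies, $this->version);
+            wp_enqueue_script( $asset['handle'] . '-password-verify', $asset['location'], $dependencies, $this->version );
+            wp_localize_script(
+                $asset['handle'] . '-password-verify',
+                'bpPasswordVerify',
+                array(
+                    'tooWeakPasswordWarning' => __( 'Your password is too weak, please use a stronger password.', 'buddypress' ),
+                    'requiredPassStrength'   => bp_members_user_pass_required_strength(),
+                )
+            );
         }
 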
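--- a/trunk/src/bp-templates/bp-legacy/js/password-verify.js
+++ b/trunk/src/bp-templates/bp-legacy/js/password-verify.js
@@ -1,11 +1,16 @@
 /* jshint undef: false */
 /* @since 1.7.0 */
-/* @version 8.0.0 */
+/* @version 10.0.0 */
 /* Password Verify */
 ( function( $ ){
-    function check_pass_strength() {
+    function check_pass_strength( event ) {
         var pass1 = $( '.password-entry' ).val(),
             pass2 = $( '.password-entry-confirm' ).val(),
-            strength;
+            currentForm = $( '.password-entry' ).closest( 'form' ),
+            strength, requiredStrength;
+
+        if ( 'undefined' !== typeof window.bpPasswordVerify && window.bpPasswordVerify.requiredPassStrength ) {
+            requiredStrength = parseInt( window.bpPasswordVerify.requiredPassStrength, 10 );
+        }
 
         // Reset classes and result text
@@ -40,4 +45,33 @@
                 break;
         }
+
+        if ( requiredStrength && 4 >= requiredStrength ) {
+            var passwordWarningContainer = $( currentForm ).find( '#password-warning' );
+
+                if ( strength < requiredStrength ) {
+                    if ( ! $( passwordWarningContainer ).length ) {
+                        $( event.currentTarget ).before(
+                            $( '<p></p>' ).prop( 'id', 'password-warning' )
+                                          .addClass( 'description' )
+                        );
+                    }
+
+                    $( passwordWarningContainer ).html( bpPasswordVerify.tooWeakPasswordWarning );
+                } else if ( $( passwordWarningContainer ).length ) {
+                    $( passwordWarningContainer ).remove();
+                }
+
+            if ( ! $( currentForm ).find( '#password-strength-score' ).length ) {
+                $( currentForm ).prepend(
+                    $('<input></input>').prop( {
+                        id: 'password-strength-score',
+                        type: 'hidden',
+                        'name': '_password_strength_score'
+                    } )
+                );
+            }
+
+            $( '#password-strength-score' ).val( strength );
+        }
     }
 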
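Review bot: `passwordWarningContainer` at new line 49 is captured before the `<p id="password-warning">` element is inserted at lines 52–57, so on the first event where `strength < requiredStrength` the `.html( bpPasswordVerify.tooWeakPasswordWarning )` call at line 59 runs on an empty jQuery set and the warning text only appears on the next keystroke; the same sequence is in bp-nouveau/js/buddypress-nouveau.js new lines 848–858. Keeping a reference to the element that is inserted fixes it: `passwordWarningContainer = $( '<p></p>' ).prop( 'id', 'password-warning' ).addClass( 'description' );` followed by `$( event.currentTarget ).before( passwordWarningContainer );`. As a point of style, the `if ( strength < requiredStrength )` block at lines 51–62 is indented one level deeper than its sibling at line 64. `check_pass_strength` now requires the `event` argument; the handler binding that must supply it is outside the hunk.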
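--- a/trunk/src/bp-templates/bp-nouveau/buddypress-functions.php
+++ b/trunk/src/bp-templates/bp-nouveau/buddypress-functions.php
@@ -385,20 +385,4 @@
         }
 
-        // Add The password verify if needed.
-        if ( bp_is_active( 'settings' ) || bp_get_signup_allowed() ) {
-            /**
-             * BP Nouveau is now directly using the `wp-admin/js/user-profile.js` script.
-             *
-             * Setting the user password is now more consistent with how WordPress handles it.
-             *
-             * @deprecated 5.0.0
-             */
-            $scripts['bp-nouveau-password-verify'] = array(
-                'file'         => 'js/password-verify%s.js',
-                'dependencies' => array( 'bp-nouveau', 'password-strength-meter' ),
-                'footer'       => true,
-            );
-        }
-
         foreach ( $scripts as $handle => $script ) {
             if ( ! isset( $script['file'] ) ) {
@@ -531,4 +515,12 @@
         if ( is_customize_preview() ) {
             $params['customizer_settings'] = bp_nouveau_get_temporary_setting( 'any' );
+        }
+
+        $required_password_strength = bp_members_user_pass_required_strength();
+        if ( $required_password_strength ) {
+            $params['bpPasswordVerify'] = array(
+                'tooWeakPasswordWarning' => __( 'Your password is too weak, please use a stronger password.', 'buddypress' ),
+                'requiredPassStrength'   => bp_members_user_pass_required_strength(),
+            );
         }
 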
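Review bot: `'requiredPassStrength'` at new line 523 calls `bp_members_user_pass_required_strength()` a second time although the value is already held in `$required_password_strength` from line 519; because that function runs the `bp_members_user_pass_required_strength` filter, the second call re-executes every attached callback and the value passed to the browser could differ from the one that decided to emit `bpPasswordVerify` at all. Use the local: `'requiredPassStrength'   => $required_password_strength,`. The enclosing method starts and ends outside the hunk.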
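--- a/trunk/src/bp-templates/bp-nouveau/includes/template-tags.php
+++ b/trunk/src/bp-templates/bp-nouveau/includes/template-tags.php
@@ -2371,4 +2371,8 @@
             ?>
             <label for="pass1"><?php esc_html_e( 'Choose a Password (required)', 'buddypress' ); ?></label>
+            <?php if ( isset( buddypress()->signup->errors['signup_password'] ) ) :
+                nouveau_error_template( buddypress()->signup->errors['signup_password'] );
+            endif; ?>
+
             <div class="user-pass1-wrap">
                 <div class="wp-pwd">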
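--- a/trunk/src/bp-templates/bp-nouveau/js/buddypress-nouveau.js
+++ b/trunk/src/bp-templates/bp-nouveau/js/buddypress-nouveau.js
@@ -3,5 +3,5 @@
 /* jshint browser: true */
 /* @since 3.0.0 */
-/* @version 8.0.0 */
+/* @version 10.0.0 */
 window.wp = window.wp || {};
 window.bp = window.bp || {};
@@ -469,4 +469,9 @@
             // Pagination.
             $( '#buddypress [data-bp-list]' ).on( 'click', '[data-bp-pagination] a', this, this.paginateAction );
+
+            // Password updates.
+            if ( BP_Nouveau.bpPasswordVerify && BP_Nouveau.bpPasswordVerify.requiredPassStrength ) {
+                $( '#pass1' ).on( 'input pwupdate', this.checkPassStrength );
+            }
         },
 
@@ -824,4 +829,52 @@
             // Request the page.
             self.objectRequest( queryData );
+        },
+
+        checkPassStrength: function( event ) {
+            var bpPasswordVerify = BP_Nouveau.bpPasswordVerify, strength,
+                requiredStrength = parseInt( bpPasswordVerify.requiredPassStrength, 10 ),
+                pass1 = $( event.currentTarget ).val(), pass2 = $( '#pass2' ).val(),
+                currentForm = $( event.currentTarget ).closest( 'form' );
+
+
+            // wp.passwordStrength.userInputBlacklist() has been deprecated in WP 5.5.0.
+            if ( 'function' === typeof wp.passwordStrength.userInputDisallowedList ) {
+                strength = wp.passwordStrength.meter( pass1, wp.passwordStrength.userInputDisallowedList(), pass2 );
+            } else {
+                strength = wp.passwordStrength.meter( pass1, wp.passwordStrength.userInputBlacklist(), pass2 );
+            }
+
+            if ( requiredStrength && 4 >= requiredStrength ) {
+                var passwordWarningContainer = $( currentForm ).find( '#password-warning' );
+
+                if ( strength < requiredStrength ) {
+                    if ( ! $( passwordWarningContainer ).length ) {
+                        $( event.currentTarget ).before(
+                            $( '<p></p>' ).prop( 'id', 'password-warning' )
+                                          .addClass( 'description' )
+                        );
+                    }
+
+                    $( passwordWarningContainer ).html( bpPasswordVerify.tooWeakPasswordWarning );
+                } else if ( $( passwordWarningContainer ).length ) {
+                    $( passwordWarningContainer ).remove();
+                }
+
+                if ( ! $( currentForm ).find( '#password-strength-score' ).length ) {
+                    $( currentForm ).prepend(
+                        $('<input></input>').prop( {
+                            id: 'password-strength-score',
+                            type: 'hidden',
+                            'name': '_password_strength_score'
+                        } )
+                    );
+                }
+
+                $( '#password-strength-score' ).val( strength );
+
+                if ( requiredStrength > strength ) {
+                    $( '.pw-weak' ).remove();
+                }
+            }
         }
     };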
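Review bot: As a point of style in the new `checkPassStrength` method, new lines 838–839 leave two consecutive blank lines after the `var` declaration, and `$('<input></input>')` at line 865 omits the inner spacing (`$( '<input></input>' )`) that every other jQuery call in the hunk uses, which jshint and the project's code style will flag. Also, `currentForm` and `passwordWarningContainer` are already jQuery objects, so wrapping them again in `$( … )` at lines 848–864 is redundant; `currentForm.find( '#password-warning' )` reads more directly. The method is also bound for the `pwupdate` event at line 474 but has no docblock; a one-line `// Compares the meter score of #pass1 with the required strength and surfaces a warning below the field.` above line 833 would help readers of the `init` handler list.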