Timestamp:
12/16/2021 06:16:38 PM (3 years ago)
Author:
imath
Message:

Introduce a new constant/filter to enforce strong password in BP areas

You can now use the BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH constant or, alternatively, the 'bp_members_user_pass_required_strength' filter to force members to use a password satisfying a strength score from 4 (strong) to 1 (weak). For instance, use define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); to enforce strong passwords.

This setting will only be applied to these 2 BuddyPress specific areas:

  • the registration form,
  • the General User's front-end profile settings tab.

PS: this commit also removes completely the password-verify script from the BP Nouveau Template Pack which was deprecated since BuddyPress 5.0.

Props niftythree, dcavins

Fixes #8589

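--- a/trunk/src/bp-settings/actions/general.php
+++ b/trunk/src/bp-settings/actions/general.php
@@ -74,5 +74,4 @@
             // User is changing email address.
             if ( $old_user_email !== $user_email ) {
-
                 // Run some tests on the email address.
                 $email_checks = bp_core_validate_email_address( $user_email );
@@ -135,16 +134,31 @@
             $pass         = wp_unslash( $_POST['pass1'] );
             $pass_confirm = wp_unslash( $_POST['pass2'] );
-            $pass_error   = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
-
-            if ( ! $pass_error->get_error_message() ) {
-                // Password change attempt is successful.
-                if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
-                    $update_user['user_pass'] = $_POST['pass1'];
-                    $pass_error               = false;
-                    $pass_changed             = true;
-
-                // The new password is the same as the current password.
-                } else {
-                    $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
+
+            // Password strength check.
+            $required_password_strength = bp_members_user_pass_required_strength();
+            $current_password_strength  = null;
+            if ( isset( $_POST['_password_strength_score'] ) ) {
+                $current_password_strength = (int) $_POST['_password_strength_score'];
+            }
+
+            if ( $required_password_strength && ! is_null( $current_password_strength ) && $required_password_strength > $current_password_strength ) {
+                $pass_error = new WP_Error(
+                    'not_strong_enough_password',
+                    __( 'Your password is not strong enougth to be allowed on this site. Please use a stronger password.', 'buddypress' )
+                );
+            } else {
+                $pass_error = bp_members_validate_user_password( $pass, $pass_confirm, $update_user );
+
+                if ( ! $pass_error->get_error_message() ) {
+                    // Password change attempt is successful.
+                    if ( ( ! empty( $_POST['pwd'] ) && wp_unslash( $_POST['pwd'] ) !== $pass ) || is_super_admin() )  {
+                        $update_user['user_pass'] = $_POST['pass1'];
+                        $pass_error               = false;
+                        $pass_changed             = true;
+
+                    // The new password is the same as the current password.
+                    } else {
+                        $pass_error->add( 'same_user_password', __( 'The new password must be different from the current password.', 'buddypress' ) );
+                    }
                 }
             }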
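Review bot: The strength gate on new line 144 is enforced only when the request carries `_password_strength_score`; with a required strength configured but that field absent, `$current_password_strength` stays null, the condition is false, and the submission falls through to the ordinary `bp_members_validate_user_password()` path, so the configured requirement is not actually applied to such requests. Because the score is a client-computed value, the server should at minimum treat a missing score as failing when a strength is required — `if ( $required_password_strength && ( is_null( $current_password_strength ) || $required_password_strength > $current_password_strength ) ) {` — and ideally evaluate strength server-side rather than trusting the posted number. The translatable, user-facing message on line 147 also misspells "enough" as `enougth`. The enclosing function begins and ends outside this hunk.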