Changeset 14071

Timestamp:

11/03/2024 06:44:17 PM (5 months ago)

Author:

espellcaste

Message:

Misc changes to the signups and pending accounts.

We are improving how signups and pending accounts are handled in BuddyPress.

• activation emails resend are blocked for one hour, by default;
• emails are checked if they are already in use in a signup;
• signup endpoint (​https://developer.buddypress.org/bp-rest-api/reference/signup/) returns a useful error when feature is disabled;
• Signup::resend: Added the ability to resend to a single ID, instead of an array of IDs.

Props niftythree and imath.

Closes ​https://github.com/buddypress/buddypress/pull/396
See #9229 and #9145
Fixes #9137

Location:

trunk

Files:

• src/bp-core/bp-core-rest-api.php (modified) (1 diff)
• src/bp-members/bp-members-functions.php (modified) (7 diffs)
• src/bp-members/bp-members-template.php (modified) (1 diff)
• src/bp-members/classes/class-bp-members-signup-rest-controller.php (modified) (4 diffs)
• src/bp-members/classes/class-bp-signup.php (modified) (8 diffs)
• tests/phpunit/testcases/members/class-bp-signup.php (modified) (6 diffs)
• tests/phpunit/testcases/members/functions.php (modified) (1 diff)
• tests/phpunit/testcases/members/test-signup-controller.php (modified) (5 diffs)

trunk/src/bp-core/bp-core-rest-api.php

@@ -393 +393 @@
 }
 add_filter( 'rest_pre_dispatch', 'bp_rest_api_v1_dispatch_error', 10, 3 );
+
+/**
+ * Filter the WP REST API response to return a 403 if the signup feature is disabled.
+ *
+ * @since 15.0.0
+ *
+ * @param mixed           $result Response to replace the requested version with. Can be anything
+ *                                a normal endpoint can return, or null to not hijack the request.
+ * @param WP_REST_Server  $server Server instance.
+ * @param WP_REST_Request $request Request used to generate the response.
+ *
+ * @return mixed
+ */
+function bp_rest_api_signup_disabled_feature_dispatch_error( $result, $server, $request ) {
+
+    // Bail early if the BP REST plugin is active.
+    if ( bp_rest_is_plugin_active() ) {
+        return $result;
+    }
+
+    $route = $request->get_route();
+
+    if ( empty( $route ) || ! str_contains( $route, 'buddypress/v2/signup' ) ) {
+        return $result;
+    }
+
+    // Bail early if signups are allowed.
+    if ( bp_get_signup_allowed() ) {
+        return $result;
+    }
+
+    return new WP_Error(
+        'rest_no_route',
+        __( 'BuddyPress: The user signup feature is currently disabled. Please activate this feature to proceed.', 'buddypress' ),
+        array( 'status' => 403 )
+    );
+}
+add_filter( 'rest_pre_dispatch', 'bp_rest_api_signup_disabled_feature_dispatch_error', 10, 3 );

trunk/src/bp-members/bp-members-functions.php

@@ -1593 +1593 @@
  * Performs the following checks:
  *   - Is the email address well-formed?
- *   - Is the email address already used?
+ *   - Is the email address already used in a user?
+ *   - Is the email address already used in a signup?
  *   - If there are disallowed email domains, is the current domain among them?
- *   - If there's an email domain whitelist, is the current domain on it?
+ *   - If there's an email domain allowlist, is the current domain on it?
  *
  * @since 1.6.2
+ * @since 15.0.0 Check if the email address is already used in a signup.
  *
  * @param string $user_email The email being checked.
@@ -1630 +1632 @@
     }
 
-    // Is the email already in use?
+    // Is the email already in use in a user?
     if ( email_exists( $user_email ) ) {
         $errors['in_use'] = 1;
+    }
+
+    // Is the email already in use in a signup?
+    if ( ! isset( $errors['in_use'] ) ) {
+        $signups = BP_Signup::get(
+            array( 'user_email' => $user_email )
+        );
+
+        $signup = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] );
+
+        if ( $signup ) {
+            $errors['in_use'] = 1;
+        }
     }
 
@@ -1749 +1764 @@
         // Check into signups.
         $signups = BP_Signup::get(
-            array(
-                'user_login' => $user_name,
-            )
+            array( 'user_login' => $user_name )
         );
 
-        $signup = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] ) ? $signups['signups'][0] : false;
+        $signup           = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] );
+        $user_name_exists = ( empty( $signup ) && username_exists( $user_name ) ) || ! empty( $signup );
 
         // Check if the username has been used already.
-        if ( username_exists( $user_name ) || ! empty( $signup ) ) {
+        if ( true === $user_name_exists ) {
             $errors->add( 'user_name', __( 'Sorry, that username already exists!', 'buddypress' ) );
         }
 
-        // Validate the email address and process the validation results into
-        // error messages.
-        $validate_email = bp_core_validate_email_address( $user_email );
-        bp_core_add_validation_error_messages( $errors, $validate_email );
+        // Validate the email address.
+        bp_core_add_validation_error_messages(
+            $errors,
+            bp_core_validate_email_address( $user_email )
+        );
 
         // Assemble the return array.
@@ -1773 +1788 @@
         );
 
-        // Apply WPMU legacy filter.
+        /** This filter is documented in wp-includes/ms-functions.php */
         $result = apply_filters( 'wpmu_validate_user_signup', $result );
     }
@@ -2487 +2502 @@
  *
  * @since 2.0.0
+ * @since 15.0.0 Return an error when the activation email resend has been blocked temporarily.
  *
  * @global string $error The error message.
@@ -2500 +2516 @@
 
     // Verify nonce.
-    if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'bp-resend-activation' ) ) {
-        die( 'Security check' );
-    }
-
-    $signup_id = (int) $_GET['id'];
+    if ( ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'bp-resend-activation' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+        wp_die( esc_html__( 'There was a problem performing this action. Please try again.', 'buddypress' ) );
+    }
+
+    $signups = BP_Signup::get(
+        array( 'include' => (int) $_GET['id'] )
+    );
+
+    // phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
+
+    if ( empty( $signups['signups'] ) || ! is_array( $signups['signups'] ) || empty( $signups['signups'][0] ) ) {
+        $error = __( '<strong>Error</strong>: Invalid signup id.', 'buddypress' );
+        return;
+    }
+
+    $signup = $signups['signups'][0];
+
+    if ( false === BP_Signup::allow_activation_resend( $signup ) ) {
+        $error = __( '<strong>Error</strong>: You\'ve reached the limit for resending your account activation email. Please wait a few minutes and try again. If you continue to experience issues, contact support for assistance.', 'buddypress' );
+        return;
+    }
 
     // Resend the activation email.
     // also updates the 'last sent' and '# of emails sent' values.
-    $resend = BP_Signup::resend( array( $signup_id ) );
+    $resend = BP_Signup::resend( $signup->id );
 
     // Add feedback message.
@@ -2516 +2548 @@
         $error = __( 'Activation email resent! Please check your inbox or spam folder.', 'buddypress' );
     }
+
+    // phpcs:enable WordPress.WP.GlobalVariablesOverride.Prohibited
 }
 add_action( 'login_form_bp-resend-activation', 'bp_members_login_resend_activation_email' );

trunk/src/bp-members/bp-members-template.php

@@ -3066 +3066 @@
 
         /**
-         * Filters whether or not new signups are allowed.
+         * Filters whether new signups are allowed.
          *
          * @since 1.5.0

trunk/src/bp-members/classes/class-bp-members-signup-rest-controller.php

@@ -765 +765 @@
      */
     public function signup_resend_activation_email( $request ) {
-        $signup_id = $request->get_param( 'id' );
-        $send      = \BP_Signup::resend( array( $signup_id ) );
+        $signup = $this->get_signup_object( $request->get_param( 'id' ) );
+        $send   = $signup::resend( $signup->id );
+
+        if ( empty( $send ) ) {
+            return new WP_Error(
+                'bp_rest_signup_resend_activation_email_fail',
+                __( 'There was a problem performing this action. Please try again.', 'buddypress' ),
+                array( 'status' => 500 )
+            );
+        }
 
         if ( ! empty( $send['errors'] ) ) {
@@ -772 +780 @@
                 'bp_rest_signup_resend_activation_email_fail',
                 __( 'Your account has already been activated.', 'buddypress' ),
-                array(
-                    'status' => 500,
-                )
+                array( 'status' => 500 )
             );
         }
@@ -809 +815 @@
                 'bp_rest_invalid_id',
                 __( 'Invalid signup id.', 'buddypress' ),
-                array(
-                    'status' => 404,
-                )
+                array( 'status' => 404 )
+            );
+        }
+
+        if ( true === $retval && false === BP_Signup::allow_activation_resend( $signup ) ) {
+            $retval = new WP_Error(
+                'bp_rest_signup_resend_activation_email_fail',
+                __( 'You\'ve reached the limit for resending your account activation email. Please wait a few minutes and try again. If you continue to experience issues, contact support for assistance.', 'buddypress' ),
+                array( 'status' => 500 )
             );
         }
@@ -976 +988 @@
         $password = (string) $value;
 
-        if ( empty( $password ) || false !== strpos( $password, '\\' ) ) {
+        if ( empty( $password ) || str_contains( $password, '\\' ) ) {
             return new WP_Error(
                 'rest_user_invalid_password',

trunk/src/bp-members/classes/class-bp-signup.php

@@ -4 +4 @@
  *
  * @package BuddyPress
- * @subpackage coreClasses
+ * @subpackage Signup
  * @since 2.0.0
  */
@@ -160 +160 @@
      * @since 2.0.0
      *
-     * @param integer $signup_id The ID for the signup being queried.
+     * @param int $signup_id The ID for the signup being queried.
      */
     public function __construct( $signup_id = 0 ) {
@@ -249 +249 @@
          * was sent in the last day.
          */
-        $this->recently_sent = $this->count_sent && ( $diff < 1 * DAY_IN_SECONDS );
-
+        $this->recently_sent = $this->count_sent && ( $diff < DAY_IN_SECONDS );
     }
 
@@ -827 +826 @@
      *
      * @since 2.0.0
-     *
-     * @param array $signup_ids Single ID or list of IDs to resend.
+     * @since 15.0.0 Added the ability to resend to a single ID.
+     *
+     * @param array|int $signup_ids Single ID or list of IDs to resend.
      * @return array
      */
     public static function resend( $signup_ids = array() ) {
-        if ( empty( $signup_ids ) || ! is_array( $signup_ids ) ) {
-            return false;
+        if ( empty( $signup_ids ) ) {
+            return array();
+        }
+
+        if ( ! is_array( $signup_ids ) ) {
+            $signup_ids = array( $signup_ids );
         }
 
         $to_resend = self::get(
             array(
-                'include' => $signup_ids,
+                'include' => wp_parse_id_list( $signup_ids ),
             )
         );
 
-        if ( ! $signups = $to_resend['signups'] ) {
-            return false;
+        $signups = $to_resend['signups'];
+
+        if ( ! $signups ) {
+            return array();
         }
 
@@ -876 +882 @@
                 $user_id = email_exists( $signup->user_email );
 
-                if ( ! empty( $user_id ) && 2 != self::check_user_status( $user_id ) ) {
+                if ( ! empty( $user_id ) && 2 !== self::check_user_status( $user_id ) ) {
 
                     // Status is not 2, so user's account has been activated.
@@ -886 +892 @@
                     continue;
 
-                // Send the validation email.
+                    // Send the validation email.
                 } else {
                     $salutation = $signup->user_login;
@@ -907 +913 @@
 
         /**
-         * Fires after activation emails are resent.
+         * Fires after activation email(s) are/is resent.
          *
          * @since 2.0.0
@@ -924 +930 @@
          */
         return apply_filters( 'bp_core_signup_resend', $result );
+    }
+
+    /**
+     * Check if an activation email can be resent.
+     *
+     * @since 15.0.0
+     *
+     * @param BP_Signup $signup The signup object.
+     * @return bool
+     */
+    public static function allow_activation_resend( $signup ) {
+
+        // Bail if the signup is not a BP_Signup object.
+        if ( ! $signup instanceof BP_Signup ) {
+            return false;
+        }
+
+        // Allow the activation email to be sent if not already.
+        if ( ! $signup->recently_sent || ! $signup->count_sent ) {
+            return true;
+        }
+
+        $sent_at = mysql2date( 'U', $signup->date_sent );
+        $now     = time();
+        $diff    = $now - $sent_at;
+
+        /**
+         * Filters the lock time for the resend activation.
+         *
+         * @since 15.0.0
+         *
+         * @param float|int $lock_time The lock time for the resend activation. Default: 1 hour.
+         * @param BP_Signup $signup The signup object.
+         */
+        $lock_time = apply_filters( 'bp_core_signup_resend_activation_lock_time', HOUR_IN_SECONDS, $signup );
+
+        // If the activation email was sent less than the lock time ago.
+        return false === ( $diff < $lock_time );
     }
 

trunk/tests/phpunit/testcases/members/class-bp-signup.php

@@ -51 +51 @@
         );
 
-        $signup = BP_Signup::add( $args );
+        $signup = self::factory()->signup->create( $args );
         $this->assertNotEmpty( $signup );
 
@@ -70 +70 @@
 
         // Add new signup without a custom field visibility set for field_1.
-        $signup = BP_Signup::add( array(
+        $signup = self::factory()->signup->create( array(
             'title' => 'Foo bar',
             'user_login' => 'user1',
@@ -484 +484 @@
             ),
         );
-        $s1 = BP_Signup::add( $args );
+        $s1 = self::factory()->signup->create( $args );
 
         $args['meta']['field_1'] = 'Fozz';
-        $s2 = BP_Signup::add( $args );
+        $s2 = self::factory()->signup->create( $args );
 
         // Should find both.
@@ -533 +533 @@
             ),
         );
-        $s1 = BP_Signup::add( $args );
+        $s1 = self::factory()->signup->create( $args );
 
         $args['meta']['field_1'] = 'Fozz';
-        $s2 = BP_Signup::add( $args );
+        $s2 = self::factory()->signup->create( $args );
 
         // Should find both.
@@ -637 +637 @@
     }
 
+    /**
+     * @group resend
+     */
     public function test_bp_core_signup_send_validation_email_should_increment_sent_count() {
         $activation_key = wp_generate_password( 32, false );
         $user_email     = 'accountone@example.com';
-        $s1             = self::factory()->signup->create( array(
+        $s1             = self::factory()->signup->create_and_get( array(
             'user_login'     => 'accountone',
             'user_email'     => $user_email,
@@ -646 +649 @@
         ) );
 
-        $signup = new BP_Signup( $s1 );
-        $this->assertEquals( 0, $signup->count_sent );
+        $this->assertEquals( 0, $s1->count_sent );
 
         bp_core_signup_send_validation_email( 0, $user_email, $activation_key );
 
-        $signup = new BP_Signup( $s1 );
+        $signup = new BP_Signup( $s1->id );
         $this->assertEquals( 1, $signup->count_sent );
     }
+
+    /**
+     * @ticket BP9137
+     * @group resend
+     */
+    public function test_bp_core_signup_resend_email_activation() {
+        $s1 = self::factory()->signup->create_and_get(
+            array(
+                'user_login'     => 'user' . wp_rand( 1, 20 ),
+                'user_email'     => sprintf( 'user%d@example.com', wp_rand( 1, 20 ) ),
+                'registered'     => bp_core_current_time(),
+                'activation_key' => wp_generate_password( 32, false ),
+                'meta'           => array(
+                    'field_1' => 'Foo Bar',
+                ),
+            )
+        );
+
+        BP_Signup::resend( $s1->id );
+
+        $this->assertFalse( BP_Signup::allow_activation_resend( 0 ) );
+        $this->assertFalse( BP_Signup::allow_activation_resend( '' ) );
+        $this->assertTrue( BP_Signup::allow_activation_resend( $s1 ) );
+
+        $s1->count_sent = 0;
+        $this->assertTrue( BP_Signup::allow_activation_resend( $s1 ) );
+
+        $s1->count_sent = 1;
+        $s1->recently_sent = true;
+        $this->assertFalse( BP_Signup::allow_activation_resend( $s1 ) );
+
+        add_filter( 'bp_core_signup_resend_activation_lock_time', '__return_zero' );
+        $this->assertTrue( BP_Signup::allow_activation_resend( $s1 ) );
+        remove_filter( 'bp_core_signup_resend_activation_lock_time', '__return_zero' );
+    }
 }

trunk/tests/phpunit/testcases/members/functions.php

@@ -848 +848 @@
 
     /**
-     * Provider for the test_bp_core_validate_user_signup() test.
+     * Provider for the test_bp_core_validate_user_signup_errors() test.
      *
      * @return array[]

trunk/tests/phpunit/testcases/members/test-signup-controller.php

@@ -210 +210 @@
      * @group create_item
      */
+    public function test_creating_multiple_pending_accounts_with_different_usernames() {
+        $request = new WP_REST_Request( 'POST', $this->endpoint_url );
+
+        $params = $this->set_signup_data( array( 'user_login' => 'user1' ) );
+        $request->set_body_params( $params );
+        $request->set_param( 'context', 'edit' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertEquals( 200, $response->get_status() );
+
+        $signup = $response->get_data();
+
+        $this->assertSame( $signup['user_login'], $params['user_login'] );
+        $this->assertSame( $signup['user_email'], $params['user_email'] );
+        $this->assertTrue( ! isset( $signup['activation_key'] ) );
+
+        // Test with the same email.
+        $params = $this->set_signup_data( array( 'user_login' => 'user2' ) );
+        $request->set_body_params( $params );
+        $request->set_param( 'context', 'edit' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertErrorResponse( 'bp_rest_signup_validation_failed', $response, 500, 'This user\'s email is already registered.' );
+
+        // Test with a different email.
+        $params = $this->set_signup_data( array( 'user_login' => 'user2', 'user_email' => 'user2@example.com' ) );
+        $request->set_body_params( $params );
+        $request->set_param( 'context', 'edit' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertEquals( 200, $response->get_status() );
+    }
+
+    /**
+     * @group create_item
+     */
     public function test_create_item_with_signup_fields() {
         $g1 = $this->bp::factory()->xprofile_group->create();
@@ -664 +700 @@
      * @group resend_item
      */
-    public function test_resend_acivation_email_to_active_signup() {
+    public function test_resend_activation_email_to_active_signup() {
         $signup_id = $this->create_signup();
         $signup    = new BP_Signup( $signup_id );
@@ -689 +725 @@
      * @group resend_item
      */
+    public function test_resend_activation_email_to_locked_signup() {
+        $signup_id = $this->create_signup();
+
+        BP_Signup::resend( $signup_id );
+
+        $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/resend' );
+        $request->set_param( 'id', $signup_id );
+        $request->set_param( 'context', 'edit' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertEquals( 500, $response->get_status() );
+
+        $error_code = 'bp_rest_signup_resend_activation_email_fail';
+        $error      = $response->as_error();
+        $message    = $error->get_error_message( $error_code );
+
+        $this->assertErrorResponse( $error_code, $response, 500 );
+        $this->assertSame(
+            $message,
+            "You've reached the limit for resending your account activation email. Please wait a few minutes and try again. If you continue to experience issues, contact support for assistance."
+        );
+    }
+
+    /**
+     * @group resend_item
+     */
+    public function test_resend_activation_email_to_locked_signup_with_hook() {
+        $signup_id = $this->create_signup();
+
+        BP_Signup::resend( $signup_id );
+
+        add_filter( 'bp_core_signup_resend_activation_lock_time', '__return_zero' );
+
+        $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/resend' );
+        $request->set_param( 'id', $signup_id );
+        $request->set_param( 'context', 'edit' );
+        $response = $this->server->dispatch( $request );
+
+        $this->assertEquals( 200, $response->get_status() );
+
+        $all_data = $response->get_data();
+
+        $this->assertTrue( $all_data['sent'] );
+
+        remove_filter( 'bp_core_signup_resend_activation_lock_time', '__return_zero' );
+    }
+
+    /**
+     * @group resend_item
+     */
     public function test_resend_activation_email_invalid_signup_id() {
         $request = new WP_REST_Request( 'PUT', $this->endpoint_url . '/resend' );
@@ -734 +820 @@
 
     protected function create_signup() {
-        return BP_Signup::add(
+        return $this->bp::factory()->signup->create(
             array(
                 'user_login'     => 'user' . wp_rand( 1, 20 ),
@@ -805 +891 @@
         $this->assertEquals( array( 'view', 'edit' ), $data['endpoints'][0]['args']['context']['enum'] );
     }
+
+    public function test_bp_rest_api_signup_disabled_feature_dispatch_error() {
+        // Disable signups registration.
+        bp_update_option( 'users_can_register', 0 );
+
+        if  ( is_multisite() ) {
+            update_site_option( 'registration', '' );
+        }
+
+        $request  = new WP_REST_Request( 'OPTIONS', $this->endpoint_url );
+        $response = $this->server->dispatch( $request );
+        $data     = $response->get_data();
+
+        $this->assertEquals( 403, $response->get_status() );
+        $this->assertSame(
+            $data['message'],
+            'BuddyPress: The user signup feature is currently disabled. Please activate this feature to proceed.'
+        );
+    }
 }