
Changeset 8560


Timestamp:
07/05/2014 07:01:09 PM (10 years ago)
Author:
boonebgorges
Message:

When a user changes her email address, require email verification of the new address

This feature, built into WordPress MS by default (when updating one's profile
via the Dashboard), ensures that new email addresses are valid and not
mistyped, helping to avoid unintentionally locked-out accounts.

Fixes #2265

Props j.conti for an initial patch

Location:
trunk/src/bp-settings
Files:
2 edited

  • trunk/src/bp-settings/bp-settings-actions.php

    r8324 r8560  
    6666        if ( !empty( $_POST['email'] ) ) {
    6767
    68             // What is missing from the profile page vs signup - lets double check the goodies
    69             $user_email = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
     68            // What is missing from the profile page vs signup -
     69            // let's double check the goodies
     70            $user_email     = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
     71            $old_user_email = $bp->displayed_user->userdata->user_email;
    7072
    7173            // User is changing email address
    72             if ( $bp->displayed_user->userdata->user_email != $user_email ) {
     74            if ( $old_user_email != $user_email ) {
    7375
    7476                // Run some tests on the email address
     
    8991                }
    9092
    91                 // Yay we made it!
     93                // Store a hash to enable email validation
    9294                if ( false === $email_error ) {
    93                     $update_user->user_email = $user_email;
     95                    $hash = wp_hash( $_POST['email'] );
     96
     97                    $pending_email = array(
     98                        'hash'     => $hash,
     99                        'newemail' => $user_email,
     100                    );
     101
     102                    bp_update_user_meta( bp_displayed_user_id(), 'pending_email_change', $pending_email );
     103
     104                    $email_text = sprintf(
     105                        __( 'Dear %1$s,
     106
     107You recently changed the email address associated with your account on %2$s.
     108If this is correct, please click on the following link to complete the change:
     109%3$s
     110
     111You can safely ignore and delete this email if you do not want to take this action or if you have received this email in error.
     112
     113This email has been sent to %4$s.
     114
     115Regards,
     116%5$s
     117%6$s', 'buddypress' ),
     118                        bp_core_get_user_displayname( bp_displayed_user_id() ),
     119                        bp_get_site_name(),
     120                        esc_url( bp_displayed_user_domain() . bp_get_settings_slug() . '/?verify_email_change=' . $hash ),
     121                        $user_email,
     122                        bp_get_site_name(),
     123                        bp_get_root_domain()
     124                    );
     125
     126                    /**
     127                     * Filter the email text sent when a user changes emails.
     128                     *
     129                     * @since BuddyPress (2.1.0)
     130                     *
     131                     * @param string $email_text Text of the email.
     132                     * @param string $new_user_email New user email that
     133                     *        the current user has changed to.
     134                     * @param string $old_user_email Existing email addres
     135                     *        for the current user.
     136                     * @param object $update_user Userdata for the current user.
     137                     */
     138                    $content = apply_filters( 'bp_new_user_email_content', $email_text, $user_email, $old_user_email, $update_user );
     139
     140                    // Send the verification email
     141                    wp_mail( $user_email, sprintf( __( '[%s] Verify your new email address', 'buddypress' ), wp_specialchars_decode( bp_get_site_name() ) ), $content );
     142
     143                    // We mark that the change has taken place so as to ensure a
     144                    // success message, even though verification is still required
     145                    $_POST['email'] = $current_user->user_email;
    94146                    $email_changed = true;
    95147                }
     
    356408}
    357409add_action( 'bp_actions', 'bp_settings_action_delete_account' );
     410
     411/**
     412 * Process email change verification or cancel requests.
     413 *
     414 * @since BuddyPress (2.1.0)
     415 */
     416function bp_settings_verify_email_change(){
     417    if ( ! bp_is_settings_component() ) {
     418        return;
     419    }
     420
     421    if ( ! bp_is_my_profile() ) {
     422        return;
     423    }
     424
     425    $redirect_to = trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() );
     426
     427    // Email change is being verified
     428    if ( isset( $_GET['verify_email_change'] ) ) {
     429        $pending_email = bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change' );
     430
     431        // Bail if the hash provided doesn't match the one saved in the database
     432        if ( urldecode( $_GET['verify_email_change'] ) !== $pending_email['hash'] ) {
     433            return;
     434        }
     435
     436        $email_changed = wp_update_user( array(
     437            'ID'         => bp_displayed_user_id(),
     438            'user_email' => trim( $pending_email['newemail'] ),
     439        ) );
     440
     441        if ( $email_changed ) {
     442            // Delete the pending email change key
     443            bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
     444
     445            // Post a success message and redirect
     446            bp_core_add_message( __( 'You have successfully verified your new email address.', 'buddypress' ) );
     447        } else {
     448            // Unknown error
     449            bp_core_add_message( __( 'There was a problem verifying your new email address. Please try again.', 'buddypress' ), 'error' );
     450        }
     451
     452        bp_core_redirect( $redirect_to );
     453        die();
     454
     455    // Email change is being dismissed
     456    } elseif ( ! empty( $_GET['dismiss_email_change'] ) ) {
     457            bp_delete_user_meta( bp_displayed_user_id(), 'pending_email_change' );
     458        bp_core_add_message( __( 'You have successfully dismissed your pending email change.', 'buddypress' ) );
     459
     460        bp_core_redirect( $redirect_to );
     461        die();
     462    }
     463}
     464add_action( 'bp_actions', 'bp_settings_verify_email_change' );
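Review bot: The lookup in bp_settings_verify_email_change() omits the `$single` argument, so `bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change' )` most likely returns the stored array wrapped in a list (the template file's call in this same changeset passes `true`), which would leave `$pending_email['hash']` undefined and make the strict comparison fail for every verification link; when nothing is pending the same line also indexes into an empty value. The comparison itself should be constant-time and guarded against a missing hash: `$pending_email = bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change', true );` followed by `if ( empty( $pending_email['hash'] ) || ! hash_equals( $pending_email['hash'], urldecode( $_GET['verify_email_change'] ) ) ) {`. The dismiss branch is a state-changing GET with no nonce; a `wp_verify_nonce()` check on the cancel link would close the CSRF window, and its first statement is over-indented. In the form handler, `$current_user` is not set anywhere in the hunk, so the `$_POST['email'] = $current_user->user_email;` line should be confirmed against the enclosing function, which starts before this hunk.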
  • trunk/src/bp-settings/bp-settings-template.php

    r6317 r8560  
    5656        return apply_filters( 'bp_get_settings_root_slug', buddypress()->settings->root_slug );
    5757    }
     58
     59/**
     60 * Add the 'pending email change' message to the settings page.
     61 *
     62 * @since BuddyPress (2.1.0)
     63 */
     64function bp_settings_pending_email_notice() {
     65    $pending_email = bp_get_user_meta( bp_displayed_user_id(), 'pending_email_change', true );
     66
     67    if ( empty( $pending_email['newemail'] ) ) {
     68        return;
     69    }
     70
     71    if ( bp_get_displayed_user_email() == $pending_email['newemail'] ) {
     72        return;
     73    }
     74
     75    ?>
     76
     77    <div id="message" class="bp-template-notice error">
     78        <p><?php printf( __( 'There is a pending change of your email address to <code>%1$s</code>.<br />Check your email (<code>%2$s</code>) for the verification link. <a href="%3$s">Cancel</a>', 'buddypress' ), $pending_email['newemail'], bp_get_displayed_user_email(), esc_url( bp_displayed_user_domain() . bp_get_settings_slug() . '/?dismiss_email_change=1' ) ) ?></p>
     79    </div>
     80
     81    <?php
     82}
     83add_action( 'bp_before_member_settings_template', 'bp_settings_pending_email_notice' );
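Review bot: bp_settings_pending_email_notice() prints `$pending_email['newemail']` and `bp_get_displayed_user_email()` into HTML without escaping, relying on the sanitize_email() applied at storage time; output should be escaped in the output context regardless, i.e. `esc_html( $pending_email['newemail'] ), esc_html( bp_get_displayed_user_email() ),` as the first two printf arguments. The `==` comparison against `$pending_email['newemail']` should be `===` since both sides are strings. The cancel link carries no nonce, so the dismiss action it points to can be triggered by any page the logged-in user visits; adding one with wp_nonce_url() here would pair with a check in the handler.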