Skip to:

Opened 5 years ago

Closed 4 years ago

Last modified 18 months ago

#8066 closed enhancement (fixed)

Missing password validation at password change

Reported by: devnik's profile devnik Owned by: imath's profile imath
Milestone: 7.0.0 Priority: high
Severity: normal Version: 4.1.0
Component: Members Keywords: has-patch



I am looking for a way to validate my password before changing my profile.

I have already created a forum post. If there is no possibility, I can imagine that a hook before saving the changes would be helpful.

Best regards

Attachments (4)

8066.diff (819 bytes) - added by tharsheblows 4 years ago.
filters to be used in server side validation of password
8066.2.patch (8.9 KB) - added by imath 4 years ago.
8066.patch (9.1 KB) - added by tharsheblows 4 years ago.
filter with user object
8066.3.patch (10.0 KB) - added by imath 4 years ago.

Download all attachments as: .zip

Change History (17)

#1 @imath
5 years ago

  • Keywords reporter-feedback added

Hi @devnik

I’m not sure to fully understand the need. When changing the password a regular member needs to give his current password before changing it. You want to add another validation like a confirmation link included into an email sent to a member is that it ?

Could you add a link to the forum you posted ?

#2 @tharsheblows
4 years ago

Hi @imath and @devnik – I found this looking for a way to do server side validation requiring a strong password on the member settings page. Ie if the password is not strong, it throws an error and does not save.

Attached is a diff showing where the filters would be useful to me.

4 years ago

filters to be used in server side validation of password

#3 @imath
4 years ago

  • Milestone changed from Awaiting Review to 6.0.0

Hi @tharsheblows

Interesting. Thanks a lot for your patch I'm going to look into it more deeply asap.

#4 @tharsheblows
4 years ago

Thank you! Basically anything that replicated the functionality of the validate_password_reset filter would work :)

4 years ago

#5 @imath
4 years ago

Hi @tharsheblows

I think we can use only one filter. Could you try to filter bp_members_validate_user_password with 8066.2.patch applied and add a new error message to the WP_Error object you get from the filter to see if it matches your need.

8066.2.patch is also taking the registering process in account.

#6 @imath
4 years ago

  • Milestone changed from 6.0.0 to Up Next
  • Type changed from feature request to enhancement

We're going to be too short for 6.0.0. If @tharsheblows can confirm the patch is fine before before 6.0.0-beta1, I'm fine with moving back this ticket in 6.0.0 milestone. For now, I'm moving it to next milestone.

#7 @tharsheblows
4 years ago

@imath Thanks. It needs the user object (if it's available) for context, eg if you wanted to enforce strong passwords for moderators and roles with more capabilities but not members.

I messed up the naming of the patch, sorry, my head's all over the place.

Last edited 4 years ago by tharsheblows (previous) (diff)

4 years ago

filter with user object

#8 @stokim
4 years ago

@imath Can I expect this patch at 6.0? I'm looking forward to it.

#9 @imath
4 years ago

  • Milestone changed from Up Next to 7.0.0

#10 @imath
4 years ago

  • Keywords needs-refresh added; reporter-feedback removed

I'm going to work on this to make it available in 7.0.0, but I believe the patch needs a refresh.

4 years ago

#11 @imath
4 years ago

  • Keywords has-patch added; needs-refresh removed

8066.3.patch is a refreshed version of the patch. I also added a new unit test to test the filter so that it checks password has at least 4 characters.

#12 @imath
4 years ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 12679:

BP Members: improve our password validation process

We're introducing a new function to validate the member's chosen password: bp_members_validate_user_password().

This function is primarly used to check the password is not empty, and to make sure the password confirmation matches the password. If it's the case, the function will return a WP_Error object with no error message. Otherwise this object will contain an error message.

Plugins can now use the bp_members_validate_user_password filter to add their own error messages according to a custom validation process. See the last unit tests of this commit for an example of use.

Props devnik, tharsheblows

Fixes #8066

#13 @ilianskia
18 months ago

how can the current password validation and the field could be removed completely for all users/members?
When user/member want to change there email and/or password to don't need to type there current password in case of that change.

Note: See TracTickets for help on using tickets.