BuddyPress.org

Opened 6 years ago

Closed 4 years ago

Last modified 22 months ago

#8066 closed enhancement (fixed)

Missing password validation at password change

Reported by: devnik Owned by: imath
Milestone: 7.0.0 Priority: high
Severity: normal Version: 4.1.0
Component: Members Keywords: has-patch
Cc:

Description

Hi,

I am looking for a way to validate my password before changing my profile.

I have already created a forum post. If there is no possibility, I can imagine that a hook before saving the changes would be helpful.

Best regards
devnik

Attachments (4)

8066.diff (819 bytes) - added by tharsheblows 5 years ago.
filters to be used in server side validation of password
8066.2.patch (8.9 KB) - added by imath 5 years ago.
8066.patch (9.1 KB) - added by tharsheblows 5 years ago.
filter with user object
8066.3.patch (10.0 KB) - added by imath 4 years ago.


Change History (17)

#1 @imath
6 years ago

  • Keywords reporter-feedback added

Hi @devnik

I’m not sure I fully understand the need. When changing the password, a regular member needs to give his current password before changing it. You want to add another validation, like a confirmation link included in an email sent to a member, is that it?

Could you add a link to the forum you posted?

#2 @tharsheblows
5 years ago

Hi @imath and @devnik – I found this looking for a way to do server side validation requiring a strong password on the member settings page. I.e., if the password is not strong, it throws an error and does not save.

Attached is a diff showing where the filters would be useful to me.

@tharsheblows
5 years ago

filters to be used in server side validation of password

#3 @imath
5 years ago

  • Milestone changed from Awaiting Review to 6.0.0

Hi @tharsheblows

Interesting. Thanks a lot for your patch, I'm going to look into it more deeply asap.

#4 @tharsheblows
5 years ago

Thank you! Basically anything that replicated the functionality of the validate_password_reset filter would work :) https://core.trac.wordpress.org/changeset/21923

@imath
5 years ago

#5 @imath
5 years ago

Hi @tharsheblows

I think we can use only one filter. Could you try to filter bp_members_validate_user_password with 8066.2.patch applied and add a new error message to the WP_Error object you get from the filter to see if it matches your need?

8066.2.patch also takes the registration process into account.

#6 @imath
5 years ago

  • Milestone changed from 6.0.0 to Up Next
  • Type changed from feature request to enhancement

We're going to be too short for 6.0.0. If @tharsheblows can confirm the patch is fine before 6.0.0-beta1, I'm fine with moving this ticket back into the 6.0.0 milestone. For now, I'm moving it to the next milestone.

#7 @tharsheblows
5 years ago

@imath Thanks. It needs the user object (if it's available) for context, eg if you wanted to enforce strong passwords for moderators and roles with more capabilities but not members.


@tharsheblows
5 years ago

filter with user object

#8 @stokim
5 years ago

@imath Can I expect this patch at 6.0? I'm looking forward to it.

#9 @imath
5 years ago

  • Milestone changed from Up Next to 7.0.0

#10 @imath
4 years ago

  • Keywords needs-refresh added; reporter-feedback removed

I'm going to work on this to make it available in 7.0.0, but I believe the patch needs a refresh.

@imath
4 years ago

#11 @imath
4 years ago

  • Keywords has-patch added; needs-refresh removed

8066.3.patch is a refreshed version of the patch. I also added a new unit test to test the filter so that it checks the password has at least 4 characters.

#12 @imath
4 years ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 12679:

BP Members: improve our password validation process

We're introducing a new function to validate the member's chosen password: bp_members_validate_user_password().

This function is primarily used to check the password is not empty, and to make sure the password confirmation matches the password. If it's the case, the function will return a WP_Error object with no error message. Otherwise this object will contain an error message.

Plugins can now use the bp_members_validate_user_password filter to add their own error messages according to a custom validation process. See the last unit tests of this commit for an example of use.

Props devnik, tharsheblows

Fixes #8066
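
One way a plugin could hook the bp_members_validate_user_password filter to enforce the role-dependent policy asked for in comment #7, as an added example that is not part of the ticket or of BuddyPress. The function name, text domain, thresholds, capability and the callback argument order are assumptions; check the argument order against bp_members_validate_user_password() in your BuddyPress version.

```php
<?php
/**
 * Added example, not BuddyPress code. Assumed callback arguments:
 * ( WP_Error $errors, string $pass, string $confirm_pass, $userdata ),
 * with $userdata empty when no account exists yet (registration).
 */
function example_bp_password_policy( $errors, $pass, $confirm_pass, $userdata = null ) {
	// Core checks (empty or mismatching password) already failed: add nothing.
	if ( ! is_wp_error( $errors ) || $errors->has_errors() ) {
		return $errors;
	}

	// Resolve the account being edited, if there is one.
	$user = null;
	if ( $userdata instanceof WP_User ) {
		$user = $userdata;
	} elseif ( is_object( $userdata ) && ! empty( $userdata->ID ) ) {
		$user = get_userdata( (int) $userdata->ID );
	}

	// Constructed policy values: 12 characters for members and new
	// registrations, 16 for accounts that can edit other people's content.
	$elevated   = $user && user_can( $user, 'edit_others_posts' );
	$min_length = $elevated ? 16 : 12;

	if ( strlen( $pass ) < $min_length ) {
		$errors->add(
			'example_password_too_short',
			sprintf(
				/* translators: %d: minimum number of characters. */
				__( 'Your password must be at least %d characters long.', 'example-textdomain' ),
				$min_length
			)
		);
	}

	// Reject passwords that embed the account's own login name.
	if ( $user && '' !== $user->user_login && false !== stripos( $pass, $user->user_login ) ) {
		$errors->add(
			'example_password_contains_login',
			__( 'Your password must not contain your username.', 'example-textdomain' )
		);
	}

	return $errors;
}
add_filter( 'bp_members_validate_user_password', 'example_bp_password_policy', 10, 4 );
```

Because the check runs server side in the validation function, it applies even when a client-side strength meter is bypassed.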

#13 @ilianskia
22 months ago

How can the current password validation and the field be removed completely for all users/members?
When a user/member wants to change their email and/or password, so they don't need to type their current password in case of that change.
