laipower/wp-content/plugins/easy-digital-downloads/includes/users/lost-password.php

315 lines
10 KiB
PHP

<?php
/**
* Lost Password Functions
*
* @package EDD
* @subpackage Functions/Login
* @copyright Copyright (c) 2022, Easy Digital Downloads, LLC
* @license https://opensource.org/licenses/gpl-2.0.php GNU Public License
* @since 1.0
*/
// Exit if accessed directly
defined( 'ABSPATH' ) || exit;
add_filter( 'wp_login_errors', 'edd_login_register_error_message', 10, 2 );
/**
* Changes the WordPress login confirmation message when using EDD's reset password link.
*
* @since 2.10
* @param object \WP_Error $errors
* @param string $redirect
* @return void
*/
function edd_login_register_error_message( $errors, $redirect ) {
$redirect_url = EDD()->session->get( 'edd_forgot_password_redirect' );
if ( empty( $redirect_url ) ) {
return $errors;
}
$message = sprintf(
/* translators: %s: Link to the referring page. */
__( 'Follow the instructions in the confirmation email you just received, then <a href="%s">return to what you were doing</a>.', 'easy-digital-downloads' ),
esc_url( $redirect_url )
);
$errors->remove( 'confirm' );
$errors->add(
'confirm',
apply_filters(
'edd_login_register_error_message',
$message,
$redirect_url
),
'message'
);
EDD()->session->set( 'edd_forgot_password_redirect', null );
return $errors;
}
/**
* Gets the lost password URL, customized for EDD. Using this allows the password
* reset form to redirect to the login screen with the EDD custom confirmation message.
*
* @since 2.10
* @return string
*/
function edd_get_lostpassword_url() {
$login_page_uri = edd_get_login_page_uri();
if ( empty( $login_page_uri ) ) {
return add_query_arg(
array(
'edd_forgot_password' => 'confirm',
),
wp_lostpassword_url()
);
}
return add_query_arg( 'action', 'lostpassword', $login_page_uri );
}
/**
* Gets the password reset link for a user.
*
* @param WP_User $user
* @return false|string
*/
function edd_get_password_reset_link( $user ) {
$key = get_password_reset_key( $user );
if ( is_wp_error( $key ) ) {
return false;
}
return add_query_arg(
array(
'action' => 'rp',
'key' => rawurlencode( $key ),
'login' => rawurlencode( $user->user_login ),
),
wp_login_url()
);
}
add_action( 'lostpassword_form', 'edd_set_lostpassword_session' );
/**
* Sets a session value for the lost password redirect URI.
*
* @since 3.0.2
* @return void
*/
function edd_set_lostpassword_session() {
if ( ! empty( $_GET['edd_forgot_password'] ) && 'confirm' === $_GET['edd_forgot_password'] ) {
$url = wp_validate_redirect(
wp_get_referer(),
edd_get_checkout_uri()
);
EDD()->session->set( 'edd_forgot_password_redirect', $url );
}
}
add_action( 'edd_user_lost_password', 'edd_handle_lost_password_request' );
/**
* Handles the lost password request from the EDD lost password block.
*
* @since 3.1
* @param array $data
* @return void
*/
function edd_handle_lost_password_request( $data ) {
// Verify the nonce.
if ( empty( $data['edd_lost-password_nonce'] ) || ! wp_verify_nonce( $data['edd_lost-password_nonce'], 'edd-lost-password-nonce' ) ) {
edd_set_error( 'edd_lost_password', __( 'Your request could not be completed.', 'easy-digital-downloads' ) );
return;
}
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
$errors = retrieve_password();
if ( ! is_wp_error( $errors ) ) {
edd_set_success( 'checkemail', __( 'You did it! Check your email for instructions on resetting your password.', 'easy-digital-downloads' ) );
} else {
$error_code = $errors->get_error_code();
$message = $errors->get_error_message( $error_code );
if ( $message ) {
// WP_Error messages include "Error:" so we remove that here to prevent duplication.
$message = explode( ':', $message );
$output = trim( $message[0] );
if ( ! empty( $message[1] ) ) {
unset( $message[0] );
$output = trim( implode( ':', $message ) );
}
edd_set_error( $error_code, $output );
}
}
}
edd_redirect( remove_query_arg( 'action', wp_get_referer() ) );
}
add_filter( 'retrieve_password_message', 'edd_retrieve_password_message', 10, 4 );
/**
* Filters the email message sent when a password reset has been requested.
*
* @since 3.1
* @param string $message The email message.
* @param string $key The activation key.
* @param string $user_login The username for the user.
* @param WP_User $user_data WP_User object.
* @return string
*/
function edd_retrieve_password_message( $message, $key, $user_login, $user_data ) {
if ( empty( $_POST['edd_action'] ) || 'user_lost_password' !== $_POST['edd_action'] ) {
return $message;
}
if ( empty( $_POST['edd_lost-password_nonce'] ) || ! wp_verify_nonce( $_POST['edd_lost-password_nonce'], 'edd-lost-password-nonce' ) ) {
return $message;
}
if ( is_multisite() ) {
$site_name = get_network()->site_name;
} else {
/*
* The blogname option is escaped with esc_html on the way into the database
* in sanitize_option. We want to reverse this for the plain text arena of emails.
*/
$site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
}
$message = __( 'Someone has requested a password reset for the following account:', 'easy-digital-downloads' ) . "\r\n\r\n";
/* translators: %s: Site name. */
$message .= sprintf( __( 'Site Name: %s', 'easy-digital-downloads' ), $site_name ) . "\r\n\r\n";
/* translators: %s: User login. */
$message .= sprintf( __( 'Username: %s', 'easy-digital-downloads' ), $user_login ) . "\r\n\r\n";
$message .= __( 'If this was a mistake, ignore this email and nothing will happen.', 'easy-digital-downloads' ) . "\r\n\r\n";
$message .= __( 'To reset your password, visit the following address:', 'easy-digital-downloads' ) . "\r\n\r\n";
$message .= add_query_arg(
array(
'edd_action' => 'password_reset_requested',
'key' => $key,
'login' => rawurlencode( $user_login ),
),
esc_url_raw( $_POST['edd_redirect'] )
);
$message .= "\r\n\r\n";
if ( ! is_user_logged_in() ) {
$requester_ip = $_SERVER['REMOTE_ADDR'];
if ( $requester_ip ) {
$message .= sprintf(
/* translators: %s: IP address of password reset requester. */
__( 'This password reset request originated from the IP address %s.', 'easy-digital-downloads' ),
$requester_ip
) . "\r\n";
}
}
return $message;
}
add_action( 'edd_password_reset_requested', 'edd_validate_password_reset_link' );
/**
* Validates the email link and sends the user to the password reset form upon success.
*
* @since 3.1
* @return void
*/
function edd_validate_password_reset_link() {
list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
$redirect = remove_query_arg( array( 'key', 'login', 'edd_action' ), wp_get_referer() );
// Everything is good; move forward with the password reset.
if ( isset( $_GET['key'] ) && isset( $_GET['login'] ) ) {
$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
edd_redirect( add_query_arg( 'action', 'rp', $redirect ) );
}
$user = false;
if ( isset( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );
$user = check_password_reset_key( $rp_key, $rp_login );
if ( isset( $_POST['pass1'] ) && ! hash_equals( $rp_key, $_POST['rp_key'] ) ) {
$user = false;
}
}
if ( ! $user || is_wp_error( $user ) ) {
setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
if ( $user && $user->get_error_code() === 'expired_key' ) {
edd_set_error( 'expiredkey', __( 'Your password reset link has expired. Please request a new link below.', 'easy-digital-downloads' ) );
} else {
edd_set_error( 'invalidkey', __( 'Your password reset link appears to be invalid. Please request a new link below.', 'easy-digital-downloads' ) );
}
}
// Redirect back to the lost password form instead of the password reset.
edd_redirect( add_query_arg( 'action', 'lostpassword', $redirect ) );
}
add_action( 'edd_user_reset_password', 'edd_validate_password_reset' );
/**
* Validates the password reset and redirects to the login form on success.
*
* @since 3.1
* @param array $data
* @return void
*/
function edd_validate_password_reset( $data ) {
// We don't need or use AJAX requests for this, so die if one is received.
if ( edd_doing_ajax() ) {
wp_die( __( 'Invalid password reset request.', 'easy-digital-downloads' ), __( 'Error', 'easy-digital-downloads' ), array( 'response' => 400 ) );
}
// Verify the nonce.
if ( ! isset( $data['edd_resetpassword_nonce'] ) || ! wp_verify_nonce( $data['edd_resetpassword_nonce'], 'edd-reset-password-nonce' ) ) {
edd_set_error( 'password_reset_failed', __( 'Invalid password reset request.', 'easy-digital-downloads' ) );
}
if ( empty( $data['rp_key'] ) ) {
edd_set_error( 'password_reset_failed', __( 'Invalid password reset request.', 'easy-digital-downloads' ) );
}
$user = check_password_reset_key( $data['rp_key'], $data['user_login'] );
if ( ! $user || is_wp_error( $user ) ) {
edd_set_error( 'password_reset_failed', __( 'Invalid password reset request.', 'easy-digital-downloads' ) );
}
// Check if password is one or all empty spaces.
if ( ! empty( $data['pass1'] ) ) {
$_POST['pass1'] = trim( $data['pass1'] );
}
if ( empty( $data['pass1'] ) ) {
edd_set_error( 'empty_password', __( 'The password cannot be a space or all spaces.', 'easy-digital-downloads' ) );
}
// Check if password fields do not match.
if ( ! empty( $data['pass1'] ) && trim( $data['pass2'] ) !== $data['pass1'] ) {
edd_set_error( 'password_reset_mismatch', __( 'The passwords do not match.', 'easy-digital-downloads' ) );
}
$user = get_user_by( 'login', $data['user_login'] );
if ( false === $user ) {
edd_set_error( 'password_reset_unsuccessful', __( 'Your password could not be reset.', 'easy-digital-downloads' ) );
}
$redirect = remove_query_arg( 'action', $data['edd_redirect'] );
// If no errors were registered then reset the password.
$errors = edd_get_errors();
if ( empty( $errors ) ) {
reset_password( $user, $data['pass1'] );
edd_set_success( 'password_reset_successful', __( 'Your password was successfully reset.', 'easy-digital-downloads' ) );
// todo: check if this is correct
setcookie( 'wp-resetpass-' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, wp_make_link_relative( wp_get_referer() ), COOKIE_DOMAIN, is_ssl(), true );
edd_redirect( $redirect );
}
edd_redirect( add_query_arg( 'action', 'password_reset_unsuccessful', $redirect ) );
}