Beispiel #1
0
/**
 * Display installer setup form.
 *
 * @since 2.8.0
 *
 * @param string|null $error
 */
function display_setup_form($error = null)
{
    global $hqdb;
    $sql = $hqdb->prepare("SHOW TABLES LIKE %s", $hqdb->esc_like($hqdb->users));
    $user_table = $hqdb->get_var($sql) != null;
    // Ensure that Blogs appear in search engines by default.
    $blog_public = 1;
    if (isset($_POST['weblog_title'])) {
        $blog_public = isset($_POST['blog_public']);
    }
    $weblog_title = isset($_POST['weblog_title']) ? trim(hq_unslash($_POST['weblog_title'])) : '';
    $user_name = isset($_POST['user_name']) ? trim(hq_unslash($_POST['user_name'])) : '';
    $admin_email = isset($_POST['admin_email']) ? trim(hq_unslash($_POST['admin_email'])) : '';
    if (!is_null($error)) {
        ?>
<p class="message"><?php 
        echo $error;
        ?>
</p>
<?php 
    }
    ?>
<form id="setup" method="post" action="install.php?step=2" novalidate="novalidate">
        <table class="form-table">
                <tr>
                        <th scope="row"><label for="weblog_title"><?php 
    _e('Site Title');
    ?>
</label></th>
                        <td><input name="weblog_title" type="text" id="weblog_title" size="25" value="<?php 
    echo esc_attr($weblog_title);
    ?>
" /></td>
                </tr>
                <tr>
                        <th scope="row"><label for="user_login"><?php 
    _e('Username');
    ?>
</label></th>
                        <td>
                        <?php 
    if ($user_table) {
        _e('User(s) already exists.');
        echo '<input name="user_name" type="hidden" value="admin" />';
    } else {
        ?>
<input name="user_name" type="text" id="user_login" size="25" value="<?php 
        echo esc_attr(sanitize_user($user_name, true));
        ?>
" />
                                <p><?php 
        _e('Usernames can have only alphanumeric characters, spaces, underscores, hyphens, periods, and the @ symbol.');
        ?>
</p>
                        <?php 
    }
    ?>
                        </td>
                </tr>
                <?php 
    if (!$user_table) {
        ?>
                <tr class="form-field form-required user-pass1-wrap">
                        <th scope="row">
                                <label for="pass1">
                                        <?php 
        _e('Password');
        ?>
                                </label>
                        </th>
                        <td>
                                <div class="">
                                        <?php 
        $initial_password = isset($_POST['admin_password']) ? stripslashes($_POST['admin_password']) : hq_generate_password(18);
        ?>
                                        <input type="password" name="admin_password" id="pass1" class="regular-text" autocomplete="off" data-reveal="1" data-pw="<?php 
        echo esc_attr($initial_password);
        ?>
" aria-describedby="pass-strength-result" />
                                        <button type="button" class="button button-secondary hq-hide-pw hide-if-no-js" data-start-masked="<?php 
        echo (int) isset($_POST['admin_password']);
        ?>
" data-toggle="0" aria-label="<?php 
        esc_attr_e('Hide password');
        ?>
">
                                                <span class="dashicons dashicons-hidden"></span>
                                                <span class="text"><?php 
        _e('Hide');
        ?>
</span>
                                        </button>
                                        <div id="pass-strength-result" aria-live="polite"></div>
                                </div>
                                <p><span class="description important hide-if-no-js">
                                <strong><?php 
        _e('Important:');
        ?>
</strong>
                                <?php 
        /* translators: The non-breaking space prevents 1Password from thinking the text "log in" should trigger a password save prompt. */
        ?>
                                <?php 
        _e('You will need this password to log&nbsp;in. Please store it in a secure location.');
        ?>
</span></p>
                        </td>
                </tr>
                <tr class="form-field form-required user-pass2-wrap hide-if-js">
                        <th scope="row">
                                <label for="pass2"><?php 
        _e('Repeat Password');
        ?>
                                        <span class="description"><?php 
        _e('(required)');
        ?>
</span>
                                </label>
                        </th>
                        <td>
                                <input name="admin_password2" type="password" id="pass2" autocomplete="off" />
                        </td>
                </tr>
                <tr class="pw-weak">
                        <th scope="row"><?php 
        _e('Confirm Password');
        ?>
</th>
                        <td>
                                <label>
                                        <input type="checkbox" name="pw_weak" class="pw-checkbox" />
                                        <?php 
        _e('Confirm use of weak password');
        ?>
                                </label>
                        </td>
                </tr>
                <?php 
    }
    ?>
                <tr>
                        <th scope="row"><label for="admin_email"><?php 
    _e('Your E-mail');
    ?>
</label></th>
                        <td><input name="admin_email" type="email" id="admin_email" size="25" value="<?php 
    echo esc_attr($admin_email);
    ?>
" />
                        <p><?php 
    _e('Double-check your email address before continuing.');
    ?>
</p></td>
                </tr>
                <tr>
                        <th scope="row"><?php 
    _e('Privacy');
    ?>
</th>
                        <td colspan="2"><label><input type="checkbox" name="blog_public" id="blog_public" value="1" <?php 
    checked($blog_public);
    ?>
 /> <?php 
    _e('Allow search engines to index this site');
    ?>
</label></td>
                </tr>
        </table>
        <p class="step"><?php 
    submit_button(__('Install HiveQueen'), 'large', 'Submit', false, array('id' => 'submit'));
    ?>
</p>
        <input type="hidden" name="language" value="<?php 
    echo isset($_REQUEST['language']) ? esc_attr($_REQUEST['language']) : '';
    ?>
" />
</form>
<?php 
}
Beispiel #2
0
 /**
  * Get salt to add to hashes.
  *
  * Salts are created using secret keys. Secret keys are located in two places:
  * in the database and in the hq-config.php file. The secret key in the database
  * is randomly generated and will be appended to the secret keys in hq-config.php.
  *
  * The secret keys in hq-config.php should be updated to strong, random keys to maximize
  * security. Below is an example of how the secret key constants are defined.
  * Do not paste this example directly into hq-config.php. Instead, have a
  * {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just
  * for you.
  *
  *     define('AUTH_KEY',         ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON');
  *     define('SECURE_AUTH_KEY',  'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~');
  *     define('LOGGED_IN_KEY',    '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
  *     define('NONCE_KEY',        '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|');
  *     define('AUTH_SALT',        'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW');
  *     define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n');
  *     define('LOGGED_IN_SALT',   '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm');
  *     define('NONCE_SALT',       'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT');
  *
  * Salting passwords helps against tools which has stored hashed values of
  * common dictionary strings. The added values makes it harder to crack.
  *
  * @since 0.0.1
  *
  * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for hq-config.php
  *
  * @staticvar array $cached_salts
  * @staticvar array $duplicated_keys
  *
  * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce)
  * @return string Salt value
  */
 function hq_salt($scheme = 'auth')
 {
     static $cached_salts = array();
     if (isset($cached_salts[$scheme])) {
         /**
          * Filter the HiveQueen salt.
          *
          * @since 0.0.1
          *
          * @param string $cached_salt Cached salt for the given scheme.
          * @param string $scheme      Authentication scheme. Values include 'auth',
          *                            'secure_auth', 'logged_in', and 'nonce'.
          */
         return apply_filters('salt', $cached_salts[$scheme], $scheme);
     }
     static $duplicated_keys;
     if (null === $duplicated_keys) {
         $duplicated_keys = array('put your unique phrase here' => true);
         foreach (array('AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET') as $first) {
             foreach (array('KEY', 'SALT') as $second) {
                 if (!defined("{$first}_{$second}")) {
                     continue;
                 }
                 $value = constant("{$first}_{$second}");
                 $duplicated_keys[$value] = isset($duplicated_keys[$value]);
             }
         }
     }
     $values = array('key' => '', 'salt' => '');
     if (defined('SECRET_KEY') && SECRET_KEY && empty($duplicated_keys[SECRET_KEY])) {
         $values['key'] = SECRET_KEY;
     }
     if ('auth' == $scheme && defined('SECRET_SALT') && SECRET_SALT && empty($duplicated_keys[SECRET_SALT])) {
         $values['salt'] = SECRET_SALT;
     }
     if (in_array($scheme, array('auth', 'secure_auth', 'logged_in', 'nonce'))) {
         foreach (array('key', 'salt') as $type) {
             $const = strtoupper("{$scheme}_{$type}");
             if (defined($const) && constant($const) && empty($duplicated_keys[constant($const)])) {
                 $values[$type] = constant($const);
             } elseif (!$values[$type]) {
                 $values[$type] = get_site_option("{$scheme}_{$type}");
                 if (!$values[$type]) {
                     $values[$type] = hq_generate_password(64, true, true);
                     update_site_option("{$scheme}_{$type}", $values[$type]);
                 }
             }
         }
     } else {
         if (!$values['key']) {
             $values['key'] = get_site_option('secret_key');
             if (!$values['key']) {
                 $values['key'] = hq_generate_password(64, true, true);
                 update_site_option('secret_key', $values['key']);
             }
         }
         $values['salt'] = hash_hmac('md5', $scheme, $values['key']);
     }
     $cached_salts[$scheme] = $values['key'] . $values['salt'];
     /** This filter is documented in hq-includes/pluggable.php */
     return apply_filters('salt', $cached_salts[$scheme], $scheme);
 }
Beispiel #3
0
 /**
  * Generate a session token and attach session information to it.
  *
  * A session token is a long, random string. It is used in a cookie
  * link that cookie to an expiration time and to ensure the cookie
  * becomes invalidated upon logout.
  *
  * This function generates a token and stores it with the associated
  * expiration time (and potentially other session information via the
  * `attach_session_information` filter).
  *
  * @since 0.0.1
  * @access public
  *
  * @param int $expiration Session expiration timestamp.
  * @return string Session token.
  */
 public final function create($expiration)
 {
     /**
      * Filter the information attached to the newly created session.
      *
      * Could be used in the future to attach information such as
      * IP address or user agent to a session.
      *
      * @since 0.0.1
      *
      * @param array $session Array of extra data.
      * @param int   $user_id User ID.
      */
     $session = apply_filters('attach_session_information', array(), $this->user_id);
     $session['expiration'] = $expiration;
     // IP address.
     if (!empty($_SERVER['REMOTE_ADDR'])) {
         $session['ip'] = $_SERVER['REMOTE_ADDR'];
     }
     // User-agent.
     if (!empty($_SERVER['HTTP_USER_AGENT'])) {
         $session['ua'] = hq_unslash($_SERVER['HTTP_USER_AGENT']);
     }
     // Timestamp
     $session['login'] = time();
     $token = hq_generate_password(43, false, false);
     $this->update($token, $session);
     return $token;
 }
Beispiel #4
0
 /**
  Installs the site.
 *
 * Runs the required functions to set up and populate the database,
 * including primary admin user and initial options.
 *
 * @since 0.0.1
 *
 * @param string $blog_title    Blog title.
 * @param string $user_name     User's username.
 * @param string $user_email    User's email.
 * @param bool   $public        Whether blog is public.
 * @param string $deprecated    Optional. Not used.
 * @param string $user_password Optional. User's chosen password. Default empty (random password).
 * @param string $language      Optional. Language chosen. Default empty.
 * @return array Array keys 'url', 'user_id', 'password', and 'password_message'.
 */
 function hq_install($blog_title, $user_name, $user_email, $public, $deprecated = '', $user_password = '', $language = '')
 {
     if (!empty($deprecated)) {
         _deprecated_argument(__FUNCTION__, '2.6');
     }
     hq_check_mysql_version();
     //TODO: no cache
     //hq_cache_flush();
     //TODO: Debug
     //make_db_current_silent();
     make_db_current();
     populate_options();
     populate_roles();
     update_option('blogname', $blog_title);
     update_option('admin_email', $user_email);
     update_option('blog_public', $public);
     if ($language) {
         update_option('HQLANG', $language);
     }
     $guessurl = hq_guess_url();
     update_option('siteurl', $guessurl);
     // If not a public blog, don't ping.
     if (!$public) {
         update_option('default_pingback_flag', 0);
     }
     /*
      * Create default user. If the user already exists, the user tables are
      * being shared among blogs. Just set the role in that case.
      */
     $user_id = username_exists($user_name);
     $user_password = trim($user_password);
     $email_password = false;
     if (!$user_id && empty($user_password)) {
         $user_password = hq_generate_password(12, false);
         $message = __('<strong><em>Note that password</em></strong> carefully! It is a <em>random</em> password that was generated just for you.');
         $user_id = hq_create_user($user_name, $user_password, $user_email);
         update_user_option($user_id, 'default_password_nag', true, true);
         $email_password = true;
     } elseif (!$user_id) {
         // Password has been provided
         $message = '<em>' . __('Your chosen password.') . '</em>';
         $user_id = hq_create_user($user_name, $user_password, $user_email);
     } else {
         $message = __('User already exists. Password inherited.');
     }
     $user = new HQ_User($user_id);
     $user->set_role('administrator');
     hq_install_defaults($user_id);
     hq_install_maybe_enable_pretty_permalinks();
     flush_rewrite_rules();
     hq_new_blog_notification($blog_title, $guessurl, $user_id, $email_password ? $user_password : __('The password you chose during the install.'));
     hq_cache_flush();
     /**
      * Fires after a site is fully installed.
      *
      * @since 0.0.1
      *
      * @param HQ_User $user The site owner.
      */
     do_action('hq_install', $user);
     return array('url' => $guessurl, 'user_id' => $user_id, 'password' => $user_password, 'password_message' => $message);
 }
Beispiel #5
0
/**
 * Handles sending password retrieval email to user.
 *
 * @global hqdb         $hqdb      HiveQueen database abstraction object.
 * @global PasswordHash $hq_hasher Portable PHP password hashing framework.
 *
 * @return bool|HQ_Error True: when finish. HQ_Error on error
 */
function retrieve_password()
{
    global $hqdb, $hq_hasher;
    $errors = new HQ_Error();
    if (empty($_POST['user_login'])) {
        $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
    } elseif (strpos($_POST['user_login'], '@')) {
        $user_data = get_user_by('email', trim($_POST['user_login']));
        if (empty($user_data)) {
            $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
        }
    } else {
        $login = trim($_POST['user_login']);
        $user_data = get_user_by('login', $login);
    }
    /**
     * Fires before errors are returned from a password reset request.
     *
     * @since 0.0.1
     */
    do_action('lostpassword_post');
    if ($errors->get_error_code()) {
        return $errors;
    }
    if (!$user_data) {
        $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
        return $errors;
    }
    // Redefining user_login ensures we return the right case in the email.
    $user_login = $user_data->user_login;
    $user_email = $user_data->user_email;
    /**
     * Fires before a new password is retrieved.
     *
     * @since 0.0.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retreive_password', $user_login);
    /**
     * Fires before a new password is retrieved.
     *
     * @since 0.0.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user_login);
    /**
     * Filter whether to allow a password to be reset.
     *
     * @since 0.0.1
     *
     * @param bool true           Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    $allow = apply_filters('allow_password_reset', true, $user_data->ID);
    if (!$allow) {
        return new HQ_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_hq_error($allow)) {
        return $allow;
    }
    // Generate something random for a password reset key.
    $key = hq_generate_password(20, false);
    /**
     * Fires when a password reset key is generated.
     *
     * @since 0.0.1
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    do_action('retrieve_password_key', $user_login, $key);
    // Now insert the key, hashed, into the DB.
    if (empty($hq_hasher)) {
        require_once ABSPATH . HQINC . '/class-phpass.php';
        $hq_hasher = new PasswordHash(8, true);
    }
    $hashed = time() . ':' . $hq_hasher->HashPassword($key);
    $hqdb->update($hqdb->users, array('user_activation_key' => $hashed), array('user_login' => $user_login));
    $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    $message .= network_home_url('/') . "\r\n\r\n";
    $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
    $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
    $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
    $message .= '<' . network_site_url("hq-login.php?action=rp&key={$key}&login="******">\r\n";
    //TODO: Goyo no multisite
    //if ( is_multisite() )
    if (false) {
        $blogname = $GLOBALS['current_site']->site_name;
    } else {
        /*
         * The blogname option is escaped with esc_html on the way into the database
         * in sanitize_option we want to reverse this for the plain text arena of emails.
         */
        $blogname = hq_specialchars_decode(get_option('blogname'), ENT_QUOTES);
    }
    $title = sprintf(__('[%s] Password Reset'), $blogname);
    /**
     * Filter the subject of the password reset email.
     *
     * @since 0.0.1
     *
     * @param string $title Default email title.
     */
    $title = apply_filters('retrieve_password_title', $title);
    /**
     * Filter the message body of the password reset mail.
     *
     * @since 0.0.1
     *
     * @param string  $message    Default mail message.
     * @param string  $key        The activation key.
     * @param string  $user_login The username for the user.
     * @param HQ_User $user_data  HQ_User object.
     */
    $message = apply_filters('retrieve_password_message', $message, $key, $user_login, $user_data);
    if ($message && !hq_mail($user_email, hq_specialchars_decode($title), $message)) {
        hq_die(__('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.'));
    }
    return true;
}