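/**
 * Update a comment with values provided in $_POST.
 *
 * Copies the edit-form field names (`newcomment_*`, `comment_status`,
 * `content`) onto the keys hq_update_comment() reads, rebuilds
 * `comment_date` when one of the editable date parts differs from its
 * `hidden_*` counterpart, and passes the whole of $_POST to
 * hq_update_comment(). Dies via hq_die() when the current user lacks the
 * `edit_comment` capability for the posted comment_ID.
 *
 * A missing `comment_ID` is treated as 0 and a missing date part as
 * unchanged, so absent fields no longer raise undefined-index notices.
 *
 * @since 0.0.1
 */
function edit_comment() {
    $comment_id = isset($_POST['comment_ID']) ? (int) $_POST['comment_ID'] : 0;
    if (!current_user_can('edit_comment', $comment_id)) {
        hq_die(__('You are not allowed to edit comments on this post.'));
    }

    // Map the edit-form field names onto the keys hq_update_comment() expects.
    $field_map = array(
        'newcomment_author'       => 'comment_author',
        'newcomment_author_email' => 'comment_author_email',
        'newcomment_author_url'   => 'comment_author_url',
        'comment_status'          => 'comment_approved',
        'content'                 => 'comment_content',
    );
    foreach ($field_map as $from => $to) {
        if (isset($_POST[$from])) {
            $_POST[$to] = $_POST[$from];
        }
    }
    if (isset($_POST['comment_ID'])) {
        $_POST['comment_ID'] = $comment_id;
    }

    // Only rebuild the date when an editable part differs from its hidden
    // original; a part that was not posted at all counts as unchanged.
    foreach (array('aa', 'mm', 'jj', 'hh', 'mn') as $timeunit) {
        $hidden = 'hidden_' . $timeunit;
        if (!empty($_POST[$hidden]) && isset($_POST[$timeunit]) && $_POST[$hidden] != $_POST[$timeunit]) {
            $_POST['edit_date'] = '1';
            break;
        }
    }

    if (!empty($_POST['edit_date'])) {
        $parts = array();
        foreach (array('aa', 'mm', 'jj', 'hh', 'mn', 'ss') as $timeunit) {
            $parts[$timeunit] = isset($_POST[$timeunit]) ? $_POST[$timeunit] : '';
        }
        $aa = $parts['aa'];
        $mm = $parts['mm'];
        // Day is capped at 31; hour, minute and second wrap once past their
        // maximum (the original clamping, kept as-is).
        $jj = $parts['jj'] > 31 ? 31 : $parts['jj'];
        $hh = $parts['hh'] > 23 ? $parts['hh'] - 24 : $parts['hh'];
        $mn = $parts['mn'] > 59 ? $parts['mn'] - 60 : $parts['mn'];
        $ss = $parts['ss'] > 59 ? $parts['ss'] - 60 : $parts['ss'];
        // NOTE(review): the date parts are user-supplied and not validated
        // here; hq_update_comment() is assumed to sanitize comment_date — confirm.
        $_POST['comment_date'] = "{$aa}-{$mm}-{$jj} {$hh}:{$mn}:{$ss}";
    }

    hq_update_comment($_POST);
}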
/**
 * Load custom DB error or display HiveQueen DB error.
 *
 * If a file exists in the hq-content directory named db-error.php, then it will
 * be loaded instead of displaying the WordPress DB error. If it is not found,
 * then the WordPress DB error will be displayed instead.
 *
 * The HiveQueen DB error sets the HTTP status header to 500 to try to prevent
 * search engines from caching the message. Custom DB messages should do the
 * same.
 *
 * Never returns: every branch ends in die or hq_die().
 *
 * @since 0.0.1
 *
 * @global hqdb $hqdb HiveQueen database abstraction object.
 */
function dead_db() {
    global $hqdb;
    hq_load_translations_early();

    // Load custom DB error template, if present. The template is responsible
    // for its own headers and output; we only die after it has run.
    if (file_exists(HQ_CONTENT_DIR . '/db-error.php')) {
        require_once HQ_CONTENT_DIR . '/db-error.php';
        die;
    }

    // If installing or in the admin, provide the verbose message.
    // NOTE(review): $hqdb->error is shown raw to admin/installer sessions only;
    // anonymous visitors get the terse page below.
    if (defined('HQ_INSTALLING') || defined('HQ_ADMIN')) {
        hq_die($hqdb->error);
    }

    // Otherwise, be terse: 500 plus no-cache headers so the error page is not
    // cached by clients or crawlers.
    status_header(500);
    nocache_headers();
    header('Content-Type: text/html; charset=utf-8');
    ?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"<?php if (is_rtl()) { echo ' dir="rtl"'; } ?> >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php _e('Database Error'); ?> </title>
</head>
<body>
<h1><?php _e('Error establishing a database connection'); ?> </h1>
</body>
</html>
<?php
    die;
}
} elseif (file_exists(dirname(ABSPATH) . '/hq-config.php') && !file_exists(dirname(ABSPATH) . '/hq-settings.php')) { /** The config file resides one level above ABSPATH but is not part of another install */ require_once dirname(ABSPATH) . '/hq-config.php'; } else { // A config file doesn't exist define('HQINC', 'hq-includes'); require_once ABSPATH . HQINC . '/load.php'; // Standardize $_SERVER variables across setups. hq_fix_server_vars(); require_once ABSPATH . HQINC . '/functions.php'; $path = hq_guess_url() . '/hq-admin/setup-config.php'; /* * We're going to redirect to setup-config.php. While this shouldn't result * in an infinite loop, that's a silly thing to assume, don't you think? If * we're traveling in circles, our last-ditch effort is "Need more help?" */ if (false === strpos($_SERVER['REQUEST_URI'], 'setup-config')) { header('Location: ' . $path); exit; } define('HQ_CONTENT_DIR', ABSPATH . 'hq-content'); require_once ABSPATH . HQINC . '/version.php'; hq_check_php_mysql_versions(); hq_load_translations_early(); // Die with an error message $die = __("There doesn't seem to be a <code>hq-config.php</code> file. I need this before we can get started.") . '</p>'; $die .= '<p>' . __("Need more help? <a href='https://codex.wordpress.org/Editing_hq-config.php'>We got it</a>.") . '</p>'; $die .= '<p>' . __("You can create a <code>hq-config.php</code> file through a web interface, but this doesn't work for all server setups. The safest way is to manually create the file.") . '</p>'; $die .= '<p><a href="' . $path . '" class="button button-large">' . __("Create a Configuration File") . '</a>'; hq_die($die, __('HiveQueen › Error')); }
/**
 * Verifies the AJAX request to prevent processing requests external of the blog.
 *
 * Looks the nonce up in `$_REQUEST` — under `$query_arg` when given, otherwise
 * under '_ajax_nonce' then '_hqnonce' — and validates it with hq_verify_nonce().
 * With `$die` set, an invalid nonce terminates the request with -1.
 *
 * @since 0.0.1
 *
 * @param int|string   $action    Action nonce.
 * @param false|string $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false,
 *                                `$_REQUEST` values will be evaluated for '_ajax_nonce', and '_hqnonce'
 *                                (in that order). Default false.
 * @param bool         $die       Optional. Whether to die early when the nonce cannot be verified.
 *                                Default true.
 * @return false|int False if the nonce is invalid, 1 if the nonce is valid and generated between
 *                   0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
 */
function check_ajax_referer($action = -1, $query_arg = false, $die = true) {
    // Request keys to try, in priority order: the caller-supplied key first,
    // then the two conventional AJAX nonce field names.
    $candidates = array('_ajax_nonce', '_hqnonce');
    if ($query_arg) {
        array_unshift($candidates, $query_arg);
    }

    $nonce = '';
    foreach ($candidates as $key) {
        if (isset($_REQUEST[$key])) {
            $nonce = $_REQUEST[$key];
            break;
        }
    }

    $result = hq_verify_nonce($nonce, $action);

    if ($die && false === $result) {
        // AJAX requests are terminated through hq_die(); anything else exits
        // directly with the same -1 marker.
        if (defined('DOING_AJAX') && DOING_AJAX) {
            hq_die(-1);
        } else {
            die('-1');
        }
    }

    /**
     * Fires once the AJAX request has been validated or not.
     *
     * @since 0.0.1
     *
     * @param string    $action The AJAX nonce action.
     * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
     *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
     */
    do_action('check_ajax_referer', $action, $result);

    return $result;
}
do_action('load-' . $plugin_page); if (!isset($_GET['noheader'])) { require_once ABSPATH . 'hq-admin/admin-header.php'; } if (file_exists(HQMU_PLUGIN_DIR . "/{$plugin_page}")) { include HQMU_PLUGIN_DIR . "/{$plugin_page}"; } else { include HQ_PLUGIN_DIR . "/{$plugin_page}"; } } include ABSPATH . 'hq-admin/admin-footer.php'; exit; } elseif (isset($_GET['import'])) { $importer = $_GET['import']; if (!current_user_can('import')) { hq_die(__('You are not allowed to import.')); } if (validate_file($importer)) { hq_redirect(admin_url('import.php?invalid=' . $importer)); exit; } if (!isset($hq_importers[$importer]) || !is_callable($hq_importers[$importer][2])) { hq_redirect(admin_url('import.php?invalid=' . $importer)); exit; } /** * Fires before an importer screen is loaded. * * The dynamic portion of the hook name, `$importer`, refers to the importer slug. * * @since 0.0.1
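/**
 * Handle an Image upload for the background image.
 *
 * Reads the `import` entry of $_FILES, verifies the upload nonce and that the
 * file's detected type is an image, stores it via hq_handle_upload(), registers
 * it as an attachment tagged as a custom background for the active stylesheet,
 * and records the image URL (plus the thumbnail URL when one exists) as theme
 * mods. Returns silently when nothing was uploaded; dies via hq_die() on a
 * non-image file or an upload error.
 *
 * @since 0.0.1
 */
public function handle_upload() {
    if (empty($_FILES)) {
        return;
    }

    check_admin_referer('custom-background-upload', '_hqnonce-custom-background-upload');

    // The form posts the file under 'import'; without a temp file there is
    // nothing to inspect, so reject before calling the type checks with nulls.
    if (empty($_FILES['import']['tmp_name'])) {
        hq_die(__('The uploaded file is not a valid image. Please try again.'));
    }
    $uploaded_file = $_FILES['import'];

    // Type is decided from the file contents and name, not the client-supplied MIME.
    $hq_filetype = hq_check_filetype_and_ext($uploaded_file['tmp_name'], $uploaded_file['name']);
    if (!hq_match_mime_types('image', $hq_filetype['type'])) {
        hq_die(__('The uploaded file is not a valid image. Please try again.'));
    }

    $overrides = array('test_form' => false);
    $file = hq_handle_upload($uploaded_file, $overrides);
    if (isset($file['error'])) {
        hq_die($file['error']);
    }

    $url = $file['url'];
    $type = $file['type'];
    $file = $file['file'];
    $filename = basename($file);

    // Construct the object array
    $object = array(
        'post_title'     => $filename,
        'post_content'   => $url,
        'post_mime_type' => $type,
        'guid'           => $url,
        'context'        => 'custom-background',
    );

    // Save the data
    $id = hq_insert_attachment($object, $file);

    // Add the meta-data
    hq_update_attachment_metadata($id, hq_generate_attachment_metadata($id, $file));
    update_post_meta($id, '_hq_attachment_is_custom_background', get_option('stylesheet'));

    set_theme_mod('background_image', esc_url_raw($url));

    // hq_get_attachment_image_src() may return false rather than an array;
    // guard before indexing so a missing thumbnail does not raise a notice.
    $thumbnail = hq_get_attachment_image_src($id, 'thumbnail');
    if (is_array($thumbnail) && !empty($thumbnail[0])) {
        set_theme_mod('background_image_thumb', esc_url_raw($thumbnail[0]));
    }

    /** This action is documented in hq-admin/custom-header.php */
    do_action('hq_create_file_in_uploads', $file, $id); // For replication

    $this->updated = true;
}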
/**
 * Set the database table prefix and the format specifiers for database
 * table columns.
 *
 * Columns not listed here default to `%s`. Bails to dead_db() when the
 * database object already carries an error, and dies when the configured
 * `$table_prefix` is rejected by hqdb::set_prefix().
 *
 * @since 0.0.1
 * @access private
 *
 * @global hqdb   $hqdb         The HiveQueen database class.
 * @global string $table_prefix The database table prefix.
 */
function hq_set_hqdb_vars() {
    global $hqdb, $table_prefix;

    if (!empty($hqdb->error)) {
        dead_db();
    }

    //TODO: Redefine db
    /*
    $hqdb->field_types = array(
        'post_author' => '%d', 'post_parent' => '%d', 'menu_order' => '%d', 'term_id' => '%d',
        'term_group' => '%d', 'term_taxonomy_id' => '%d', 'parent' => '%d', 'count' => '%d',
        'object_id' => '%d', 'term_order' => '%d', 'ID' => '%d', 'comment_ID' => '%d',
        'comment_post_ID' => '%d', 'comment_parent' => '%d', 'user_id' => '%d', 'link_id' => '%d',
        'link_owner' => '%d', 'link_rating' => '%d', 'option_id' => '%d', 'blog_id' => '%d',
        'meta_id' => '%d', 'post_id' => '%d', 'user_status' => '%d', 'umeta_id' => '%d',
        'comment_karma' => '%d', 'comment_count' => '%d',
        // multisite:
        'active' => '%d', 'cat_id' => '%d', 'deleted' => '%d', 'lang_id' => '%d',
        'mature' => '%d', 'public' => '%d', 'site_id' => '%d', 'spam' => '%d',
    );
    */

    // Columns that take an integer placeholder; everything else is %s.
    $int_columns = array(
        'menu_order',
        'term_id',
        'term_group',
        'parent',
        'count',
        'object_id',
        'term_order',
        'ID',
        'user_id',
        'option_id',
        'user_status',
    );
    $hqdb->field_types = array_fill_keys($int_columns, '%d');

    $prefix = $hqdb->set_prefix($table_prefix);
    if (is_hq_error($prefix)) {
        hq_load_translations_early();
        hq_die(__('<strong>ERROR</strong>: <code>$table_prefix</code> in <code>hq-config.php</code> can only contain numbers, letters, and underscores.'));
    }
}
/**
 * Dies with an explanatory message on the link-manager admin screens.
 *
 * Does nothing unless `$pagenow` is one of link-manager.php, link-add.php or
 * link.php. Users who could manage links (checked with link_manager_enabled
 * forced on) and can install plugins are pointed at the Link Manager plugin;
 * everyone else gets a permissions message. Never returns on those screens.
 *
 * @since 0.0.1
 * @access private
 *
 * @global string $pagenow
 */
function hq_link_manager_disabled_message() {
    global $pagenow;

    $link_screens = array('link-manager.php', 'link-add.php', 'link.php');
    if (!in_array($pagenow, $link_screens, true)) {
        return;
    }

    // Evaluate the capability with link_manager_enabled forced to true for the
    // duration of the check, then restore the option filter state.
    add_filter('pre_option_link_manager_enabled', '__return_true', 100);
    $can_manage_links = current_user_can('manage_links');
    remove_filter('pre_option_link_manager_enabled', '__return_true', 100);

    if ($can_manage_links && current_user_can('install_plugins')) {
        $install_url = network_admin_url('plugin-install.php?tab=search&s=Link+Manager');
        $message = sprintf(__('If you are looking to use the link manager, please install the <a href="%s">Link Manager</a> plugin.'), $install_url);
        hq_die($message);
    }

    hq_die(__('You do not have sufficient permissions to edit the links for this site.'));
}
/**
 * Protect HiveQueen special option from being modified.
 *
 * Will die if $option is in protected list. Protected options are 'alloptions'
 * and 'notoptions' options. The option name is HTML-escaped before being
 * echoed in the death message.
 *
 * @since 0.0.1
 *
 * @param string $option Option name.
 */
function hq_protect_special_option($option) {
    $protected = array('alloptions', 'notoptions');
    if (in_array($option, $protected, true)) {
        $message = sprintf(__('%s is a protected HQ option and may not be modified'), esc_html($option));
        hq_die($message);
    }
}
/**
 * Display the page based on the current step.
 *
 * Dispatches on $this->step(): 2 and 3 render their own step; any other
 * value renders step 1. Dies via hq_die() when the user lacks the
 * `edit_theme_options` capability.
 *
 * @since 0.0.1
 */
public function admin_page() {
    if (!current_user_can('edit_theme_options')) {
        hq_die(__('You do not have permission to customize headers.'));
    }

    switch ($this->step()) {
        case 2:
            $this->step_2();
            break;
        case 3:
            $this->step_3();
            break;
        default:
            $this->step_1();
    }
}
/**
 * Make sure that the file that was requested to edit is allowed to be edited.
 *
 * Function will die if you are not allowed to edit the file. Validation codes
 * 1 and 3 from validate_file() are fatal; a code of 2 has no handler here
 * (its branch is commented out) and yields a null return instead.
 *
 * @since 0.0.1
 *
 * @param string $file          File the user is attempting to edit.
 * @param array  $allowed_files Array of allowed files to edit, $file must match an entry exactly.
 *                              Note the declared default is the empty string.
 * @return string|null The file when it validates, null for an unhandled code.
 */
function validate_file_to_edit($file, $allowed_files = '') {
    $code = validate_file($file, $allowed_files);
    if (!$code) {
        return $file;
    }

    // case 2 : hq_die( __('Sorry, can’t call files with their real path.' ));
    $fatal_codes = array(1, 3);
    if (in_array($code, $fatal_codes)) {
        hq_die(__('Sorry, that file cannot be edited.'));
    }

    return null;
}
*/ define('DB_NAME', $dbname); define('DB_USER', $uname); define('DB_PASSWORD', $pwd); define('DB_HOST', $dbhost); /**#@-*/ // Re-construct $hqdb with these new values. unset($hqdb); require_hq_db(); /* * The hqdb constructor bails when HQ_SETUP_CONFIG is set, so we must * fire this manually. We'll fail here if the values are no good. */ $hqdb->db_connect(); if (!empty($hqdb->error)) { hq_die($hqdb->error->get_error_message() . $tryagain_link); } // Fetch or generate keys and salts. /* goyo disable: $no_api = isset( $_POST['noapi'] ); if ( ! $no_api ) { $secret_keys = hq_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' ); } if ( $no_api || is_hq_error( $secret_keys ) ) { $secret_keys = array(); for ( $i = 0; $i < 8; $i++ ) { $secret_keys[] = hq_generate_password( 64, true, true ); } } else { $secret_keys = explode( "\n", hq_remote_retrieve_body( $secret_keys ) );
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 *
 * Builds a stdClass from the posted fields, accumulates validation problems in
 * an HQ_Error, fires the `check_passwords` and `user_profile_update_errors`
 * hooks, and only then calls hq_update_user() (existing user) or
 * hq_insert_user() plus hq_new_user_notification() (new user). Dies via
 * hq_die() when a role is posted that the current user may not assign.
 *
 * @since 0.0.1
 *
 * @param int $user_id Optional. User ID.
 * @return int|HQ_Error user id of the updated user
 */
function edit_user($user_id = 0) {
    $hq_roles = hq_roles();
    $user = new stdClass();
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        // Existing login is re-slashed to match the slashed $_POST data below.
        $user->user_login = hq_slash($userdata->user_login);
    } else {
        $update = false;
    }

    // The login can only be set on creation; strict sanitize_user() is used.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }

    $pass1 = $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }

    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($hq_roles->role_objects[$new_role]) ? $hq_roles->role_objects[$new_role] : false;
        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        // Precedence: (multisite && manage_sites) || editing-someone-else || (role exists && keeps edit_users).
        if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
            $user->role = $new_role;
        }

        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            hq_die(__('You can’t give users that role.'));
        }
    }

    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field(hq_unslash($_POST['email']));
    }
    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] == 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed protocol.
            $protocols = implode('|', array_map('preg_quote', hq_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }
    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    // NOTE(review): description is only trimmed here, not sanitized — presumably
    // hq_update_user()/hq_insert_user() filter it; confirm.
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }

    foreach (hq_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    // Per-user admin preferences are only touched for existing users.
    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }

    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';

    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }

    $errors = new HQ_Error();

    /* checking that username has been typed */
    if ($user->user_login == '') {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }

    /* checking the password has been typed twice */
    /**
     * Fires before the password and confirm password fields are checked for congruity.
     *
     * @since 0.0.1
     *
     * @param string $user_login The username.
     * @param string &$pass1     The password, passed by reference.
     * @param string &$pass2     The confirmed password, passed by reference.
     */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));

    // On update a blank pair means "keep the current password"; on creation
    // both fields are required.
    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2'));
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2'));
        }
    }

    /* Check for "\" in password */
    if (false !== strpos(hq_unslash($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }

    /* checking the password has been typed twice the same */
    if ($pass1 != $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1'));
    }

    // NOTE(review): the password is stored as posted (still slashed); the
    // insert/update helpers are assumed to unslash and hash it — confirm.
    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }

    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }

    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
    }

    /* checking e-mail address */
    // An address owned by another account is rejected; on update the user's own
    // current address is allowed through.
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The email address isn’t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }

    /**
     * Fires before user profile update errors are returned.
     *
     * @since 0.0.1
     *
     * @param array   &$errors An array of user profile update errors, passed by reference.
     * @param bool    $update  Whether this is a user update.
     * @param HQ_User &$user   HQ_User object, passed by reference.
     */
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));

    if ($errors->get_error_codes()) {
        return $errors;
    }

    if ($update) {
        $user_id = hq_update_user($user);
    } else {
        $user_id = hq_insert_user($user);
        hq_new_user_notification($user_id, null, 'both');
    }
    return $user_id;
}
_e('Please provide the following information. Don’t worry, you can always change these settings later.'); ?> </p> <?php display_setup_form(); break; case 2: if (!empty($language) && load_default_textdomain($language)) { $loaded_language = $language; $GLOBALS['hq_locale'] = new HQ_Locale(); } else { $loaded_language = 'en_US'; } if (!empty($hqdb->error)) { hq_die($hqdb->error->get_error_message()); } display_header(); // Fill in the data we gathered $weblog_title = isset($_POST['weblog_title']) ? trim(hq_unslash($_POST['weblog_title'])) : ''; $user_name = isset($_POST['user_name']) ? trim(hq_unslash($_POST['user_name'])) : ''; $admin_password = isset($_POST['admin_password']) ? hq_unslash($_POST['admin_password']) : ''; $admin_password_check = isset($_POST['admin_password2']) ? hq_unslash($_POST['admin_password2']) : ''; $admin_email = isset($_POST['admin_email']) ? trim(hq_unslash($_POST['admin_email'])) : ''; $public = isset($_POST['blog_public']) ? (int) $_POST['blog_public'] : 0; // Check e-mail address. $error = false; if (empty($user_name)) { // TODO: poka-yoke display_setup_form(__('Please provide a valid username.')); $error = true;
/**
 * Wraps errors in a nice header and footer and dies.
 *
 * Will not die if hqdb::$show_errors is false. In that case the failure is
 * recorded on $this->error — as an HQ_Error when that class is loaded,
 * otherwise as the bare message — and false is returned for the caller.
 *
 * @since 0.0.1
 *
 * @param string $message    The Error message
 * @param string $error_code Optional. A Computer readable string to identify the error.
 * @return false|void
 */
public function bail($message, $error_code = '500') {
    if ($this->show_errors) {
        hq_die($message);
        return;
    }

    // Errors are suppressed: stash the failure for the caller to inspect.
    $this->error = class_exists('HQ_Error')
        ? new HQ_Error($error_code, $message)
        : $message;

    return false;
}
/**
 * Check whether comment flooding is occurring.
 *
 * Won't run, if current user can manage options, so to not block
 * administrators. Looks up the newest comment from the last hour matching
 * the given IP or e-mail, lets the `comment_flood_filter` filter decide, and
 * terminates the request (die for AJAX, hq_die with 429 otherwise) when a
 * flood is signalled.
 *
 * @since 0.0.1
 *
 * @global hqdb $hqdb HiveQueen database abstraction object.
 *
 * @param string $ip    Comment IP.
 * @param string $email Comment author email address.
 * @param string $date  MySQL time string.
 */
function check_comment_flood_db($ip, $email, $date) {
    global $hqdb;

    // don't throttle admins
    if (current_user_can('manage_options')) {
        return;
    }

    $hour_ago = gmdate('Y-m-d H:i:s', time() - HOUR_IN_SECONDS);
    $query = $hqdb->prepare("SELECT `comment_date_gmt` FROM `{$hqdb->comments}` WHERE `comment_date_gmt` >= %s AND ( `comment_author_IP` = %s OR `comment_author_email` = %s ) ORDER BY `comment_date_gmt` DESC LIMIT 1", $hour_ago, $ip, $email);
    $lasttime = $hqdb->get_var($query);
    if (!$lasttime) {
        return;
    }

    $time_lastcomment = mysql2date('U', $lasttime, false);
    $time_newcomment = mysql2date('U', $date, false);

    /**
     * Filter the comment flood status.
     *
     * @since 0.0.1
     *
     * @param bool $bool             Whether a comment flood is occurring. Default false.
     * @param int  $time_lastcomment Timestamp of when the last comment was posted.
     * @param int  $time_newcomment  Timestamp of when the new comment was posted.
     */
    $flood_die = apply_filters('comment_flood_filter', false, $time_lastcomment, $time_newcomment);
    if (!$flood_die) {
        return;
    }

    /**
     * Fires before the comment flood message is triggered.
     *
     * @since 0.0.1
     *
     * @param int $time_lastcomment Timestamp of when the last comment was posted.
     * @param int $time_newcomment  Timestamp of when the new comment was posted.
     */
    do_action('comment_flood_trigger', $time_lastcomment, $time_newcomment);

    $notice = __('You are posting comments too quickly. Slow down.');
    if (defined('DOING_AJAX')) {
        die($notice);
    }
    hq_die($notice, 429);
}
/**
 * Handles sending password retrieval email to user.
 *
 * Resolves the posted `user_login` to a user (by e-mail when it contains '@',
 * otherwise by login), generates a reset key, stores it hashed in
 * `user_activation_key`, and mails the reset link. Returns an HQ_Error for
 * missing/unknown input or a disallowed reset; dies via hq_die() if the mail
 * cannot be sent.
 *
 * @global hqdb         $hqdb      HiveQueen database abstraction object.
 * @global PasswordHash $hq_hasher Portable PHP password hashing framework.
 *
 * @return bool|HQ_Error True: when finish. HQ_Error on error
 */
function retrieve_password() {
    global $hqdb, $hq_hasher;

    $errors = new HQ_Error();

    // strpos() is used unchecked: an '@' at offset 0 is falsy and takes the
    // login branch rather than the e-mail branch.
    if (empty($_POST['user_login'])) {
        $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
    } elseif (strpos($_POST['user_login'], '@')) {
        $user_data = get_user_by('email', trim($_POST['user_login']));
        // NOTE(review): this message discloses whether an e-mail address is
        // registered, whereas the login path below reports a generic
        // 'invalidcombo' error.
        if (empty($user_data)) {
            $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
        }
    } else {
        $login = trim($_POST['user_login']);
        $user_data = get_user_by('login', $login);
    }

    /**
     * Fires before errors are returned from a password reset request.
     *
     * @since 0.0.1
     */
    do_action('lostpassword_post');

    if ($errors->get_error_code()) {
        return $errors;
    }

    if (!$user_data) {
        $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
        return $errors;
    }

    // Redefining user_login ensures we return the right case in the email.
    $user_login = $user_data->user_login;
    $user_email = $user_data->user_email;

    /**
     * Fires before a new password is retrieved.
     *
     * Misspelled hook name; presumably kept for compatibility with existing
     * listeners — the correctly spelled `retrieve_password` fires right after.
     *
     * @since 0.0.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retreive_password', $user_login);

    /**
     * Fires before a new password is retrieved.
     *
     * @since 0.0.1
     *
     * @param string $user_login The user login name.
     */
    do_action('retrieve_password', $user_login);

    /**
     * Filter whether to allow a password to be reset.
     *
     * @since 0.0.1
     *
     * @param bool true           Whether to allow the password to be reset. Default true.
     * @param int  $user_data->ID The ID of the user attempting to reset a password.
     */
    $allow = apply_filters('allow_password_reset', true, $user_data->ID);

    if (!$allow) {
        return new HQ_Error('no_password_reset', __('Password reset is not allowed for this user'));
    } elseif (is_hq_error($allow)) {
        return $allow;
    }

    // Generate something random for a password reset key.
    $key = hq_generate_password(20, false);

    /**
     * Fires when a password reset key is generated.
     *
     * @since 0.0.1
     *
     * @param string $user_login The username for the user.
     * @param string $key        The generated password reset key.
     */
    do_action('retrieve_password_key', $user_login, $key);

    // Now insert the key, hashed, into the DB.
    if (empty($hq_hasher)) {
        require_once ABSPATH . HQINC . '/class-phpass.php';
        $hq_hasher = new PasswordHash(8, true);
    }
    // Stored form is "<unix time>:<hash>"; only the hash is secret, the
    // timestamp prefix is plain (presumably for expiry checks elsewhere).
    $hashed = time() . ':' . $hq_hasher->HashPassword($key);
    $hqdb->update($hqdb->users, array('user_activation_key' => $hashed), array('user_login' => $user_login));

    $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    $message .= network_home_url('/') . "\r\n\r\n";
    $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
    $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
    $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
    // NOTE(review): this line is garbled in the source as seen here (the
    // `******` is not valid PHP); the link presumably appended the URL-encoded
    // login — restore from the upstream file.
    $message .= '<' . network_site_url("hq-login.php?action=rp&key={$key}&login="******">\r\n";

    //TODO: Goyo no multisite
    //if ( is_multisite() )
    if (false) {
        $blogname = $GLOBALS['current_site']->site_name;
    } else {
        /*
         * The blogname option is escaped with esc_html on the way into the database
         * in sanitize_option we want to reverse this for the plain text arena of emails.
         */
        $blogname = hq_specialchars_decode(get_option('blogname'), ENT_QUOTES);
    }

    $title = sprintf(__('[%s] Password Reset'), $blogname);

    /**
     * Filter the subject of the password reset email.
     *
     * @since 0.0.1
     *
     * @param string $title Default email title.
     */
    $title = apply_filters('retrieve_password_title', $title);

    /**
     * Filter the message body of the password reset mail.
     *
     * @since 0.0.1
     *
     * @param string  $message    Default mail message.
     * @param string  $key        The activation key.
     * @param string  $user_login The username for the user.
     * @param HQ_User $user_data  HQ_User object.
     */
    $message = apply_filters('retrieve_password_message', $message, $key, $user_login, $user_data);

    // A filter that empties $message suppresses the mail without error.
    if ($message && !hq_mail($user_email, hq_specialchars_decode($title), $message)) {
        hq_die(__('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function.'));
    }

    return true;
}