/** * Edit user settings based on contents of $_POST * * Used on user-edit.php and profile.php to manage and process user options, passwords etc. * * @since 2.0 * * @param int $user_id Optional. User ID. * @return int user id of the updated user */ function edit_user($user_id = 0) { global $nxt_roles, $nxtdb; $user = new stdClass(); if ($user_id) { $update = true; $user->ID = (int) $user_id; $userdata = get_userdata($user_id); $user->user_login = $nxtdb->escape($userdata->user_login); } else { $update = false; } if (!$update && isset($_POST['user_login'])) { $user->user_login = sanitize_user($_POST['user_login'], true); } $pass1 = $pass2 = ''; if (isset($_POST['pass1'])) { $pass1 = $_POST['pass1']; } if (isset($_POST['pass2'])) { $pass2 = $_POST['pass2']; } if (isset($_POST['role']) && current_user_can('edit_users')) { $new_role = sanitize_text_field($_POST['role']); $potential_role = isset($nxt_roles->role_objects[$new_role]) ? $nxt_roles->role_objects[$new_role] : false; // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. // Multisite super admins can freely edit their blog roles -- they possess all caps. if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) { $user->role = $new_role; } // If the new role isn't editable by the logged-in user die with error $editable_roles = get_editable_roles(); if (!empty($new_role) && empty($editable_roles[$new_role])) { nxt_die(__('You can’t give users that role.')); } } if (isset($_POST['email'])) { $user->user_email = sanitize_text_field($_POST['email']); } if (isset($_POST['url'])) { if (empty($_POST['url']) || $_POST['url'] == 'http://') { $user->user_url = ''; } else { $user->user_url = esc_url_raw($_POST['url']); $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url; } } if (isset($_POST['first_name'])) { $user->first_name = sanitize_text_field($_POST['first_name']); } if (isset($_POST['last_name'])) { $user->last_name = sanitize_text_field($_POST['last_name']); } if (isset($_POST['nickname'])) { $user->nickname = sanitize_text_field($_POST['nickname']); } if (isset($_POST['display_name'])) { $user->display_name = sanitize_text_field($_POST['display_name']); } if (isset($_POST['description'])) { $user->description = trim($_POST['description']); } foreach (_nxt_get_user_contactmethods($user) as $method => $name) { if (isset($_POST[$method])) { $user->{$method} = sanitize_text_field($_POST[$method]); } } if ($update) { $user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh'; $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false'; } $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; $user->use_ssl = 0; if (!empty($_POST['use_ssl'])) { $user->use_ssl = 1; } $errors = new nxt_Error(); /* checking that username has been typed */ if ($user->user_login == '') { $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.')); } /* checking the password has been typed twice */ do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2)); if ($update) { if (empty($pass1) && !empty($pass2)) { $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1')); } elseif (!empty($pass1) && empty($pass2)) { $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2')); } } else { if (empty($pass1)) { $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1')); } elseif (empty($pass2)) { $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2')); } } /* Check for "\" in password */ if (false !== strpos(stripslashes($pass1), "\\")) { $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1')); } /* checking the password has been typed twice the same */ if ($pass1 != $pass2) { $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1')); } if (!empty($pass1)) { $user->user_pass = $pass1; } if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) { $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.')); } if (!$update && username_exists($user->user_login)) { $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.')); } /* checking e-mail address */ if (empty($user->user_email)) { $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email')); } elseif (!is_email($user->user_email)) { $errors->add('invalid_email', __('<strong>ERROR</strong>: The e-mail address isn’t correct.'), array('form-field' => 'email')); } elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) { $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email')); } // Allow plugins to return their own errors. do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user)); if ($errors->get_error_codes()) { return $errors; } if ($update) { $user_id = nxt_update_user(get_object_vars($user)); } else { $user_id = nxt_insert_user(get_object_vars($user)); nxt_new_user_notification($user_id, isset($_POST['send_password']) ? $pass1 : ''); } return $user_id; }
if (isset(${$cap})) { continue; } ${$cap} = isset($_POST[$cap]) && $_POST[$cap] ? 1 : 0; } } // Deal with errors generated from the password form if (bb_current_user_can('change_user_password', $user->ID)) { if ((!empty($_POST['pass1']) || !empty($_POST['pass2'])) && $_POST['pass1'] !== $_POST['pass2']) { $errors->add('pass', __('You must enter the same password twice.')); } elseif (!empty($_POST['pass1']) && !bb_current_user_can('change_user_password', $user->ID)) { $errors->add('pass', __("You are not allowed to change this user's password.")); } } // If there are no errors then update the records if (!$errors->get_error_codes()) { do_action('before_profile_edited', $user->ID); if (bb_current_user_can('edit_user', $user->ID)) { // All these are always set at this point bb_update_user($user->ID, $user_email, $user_url, $display_name); // Add user meta data foreach ($profile_info_keys as $key => $label) { if ('display_name' == $key || 'ID' == $key || strpos($key, 'user_') === 0) { continue; } if (${$key} != '' || isset($user->{$key})) { bb_update_usermeta($user->ID, $key, ${$key}); } } } if (bb_current_user_can('edit_users')) {
} // Check for errors on post method if ('post' == strtolower($_SERVER['REQUEST_METHOD'])) { // If the user doesn't exist then add that error if (empty($user_exists)) { if (!empty($_POST['log'])) { $bb_login_error->add('user_login', __('User does not exist.')); } else { $bb_login_error->add('user_login', $email_login ? __('Enter a username or email address.') : __('Enter a username.')); } } // If the password was wrong then add that error if (!$bb_login_error->get_error_code()) { $bb_login_error->add('password', __('Incorrect password.')); } } /** * If trying to log in with email address, don't leak whether or not email * address exists in the db. is_email() is not perfect. Usernames can be * valid email addresses potentially. */ if (!empty($email_login) && $bb_login_error->get_error_codes() && false !== is_email(@$_POST['log'])) { $bb_login_error = new nxt_Error('user_login', __('Username and Password do not match.')); } /** Prepare for display *******************************************************/ // Sanitze variables for display $remember_checked = @$_POST['rememberme'] ? ' checked="checked"' : ''; $user_login = esc_attr(sanitize_user(@$_POST['log'], true)); // Load the template bb_load_template('login.php', array('user_exists', 'user_login', 'remember_checked', 'redirect_to', 're', 'bb_login_error')); exit;