/**
* Edit user settings based on contents of $_POST
*
* Used on user-edit.php and profile.php to manage and process user options, passwords etc.
*
* @since 2.0
*
* @param int $user_id Optional. User ID.
* @return int user id of the updated user
*/
function edit_user($user_id = 0)
{
global $nxt_roles, $nxtdb;
$user = new stdClass();
if ($user_id) {
$update = true;
$user->ID = (int) $user_id;
$userdata = get_userdata($user_id);
$user->user_login = $nxtdb->escape($userdata->user_login);
} else {
$update = false;
}
if (!$update && isset($_POST['user_login'])) {
$user->user_login = sanitize_user($_POST['user_login'], true);
}
$pass1 = $pass2 = '';
if (isset($_POST['pass1'])) {
$pass1 = $_POST['pass1'];
}
if (isset($_POST['pass2'])) {
$pass2 = $_POST['pass2'];
}
if (isset($_POST['role']) && current_user_can('edit_users')) {
$new_role = sanitize_text_field($_POST['role']);
$potential_role = isset($nxt_roles->role_objects[$new_role]) ? $nxt_roles->role_objects[$new_role] : false;
// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
// Multisite super admins can freely edit their blog roles -- they possess all caps.
if (is_multisite() && current_user_can('manage_sites') || $user_id != get_current_user_id() || $potential_role && $potential_role->has_cap('edit_users')) {
$user->role = $new_role;
}
// If the new role isn't editable by the logged-in user die with error
$editable_roles = get_editable_roles();
if (!empty($new_role) && empty($editable_roles[$new_role])) {
nxt_die(__('You can’t give users that role.'));
}
}
if (isset($_POST['email'])) {
$user->user_email = sanitize_text_field($_POST['email']);
}
if (isset($_POST['url'])) {
if (empty($_POST['url']) || $_POST['url'] == 'http://') {
$user->user_url = '';
} else {
$user->user_url = esc_url_raw($_POST['url']);
$user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
}
}
if (isset($_POST['first_name'])) {
$user->first_name = sanitize_text_field($_POST['first_name']);
}
if (isset($_POST['last_name'])) {
$user->last_name = sanitize_text_field($_POST['last_name']);
}
if (isset($_POST['nickname'])) {
$user->nickname = sanitize_text_field($_POST['nickname']);
}
if (isset($_POST['display_name'])) {
$user->display_name = sanitize_text_field($_POST['display_name']);
}
if (isset($_POST['description'])) {
$user->description = trim($_POST['description']);
}
foreach (_nxt_get_user_contactmethods($user) as $method => $name) {
if (isset($_POST[$method])) {
$user->{$method} = sanitize_text_field($_POST[$method]);
}
}
if ($update) {
$user->rich_editing = isset($_POST['rich_editing']) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
$user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
$user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
}
$user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
$user->use_ssl = 0;
if (!empty($_POST['use_ssl'])) {
$user->use_ssl = 1;
}
$errors = new nxt_Error();
/* checking that username has been typed */
if ($user->user_login == '') {
$errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
}
/* checking the password has been typed twice */
do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));
if ($update) {
if (empty($pass1) && !empty($pass2)) {
$errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1'));
} elseif (!empty($pass1) && empty($pass2)) {
$errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2'));
}
} else {
if (empty($pass1)) {
$errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1'));
} elseif (empty($pass2)) {
$errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2'));
}
}
/* Check for "\" in password */
if (false !== strpos(stripslashes($pass1), "\\")) {
$errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
}
/* checking the password has been typed twice the same */
if ($pass1 != $pass2) {
$errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1'));
}
if (!empty($pass1)) {
$user->user_pass = $pass1;
}
if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
$errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
}
if (!$update && username_exists($user->user_login)) {
$errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
}
/* checking e-mail address */
if (empty($user->user_email)) {
$errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email'));
} elseif (!is_email($user->user_email)) {
$errors->add('invalid_email', __('<strong>ERROR</strong>: The e-mail address isn’t correct.'), array('form-field' => 'email'));
} elseif (($owner_id = email_exists($user->user_email)) && (!$update || $owner_id != $user->ID)) {
$errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
}
// Allow plugins to return their own errors.
do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));
if ($errors->get_error_codes()) {
return $errors;
}
if ($update) {
$user_id = nxt_update_user(get_object_vars($user));
} else {
$user_id = nxt_insert_user(get_object_vars($user));
nxt_new_user_notification($user_id, isset($_POST['send_password']) ? $pass1 : '');
}
return $user_id;
}
if (isset(${$cap})) {
continue;
}
${$cap} = isset($_POST[$cap]) && $_POST[$cap] ? 1 : 0;
}
}
// Deal with errors generated from the password form
if (bb_current_user_can('change_user_password', $user->ID)) {
if ((!empty($_POST['pass1']) || !empty($_POST['pass2'])) && $_POST['pass1'] !== $_POST['pass2']) {
$errors->add('pass', __('You must enter the same password twice.'));
} elseif (!empty($_POST['pass1']) && !bb_current_user_can('change_user_password', $user->ID)) {
$errors->add('pass', __("You are not allowed to change this user's password."));
}
}
// If there are no errors then update the records
if (!$errors->get_error_codes()) {
do_action('before_profile_edited', $user->ID);
if (bb_current_user_can('edit_user', $user->ID)) {
// All these are always set at this point
bb_update_user($user->ID, $user_email, $user_url, $display_name);
// Add user meta data
foreach ($profile_info_keys as $key => $label) {
if ('display_name' == $key || 'ID' == $key || strpos($key, 'user_') === 0) {
continue;
}
if (${$key} != '' || isset($user->{$key})) {
bb_update_usermeta($user->ID, $key, ${$key});
}
}
}
if (bb_current_user_can('edit_users')) {
}
// Check for errors on post method
if ('post' == strtolower($_SERVER['REQUEST_METHOD'])) {
// If the user doesn't exist then add that error
if (empty($user_exists)) {
if (!empty($_POST['log'])) {
$bb_login_error->add('user_login', __('User does not exist.'));
} else {
$bb_login_error->add('user_login', $email_login ? __('Enter a username or email address.') : __('Enter a username.'));
}
}
// If the password was wrong then add that error
if (!$bb_login_error->get_error_code()) {
$bb_login_error->add('password', __('Incorrect password.'));
}
}
/**
* If trying to log in with email address, don't leak whether or not email
* address exists in the db. is_email() is not perfect. Usernames can be
* valid email addresses potentially.
*/
if (!empty($email_login) && $bb_login_error->get_error_codes() && false !== is_email(@$_POST['log'])) {
$bb_login_error = new nxt_Error('user_login', __('Username and Password do not match.'));
}
/** Prepare for display *******************************************************/
// Sanitze variables for display
$remember_checked = @$_POST['rememberme'] ? ' checked="checked"' : '';
$user_login = esc_attr(sanitize_user(@$_POST['log'], true));
// Load the template
bb_load_template('login.php', array('user_exists', 'user_login', 'remember_checked', 'redirect_to', 're', 'bb_login_error'));
exit;
