public function test_bp_verify_nonce_request_with_port_in_home_url_and_wordpress_installed_in_subdirectory()
{
// fake various $_SERVER parameters
$host = explode(':', $_SERVER['HTTP_HOST']);
$_SERVER['HTTP_HOST'] = $host[0] . ':80';
$_SERVER['SERVER_PORT'] = 80;
$_SERVER['REQUEST_URI'] = '/wordpress/';
// add port number and subdirecotry to home URL for testing
add_filter('home_url', array($this, 'add_port_and_subdirectory_to_home_url'), 10, 3);
// test bp_verify_nonce_request()
$action = 'verify-this';
$_REQUEST[$action] = wp_create_nonce($action);
$test = bp_verify_nonce_request($action, $action);
// clean up!
remove_filter('home_url', array($this, 'add_port_and_subdirectory_to_home_url'), 10);
unset($_REQUEST[$action]);
// assert!
$this->assertSame(1, $test);
}
/**
* Handle the loading of the signup screen.
*/
function bp_core_screen_signup()
{
global $bp;
if (!bp_is_current_component('register') || bp_current_action()) {
return;
}
// Not a directory
bp_update_is_directory(false, 'register');
// If the user is logged in, redirect away from here
if (is_user_logged_in()) {
if (bp_is_component_front_page('register')) {
$redirect_to = trailingslashit(bp_get_root_domain() . '/' . bp_get_members_root_slug());
} else {
$redirect_to = bp_get_root_domain();
}
/**
* Filters the URL to redirect logged in users to when visiting registration page.
*
* @since BuddyPress (1.5.1)
*
* @param string $redirect_to URL to redirect user to.
*/
bp_core_redirect(apply_filters('bp_loggedin_register_page_redirect_to', $redirect_to));
return;
}
$bp->signup->step = 'request-details';
if (!bp_get_signup_allowed()) {
$bp->signup->step = 'registration-disabled';
// If the signup page is submitted, validate and save
} elseif (isset($_POST['signup_submit']) && bp_verify_nonce_request('bp_new_signup')) {
/**
* Fires before the validation of a new signup.
*
* @since BuddyPress (2.0.0)
*/
do_action('bp_signup_pre_validate');
// Check the base account details for problems
$account_details = bp_core_validate_user_signup($_POST['signup_username'], $_POST['signup_email']);
// If there are errors with account details, set them for display
if (!empty($account_details['errors']->errors['user_name'])) {
$bp->signup->errors['signup_username'] = $account_details['errors']->errors['user_name'][0];
}
if (!empty($account_details['errors']->errors['user_email'])) {
$bp->signup->errors['signup_email'] = $account_details['errors']->errors['user_email'][0];
}
// Check that both password fields are filled in
if (empty($_POST['signup_password']) || empty($_POST['signup_password_confirm'])) {
$bp->signup->errors['signup_password'] = __('Please make sure you enter your password twice', 'buddypress');
}
// Check that the passwords match
if (!empty($_POST['signup_password']) && !empty($_POST['signup_password_confirm']) && $_POST['signup_password'] != $_POST['signup_password_confirm']) {
$bp->signup->errors['signup_password'] = __('The passwords you entered do not match.', 'buddypress');
}
$bp->signup->username = $_POST['signup_username'];
$bp->signup->email = $_POST['signup_email'];
// Now we've checked account details, we can check profile information
if (bp_is_active('xprofile')) {
// Make sure hidden field is passed and populated
if (isset($_POST['signup_profile_field_ids']) && !empty($_POST['signup_profile_field_ids'])) {
// Let's compact any profile field info into an array
$profile_field_ids = explode(',', $_POST['signup_profile_field_ids']);
// Loop through the posted fields formatting any datebox values then validate the field
foreach ((array) $profile_field_ids as $field_id) {
if (!isset($_POST['field_' . $field_id])) {
if (!empty($_POST['field_' . $field_id . '_day']) && !empty($_POST['field_' . $field_id . '_month']) && !empty($_POST['field_' . $field_id . '_year'])) {
$_POST['field_' . $field_id] = date('Y-m-d H:i:s', strtotime($_POST['field_' . $field_id . '_day'] . $_POST['field_' . $field_id . '_month'] . $_POST['field_' . $field_id . '_year']));
}
}
// Create errors for required fields without values
if (xprofile_check_is_required_field($field_id) && empty($_POST['field_' . $field_id])) {
$bp->signup->errors['field_' . $field_id] = __('This is a required field', 'buddypress');
}
}
// This situation doesn't naturally occur so bounce to website root
} else {
bp_core_redirect(bp_get_root_domain());
}
}
// Finally, let's check the blog details, if the user wants a blog and blog creation is enabled
if (isset($_POST['signup_with_blog'])) {
$active_signup = $bp->site_options['registration'];
if ('blog' == $active_signup || 'all' == $active_signup) {
$blog_details = bp_core_validate_blog_signup($_POST['signup_blog_url'], $_POST['signup_blog_title']);
// If there are errors with blog details, set them for display
if (!empty($blog_details['errors']->errors['blogname'])) {
$bp->signup->errors['signup_blog_url'] = $blog_details['errors']->errors['blogname'][0];
}
if (!empty($blog_details['errors']->errors['blog_title'])) {
$bp->signup->errors['signup_blog_title'] = $blog_details['errors']->errors['blog_title'][0];
}
}
}
/**
* Fires after the validation of a new signup.
*
* @since BuddyPress (1.1.0)
*/
do_action('bp_signup_validate');
// Add any errors to the action for the field in the template for display.
if (!empty($bp->signup->errors)) {
foreach ((array) $bp->signup->errors as $fieldname => $error_message) {
// addslashes() and stripslashes() to avoid create_function()
// syntax errors when the $error_message contains quotes
/**
* Filters the error message in the loop.
*
* @since BuddyPress (1.5.0)
*
* @param string $value Error message wrapped in html.
*/
add_action('bp_' . $fieldname . '_errors', create_function('', 'echo apply_filters(\'bp_members_signup_error_message\', "<div class=\\"error\\">" . stripslashes( \'' . addslashes($error_message) . '\' ) . "</div>" );'));
}
} else {
$bp->signup->step = 'save-details';
// No errors! Let's register those deets.
$active_signup = !empty($bp->site_options['registration']) ? $bp->site_options['registration'] : '';
if ('none' != $active_signup) {
// Make sure the extended profiles module is enabled
if (bp_is_active('xprofile')) {
// Let's compact any profile field info into usermeta
$profile_field_ids = explode(',', $_POST['signup_profile_field_ids']);
// Loop through the posted fields formatting any datebox values then add to usermeta - @todo This logic should be shared with the same in xprofile_screen_edit_profile()
foreach ((array) $profile_field_ids as $field_id) {
if (!isset($_POST['field_' . $field_id])) {
if (!empty($_POST['field_' . $field_id . '_day']) && !empty($_POST['field_' . $field_id . '_month']) && !empty($_POST['field_' . $field_id . '_year'])) {
// Concatenate the values
$date_value = $_POST['field_' . $field_id . '_day'] . ' ' . $_POST['field_' . $field_id . '_month'] . ' ' . $_POST['field_' . $field_id . '_year'];
// Turn the concatenated value into a timestamp
$_POST['field_' . $field_id] = date('Y-m-d H:i:s', strtotime($date_value));
}
}
if (!empty($_POST['field_' . $field_id])) {
$usermeta['field_' . $field_id] = $_POST['field_' . $field_id];
}
if (!empty($_POST['field_' . $field_id . '_visibility'])) {
$usermeta['field_' . $field_id . '_visibility'] = $_POST['field_' . $field_id . '_visibility'];
}
}
// Store the profile field ID's in usermeta
$usermeta['profile_field_ids'] = $_POST['signup_profile_field_ids'];
}
// Hash and store the password
$usermeta['password'] = wp_hash_password($_POST['signup_password']);
// If the user decided to create a blog, save those details to usermeta
if ('blog' == $active_signup || 'all' == $active_signup) {
$usermeta['public'] = isset($_POST['signup_blog_privacy']) && 'public' == $_POST['signup_blog_privacy'] ? true : false;
}
/**
* Filters the user meta used for signup.
*
* @since BuddyPress (1.1.0)
*
* @param array $usermeta Array of user meta to add to signup.
*/
$usermeta = apply_filters('bp_signup_usermeta', $usermeta);
// Finally, sign up the user and/or blog
if (isset($_POST['signup_with_blog']) && is_multisite()) {
$wp_user_id = bp_core_signup_blog($blog_details['domain'], $blog_details['path'], $blog_details['blog_title'], $_POST['signup_username'], $_POST['signup_email'], $usermeta);
} else {
$wp_user_id = bp_core_signup_user($_POST['signup_username'], $_POST['signup_password'], $_POST['signup_email'], $usermeta);
}
if (is_wp_error($wp_user_id)) {
$bp->signup->step = 'request-details';
bp_core_add_message($wp_user_id->get_error_message(), 'error');
} else {
$bp->signup->step = 'completed-confirmation';
}
}
/**
* Fires after the completion of a new signup.
*
* @since BuddyPress (1.1.0)
*/
do_action('bp_complete_signup');
}
}
/**
* Fires right before the loading of the Member registration screen template file.
*
* @since BuddyPress (1.5.0)
*/
do_action('bp_core_screen_signup');
/**
* Filters the template to load for the Member registration page screen.
*
* @since BuddyPress (1.5.0)
*
* @param string $value Path to the Member registration template to load.
*/
bp_core_load_template(apply_filters('bp_core_template_register', array('register', 'registration/register')));
}
/**
* Handle deleting single notifications.
*
* @since 1.9.0
*
* @return bool
*/
function bp_notifications_action_delete()
{
// Bail if not the read or unread screen.
if (!bp_is_notifications_component() || !(bp_is_current_action('read') || bp_is_current_action('unread'))) {
return false;
}
// Get the action.
$action = !empty($_GET['action']) ? $_GET['action'] : '';
$nonce = !empty($_GET['_wpnonce']) ? $_GET['_wpnonce'] : '';
$id = !empty($_GET['notification_id']) ? $_GET['notification_id'] : '';
// Bail if no action or no ID.
if ('delete' !== $action || empty($id) || empty($nonce)) {
return false;
}
// Check the nonce and delete the notification.
if (bp_verify_nonce_request('bp_notification_delete_' . $id) && bp_notifications_delete_notification($id)) {
bp_core_add_message(__('Notification successfully deleted.', 'buddypress'));
} else {
bp_core_add_message(__('There was a problem deleting that notification.', 'buddypress'), 'error');
}
// Redirect.
bp_core_redirect(bp_displayed_user_domain() . bp_get_notifications_slug() . '/' . bp_current_action() . '/');
}
/**
* Handle marking a single message thread as unread.
*
* @since BuddyPress (2.2.0)
*
* @return bool|null Returns false on failure. Otherwise redirects back to the
* message box URL.
*/
function bp_messages_action_mark_unread()
{
if (!bp_is_messages_component() || bp_is_current_action('notices') || !bp_is_action_variable('unread', 0)) {
return false;
}
$action = !empty($_GET['action']) ? $_GET['action'] : '';
$nonce = !empty($_GET['_wpnonce']) ? $_GET['_wpnonce'] : '';
$id = !empty($_GET['message_id']) ? intval($_GET['message_id']) : '';
// Bail if no action or no ID.
if ('unread' !== $action || empty($id) || empty($nonce)) {
return false;
}
// Check the nonce.
if (!bp_verify_nonce_request('bp_message_thread_mark_unread_' . $id)) {
return false;
}
// Check access to the message and mark unread.
if (messages_check_thread_access($id)) {
messages_mark_thread_unread($id);
bp_core_add_message(__('Message marked unread.', 'buddypress'));
} else {
bp_core_add_message(__('There was a problem marking that message.', 'buddypress'), 'error');
}
// Redirect back to the message box URL.
bp_core_redirect(bp_displayed_user_domain() . bp_get_messages_slug() . '/' . bp_current_action());
}
