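/**
 * Handle the first step of the password reset procedure.
 *
 * The user has submitted a user name or email address in order to receive
 * a new password. Check the form nonce, look the account up, ask the
 * 'allow_password_reset' filter whether a reset is permitted and, if so,
 * send a reset code and remember the account in the session.
 *
 * Every outcome is reported as a WP_Error whose third constructor argument
 * is used as a severity string ('error', 'warn' or 'info'). This includes
 * success, which is returned with the code 'email_sent' and severity 'info'.
 *
 * NOTE(review): a failed lookup returns whatever error
 * Handlers::get_user_data_by() produced, while success returns 'email_sent'.
 * If these messages are shown to the requester as-is, the difference reveals
 * whether an account exists. Consider a uniform response; confirm against
 * how the caller renders the result.
 *
 * @return \WP_Error status of the request; code 'email_sent' on success
 */
public static function handle_code_retrieval() {
    // Prevent Cross-Site-Request-Forgery
    if (!Handlers::is_nonce_ok('code_retrieval_form')) {
        return new \WP_Error('nonce', __('There seems to be a security issue. Please do not continue, but inform us!', 'YALW'), 'error');
    }

    // The field is request data: it may be absent, or an array when sent as
    // YALW_user_login[]. trim() on a non-string raises a TypeError on PHP 8,
    // so anything that is not a string is treated as an empty login and left
    // for the lookup below to reject.
    // NOTE(review): WordPress adds slashes to $_POST; whether wp_unslash() is
    // needed here depends on Handlers::get_user_data_by() - confirm.
    $posted_login = '';
    if (isset($_POST['YALW_user_login']) && is_string($_POST['YALW_user_login'])) {
        $posted_login = trim($_POST['YALW_user_login']);
    }

    // The submitted value is stored before it is validated; it is replaced by
    // the canonical user_login further down once the lookup has succeeded.
    Session::set_user_login($posted_login);

    $user_data = Handlers::get_user_data_by(Session::get_user_login());
    if (is_wp_error($user_data)) {
        return $user_data;
    }

    do_action('retrieve_password', $user_data->user_login);

    /*
     * Check if the user may reset his or her password. The filter may hand
     * back a boolean or a WP_Error. A WP_Error object is truthy, so testing
     * for it first is equivalent to testing it after the falsy check.
     */
    $allowed = apply_filters('allow_password_reset', true, $user_data->ID);
    if (is_wp_error($allowed)) {
        return $allowed;
    }
    if (!$allowed) {
        return new \WP_Error('no_password_reset', __('Password reset is not allowed for this user', 'YALW'), 'warn');
    }

    $send_status = Handlers::send_reset_code($user_data);
    if (is_wp_error($send_status)) {
        return $send_status;
    }

    // We only save the user_login and the ID for later use, not the whole
    // WP_User -- we don't need to
    Session::set_user_login($user_data->user_login);
    Session::set_user_id($user_data->ID);
    Session::set_next_widget_task('check_code');

    return new \WP_Error('email_sent', __('You should have received an email with a reset code. Please check your inbox.', 'YALW'), 'info');
}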