/**
* Handles the changing and saving of user email addressos and passwords
*
* We do quite a bit of logic and error handling here to make sure that users
* do not accidentally lock themselves out of their accounts. We also try to
* provide as accurate of feedback as possible without exposing anyone else's
* inforation to them.
*
* Special considerations are made for super admins that are able to edit any
* users accounts already, without knowing their existing password.
*
* @global BuddyPress $bp
* @return If no reason to proceed
*/
function bp_core_screen_general_settings()
{
global $bp;
// 404 if there are any additional action variables attached
if (bp_action_variables()) {
bp_do_404();
return;
}
/** Handle Form ***********************************************************/
if ('POST' === strtoupper($_SERVER['REQUEST_METHOD'])) {
// Bail if not in settings
if (!bp_is_settings_component() || !bp_is_current_action('general')) {
return;
}
// Define local defaults
$email_error = false;
// invalid|blocked|taken|empty|false
$pass_error = false;
// invalid|mismatch|empty|false
$pass_changed = false;
// true if the user changes their password
$email_changed = false;
// true if the user changes their email
$feedback_type = 'error';
// success|error
$feedback = array();
// array of strings for feedback
// Nonce check
check_admin_referer('bp_settings_general');
// Validate the user again for the current password when making a big change
if (is_super_admin() || !empty($_POST['pwd']) && nxt_check_password($_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id())) {
$update_user = get_userdata(bp_displayed_user_id());
/** Email Change Attempt ******************************************/
if (!empty($_POST['email'])) {
// What is missing from the profile page vs signup - lets double check the goodies
$user_email = sanitize_email(esc_html(trim($_POST['email'])));
// User is changing email address
if ($bp->displayed_user->userdata->user_email != $user_email) {
// Is email valid
if (!is_email($user_email)) {
$email_error = 'invalid';
}
// Get blocked email domains
$limited_email_domains = get_site_option('limited_email_domains', 'buddypress');
// If blocked email domains exist, see if this is one of them
if (is_array($limited_email_domains) && empty($limited_email_domains) == false) {
$emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
if (in_array($emaildomain, (array) $limited_email_domains) == false) {
$email_error = 'blocked';
}
}
// No errors, and email address doesn't match
if (false === $email_error && email_exists($user_email)) {
$email_error = 'taken';
}
// Yay we made it!
if (false === $email_error) {
$update_user->user_email = $user_email;
$email_changed = true;
}
// No change
} else {
$email_error = false;
}
// Email address cannot be empty
} else {
$email_error = 'empty';
}
/** Password Change Attempt ***************************************/
if (!empty($_POST['pass1']) && !empty($_POST['pass2'])) {
// Password change attempt is successful
if ($_POST['pass1'] == $_POST['pass2'] && !strpos(" " . $_POST['pass1'], "\\")) {
$update_user->user_pass = $_POST['pass1'];
$pass_changed = true;
// Password change attempt was unsuccessful
} else {
$pass_error = 'mismatch';
}
// Both password fields were empty
} elseif (empty($_POST['pass1']) && empty($_POST['pass2'])) {
$pass_error = false;
// One of the password boxes was left empty
} elseif (empty($_POST['pass1']) && !empty($_POST['pass2']) || !empty($_POST['pass1']) && empty($_POST['pass2'])) {
$pass_error = 'empty';
}
// The structure of the $update_user object changed in nxt 3.3, but
// nxt_update_user() still expects the old format
if (isset($update_user->data) && is_object($update_user->data)) {
$update_user = $update_user->data;
$update_user = get_object_vars($update_user);
// Unset the password field to prevent it from emptying out the
// user's user_pass field in the database.
// @see nxt_update_user()
if (false === $pass_changed) {
unset($update_user['user_pass']);
}
}
// Make sure these changes are in $bp for the current page load
if (false === $email_error && false === $pass_error && nxt_update_user($update_user)) {
$bp->displayed_user->userdata = bp_core_get_core_userdata(bp_displayed_user_id());
}
// Password Error
} else {
$pass_error = 'invalid';
}
// Email feedback
switch ($email_error) {
case 'invalid':
$feedback['email_invalid'] = __('That email address is invalid. Check the formatting and try again.', 'buddypress');
break;
case 'blocked':
$feedback['email_blocked'] = __('That email address is currently unavailable for use.', 'buddypress');
break;
case 'taken':
$feedback['email_taken'] = __('That email address is already taken.', 'buddypress');
break;
case 'empty':
$feedback['email_empty'] = __('Email address cannot be empty.', 'buddypress');
break;
case false:
// No change
break;
}
// Password feedback
switch ($pass_error) {
case 'invalid':
$feedback['pass_error'] = __('Your current password is invalid.', 'buddypress');
break;
case 'mismatch':
$feedback['pass_mismatch'] = __('The new password fields did not match.', 'buddypress');
break;
case 'empty':
$feedback['pass_empty'] = __('One of the password fields was empty.', 'buddypress');
break;
case false:
// No change
break;
}
// No errors so show a simple success message
if ((false === $email_error || false == $pass_error) && (true === $pass_changed || true === $email_changed)) {
$feedback[] = __('Your settings have been saved.', 'buddypress');
$feedback_type = 'success';
// Some kind of errors occurred
} elseif ((false === $email_error || false === $pass_error) && (false === $pass_changed || false === $email_changed)) {
if (bp_is_my_profile()) {
$feedback['nochange'] = __('No changes were made to your account.', 'buddypress');
} else {
$feedback['nochange'] = __('No changes were made to this account.', 'buddypress');
}
}
// Set the feedback
bp_core_add_message(implode('</p><p>', $feedback), $feedback_type);
// Execute additional code
do_action('bp_core_general_settings_after_save');
// Redirect to prevent issues with browser back button
bp_core_redirect(trailingslashit(bp_displayed_user_domain() . bp_get_settings_slug() . '/general'));
// Load the template
} else {
bp_core_load_template(apply_filters('bp_core_screen_general_settings', 'members/single/settings/general'));
}
}
function nxt_authenticate_username_password($user, $username, $password)
{
if (is_a($user, 'nxt_User')) {
return $user;
}
if (empty($username) || empty($password)) {
$error = new nxt_Error();
if (empty($username)) {
$error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
}
if (empty($password)) {
$error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
}
return $error;
}
$userdata = get_user_by('login', $username);
if (!$userdata) {
return new nxt_Error('invalid_username', sprintf(__('<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), nxt_lostpassword_url()));
}
if (is_multisite()) {
// Is user marked as spam?
if (1 == $userdata->spam) {
return new nxt_Error('invalid_username', __('<strong>ERROR</strong>: Your account has been marked as a spammer.'));
}
// Is a user's blog marked as spam?
if (!is_super_admin($userdata->ID) && isset($userdata->primary_blog)) {
$details = get_blog_details($userdata->primary_blog);
if (is_object($details) && $details->spam == 1) {
return new nxt_Error('blog_suspended', __('Site Suspended.'));
}
}
}
$userdata = apply_filters('nxt_authenticate_user', $userdata, $password);
if (is_nxt_error($userdata)) {
return $userdata;
}
if (!nxt_check_password($password, $userdata->user_pass, $userdata->ID)) {
return new nxt_Error('incorrect_password', sprintf(__('<strong>ERROR</strong>: The password you entered for the username <strong>%1$s</strong> is incorrect. <a href="%2$s" title="Password Lost and Found">Lost your password</a>?'), $username, nxt_lostpassword_url()));
}
$user = new nxt_User($userdata->ID);
return $user;
}
