//Check 1: It was previously denied, but is now allowed $updateEmail = false; if (strpos($user_data->user_email, $jfb_default_email) !== FALSE && strpos($fbuser['email'], $jfb_default_email) === FALSE) { $jfb_log .= "nxt: Previously DENIED email has now been allowed; updating to (" . $fbuser['email'] . ")\n"; $updateEmail = true; } //Check 2: It was previously allowed, but only as an anonymous proxy. They've now revealed their "true" email. if (strpos($user_data->user_email, "@proxymail.facebook.com") !== FALSE && strpos($fbuser['email'], "@proxymail.facebook.com") === FALSE) { $jfb_log .= "nxt: Previously PROXIED email has now been allowed; updating to (" . $fbuser['email'] . ")\n"; $updateEmail = true; } if ($updateEmail) { $user_upd = array(); $user_upd['ID'] = $user_login_id; $user_upd['user_email'] = $fbuser['email']; nxt_update_user($user_upd); } //Run a hook when an existing user logs in do_action('nxtfb_existing_user', array('nxt_ID' => $user_login_id, 'FB_ID' => $fb_uid, 'facebook' => $facebook, 'nxt_UserData' => $user_data)); } //If we still don't have a user_login_id, the FB user who's logging in has never been to this blog. //We'll auto-register them a new account. Note that if they haven't allowed email permissions, the //account we register will have a bogus email address (but that's OK, since we still know their Facebook ID) if (!$user_login_id) { $jfb_log .= "nxt: No user found. Automatically registering (FB_" . $fb_uid . ")\n"; $user_data = array(); $user_data['user_login'] = "******" . $fb_uid; $user_data['user_pass'] = nxt_generate_password(); $user_data['user_nicename'] = sanitize_title($user_data['user_login']); $user_data['first_name'] = $fbuser['first_name']; $user_data['last_name'] = $fbuser['last_name'];
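/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 * Every value is read from $_POST (untrusted); text fields go through sanitize_text_field(),
 * the URL through esc_url_raw(), and the login through sanitize_user(). Passwords are compared
 * with === so two different numeric-looking strings (e.g. "1e3" and "1000") are never treated
 * as the same password.
 *
 * @since 2.0
 *
 * @param int $user_id Optional. User ID. Zero (default) creates a new user from $_POST.
 * @return int|nxt_Error user id of the updated/inserted user, or an nxt_Error carrying every validation failure
 */
function edit_user($user_id = 0) {
    global $nxt_roles, $nxtdb;

    $user = new stdClass();
    $update = false;
    if ($user_id) {
        $update = true;
        $user->ID = (int) $user_id;
        $userdata = get_userdata($user_id);
        $user->user_login = $nxtdb->escape($userdata->user_login);
    }

    // The login can only be chosen at creation time; it is never changed on update.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user($_POST['user_login'], true);
    }

    $pass1 = isset($_POST['pass1']) ? $_POST['pass1'] : '';
    $pass2 = isset($_POST['pass2']) ? $_POST['pass2'] : '';

    if (isset($_POST['role']) && current_user_can('edit_users')) {
        $new_role = sanitize_text_field($_POST['role']);
        $potential_role = isset($nxt_roles->role_objects[$new_role]) ? $nxt_roles->role_objects[$new_role] : false;

        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
        // Multisite super admins can freely edit their blog roles -- they possess all caps.
        // Parentheses make the && / || grouping explicit; they do not change the evaluation.
        if ((is_multisite() && current_user_can('manage_sites'))
            || (int) $user_id !== get_current_user_id()
            || ($potential_role && $potential_role->has_cap('edit_users'))) {
            $user->role = $new_role;
        }

        // If the new role isn't editable by the logged-in user die with error
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            nxt_die(__('You can’t give users that role.'));
        }
    }

    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field($_POST['email']);
    }

    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || $_POST['url'] === 'http://') {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prepend a scheme when the submitted value has none of the recognised ones.
            $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://' . $user->user_url;
        }
    }

    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        // Only trimmed here; any further filtering is left to the insert/update path.
        $user->description = trim($_POST['description']);
    }

    foreach (_nxt_get_user_contactmethods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    if ($update) {
        $user->rich_editing = isset($_POST['rich_editing']) && 'false' === $_POST['rich_editing'] ? 'false' : 'true';
        $user->admin_color = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';
    }

    $user->comment_shortcuts = isset($_POST['comment_shortcuts']) && 'true' === $_POST['comment_shortcuts'] ? 'true' : '';

    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }

    $errors = new nxt_Error();

    /* checking that username has been typed */
    if (!isset($user->user_login) || '' === (string) $user->user_login) {
        $errors->add('user_login', __('<strong>ERROR</strong>: Please enter a username.'));
    }

    /* checking the password has been typed twice */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));

    if ($update) {
        if (empty($pass1) && !empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass1'));
        } elseif (!empty($pass1) && empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: You entered your new password only once.'), array('form-field' => 'pass2'));
        }
    } else {
        if (empty($pass1)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password.'), array('form-field' => 'pass1'));
        } elseif (empty($pass2)) {
            $errors->add('pass', __('<strong>ERROR</strong>: Please enter your password twice.'), array('form-field' => 'pass2'));
        }
    }

    /* Check for "\" in password */
    if (false !== strpos(stripslashes($pass1), "\\")) {
        $errors->add('pass', __('<strong>ERROR</strong>: Passwords may not contain the character "\\".'), array('form-field' => 'pass1'));
    }

    /* checking the password has been typed twice the same (strict: avoids numeric-string coercion) */
    if ($pass1 !== $pass2) {
        $errors->add('pass', __('<strong>ERROR</strong>: Please enter the same password in the two password fields.'), array('form-field' => 'pass1'));
    }

    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }

    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }

    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>ERROR</strong>: This username is already registered. Please choose another one.'));
    }

    /* checking e-mail address */
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>ERROR</strong>: Please enter an e-mail address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>ERROR</strong>: The e-mail address isn’t correct.'), array('form-field' => 'email'));
    } elseif (($owner_id = email_exists($user->user_email)) && (!$update || (int) $owner_id !== (int) $user->ID)) {
        // An address already owned by a different account may not be reused.
        $errors->add('email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
    }

    // Allow plugins to return their own errors.
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));

    if ($errors->get_error_codes()) {
        return $errors;
    }

    if ($update) {
        $user_id = nxt_update_user(get_object_vars($user));
    } else {
        $user_id = nxt_insert_user(get_object_vars($user));
        // The plaintext password is only included in the notification when the form asked for it.
        nxt_new_user_notification($user_id, isset($_POST['send_password']) ? $pass1 : '');
    }

    return $user_id;
}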
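/**
 * Handles the changing and saving of user email addresses and passwords
 *
 * We do quite a bit of logic and error handling here to make sure that users
 * do not accidentally lock themselves out of their accounts. We also try to
 * provide as accurate of feedback as possible without exposing anyone else's
 * information to them.
 *
 * Special considerations are made for super admins that are able to edit any
 * users accounts already, without knowing their existing password.
 *
 * The user record is only written when neither the email nor the password
 * produced an error; the "settings have been saved" feedback is therefore
 * only shown in exactly that case.
 *
 * @global BuddyPress $bp
 * @return If no reason to proceed
 */
function bp_core_screen_general_settings() {
    global $bp;

    // 404 if there are any additional action variables attached
    if (bp_action_variables()) {
        bp_do_404();
        return;
    }

    /** Handle Form ***********************************************************/
    if ('POST' === strtoupper($_SERVER['REQUEST_METHOD'])) {

        // Bail if not in settings
        if (!bp_is_settings_component() || !bp_is_current_action('general')) {
            return;
        }

        // Define local defaults
        $email_error   = false;   // invalid|blocked|taken|empty|false
        $pass_error    = false;   // invalid|mismatch|empty|false
        $pass_changed  = false;   // true if the user changes their password
        $email_changed = false;   // true if the user changes their email
        $feedback_type = 'error'; // success|error
        $feedback      = array(); // array of strings for feedback

        // Nonce check
        check_admin_referer('bp_settings_general');

        // Validate the user again for the current password when making a big change.
        // Super admins are exempt from re-authentication (see docblock).
        if (is_super_admin() || (!empty($_POST['pwd']) && nxt_check_password($_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id()))) {

            $update_user = get_userdata(bp_displayed_user_id());

            /** Email Change Attempt ******************************************/
            if (!empty($_POST['email'])) {

                // What is missing from the profile page vs signup - lets double check the goodies
                $user_email = sanitize_email(esc_html(trim($_POST['email'])));

                // User is changing email address
                if ($bp->displayed_user->userdata->user_email !== $user_email) {

                    // Is email valid
                    if (!is_email($user_email)) {
                        $email_error = 'invalid';
                    }

                    // Get blocked email domains
                    $limited_email_domains = get_site_option('limited_email_domains', 'buddypress');

                    // If an allow-list of email domains exists, the new address must be on it
                    if (is_array($limited_email_domains) && !empty($limited_email_domains)) {
                        $emaildomain = substr($user_email, 1 + strpos($user_email, '@'));
                        if (!in_array($emaildomain, (array) $limited_email_domains, true)) {
                            $email_error = 'blocked';
                        }
                    }

                    // No errors, and email address doesn't match
                    if (false === $email_error && email_exists($user_email)) {
                        $email_error = 'taken';
                    }

                    // Yay we made it!
                    if (false === $email_error) {
                        $update_user->user_email = $user_email;
                        $email_changed = true;
                    }

                // No change
                } else {
                    $email_error = false;
                }

            // Email address cannot be empty
            } else {
                $email_error = 'empty';
            }

            /** Password Change Attempt ***************************************/
            if (!empty($_POST['pass1']) && !empty($_POST['pass2'])) {

                // Password change attempt is successful. Strict comparison so that
                // numeric-looking strings are never treated as equal; the leading
                // space keeps strpos() from returning 0 for a backslash at offset 0.
                if ($_POST['pass1'] === $_POST['pass2'] && !strpos(' ' . $_POST['pass1'], "\\")) {
                    $update_user->user_pass = $_POST['pass1'];
                    $pass_changed = true;

                // Password change attempt was unsuccessful
                } else {
                    $pass_error = 'mismatch';
                }

            // Both password fields were empty
            } elseif (empty($_POST['pass1']) && empty($_POST['pass2'])) {
                $pass_error = false;

            // One of the password boxes was left empty
            } elseif ((empty($_POST['pass1']) && !empty($_POST['pass2'])) || (!empty($_POST['pass1']) && empty($_POST['pass2']))) {
                $pass_error = 'empty';
            }

            // The structure of the $update_user object changed in nxt 3.3, but
            // nxt_update_user() still expects the old format
            if (isset($update_user->data) && is_object($update_user->data)) {
                $update_user = $update_user->data;
                $update_user = get_object_vars($update_user);

                // Unset the password field to prevent it from emptying out the
                // user's user_pass field in the database.
                // @see nxt_update_user()
                if (false === $pass_changed) {
                    unset($update_user['user_pass']);
                }
            }

            // Persist only when both checks passed, then refresh $bp so the
            // changes are visible for the current page load
            if (false === $email_error && false === $pass_error && nxt_update_user($update_user)) {
                $bp->displayed_user->userdata = bp_core_get_core_userdata(bp_displayed_user_id());
            }

        // Password Error
        } else {
            $pass_error = 'invalid';
        }

        // Email feedback
        switch ($email_error) {
            case 'invalid':
                $feedback['email_invalid'] = __('That email address is invalid. Check the formatting and try again.', 'buddypress');
                break;
            case 'blocked':
                $feedback['email_blocked'] = __('That email address is currently unavailable for use.', 'buddypress');
                break;
            case 'taken':
                $feedback['email_taken'] = __('That email address is already taken.', 'buddypress');
                break;
            case 'empty':
                $feedback['email_empty'] = __('Email address cannot be empty.', 'buddypress');
                break;
            case false:
                // No change
                break;
        }

        // Password feedback
        switch ($pass_error) {
            case 'invalid':
                $feedback['pass_error'] = __('Your current password is invalid.', 'buddypress');
                break;
            case 'mismatch':
                $feedback['pass_mismatch'] = __('The new password fields did not match.', 'buddypress');
                break;
            case 'empty':
                $feedback['pass_empty'] = __('One of the password fields was empty.', 'buddypress');
                break;
            case false:
                // No change
                break;
        }

        // No errors at all and something changed: the update above ran, so show success.
        // (Requiring BOTH error flags to be false matches the condition guarding nxt_update_user();
        // previously a single clean field was enough to report success even though nothing was saved.)
        if ((false === $email_error && false === $pass_error) && (true === $pass_changed || true === $email_changed)) {
            $feedback[] = __('Your settings have been saved.', 'buddypress');
            $feedback_type = 'success';

        // Nothing was written: either nothing changed or an error blocked the update
        } elseif ((false === $email_error || false === $pass_error) && (false === $pass_changed || false === $email_changed)) {
            if (bp_is_my_profile()) {
                $feedback['nochange'] = __('No changes were made to your account.', 'buddypress');
            } else {
                $feedback['nochange'] = __('No changes were made to this account.', 'buddypress');
            }
        }

        // Set the feedback
        bp_core_add_message(implode('</p><p>', $feedback), $feedback_type);

        // Execute additional code
        do_action('bp_core_general_settings_after_save');

        // Redirect to prevent issues with browser back button
        bp_core_redirect(trailingslashit(bp_displayed_user_domain() . bp_get_settings_slug() . '/general'));

    // Load the template
    } else {
        bp_core_load_template(apply_filters('bp_core_screen_general_settings', 'members/single/settings/general'));
    }
}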
/**
 * Activate a pending signup identified by its activation key.
 *
 * On multisite the platform's own activation routine (nxtmu_activate_signup) is used and any
 * xprofile fields stored in the signup meta are copied to the new user. On single-site the
 * key is looked up in usermeta, the user's status is cleared, the admin is notified and the
 * key is removed. In both cases the display name is refreshed and the member-count cache
 * is invalidated.
 *
 * @global BuddyPress $bp
 * @global nxtdb $nxtdb
 * @param string $key Activation key submitted by the user.
 * @return int|nxt_Error|mixed The activated user ID, an nxt_Error for an unknown key on single-site,
 *                             or the object returned by nxtmu_activate_signup() when it carries errors.
 */
function bp_core_activate_signup($key) {
    global $bp, $nxtdb;

    $signup = false;

    if (is_multisite()) {
        // Multisite installs have their own activation routine
        $signup = nxtmu_activate_signup($key);

        // Propagate the platform's error object unchanged
        if (!empty($signup->errors)) {
            return $signup;
        }

        $user_id = $signup['user_id'];

        // Copy any xprofile values captured at signup onto the new user
        if (bp_is_active('xprofile') && !empty($signup['meta']['profile_field_ids'])) {
            foreach ((array) explode(',', $signup['meta']['profile_field_ids']) as $field_id) {
                $field_key   = "field_{$field_id}";
                $field_value = isset($signup['meta'][$field_key]) ? $signup['meta'][$field_key] : false;
                if (!empty($field_value)) {
                    xprofile_set_field_data($field_id, $user_id, $field_value);
                }
            }
        }
    } else {
        // Get the user_id based on the $key (parameterised via prepare())
        $user_id = $nxtdb->get_var($nxtdb->prepare("SELECT user_id FROM {$nxtdb->usermeta} WHERE meta_key = 'activation_key' AND meta_value = %s", $key));

        if (empty($user_id)) {
            return new nxt_Error('invalid_key', __('Invalid activation key', 'buddypress'));
        }

        // Change the user's status so they become active. NOTE(review): query() returns the
        // affected-row count, so a row that is already status 0 also lands in this error branch.
        $activated = $nxtdb->query($nxtdb->prepare("UPDATE {$nxtdb->users} SET user_status = 0 WHERE ID = %d", $user_id));
        if (!$activated) {
            return new nxt_Error('invalid_key', __('Invalid activation key', 'buddypress'));
        }

        // Notify the site admin of a new user registration
        nxt_new_user_notification($user_id);

        // Remove the activation key meta so the key cannot be replayed
        delete_user_meta($user_id, 'activation_key');
    }

    // Update the display_name
    nxt_update_user(array('ID' => $user_id, 'display_name' => bp_core_get_user_displayname($user_id)));

    // Set the password on multisite installs (the value stored in signup meta is written as-is;
    // presumably it is already a hash -- verify against the signup code)
    if (is_multisite() && !empty($signup['meta']['password'])) {
        $nxtdb->query($nxtdb->prepare("UPDATE {$nxtdb->users} SET user_pass = %s WHERE ID = %d", $signup['meta']['password'], $user_id));
    }

    // Delete the total member cache
    nxt_cache_delete('bp_total_member_count', 'bp');

    do_action('bp_core_activated_user', $user_id, $key, $signup);

    return $user_id;
}
<?php } // Only allow super admins on multisite to edit every user. if (is_multisite() && !current_user_can('manage_network_users') && $user_id != $current_user->ID && !apply_filters('enable_edit_any_user_configuration', true)) { nxt_die(__('You do not have permission to edit this user.')); } // Execute confirmed email change. See send_confirmation_on_profile_email(). if (is_multisite() && IS_PROFILE_PAGE && isset($_GET['newuseremail']) && $current_user->ID) { $new_email = get_option($current_user->ID . '_new_email'); if ($new_email['hash'] == $_GET['newuseremail']) { $user->ID = $current_user->ID; $user->user_email = esc_html(trim($new_email['newemail'])); if ($nxtdb->get_var($nxtdb->prepare("SELECT user_login FROM {$nxtdb->signups} WHERE user_login = %s", $current_user->user_login))) { $nxtdb->query($nxtdb->prepare("UPDATE {$nxtdb->signups} SET user_email = %s WHERE user_login = %s", $user->user_email, $current_user->user_login)); } nxt_update_user(get_object_vars($user)); delete_option($current_user->ID . '_new_email'); nxt_redirect(add_query_arg(array('updated' => 'true'), self_admin_url('profile.php'))); die; } } elseif (is_multisite() && IS_PROFILE_PAGE && !empty($_GET['dismiss']) && $current_user->ID . '_new_email' == $_GET['dismiss']) { delete_option($current_user->ID . '_new_email'); nxt_redirect(add_query_arg(array('updated' => 'true'), self_admin_url('profile.php'))); die; } switch ($action) { case 'update': check_admin_referer('update-user_' . $user_id); if (!current_user_can('edit_user', $user_id)) { nxt_die(__('You do not have permission to edit this user.')); }
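/**
 * Action method for completing the 'verify' action. This action is used adding an identity URL to a
 * NXTClass user through the admin interface.
 *
 * Outcome codes passed back in the `message` query argument:
 *   1 = no identity URL returned and the OpenID library supplied no message,
 *   2 = openid_add_identity() refused the URL,
 *   3 = identity added (and `update_url=1` when the profile URL was replaced by it).
 * When the library supplies its own message for the empty-URL case, that message is passed instead of 1.
 *
 * @param string $identity_url verified OpenID URL
 * @param string $action       action being finished; anything other than 'verify' is ignored
 */
function openid_finish_verify($identity_url, $action) {
    if ($action !== 'verify') {
        return;
    }

    $message    = 0;
    $update_url = 0;
    $user       = nxt_get_current_user();

    if (empty($identity_url)) {
        // No URL came back: surface the library's message, or a generic failure code
        $message = openid_message();
        if (empty($message)) {
            $message = 1;
        }
    } elseif (!openid_add_identity($user->ID, $identity_url)) {
        $message = 2;
    } else {
        $message = 3;

        // ensure that profile URL is a verified OpenID
        require_once 'Auth/OpenID.php';
        require_once ABSPATH . 'nxt-admin/includes/admin.php';
        if (!openid_ensure_url_match($user)) {
            nxt_update_user(array('ID' => $user->ID, 'user_url' => $identity_url));
            $update_url = 1;
        }
    }

    // The return URL was stashed in the session when the flow started; a missing entry
    // is passed through as null (as before) instead of raising an undefined-index notice.
    $finish_url = isset($_SESSION['openid_finish_url']) ? $_SESSION['openid_finish_url'] : null;
    $finish_url = add_query_arg('status', openid_status(), $finish_url);
    $finish_url = add_query_arg('message', $message, $finish_url);
    if ($update_url) {
        $finish_url = add_query_arg('update_url', $update_url, $finish_url);
    }

    // nxt_safe_redirect is used (rather than nxt_redirect) so the session-supplied target is host-checked
    nxt_safe_redirect($finish_url);
    exit;
}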