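/**
 * Processes the request
 *
 * Callback for "parse_request" hook in WP::parse_request()
 *
 * Dispatches on $this->request_action. Branches that complete an action
 * redirect and exit; the others leave their result in $this->errors for the
 * login template to display. Redirect targets that come from the request
 * ("redirect_to") are only ever passed to wp_safe_redirect(), which limits
 * them to allowed hosts; the plain wp_redirect() calls receive URLs built by
 * Theme_My_Login::get_current_url() (presumably same-site — verify there).
 * Every $_REQUEST/$_POST value read here is untrusted; the "redirect_to"
 * value is also handed, unvalidated, to the "logout_redirect" and
 * "login_redirect" filters as the requested target, so filter callbacks must
 * treat it the same way.
 *
 * @see WP::parse_request()
 * @since 6.0
 * @access public
 */
function parse_request() {
    $errors   =& $this->errors;
    $action   =& $this->request_action;
    $instance =& $this->request_instance;

    // Admin-side requests are not handled by the theme login form.
    if ( is_admin() ) {
        return;
    }

    do_action_ref_array( 'tml_request', array( &$this ) );

    // allow plugins to override the default actions, and to add extra actions if they want
    do_action( 'login_form_' . $action );

    if ( has_action( 'tml_request_' . $action ) ) {
        do_action_ref_array( 'tml_request_' . $action, array( &$this ) );
    } else {
        $http_post = ( 'POST' == $_SERVER['REQUEST_METHOD'] );

        switch ( $action ) {
            case 'logout' :
                // Nonce check: logout changes state, so a forged link must not trigger it.
                check_admin_referer( 'log-out' );

                $user = wp_get_current_user();

                $redirect_to = apply_filters( 'logout_redirect', site_url( 'wp-login.php?loggedout=true' ), isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );

                wp_logout();

                wp_safe_redirect( $redirect_to );
                exit;

            case 'lostpassword' :
            case 'retrievepassword' :
                $this->check_ssl();

                if ( $http_post ) {
                    $errors = $this->retrieve_password();
                    if ( ! is_wp_error( $errors ) ) {
                        $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : Theme_My_Login::get_current_url( 'checkemail=confirm' );
                        if ( ! empty( $instance ) ) {
                            $redirect_to = add_query_arg( 'instance', $instance, $redirect_to );
                        }
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }
                }

                if ( isset( $_REQUEST['error'] ) && 'invalidkey' == $_REQUEST['error'] ) {
                    $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.', 'theme-my-login' ) );
                }
                break;

            case 'resetpass' :
            case 'rp' :
                $this->check_ssl();

                // Missing key/login must fail the key check, not raise undefined-index notices.
                $key   = isset( $_REQUEST['key'] ) ? $_REQUEST['key'] : '';
                $login = isset( $_REQUEST['login'] ) ? $_REQUEST['login'] : '';

                $user = $this->check_password_reset_key( $key, $login );
                if ( is_wp_error( $user ) ) {
                    wp_redirect( Theme_My_Login::get_current_url( 'action=lostpassword&error=invalidkey' ) );
                    exit;
                }

                // A string, not a WP_Error, is stored here on purpose; the template is
                // assumed to treat anything that is not a WP_Error as "no errors" — TODO confirm.
                $errors = '';

                $pass2 = isset( $_POST['pass2'] ) ? $_POST['pass2'] : '';

                if ( isset( $_POST['pass1'] ) && $_POST['pass1'] != $pass2 ) {
                    $errors = new WP_Error( 'password_reset_mismatch', __( 'Your passwords do not match.', 'theme-my-login' ) );
                } elseif ( ! empty( $_POST['pass1'] ) ) {
                    $this->reset_password( $user, $_POST['pass1'] );

                    $redirect_to = Theme_My_Login::get_current_url( 'resetpass=complete' );
                    if ( ! empty( $_REQUEST['instance'] ) ) {
                        $redirect_to = add_query_arg( 'instance', $_REQUEST['instance'], $redirect_to );
                    }
                    wp_safe_redirect( $redirect_to );
                    exit;
                }

                // Password strength meter for the reset form.
                $suffix = defined( 'SCRIPT_DEBUG' ) && SCRIPT_DEBUG ? '.dev' : '';
                wp_enqueue_script( 'user-profile', admin_url( "js/user-profile{$suffix}.js" ), array( 'jquery' ), '', true );
                wp_enqueue_script( 'password-strength-meter', admin_url( "js/password-strength-meter{$suffix}.js" ), array( 'jquery' ), '', true );
                wp_localize_script( 'password-strength-meter', 'pwsL10n', array(
                    'empty'            => __( 'Strength indicator', 'theme-my-login' ),
                    'short'            => __( 'Very weak', 'theme-my-login' ),
                    'bad'              => __( 'Weak', 'theme-my-login' ),
                    'good'             => _x( 'Medium', 'password strength', 'theme-my-login' ),
                    'strong'           => __( 'Strong', 'theme-my-login' ),
                    'l10n_print_after' => 'try{convertEntities(pwsL10n);}catch(e){};'
                ) );
                break;

            case 'register' :
                if ( ! get_option( 'users_can_register' ) ) {
                    wp_redirect( Theme_My_Login::get_current_url( 'registration=disabled' ) );
                    exit;
                }

                $this->check_ssl();

                $user_login = '';
                $user_email = '';
                if ( $http_post ) {
                    if ( version_compare( $GLOBALS['wp_version'], '3.1', '<' ) ) {
                        require_once ABSPATH . WPINC . '/registration.php';
                    }
                    // Validation (sanitize_user, e-mail checks) happens inside register_new_user().
                    $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : '';
                    $user_email = isset( $_POST['user_email'] ) ? $_POST['user_email'] : '';
                    $errors = Theme_My_Login::register_new_user( $user_login, $user_email );
                    if ( ! is_wp_error( $errors ) ) {
                        $redirect_to = ! empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : Theme_My_Login::get_current_url( 'checkemail=registered' );
                        if ( ! empty( $instance ) ) {
                            $redirect_to = add_query_arg( 'instance', $instance, $redirect_to );
                        }
                        $redirect_to = apply_filters( 'register_redirect', $redirect_to );
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }
                }
                break;

            case 'login' :
            default :
                $secure_cookie = '';
                $interim_login = isset( $_REQUEST['interim-login'] );

                // If the user wants ssl but the session is not ssl, force a secure cookie.
                if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
                    $user_name = sanitize_user( $_POST['log'] );
                    if ( $user = get_userdatabylogin( $user_name ) ) {
                        if ( get_user_option( 'use_ssl', $user->ID ) ) {
                            $secure_cookie = true;
                            force_ssl_admin( true );
                        }
                    }
                }

                if ( ! empty( $_REQUEST['redirect_to'] ) ) {
                    $redirect_to = $_REQUEST['redirect_to'];
                    // Redirect to https if user wants ssl
                    if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) {
                        $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
                    }
                } else {
                    $redirect_to = admin_url();
                }

                $reauth = empty( $_REQUEST['reauth'] ) ? false : true;

                // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
                // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
                // the admin via http or https.
                if ( ! $secure_cookie && is_ssl() && force_ssl_login() && ! force_ssl_admin() && 0 !== strpos( $redirect_to, 'https' ) && 0 === strpos( $redirect_to, 'http' ) ) {
                    $secure_cookie = false;
                }

                if ( $http_post && isset( $_POST['log'] ) ) {
                    $this->check_ssl();

                    // Set a cookie now to see if they are supported by the browser.
                    setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN );
                    if ( SITECOOKIEPATH != COOKIEPATH ) {
                        setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN );
                    }

                    // Credentials are read from $_POST by wp_signon() itself.
                    $user = wp_signon( '', $secure_cookie );

                    $redirect_to = apply_filters( 'login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );

                    if ( ! is_wp_error( $user ) && ! $reauth ) {
                        // If the user can't edit posts, send them to their profile.
                        if ( ! $user->has_cap( 'edit_posts' ) && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) {
                            $redirect_to = admin_url( 'profile.php' );
                        }
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }

                    // Failed sign-on (WP_Error) or a reauth request; the reauth case is cleared below.
                    $errors = $user;
                }

                $this->redirect_to = $redirect_to;

                // Clear errors if loggedout is set.
                if ( ! empty( $_GET['loggedout'] ) || $reauth ) {
                    $errors = new WP_Error();
                }

                // If cookies are disabled we can't log in even with a valid user+pass
                if ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[TEST_COOKIE] ) ) {
                    $errors->add( 'test_cookie', __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="http://www.google.com/cookies.html">enable cookies</a> to use WordPress.', 'theme-my-login' ) );
                }

                // Some parts of this script use the main login form to display a message
                if ( isset( $_GET['loggedout'] ) && true == $_GET['loggedout'] ) {
                    $errors->add( 'loggedout', __( 'You are now logged out.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['registration'] ) && 'disabled' == $_GET['registration'] ) {
                    $errors->add( 'registerdisabled', __( 'User registration is currently not allowed.', 'theme-my-login' ) );
                } elseif ( isset( $_GET['checkemail'] ) && 'confirm' == $_GET['checkemail'] ) {
                    $errors->add( 'confirm', __( 'Check your e-mail for the confirmation link.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['resetpass'] ) && 'complete' == $_GET['resetpass'] ) {
                    $errors->add( 'password_reset', __( 'Your password has been reset.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['checkemail'] ) && 'registered' == $_GET['checkemail'] ) {
                    $errors->add( 'registered', __( 'Registration complete. Please check your e-mail.', 'theme-my-login' ), 'message' );
                } elseif ( $interim_login ) {
                    $errors->add( 'expired', __( 'Your session has expired. Please log-in again.', 'theme-my-login' ), 'message' );
                } elseif ( $reauth ) {
                    $errors->add( 'reauth', __( 'Please log in to continue.', 'theme-my-login' ), 'message' );
                }

                // Clear any stale cookies.
                if ( $reauth ) {
                    wp_clear_auth_cookie();
                }
                break;
        } // end switch
    } // endif has_filter()
}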
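/**
 * Processes the request
 *
 * Callback for "parse_request" hook in WP::parse_request()
 *
 * Takes the "action" query var from $wp (and removes it from the query vars)
 * and dispatches on it. The action string is request-controlled; it is used
 * only to select hook names and switch cases. Branches that complete an
 * action redirect and exit; the others leave their result in $this->errors
 * for the login template to display. Redirect targets that come from the
 * request ("redirect_to") are only ever passed to wp_safe_redirect(), which
 * limits them to allowed hosts; the plain wp_redirect() calls receive URLs
 * built by Theme_My_Login::get_current_url() (presumably same-site — verify
 * there). The "redirect_to" value is also handed, unvalidated, to the
 * "logout_redirect" and "login_redirect" filters as the requested target, so
 * filter callbacks must treat it as untrusted.
 *
 * @see WP::parse_request()
 * @since 6.0
 * @access public
 *
 * @param WP $wp The WP object, by reference; its "action" query var is consumed here.
 */
function parse_request( &$wp ) {
    $errors = & $this->errors;
    $action = & $this->request_action;

    if ( isset( $wp->query_vars['action'] ) ) {
        $action = $wp->query_vars['action'];
        unset( $wp->query_vars['action'] );
    }

    $instance = & $this->request_instance;

    // Admin-side requests are not handled by the theme login form.
    if ( is_admin() ) {
        return;
    }

    do_action_ref_array( 'tml_request', array( &$this ) );

    // allow plugins to override the default actions, and to add extra actions if they want
    do_action( 'login_form_' . $action );

    if ( has_action( 'tml_request_' . $action ) ) {
        do_action_ref_array( 'tml_request_' . $action, array( &$this ) );
    } else {
        $http_post = ( 'POST' == $_SERVER['REQUEST_METHOD'] );

        switch ( $action ) {
            case 'postpass' :
                global $wp_hasher;

                if ( empty( $wp_hasher ) ) {
                    require_once ABSPATH . 'wp-includes/class-phpass.php';
                    // By default, use the portable hash from phpass
                    $wp_hasher = new PasswordHash( 8, true );
                }

                $post_password = isset( $_POST['post_password'] ) ? $_POST['post_password'] : '';

                // 10 days
                // NOTE(review): the cookie is set without the secure/httponly flags, matching
                // core wp-login.php of this era; consider passing them via setcookie().
                setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $post_password ) ), time() + 864000, COOKIEPATH );

                wp_safe_redirect( wp_get_referer() );
                exit;

            case 'logout' :
                // Nonce check: logout changes state, so a forged link must not trigger it.
                check_admin_referer( 'log-out' );

                $user = wp_get_current_user();

                wp_logout();

                $redirect_to = apply_filters( 'logout_redirect', site_url( 'wp-login.php?loggedout=true' ), isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );

                wp_safe_redirect( $redirect_to );
                exit;

            case 'lostpassword' :
            case 'retrievepassword' :
                if ( $http_post ) {
                    $errors = $this->retrieve_password();
                    if ( ! is_wp_error( $errors ) ) {
                        $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : Theme_My_Login::get_current_url( 'checkemail=confirm' );
                        if ( ! empty( $instance ) ) {
                            $redirect_to = add_query_arg( 'instance', $instance, $redirect_to );
                        }
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }
                }

                if ( isset( $_REQUEST['error'] ) && 'invalidkey' == $_REQUEST['error'] ) {
                    $errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.', 'theme-my-login' ) );
                }

                do_action( 'lost_password' );
                break;

            case 'resetpass' :
            case 'rp' :
                // Missing key/login must fail the key check, not raise undefined-index notices.
                $key   = isset( $_REQUEST['key'] ) ? $_REQUEST['key'] : '';
                $login = isset( $_REQUEST['login'] ) ? $_REQUEST['login'] : '';

                $user = $this->check_password_reset_key( $key, $login );
                if ( is_wp_error( $user ) ) {
                    wp_redirect( Theme_My_Login::get_current_url( 'action=lostpassword&error=invalidkey' ) );
                    exit;
                }

                // A string, not a WP_Error, is stored here on purpose; the template is
                // assumed to treat anything that is not a WP_Error as "no errors" — TODO confirm.
                $errors = '';

                $pass2 = isset( $_POST['pass2'] ) ? $_POST['pass2'] : '';

                if ( isset( $_POST['pass1'] ) && $_POST['pass1'] != $pass2 ) {
                    $errors = new WP_Error( 'password_reset_mismatch', __( 'The passwords do not match.', 'theme-my-login' ) );
                } elseif ( ! empty( $_POST['pass1'] ) ) {
                    $this->reset_password( $user, $_POST['pass1'] );

                    $redirect_to = Theme_My_Login::get_current_url( 'resetpass=complete' );
                    if ( ! empty( $_REQUEST['instance'] ) ) {
                        $redirect_to = add_query_arg( 'instance', $_REQUEST['instance'], $redirect_to );
                    }
                    wp_safe_redirect( $redirect_to );
                    exit;
                }

                // Scripts for the reset form (password strength meter lives in user-profile).
                wp_enqueue_script( 'utils' );
                wp_enqueue_script( 'user-profile' );
                break;

            case 'register' :
                if ( ! get_option( 'users_can_register' ) ) {
                    wp_redirect( Theme_My_Login::get_current_url( 'registration=disabled' ) );
                    exit;
                }

                $user_login = '';
                $user_email = '';
                if ( $http_post ) {
                    // Validation (sanitize_user, e-mail checks) happens inside register_new_user().
                    $user_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : '';
                    $user_email = isset( $_POST['user_email'] ) ? $_POST['user_email'] : '';
                    $errors = Theme_My_Login::register_new_user( $user_login, $user_email );
                    if ( ! is_wp_error( $errors ) ) {
                        $redirect_to = ! empty( $_POST['redirect_to'] ) ? $_POST['redirect_to'] : Theme_My_Login::get_current_url( 'checkemail=registered' );
                        if ( ! empty( $instance ) ) {
                            $redirect_to = add_query_arg( 'instance', $instance, $redirect_to );
                        }
                        $redirect_to = apply_filters( 'register_redirect', $redirect_to );
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }
                }
                break;

            case 'login' :
            default :
                $secure_cookie = '';
                $interim_login = isset( $_REQUEST['interim-login'] );

                // If the user wants ssl but the session is not ssl, force a secure cookie.
                if ( ! empty( $_POST['log'] ) && ! force_ssl_admin() ) {
                    $user_name = sanitize_user( $_POST['log'] );
                    if ( $user = get_user_by( 'login', $user_name ) ) {
                        if ( get_user_option( 'use_ssl', $user->ID ) ) {
                            $secure_cookie = true;
                            force_ssl_admin( true );
                        }
                    }
                }

                if ( ! empty( $_REQUEST['redirect_to'] ) ) {
                    $redirect_to = $_REQUEST['redirect_to'];
                    // Redirect to https if user wants ssl
                    if ( $secure_cookie && false !== strpos( $redirect_to, 'wp-admin' ) ) {
                        $redirect_to = preg_replace( '|^http://|', 'https://', $redirect_to );
                    }
                } else {
                    $redirect_to = admin_url();
                }

                $reauth = empty( $_REQUEST['reauth'] ) ? false : true;

                // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure
                // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting
                // the admin via http or https.
                if ( ! $secure_cookie && is_ssl() && force_ssl_login() && ! force_ssl_admin() && 0 !== strpos( $redirect_to, 'https' ) && 0 === strpos( $redirect_to, 'http' ) ) {
                    $secure_cookie = false;
                }

                if ( $http_post && isset( $_POST['log'] ) ) {
                    // Set a cookie now to see if they are supported by the browser.
                    setcookie( TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN );
                    if ( SITECOOKIEPATH != COOKIEPATH ) {
                        setcookie( TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN );
                    }

                    // Credentials are read from $_POST by wp_signon() itself.
                    $user = wp_signon( '', $secure_cookie );

                    $redirect_to = apply_filters( 'login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user );

                    if ( ! is_wp_error( $user ) && ! $reauth ) {
                        if ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) {
                            // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile.
                            if ( is_multisite() && ! get_active_blog_for_user( $user->ID ) && ! is_super_admin( $user->ID ) ) {
                                $redirect_to = user_admin_url();
                            } elseif ( is_multisite() && ! $user->has_cap( 'read' ) ) {
                                $redirect_to = get_dashboard_url( $user->ID );
                            } elseif ( ! $user->has_cap( 'edit_posts' ) ) {
                                $redirect_to = admin_url( 'profile.php' );
                            }
                        }
                        wp_safe_redirect( $redirect_to );
                        exit;
                    }

                    // Failed sign-on (WP_Error) or a reauth request; the reauth case is cleared below.
                    $errors = $user;
                }

                $this->redirect_to = $redirect_to;

                // Clear errors if loggedout is set.
                if ( ! empty( $_GET['loggedout'] ) || $reauth ) {
                    $errors = new WP_Error();
                }

                // If cookies are disabled we can't log in even with a valid user+pass
                if ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[TEST_COOKIE] ) ) {
                    $errors->add( 'test_cookie', __( '<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href="http://www.google.com/cookies.html">enable cookies</a> to use WordPress.', 'theme-my-login' ) );
                }

                // Some parts of this script use the main login form to display a message
                if ( isset( $_GET['loggedout'] ) && true == $_GET['loggedout'] ) {
                    $errors->add( 'loggedout', __( 'You are now logged out.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['registration'] ) && 'disabled' == $_GET['registration'] ) {
                    $errors->add( 'registerdisabled', __( 'User registration is currently not allowed.', 'theme-my-login' ) );
                } elseif ( isset( $_GET['checkemail'] ) && 'confirm' == $_GET['checkemail'] ) {
                    $errors->add( 'confirm', __( 'Check your e-mail for the confirmation link.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['resetpass'] ) && 'complete' == $_GET['resetpass'] ) {
                    $errors->add( 'password_reset', __( 'Your password has been reset.', 'theme-my-login' ), 'message' );
                } elseif ( isset( $_GET['checkemail'] ) && 'registered' == $_GET['checkemail'] ) {
                    $errors->add( 'registered', __( 'Registration complete. Please check your e-mail.', 'theme-my-login' ), 'message' );
                } elseif ( $interim_login ) {
                    $errors->add( 'expired', __( 'Your session has expired. Please log-in again.', 'theme-my-login' ), 'message' );
                } elseif ( strpos( $redirect_to, 'about.php?updated' ) ) {
                    $errors->add( 'updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
                } elseif ( $reauth ) {
                    $errors->add( 'reauth', __( 'Please log in to continue.', 'theme-my-login' ), 'message' );
                }

                // Clear any stale cookies.
                if ( $reauth ) {
                    wp_clear_auth_cookie();
                }
                break;
        } // end switch
    } // endif has_filter()
}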