/**
 * Creates one user and one "tester" user for every role the tests exercise.
 *
 * On multisite an additional super-admin pair is created. REQUEST_METHOD is
 * defaulted so wp_validate_auth_cookie() does not raise undefined-index
 * notices (see https://core.trac.wordpress.org/ticket/32636).
 */
function setUp()
{
    parent::setUp();

    // Deprecated-constructor warnings from WordPress would otherwise fail the run on PHP 7+.
    if (version_compare(PHP_VERSION, 7, '>=')) {
        error_reporting(E_ALL & ~E_DEPRECATED);
    }

    $roleByKey = array(
        'admin'       => 'administrator',
        'editor'      => 'editor',
        'author'      => 'author',
        'contributor' => 'contributor',
        'subscriber'  => 'subscriber',
        'no_role'     => '',
    );

    foreach ($roleByKey as $key => $roleName) {
        $args                = array('role' => $roleName);
        $this->users[$key]   = $this->factory->user->create_and_get($args);
        $this->testers[$key] = $this->factory->user->create_and_get($args);
    }

    if (is_multisite()) {
        $adminArgs              = array('role' => 'administrator');
        $this->users['super']   = $this->factory->user->create_and_get($adminArgs);
        $this->testers['super'] = $this->factory->user->create_and_get($adminArgs);
        grant_super_admin($this->users['super']->ID);
        grant_super_admin($this->testers['super']->ID);
    }

    if (!isset($_SERVER['REQUEST_METHOD'])) {
        $_SERVER['REQUEST_METHOD'] = 'GET';
    }
}
/**
 * @Given User :login is a super-admin
 *
 * Looks the user up by login and grants network-wide super-admin status.
 *
 * @param string $login
 * @throws \InvalidArgumentException when no user has that login
 */
public function userIsASuperAdmin($login)
{
    $account = get_user_by('login', $login);

    if (!$account) {
        $message = sprintf('No user found with username %s!', $login);
        throw new \InvalidArgumentException($message);
    }

    grant_super_admin($account->ID);
}
/**
 * Creates an administrator for the test and, on multisite, makes them a super admin.
 */
function setUp()
{
    parent::setUp();

    $adminId = $this->make_user_by_role('administrator');
    $this->administrator_id = $adminId;

    if (is_multisite()) {
        grant_super_admin($adminId);
    }
}
/**
 * Creates an administrator, promotes it to super admin where that
 * function exists, and makes it the current user.
 *
 * @return int the new user's ID
 */
protected function set_admin()
{
    $adminId  = $this->factory->user->create(array('role' => 'administrator'));
    $canGrant = function_exists('grant_super_admin');

    if ($canGrant) {
        grant_super_admin($adminId);
    }

    wp_set_current_user($adminId);

    return $adminId;
}
/**
 * @ticket 39065
 *
 * A super admin with no sites should be sent to the main admin_url().
 */
public function test_get_dashboard_url_for_network_administrator_with_no_sites()
{
    if (!is_multisite()) {
        $this->markTestSkipped('Test only runs in multisite.');
    }

    $userId = self::$user_id;

    grant_super_admin($userId);
    add_filter('get_blogs_of_user', '__return_empty_array');

    $expectedUrl = admin_url();
    $actualUrl   = get_dashboard_url($userId);

    // Undo the promotion before asserting so a failure does not leak state.
    revoke_super_admin($userId);

    $this->assertEquals($expectedUrl, $actualUrl);
}
/**
 * Creates one user per role as a named property, plus a super admin on multisite.
 */
function setUp()
{
    parent::setUp();

    $accounts = array(
        'admin'       => 'administrator',
        'editor'      => 'editor',
        'author'      => 'author',
        'contributor' => 'contributor',
        'subscriber'  => 'subscriber',
        'no_role'     => '',
        'translator'  => 'translator',
    );

    foreach ($accounts as $property => $role) {
        $this->{$property} = $this->factory->user->create_and_get(array('role' => $role));
    }

    if (is_multisite()) {
        $this->super = $this->factory->user->create_and_get(array('role' => 'administrator'));
        grant_super_admin($this->super->ID);
    }
}
/**
 * Set up the test case.
 *
 * Creates a (super) administrator as the current user, boots a
 * WP_Customize_Manager into the global, and registers a custom CSS
 * setting for the active stylesheet.
 *
 * @see WP_UnitTestCase::setup()
 */
function setUp()
{
    parent::setUp();

    require_once ABSPATH . WPINC . '/class-wp-customize-manager.php';

    $adminId = self::factory()->user->create(array('role' => 'administrator'));
    if (is_multisite()) {
        grant_super_admin($adminId);
    }
    wp_set_current_user($adminId);

    global $wp_customize;
    $manager            = new WP_Customize_Manager();
    $this->wp_customize = $manager;
    $wp_customize       = $manager;
    do_action('customize_register', $manager);

    $settingId     = 'custom_css[' . get_stylesheet() . ']';
    $this->setting = new WP_Customize_Custom_CSS_Setting($manager, $settingId);
    $manager->add_setting($this->setting);
}
/**
 * Creates a user and a matching "tester" for each role, plus a super-admin
 * pair on multisite, and defaults REQUEST_METHOD for wp_validate_auth_cookie()
 * (https://core.trac.wordpress.org/ticket/32636).
 */
function setUp()
{
    parent::setUp();

    $roles = array(
        'admin'       => 'administrator',
        'editor'      => 'editor',
        'author'      => 'author',
        'contributor' => 'contributor',
        'subscriber'  => 'subscriber',
        'no_role'     => '',
    );

    if (is_multisite()) {
        $roles['super'] = 'administrator';
    }

    foreach ($roles as $key => $role) {
        $this->users[$key]   = $this->factory->user->create_and_get(array('role' => $role));
        $this->testers[$key] = $this->factory->user->create_and_get(array('role' => $role));
    }

    if (isset($roles['super'])) {
        grant_super_admin($this->users['super']->ID);
        grant_super_admin($this->testers['super']->ID);
    }

    if (!isset($_SERVER['REQUEST_METHOD'])) {
        $_SERVER['REQUEST_METHOD'] = 'GET';
    }
}
/**
 * Paging through wp.getUsers with number/offset must eventually return
 * every user ID that get_users() reports.
 */
function test_paging_filters()
{
    $adminId = $this->make_user_by_role('administrator');
    if (is_multisite()) {
        grant_super_admin($adminId);
    }
    $this->factory->user->create_many(13);

    $expectedIds = get_users(array('fields' => 'ID'));
    $pageSize    = floor(count($expectedIds) / 3);
    $seenIds     = array();
    $offset      = 0;

    while (true) {
        $filter = array('number' => $pageSize, 'offset' => $offset);
        $page   = $this->myxmlrpcserver->wp_getUsers(array(1, 'administrator', 'administrator', $filter));

        foreach ($page as $row) {
            $seenIds[] = $row['user_id'];
        }
        $offset += $pageSize;

        if (count($page) <= 0) {
            break;
        }
    }

    // every ID from get_users() must have been seen while paging
    $this->assertEquals(0, count(array_diff($expectedIds, $seenIds)));
}
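/**
 * Ensures the site's service account exists, creating or updating it.
 *
 * The account is named after PWP_NAME, given the administrator role and,
 * on multisite, super-admin status. The e-mail is taken from $email, then
 * the `email` request param, then the customer record. The password comes
 * from the `pw` request param; otherwise a random one is set so the account
 * is only reachable through the "lost password" flow.
 *
 * @param string|null $email
 * @return void
 */
public function ensure_account_user($email = NULL)
{
    $sitename = PWP_NAME;
    // NOTE(review): this echo is redacted in the source as received; restore it from upstream.
    echo "Ensuring user: "******"\n";

    $user_id = username_exists($sitename); // get existing ID

    $user = array(
        'user_login'    => $sitename,
        'user_url'      => home_url(),
        'role'          => 'administrator',
        'user_nicename' => $sitename,
    );

    // The email address and password for the user
    if (!$email) {
        $email = wpe_param('email');
    }
    if (!$email) {
        $data  = $this->get_customer_record();
        $email = $data['email'];
    }
    if ($email) {
        $user['user_email'] = $email;
    }

    $pw = wpe_param('pw');
    if ($pw) {
        $user['user_pass'] = $pw;
    } else {
        // Random password so they get one from the 'lost pw' button. Uses the
        // CSPRNG; the previous md5(rand() . time() . rand()) was guessable.
        $user['user_pass'] = bin2hex(random_bytes(16));
    }

    if (!$user_id) {
        $user_id = wp_insert_user($user); // creates; returns new user ID
    } else {
        $user['ID'] = $user_id;
        wp_update_user($user); // update!
    }

    // Make Multisite admin a Super Admin
    if ($user_id && !is_wp_error($user_id) && function_exists('is_multisite') && is_multisite()) {
        require_once ABSPATH . '/wp-admin/includes/ms.php';
        grant_super_admin($user_id);
    }
}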
/**
 * Super-admin status must not imply the `update_core` capability.
 */
public function test__super_admin_should_not_have_update_core_cap()
{
    $superAdmin = $this->factory->user->create_and_get(array('role' => 'contributor'));
    grant_super_admin($superAdmin->ID);

    $hasUpdateCore = user_can($superAdmin, 'update_core');
    $this->assertFalse($hasUpdateCore, 'Superadmin user should not have `update_core` cap');
}
/**
 * Gives a user the VIP Support role, super-admin status on multisite, and
 * the legacy user_level of 10 for the current blog.
 *
 * @param int $user_id
 */
protected function promote_user_to_vip_support($user_id)
{
    $account = new WP_User($user_id);
    $account->set_role(WPCOM_VIP_Support_Role::VIP_SUPPORT_ROLE);

    if (is_multisite()) {
        require_once ABSPATH . '/wp-admin/includes/ms.php';
        grant_super_admin($user_id);
    }

    $levelKey = $GLOBALS['wpdb']->get_blog_prefix() . 'user_level';
    update_user_meta($account->ID, $levelKey, 10);
}
/**
 * Marks the user with the provided ID as having a verified email.
 *
 * On multisite the user is also granted super-admin status.
 *
 * <user-id>
 * : The WP User ID to mark as having a verified email address
 *
 * @subcommand verify
 *
 * ## EXAMPLES
 *
 *     wp vipsupport verify 99
 *
 * @param array $args positional CLI arguments; $args[0] is the user ID
 */
public function verify($args)
{
    $user_id = absint($args[0]);
    if (!$user_id) {
        \WP_CLI::error("Please provide the ID of the user to verify");
    }

    $account = get_user_by('id', $user_id);
    if (!$account) {
        \WP_CLI::error("Could not find a user with ID {$user_id}");
    }

    // If this is a multisite, commence super powers!
    if (is_multisite()) {
        grant_super_admin($account->ID);
    }

    $support = WPCOM_VIP_Support_User::init();
    $support->mark_user_email_verified($account->ID, $account->user_email);

    // Print a success message
    \WP_CLI::success("Verified user {$user_id} with email {$account->user_email}, you can now change their role to VIP Support");
}
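/**
 * Handles the front end user editing
 *
 * Processes a `bbp-update-user` POST: confirms or dismisses a pending e-mail
 * change on multisite, verifies the nonce and the `edit_user` capability,
 * runs edit_user(), keeps the multisite signups table in sync, optionally
 * toggles super-admin status from the network admin, then redirects on
 * success or stores the errors for display.
 *
 * @uses is_multisite() To check if it's a multisite
 * @uses bbp_is_user_home() To check if the user is at home (the display page
 *                           is the one of the logged in user)
 * @uses get_option() To get the displayed user's new email id option
 * @uses hash_equals() To compare the confirmation hash in constant time
 * @uses wpdb::prepare() To sanitize our sql query
 * @uses wpdb::get_var() To execute our query and get back the variable
 * @uses wpdb::query() To execute our query
 * @uses wp_update_user() To update the user
 * @uses delete_option() To delete the displayed user's email id option
 * @uses bbp_get_user_profile_edit_url() To get the edit profile url
 * @uses wp_safe_redirect() To redirect to the url
 * @uses bbp_verify_nonce_request() To verify the nonce and check the request
 * @uses current_user_can() To check if the current user can edit the user
 * @uses do_action() Calls 'personal_options_update' or
 *                    'edit_user_options_update' (based on if it's the user home)
 *                    with the displayed user id
 * @uses edit_user() To edit the user based on the post data
 * @uses get_userdata() To get the user data
 * @uses get_current_user_id() To tell own-profile edits from edits of others
 * @uses is_email() To check if the string is an email id or not
 * @uses wpdb::get_blog_prefix() To get the blog prefix
 * @uses is_network_admin() To check if the user is the network admin
 * @uses is_super_admin() To check if the user is super admin
 * @uses revoke_super_admin() To revoke super admin privileges
 * @uses grant_super_admin() To grant super admin privileges
 * @uses is_wp_error() To check if the value retrieved is a {@link WP_Error}
 */
function bbp_edit_user_handler()
{
    // Bail if not a POST action
    if ('POST' !== strtoupper($_SERVER['REQUEST_METHOD'])) {
        return;
    }

    // Bail if action is not 'bbp-update-user'
    if (empty($_POST['action']) || 'bbp-update-user' !== $_POST['action']) {
        return;
    }

    // Get the displayed user ID
    $user_id = bbp_get_displayed_user_id();

    global $wpdb, $super_admins;

    $new_email_key = $user_id . '_new_email';

    // Execute confirmed email change. See send_confirmation_on_profile_email().
    if (is_multisite() && bbp_is_user_home_edit() && isset($_GET['newuseremail'])) {
        $new_email = get_option($new_email_key);

        // get_option() may return false or a malformed value, so guard the
        // array access; compare the hash in constant time rather than with ==.
        $hash_matches = is_array($new_email)
            && isset($new_email['hash'], $new_email['newemail'])
            && is_string($_GET['newuseremail'])
            && hash_equals((string) $new_email['hash'], $_GET['newuseremail']);

        if ($hash_matches) {
            $user             = new stdClass();
            $user->ID         = $user_id;
            $user->user_email = esc_html(trim($new_email['newemail']));

            $displayed_login = bbp_get_displayed_user_field('user_login');
            if ($wpdb->get_var($wpdb->prepare("SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $displayed_login))) {
                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $user->user_email, $displayed_login));
            }

            wp_update_user(get_object_vars($user));
            delete_option($new_email_key);

            wp_safe_redirect(add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($user_id)));
            exit;
        }

    // Dismiss a pending email change
    } elseif (is_multisite() && bbp_is_user_home_edit() && !empty($_GET['dismiss']) && $new_email_key === $_GET['dismiss']) {
        delete_option($new_email_key);
        wp_safe_redirect(add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($user_id)));
        exit;
    }

    // Nonce check
    if (!bbp_verify_nonce_request('update-user_' . $user_id)) {
        bbp_add_error('bbp_update_user_nonce', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Cap check
    if (!current_user_can('edit_user', $user_id)) {
        bbp_add_error('bbp_update_user_capability', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Do action based on who's profile you're editing
    $edit_action = bbp_is_user_home_edit() ? 'personal_options_update' : 'edit_user_profile_update';
    do_action($edit_action, $user_id);

    if (!is_multisite()) {
        // Single site: edit_user() does all the work.
        $edit_user = edit_user($user_id);
    } else {
        $user = get_userdata($user_id);

        // Update the email address in signups, if present. Key on the edited
        // user's login: the previous code wrote the *current* user's global
        // $user_login into the WHERE clause and so touched the wrong row.
        if ($user->user_login && isset($_POST['email']) && is_email($_POST['email'])
            && $wpdb->get_var($wpdb->prepare("SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $user->user_login))) {
            $wpdb->query($wpdb->prepare("UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $_POST['email'], $user->user_login));
        }

        // WPMU must delete the user from the current blog if WP added him after editing.
        $delete_role = false;
        $blog_prefix = $wpdb->get_blog_prefix();

        // Only when editing somebody else's profile. The previous condition
        // compared $user_id with itself and could never be true.
        if ($user_id != get_current_user_id()) {
            $cap = $wpdb->get_var($wpdb->prepare(
                "SELECT meta_value FROM {$wpdb->usermeta} WHERE user_id = %d AND meta_key = %s AND meta_value = 'a:0:{}'",
                $user_id,
                $blog_prefix . 'capabilities'
            ));
            if (!is_network_admin() && null == $cap && (!isset($_POST['role']) || '' == $_POST['role'])) {
                $_POST['role'] = 'contributor';
                $delete_role   = true;
            }
        }

        $edit_user = edit_user($user_id);

        // stops users being added to current blog when they are edited
        if (true === $delete_role) {
            delete_user_meta($user_id, $blog_prefix . 'capabilities');
        }

        // Toggle super admin only from the network admin, by a user who can
        // manage network options, when no SUPER_ADMINS override is set and the
        // request actually asks for a change. (Logical '&&' throughout; the
        // previous code used a bitwise '&' in the middle of the chain.)
        if (is_network_admin() && !bbp_is_user_home_edit() && current_user_can('manage_network_options')
            && !isset($super_admins) && empty($_POST['super_admin']) == is_super_admin($user_id)) {
            empty($_POST['super_admin']) ? revoke_super_admin($user_id) : grant_super_admin($user_id);
        }
    }

    // Error(s) editing the user, so copy them into the global
    if (is_wp_error($edit_user)) {
        bbpress()->errors = $edit_user;

    // Successful edit to redirect
    } elseif (is_integer($edit_user)) {
        $redirect = add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($edit_user));
        wp_safe_redirect($redirect);
        exit;
    }
}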
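/**
 * AJAX handler that creates an administrator account, or resets the
 * password/role of an existing one.
 *
 * Reads username, pass1, pass2, email and user_id from $_POST, validates
 * them, then either inserts a new administrator or updates the user with
 * that ID. On multisite the account is also made a super admin. Every exit
 * path emits a JSON object with `success` (HTML) or `error` (message) and
 * terminates the request.
 *
 * NOTE(review): no nonce or capability check is visible in this handler;
 * the caller must enforce check_ajax_referer()/current_user_can() before it
 * runs, since the outcome is an administrator/super-admin account. The
 * success HTML also returns the submitted password to the browser.
 */
function ajax_create_user()
{
    $username = sanitize_user(isset($_POST['username']) ? $_POST['username'] : '');
    $pass1    = isset($_POST['pass1']) ? $_POST['pass1'] : '';
    $pass2    = isset($_POST['pass2']) ? $_POST['pass2'] : '';
    $email    = isset($_POST['email']) ? $_POST['email'] : '';
    $user_id  = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;
    $role     = 'administrator';

    // Strict comparison: '==' would treat numeric-looking passwords as numbers.
    if ($pass1 !== $pass2) {
        die(json_encode(array("error" => "The passwords do not match")));
    }
    if (!validate_username($username)) {
        die(json_encode(array("error" => "The username is invalid")));
    }
    if (!is_email($email)) {
        die(json_encode(array("error" => "The email address is invalid")));
    }
    if (empty($username)) {
        die(json_encode(array("error" => "Username cannot be empty")));
    }
    if (empty($pass1)) {
        die(json_encode(array("error" => "Password cannot be empty")));
    }
    if (username_exists($username) && 0 === $user_id) {
        die(json_encode(array("error" => "Username already exists")));
    }
    if (email_exists($email) && 0 === $user_id) {
        die(json_encode(array("error" => "E-mail address already exists")));
    }

    $user_created = false;
    $return_html  = '';

    // NOTE(review): the second test looks up the e-mail as a *username*; confirm
    // whether email_exists() was intended.
    if (!username_exists($username) && !username_exists($email)) {
        $user_args = array('user_login' => $username, 'user_email' => $email, 'user_pass' => $pass1, 'role' => $role);
        $result    = wp_insert_user($user_args);

        // Stop on failure. The previous code echoed the error, then went on to
        // call grant_super_admin() with the WP_Error and reported success.
        if (is_wp_error($result)) {
            die(json_encode(array('error' => $result->get_error_message())));
        }

        if (is_multisite()) {
            if (!function_exists('grant_super_admin')) {
                require_once ABSPATH . 'wp-admin/includes/ms.php';
            }
            grant_super_admin($result);
        }

        $user_created = true;
        // Escape user-supplied values before they are rendered as HTML.
        $return_html  = sprintf("User of <em>%s</em> has been created! Your password is <em>%s</em>. <a href='%s'>Login Now</a>", esc_html($username), esc_html($pass1), admin_url());
    } else {
        $user_object = get_user_by('id', $user_id);
        if (false !== $user_object) {
            if (is_wp_error($user_object)) {
                die(json_encode(array("error" => $user_object->get_error_message())));
            }

            $user_args = array('ID' => $user_object->ID, 'user_pass' => $pass1, 'role' => $role);
            $result    = wp_update_user($user_args);

            // Check the update before promoting: previously a failed update
            // still granted super admin and only then reported the error.
            if (is_wp_error($result)) {
                die(json_encode(array('error' => $result->get_error_message())));
            }

            if (is_multisite()) {
                if (!function_exists('grant_super_admin')) {
                    require_once ABSPATH . 'wp-admin/includes/ms.php';
                }
                grant_super_admin($user_object->ID);
            }

            $user_created = true;
            $return_html  = sprintf("User of <em>%s</em> has been updated! Your new password is <em>%s</em>. <a href='%s'>Login Now</a>", esc_html($username), esc_html($pass1), admin_url());
        }
    }

    if (true === $user_created) {
        die(json_encode(array('success' => $return_html)));
    }

    die(json_encode(array("error" => "User could not be updated")));
}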
/**
 * An administrator holding manage_network_users still must not be able to
 * edit a super admin's account.
 */
function test_multisite_administrator_with_manage_network_users_can_not_edit_super_admin()
{
    if (!is_multisite()) {
        $this->markTestSkipped('Test only runs in multisite');
        return;
    }

    $editorId = self::factory()->user->create(array('role' => 'administrator'));
    $editor   = new WP_User($editorId);
    $editor->add_cap('manage_network_users');

    $targetId = self::factory()->user->create(array('role' => 'subscriber'));
    $target   = new WP_User($targetId);
    grant_super_admin($target->ID);

    wp_set_current_user($editor->ID);

    $this->assertFalse(current_user_can('edit_user', $target->ID));
}
/**
 * A super admin must hold every capability listed by getCapsAndRoles().
 */
function test_super_admin_caps()
{
    if (!is_multisite()) {
        $this->markTestSkipped('Test only runs in multisite');
        return;
    }

    $capsByRole = $this->getCapsAndRoles();
    $account    = $this->factory->user->create_and_get(array('role' => 'administrator'));
    grant_super_admin($account->ID);

    $this->assertTrue(is_super_admin($account->ID));

    foreach (array_keys($capsByRole) as $cap) {
        $message = "Super Admins should have the {$cap} capability";
        $this->assertTrue($account->has_cap($cap), $message);
        $this->assertTrue(user_can($account, $cap), $message);
    }
}
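/**
 * Override the value update of the field for whether a user is to be a super admin or not
 *
 * Grants super admin when the field is set and the user lacks it; revokes
 * it only when the field is cleared and the user currently has it. A set
 * field on an existing super admin is a no-op.
 *
 * @param mixed              $value   submitted field value; any non-empty value means "super admin"
 * @param int                $item_id user ID
 * @param WP_Fields_API_Field $field
 */
public function update_value_is_super_admin($value, $item_id, $field)
{
    $is_super_admin = is_super_admin($item_id);
    $wants_super    = !empty($value);

    if ($wants_super && !$is_super_admin) {
        // Make super admin if not already a super admin
        grant_super_admin($item_id);
    } elseif (!$wants_super && $is_super_admin) {
        // Revoke only when the field was cleared. The previous elseif revoked
        // every existing super admin even when the field stayed set.
        revoke_super_admin($item_id);
    }
}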
/**
 * Test writing changesets and publishing with users who can unfiltered_html and those who cannot.
 *
 * Three scenarios against a 'scratchpad' setting whose value contains a
 * script tag:
 *  1. changeset written by a user with unfiltered_html: script survives publish;
 *  2. changeset written by a subscriber: script is stripped on publish;
 *  3. changeset written by a privileged user but published anonymously via
 *     wp_publish_post(): the original author's capability governs, so the
 *     script survives.
 *
 * @ticket 38705
 * @covers WP_Customize_Manager::save_changeset_post()
 */
function test_save_changeset_post_with_varying_unfiltered_html_cap()
{
    global $wp_customize;

    // Super admin status is what grants unfiltered_html on multisite.
    grant_super_admin(self::$admin_user_id);
    $this->assertTrue(user_can(self::$admin_user_id, 'unfiltered_html'));
    $this->assertFalse(user_can(self::$subscriber_user_id, 'unfiltered_html'));

    // No current user: the changeset's user_id, not the session, must decide.
    wp_set_current_user(0);
    add_action('customize_register', array($this, 'register_scratchpad_setting'));

    // Attempt scratchpad with user who has unfiltered_html.
    update_option('scratchpad', '');
    $wp_customize = new WP_Customize_Manager();
    do_action('customize_register', $wp_customize);
    $wp_customize->set_post_value('scratchpad', 'Unfiltered<script>evil</script>');
    $wp_customize->save_changeset_post(array('status' => 'auto-draft', 'user_id' => self::$admin_user_id));
    // Reopen the same changeset by UUID and publish it.
    $wp_customize = new WP_Customize_Manager(array('changeset_uuid' => $wp_customize->changeset_uuid()));
    do_action('customize_register', $wp_customize);
    $wp_customize->save_changeset_post(array('status' => 'publish'));
    $this->assertEquals('Unfiltered<script>evil</script>', get_option('scratchpad'));

    // Attempt scratchpad with user who doesn't have unfiltered_html.
    update_option('scratchpad', '');
    $wp_customize = new WP_Customize_Manager();
    do_action('customize_register', $wp_customize);
    $wp_customize->set_post_value('scratchpad', 'Unfiltered<script>evil</script>');
    $wp_customize->save_changeset_post(array('status' => 'auto-draft', 'user_id' => self::$subscriber_user_id));
    $wp_customize = new WP_Customize_Manager(array('changeset_uuid' => $wp_customize->changeset_uuid()));
    do_action('customize_register', $wp_customize);
    $wp_customize->save_changeset_post(array('status' => 'publish'));
    // kses has stripped the script tag for the unprivileged author.
    $this->assertEquals('Unfilteredevil', get_option('scratchpad'));

    // Attempt publishing scratchpad as anonymous user when changeset was set by privileged user.
    update_option('scratchpad', '');
    $wp_customize = new WP_Customize_Manager();
    do_action('customize_register', $wp_customize);
    $wp_customize->set_post_value('scratchpad', 'Unfiltered<script>evil</script>');
    $wp_customize->save_changeset_post(array('status' => 'auto-draft', 'user_id' => self::$admin_user_id));
    $changeset_post_id = $wp_customize->changeset_post_id();
    wp_set_current_user(0);
    $wp_customize = null;
    // Forget that customize_register already fired so the publish path registers afresh.
    unset($GLOBALS['wp_actions']['customize_register']);
    // Sanity check: for the anonymous session itself, content_save_pre still strips the script.
    $this->assertEquals('Unfilteredevil', apply_filters('content_save_pre', 'Unfiltered<script>evil</script>'));
    wp_publish_post($changeset_post_id); // @todo If wp_update_post() is used here, then kses will corrupt the post_content.
    $this->assertEquals('Unfiltered<script>evil</script>', get_option('scratchpad'));
}
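/**
 * Handles the front end user editing from POST requests
 *
 * Verifies the nonce and `edit_user` capability, validates a requested
 * e-mail change (stored as a pending option and confirmed out of band),
 * runs edit_user(), optionally toggles super-admin status when a network
 * super admin edits somebody else, then redirects on success or stores the
 * errors for display.
 *
 * @since 2.0.0 bbPress (r2790)
 *
 * @param string $action The requested action to compare this function to
 * @uses is_multisite() To check if it's a multisite
 * @uses bbp_is_user_home() To check if the user is at home (the display page
 *                           is the one of the logged in user)
 * @uses get_option() To get the displayed user's new email id option
 * @uses wp_update_user() To update the user
 * @uses delete_option() To delete the displayed user's email id option
 * @uses bbp_get_user_profile_edit_url() To get the edit profile url
 * @uses bbp_redirect() To redirect to the url
 * @uses bbp_verify_nonce_request() To verify the nonce and check the request
 * @uses current_user_can() To check if the current user can edit the user
 * @uses do_action() Calls 'personal_options_update' or
 *                    'edit_user_options_update' (based on if it's the user home)
 *                    with the displayed user id
 * @uses edit_user() To edit the user based on the post data
 * @uses get_userdata() To get the user data
 * @uses is_email() To check if the string is an email id or not
 * @uses is_network_admin() To check if the user is the network admin
 * @uses revoke_super_admin() To revoke super admin privileges
 * @uses grant_super_admin() To grant super admin privileges
 * @uses is_wp_error() To check if the value retrieved is a {@link WP_Error}
 */
function bbp_edit_user_handler($action = '')
{
    // Bail if action is not `bbp-update-user`
    if ('bbp-update-user' !== $action) {
        return;
    }

    // Get the displayed user ID
    $user_id = bbp_get_displayed_user_id();

    // Nonce check
    if (!bbp_verify_nonce_request('update-user_' . $user_id)) {
        bbp_add_error('bbp_update_user_nonce', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Cap check
    if (!current_user_can('edit_user', $user_id)) {
        bbp_add_error('bbp_update_user_capability', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Empty email check
    if (empty($_POST['email'])) {
        bbp_add_error('bbp_user_email_empty', __('<strong>ERROR</strong>: That is not a valid email address.', 'bbpress'), array('form-field' => 'email'));
        return;
    }

    // Get the users current email address to use for comparisons
    $user_email = bbp_get_displayed_user_field('user_email', 'raw');

    // Bail if no email change
    if ($user_email !== $_POST['email']) {

        // Check that new email address is valid
        if (!is_email($_POST['email'])) {
            bbp_add_error('bbp_user_email_invalid', __('<strong>ERROR</strong>: That is not a valid email address.', 'bbpress'), array('form-field' => 'email'));
            return;
        }

        // Check if email address is already in use
        if (email_exists($_POST['email'])) {
            bbp_add_error('bbp_user_email_taken', __('<strong>ERROR</strong>: That email address is already in use.', 'bbpress'), array('form-field' => 'email'));
            return;
        }

        // Store the pending change. The hash is the confirmation token mailed to
        // the user, so it must be unguessable: 16 CSPRNG bytes (32 hex chars,
        // the same width as the md5(email . time() . mt_rand()) it replaces).
        $key    = $user_id . '_new_email';
        $hash   = bin2hex(random_bytes(16));
        $option = array('hash' => $hash, 'newemail' => $_POST['email']);
        update_option($key, $option);

        // Attempt to notify the user of email address change
        bbp_edit_user_email_send_notification($user_id, $option);

        // Set the POST email variable back to the user's email address
        // so `edit_user()` does not attempt to update it. This is not ideal,
        // but it's also what send_confirmation_on_profile_email() does.
        $_POST['email'] = $user_email;
    }

    // Do action based on who's profile you're editing
    $edit_action = bbp_is_user_home_edit() ? 'personal_options_update' : 'edit_user_profile_update';
    do_action($edit_action, $user_id);

    // Prevent edit_user() from wiping out the user's Toolbar on front setting
    if (!isset($_POST['admin_bar_front']) && _get_admin_bar_pref('front', $user_id)) {
        $_POST['admin_bar_front'] = 1;
    }

    // Bail if errors already exist
    if (bbp_has_errors()) {
        return;
    }

    // Handle user edit
    $edit_user = edit_user($user_id);

    // Error(s) editing the user, so copy them into the global
    if (is_wp_error($edit_user)) {
        bbpress()->errors = $edit_user;

    // Successful edit to redirect
    } elseif (is_integer($edit_user)) {

        // Maybe update super admin ability: only a super admin with
        // manage_network_options, editing somebody else's profile.
        if (is_multisite() && !bbp_is_user_home_edit() && current_user_can('manage_network_options') && is_super_admin()) {
            empty($_POST['super_admin']) ? revoke_super_admin($edit_user) : grant_super_admin($edit_user);
        }

        // Redirect
        $args     = array('updated' => 'true');
        $user_url = bbp_get_user_profile_edit_url($edit_user);
        $redirect = add_query_arg($args, $user_url);
        bbp_redirect($redirect);
    }
}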
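/**
 * Function is responsible for preparing the profile page.
 *
 * Bails unless the current page is "Profile". Defines IS_PROFILE_PAGE, works
 * out which user is displayed (`bumu` request parameter, else the current
 * user) and, for `action=update`, fires the edit actions, applies the
 * `bum_edit_user` filter, does the multisite signups/role housekeeping and
 * redirects. Update attempts by users who may not edit the profile are sent
 * to the login page.
 *
 * NOTE(review): no nonce verification is visible on the update path; confirm
 * that the `bum_edit_user` filter or the caller checks one.
 *
 * @return false|void false when not on the profile page or the requested
 *                    public user does not exist; otherwise falls through or redirects
 */
function bum_init_page_profile()
{
    //reasons to return
    if (!bum_is_page('Profile')) {
        return false;
    }

    //initializing
    define('IS_PROFILE_PAGE', true);
    wp_enqueue_script('user-profile');

    global $wp_http_referer, $errors, $user_can_edit, $bum_public_user, $user_id, $_wp_admin_css_colors, $super_admins;

    $current_user = wp_get_current_user();
    $user_id      = $current_user->ID;
    $action       = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'view';

    $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));

    // Can the current user edit any of the listed post types?
    $user_can_edit = false;
    foreach (array('posts', 'pages') as $post_cap) {
        $user_can_edit = $user_can_edit || current_user_can("edit_{$post_cap}");
    }

    // Viewing another user's public profile via ?bumu=<id>
    if (!empty($_REQUEST['bumu'])) {
        $bum_public_user = get_userdata((int) $_REQUEST['bumu']);
        if (!$bum_public_user) {
            // Unknown ID: previously this dereferenced ->ID on false.
            return false;
        }
        $user_id = $bum_public_user->ID;
    } elseif ('view' == $action || 'edit' == $action) {
        // Nothing further to prepare; the globals above are enough.
    } elseif ('update' == $action && current_user_can('edit_user', $user_id)) {
        if (IS_PROFILE_PAGE) {
            do_action('personal_options_update', $user_id);
        } else {
            do_action('edit_user_profile_update', $user_id);
        }

        if (!is_multisite()) {
            $errors = apply_filters('bum_edit_user', $user_id);
        } else {
            global $wpdb;
            $user = get_userdata($user_id);

            // Update the email address in signups, if present. Key on the edited
            // user's login; the previous code referenced an undefined $user_login.
            if ($user->user_login && isset($_POST['email']) && is_email($_POST['email'])
                && $wpdb->get_var($wpdb->prepare("SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $user->user_login))) {
                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $_POST['email'], $user->user_login));
            }

            // WPMU must delete the user from the current blog if WP added him after editing.
            $delete_role = false;
            $blog_prefix = $wpdb->get_blog_prefix();
            if ($user_id != $current_user->ID) {
                // Prepared statement instead of interpolating $user_id / $blog_prefix.
                $cap = $wpdb->get_var($wpdb->prepare(
                    "SELECT meta_value FROM {$wpdb->usermeta} WHERE user_id = %d AND meta_key = %s AND meta_value = 'a:0:{}'",
                    $user_id,
                    $blog_prefix . 'capabilities'
                ));
                if (!is_network_admin() && null == $cap && (!isset($_POST['role']) || '' == $_POST['role'])) {
                    $_POST['role'] = 'contributor';
                    $delete_role   = true;
                }
            }

            if (!isset($errors) || (is_object($errors) && false == $errors->get_error_codes())) {
                $errors = apply_filters('bum_edit_user', $user_id);
            }

            if ($delete_role) {
                // stops users being added to current blog when they are edited
                delete_user_meta($user_id, $blog_prefix . 'capabilities');
            }

            // Super admin toggle. IS_PROFILE_PAGE is defined as true at the top
            // of this function, so as written this branch can never run.
            if (is_network_admin() && !IS_PROFILE_PAGE && current_user_can('manage_network_options')
                && !isset($super_admins) && empty($_POST['super_admin']) == is_super_admin($user_id)) {
                empty($_POST['super_admin']) ? revoke_super_admin($user_id) : grant_super_admin($user_id);
            }
        }

        if (!is_wp_error($errors)) {
            $redirect = (IS_PROFILE_PAGE ? bum_get_permalink_profile() . '?' : "user-edit.php?user_id={$user_id}&") . "updated=true";
            if ($wp_http_referer) {
                $redirect = add_query_arg('wp_http_referer', urlencode($wp_http_referer), $redirect);
            }
            wp_redirect($redirect);
            exit;
        }
    } else {
        wp_redirect(bum_get_permalink_login());
        exit;
    }
}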
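/**
 * Save the user when they click "Update"
 *
 * Handles the `update` action for the user_id in $_POST: fires the core
 * profile-update actions, runs wp_user_profiles_edit_user(), optionally
 * toggles super-admin status from the network admin, then redirects back
 * with `updated=1` or dies with the errors.
 *
 * NOTE(review): no nonce check is visible here; confirm check_admin_referer()
 * runs earlier on this request.
 *
 * @since 0.1.0
 */
function wp_user_profiles_save_user()
{
    // Bail if not updating a user
    if (empty($_POST['user_id']) || empty($_POST['action'])) {
        return;
    }

    // Bail if not updating a user
    if ('update' !== $_POST['action']) {
        return;
    }

    // Set the user ID
    $user_id = (int) $_POST['user_id'];

    // Referring?
    $wp_http_referer = !empty($_REQUEST['wp_http_referer']) ? $_REQUEST['wp_http_referer'] : false;

    // Setup constant for backpat (core may already have defined it)
    if (!defined('IS_PROFILE_PAGE')) {
        define('IS_PROFILE_PAGE', get_current_user_id() === $user_id);
    }

    // Fire WordPress core actions
    if (IS_PROFILE_PAGE) {
        do_action('personal_options_update', $user_id);
    } else {
        do_action('edit_user_profile_update', $user_id);
    }

    // Update the user
    $errors = wp_user_profiles_edit_user($user_id);

    // Grant or revoke super admin status if requested. The SUPER_ADMINS
    // override lives in the global; the previous code tested an undefined
    // local $super_admins, so that guard was always true.
    if (is_multisite() && is_network_admin() && !IS_PROFILE_PAGE && current_user_can('manage_network_options')
        && !isset($GLOBALS['super_admins']) && empty($_POST['super_admin']) == is_super_admin($user_id)) {
        empty($_POST['super_admin']) ? revoke_super_admin($user_id) : grant_super_admin($user_id);
    }

    // No errors
    if (!is_wp_error($errors)) {
        $redirect = add_query_arg('updated', true);
        if (!empty($wp_http_referer)) {
            $redirect = add_query_arg('wp_http_referer', urlencode($wp_http_referer), $redirect);
        }
        wp_redirect($redirect);
        exit;

    // Errors
    } else {
        wp_die($errors);
    }
}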
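/**
 * provisions new user account - does not add to any particular blog
 *
 * Looks the login up in LDAP, creates the WordPress user with a random
 * password, stores first/last/display name, grants super admin to logins
 * listed in the `wind_super_admins` site option, fires `wpmu_activate_user`
 * and, when `wind_check_course_affils` is on, adds the user to course blogs.
 *
 * @param string $user_name         login looked up in LDAP
 * @param mixed  $wind_affiliations affiliation data handed to wind_add_to_blogs()
 * @return void
 */
function wind_create_wp_user($user_name, $wind_affiliations)
{
    # now all the site options are available as variables
    # (supplies $wind_log_file, $wind_super_admins and $wind_check_course_affils used below)
    extract(wind_getSiteOptions());
    require_once "wind_defaults.php";

    global $wpdb;
    $debug = false;

    // get_ldap_info returns
    // array(first_name => $firstName, last_name => $lastName, email => $email, uni => $uni);
    error_log("getting ldap info for {$user_name}\n", 3, $wind_log_file);
    $ldap_user_data = get_ldap_information($user_name);
    $user_email     = $ldap_user_data['email'];

    // 20 hex chars from the CSPRNG; substr(md5(uniqid(microtime()))) was predictable.
    $random_password = bin2hex(random_bytes(10));

    // create user
    $user_id = wpmu_create_user($user_name, $random_password, $user_email);
    if (!$user_id) {
        // wpmu_create_user() returns false on failure; nothing below is valid then.
        error_log("could not create user {$user_name}\n", 3, $wind_log_file);
        return;
    }

    update_user_meta($user_id, 'first_name', $ldap_user_data['first_name']);
    update_user_meta($user_id, 'last_name', $ldap_user_data['last_name']);

    $superadmins = explode(" ", $wind_super_admins);
    if (in_array($user_name, $superadmins, true)) {
        error_log("{$user_name} is a super admin\n", 3, $wind_log_file);
        require_once WIND_WP_PATH . "wp-admin/includes/ms.php";
        grant_super_admin($user_id);
    }

    $display_name = $ldap_user_data['display_name'] ? $ldap_user_data['display_name'] : $ldap_user_data['nickname'];
    if (empty($display_name) && !empty($ldap_user_data['first_name'])) {
        $display_name = $ldap_user_data['first_name'] . " " . $ldap_user_data['last_name'];
    }
    if (!empty($display_name)) {
        $wpdb->update($wpdb->users, compact('display_name'), array('ID' => $user_id));
    }

    //This is for plugin events
    do_action('wpmu_activate_user', $user_id, $random_password, false);

    error_log("In create user - wind check course affils is {$wind_check_course_affils} \n", 3, $wind_log_file);
    if ($wind_check_course_affils) {
        // The previous code passed an undefined $result here and read
        // $result->user_login; the new account's WP_User is the object that
        // fits. TODO confirm wind_add_to_blogs() expects a WP_User.
        $wp_user = get_userdata($user_id);
        error_log("yes check course affils for {$wp_user->user_login}\n", 3, $wind_log_file);
        wind_add_to_blogs($wp_user, $wind_affiliations, $debug);
    }
}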
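/**
 * Handles the front end user editing
 *
 * Processes a `bbp-update-user` POST: confirms or dismisses a pending e-mail
 * change on multisite, verifies the nonce and the `edit_user` capability,
 * runs edit_user(), optionally toggles super-admin status when a network
 * super admin edits somebody else, then redirects on success or stores the
 * errors for display.
 *
 * @uses is_multisite() To check if it's a multisite
 * @uses bbp_is_user_home() To check if the user is at home (the display page
 *                           is the one of the logged in user)
 * @uses get_option() To get the displayed user's new email id option
 * @uses hash_equals() To compare the confirmation hash in constant time
 * @uses wpdb::prepare() To sanitize our sql query
 * @uses wpdb::get_var() To execute our query and get back the variable
 * @uses wpdb::query() To execute our query
 * @uses wp_update_user() To update the user
 * @uses delete_option() To delete the displayed user's email id option
 * @uses bbp_get_user_profile_edit_url() To get the edit profile url
 * @uses wp_safe_redirect() To redirect to the url
 * @uses bbp_verify_nonce_request() To verify the nonce and check the request
 * @uses current_user_can() To check if the current user can edit the user
 * @uses do_action() Calls 'personal_options_update' or
 *                    'edit_user_options_update' (based on if it's the user home)
 *                    with the displayed user id
 * @uses edit_user() To edit the user based on the post data
 * @uses is_super_admin() To check the current user is a super admin
 * @uses revoke_super_admin() To revoke super admin privileges
 * @uses grant_super_admin() To grant super admin privileges
 * @uses is_wp_error() To check if the value retrieved is a {@link WP_Error}
 */
function bbp_edit_user_handler()
{
    // Bail if not a POST action
    if ('POST' !== strtoupper($_SERVER['REQUEST_METHOD'])) {
        return;
    }

    // Bail if action is not 'bbp-update-user'
    if (empty($_POST['action']) || 'bbp-update-user' !== $_POST['action']) {
        return;
    }

    // Get the displayed user ID
    $user_id       = bbp_get_displayed_user_id();
    $new_email_key = $user_id . '_new_email';

    // Execute confirmed email change. See send_confirmation_on_profile_email().
    if (is_multisite() && bbp_is_user_home_edit() && isset($_GET['newuseremail'])) {
        $new_email = get_option($new_email_key);

        // get_option() may return false or a malformed value, so guard the
        // array access; compare the hash in constant time rather than with ==.
        $hash_matches = is_array($new_email)
            && isset($new_email['hash'], $new_email['newemail'])
            && is_string($_GET['newuseremail'])
            && hash_equals((string) $new_email['hash'], $_GET['newuseremail']);

        if ($hash_matches) {
            $user             = new stdClass();
            $user->ID         = $user_id;
            $user->user_email = esc_html(trim($new_email['newemail']));

            global $wpdb;
            $displayed_login = bbp_get_displayed_user_field('user_login');
            if ($wpdb->get_var($wpdb->prepare("SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $displayed_login))) {
                $wpdb->query($wpdb->prepare("UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $user->user_email, $displayed_login));
            }

            wp_update_user(get_object_vars($user));
            delete_option($new_email_key);

            wp_safe_redirect(add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($user_id)));
            exit;
        }

    // Delete new email address from user options
    } elseif (is_multisite() && bbp_is_user_home_edit() && !empty($_GET['dismiss']) && $new_email_key === $_GET['dismiss']) {
        delete_option($new_email_key);
        wp_safe_redirect(add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($user_id)));
        exit;
    }

    // Nonce check
    if (!bbp_verify_nonce_request('update-user_' . $user_id)) {
        bbp_add_error('bbp_update_user_nonce', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Cap check
    if (!current_user_can('edit_user', $user_id)) {
        bbp_add_error('bbp_update_user_capability', __('<strong>ERROR</strong>: Are you sure you wanted to do that?', 'bbpress'));
        return;
    }

    // Do action based on who's profile you're editing
    $edit_action = bbp_is_user_home_edit() ? 'personal_options_update' : 'edit_user_profile_update';
    do_action($edit_action, $user_id);

    // Handle user edit
    $edit_user = edit_user($user_id);

    // Error(s) editing the user, so copy them into the global
    if (is_wp_error($edit_user)) {
        bbpress()->errors = $edit_user;

    // Successful edit to redirect
    } elseif (is_integer($edit_user)) {

        // Maybe update super admin ability. Previously `edit_user` alone was
        // enough to honour $_POST['super_admin'], so anyone allowed to edit a
        // profile could promote or demote a super admin; require the editor to
        // be a super admin with manage_network_options as well.
        if (is_multisite() && !bbp_is_user_home_edit() && current_user_can('manage_network_options') && is_super_admin()) {
            empty($_POST['super_admin']) ? revoke_super_admin($edit_user) : grant_super_admin($edit_user);
        }

        $redirect = add_query_arg(array('updated' => 'true'), bbp_get_user_profile_edit_url($edit_user));
        wp_safe_redirect($redirect);
        exit;
    }
}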
/**
 * A user holding `unfiltered_html` still gets `<script>` stripped from a comment
 * when the submission carries no valid unfiltered-HTML nonce.
 *
 * The submitted data below contains only the post ID and the comment text — no
 * nonce field — so the capability alone must not be enough to keep raw markup.
 */
public function test_privileged_user_cannot_comment_unfiltered_html_without_valid_nonce() {
	$editor = self::factory()->user->create_and_get( array( 'role' => 'editor' ) );

	if ( is_multisite() ) {
		// On multisite the capability is reserved for Super Admins, so an editor
		// lacks it until promoted.
		$this->assertFalse( user_can( $editor->ID, 'unfiltered_html' ) );
		grant_super_admin( $editor->ID );
	}

	wp_set_current_user( $editor->ID );
	$this->assertTrue( current_user_can( 'unfiltered_html' ) );

	$target_post = self::factory()->post->create_and_get();
	$submission  = array(
		'comment_post_ID' => $target_post->ID,
		'comment'         => 'Comment <script>alert(document.cookie);</script>',
	);

	$result = wp_handle_comment_submission( $submission );

	$this->assertNotWPError( $result );
	$this->assertInstanceOf( 'WP_Comment', $result );
	// The stored comment must not carry the script tag through.
	$this->assertNotContains( '<script', $result->comment_content );
}
/**
 * grant_super_admin() / revoke_super_admin() toggle a user's status and report
 * whether anything changed, without ever populating the `$super_admins` global.
 *
 * @ticket 27205
 */
function test_granting_super_admins() {
	// Park any pre-existing $super_admins global so the test starts from a clean state.
	if ( isset( $GLOBALS['super_admins'] ) ) {
		$saved_super_admins = $GLOBALS['super_admins'];
		unset( $GLOBALS['super_admins'] );
	}

	$first_user = $this->factory->user->create();

	// Fresh user: not a super admin, revoking is a no-op, granting succeeds exactly once.
	$this->assertFalse( is_super_admin( $first_user ) );
	$this->assertFalse( revoke_super_admin( $first_user ) );
	$this->assertTrue( grant_super_admin( $first_user ) );
	$this->assertTrue( is_super_admin( $first_user ) );
	$this->assertFalse( grant_super_admin( $first_user ) ); // already granted
	$this->assertTrue( revoke_super_admin( $first_user ) );

	// None of the calls above may have populated the global.
	$this->assertFalse( isset( $GLOBALS['super_admins'] ) );

	// Two users can hold the status independently of each other.
	$second_user = $this->factory->user->create();
	$this->assertTrue( grant_super_admin( $first_user ) );
	$this->assertTrue( grant_super_admin( $second_user ) );
	$this->assertTrue( is_super_admin( $second_user ) );
	$this->assertTrue( is_super_admin( $first_user ) );
	$this->assertTrue( revoke_super_admin( $first_user ) );
	$this->assertTrue( revoke_super_admin( $second_user ) );

	// Restore the global only if one was parked (a parked null is intentionally not restored).
	if ( isset( $saved_super_admins ) ) {
		$GLOBALS['super_admins'] = $saved_super_admins;
	}
}
/**
 * Grant or revoke super admin status
 *
 * This function exists to assist with updating whether a user is an
 * administrator to the entire installation.
 *
 * The change is applied only when every gate holds: a real WP_User, a
 * multisite install, the network admin screen (not the user's own profile
 * page), a current user with `manage_network_options`, no predefined
 * `$super_admins` global, and a submitted `super_admin` value that differs
 * from the user's current status. Otherwise the user is returned untouched.
 *
 * @since 0.2.0
 *
 * @param WP_User|null $user The user being edited.
 * @return WP_User|null The same $user that was passed in.
 */
function wp_user_profiles_update_global_admin( $user = null ) {
	// Only act on a real user object.
	if ( ! is_a( $user, 'WP_User' ) ) {
		return $user;
	}

	// Super admins exist only on multisite, and are managed from the network
	// admin screen — never from a profile page.
	if ( ! is_multisite() || ! is_network_admin() || IS_PROFILE_PAGE ) {
		return $user;
	}

	// Authorization gate: the current user must be allowed to manage network options.
	if ( ! current_user_can( 'manage_network_options' ) ) {
		return $user;
	}

	// A predefined $super_admins global takes precedence; leave it alone.
	if ( isset( $GLOBALS['super_admins'] ) ) {
		return $user;
	}

	// Only write when the requested state differs from the current one.
	$wants_removal = empty( $_POST['super_admin'] );
	if ( $wants_removal != is_super_admin( $user->ID ) ) {
		return $user;
	}

	if ( $wants_removal ) {
		revoke_super_admin( $user->ID );
	} else {
		grant_super_admin( $user->ID );
	}

	// Return the user
	return $user;
}
* @param int $user_id The user ID. */ do_action('edit_user_profile_update', $user_id); } // Update the email address in signups, if present. if (is_multisite()) { $user = get_userdata($user_id); if ($user->user_login && isset($_POST['email']) && is_email($_POST['email']) && $wpdb->get_var($wpdb->prepare("SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $user->user_login))) { $wpdb->query($wpdb->prepare("UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $_POST['email'], $user_login)); } } // Update the user. $errors = edit_user($user_id); // Grant or revoke super admin status if requested. if (is_multisite() && is_network_admin() && !IS_PROFILE_PAGE && current_user_can('manage_network_options') && !isset($super_admins) && empty($_POST['super_admin']) == is_super_admin($user_id)) { empty($_POST['super_admin']) ? revoke_super_admin($user_id) : grant_super_admin($user_id); } if (!is_wp_error($errors)) { $redirect = add_query_arg('updated', true, get_edit_user_link($user_id)); if ($wp_http_referer) { $redirect = add_query_arg('wp_http_referer', urlencode($wp_http_referer), $redirect); } wp_redirect($redirect); exit; } default: $profileuser = get_user_to_edit($user_id); if (!current_user_can('edit_user', $user_id)) { wp_die(__('You do not have permission to edit this user.')); } $sessions = WP_Session_Tokens::get_instance($profileuser->ID);
/**
 * An administrator (promoted to super admin on multisite) may add meta to another user.
 *
 * @ticket 38412
 */
public function test_user_can_add_user_meta() {
	$admin_id      = self::$users['administrator']->ID;
	$subscriber_id = self::$users['subscriber']->ID;

	wp_set_current_user( $admin_id );

	// On multisite the administrator is promoted to super admin before the capability check.
	if ( is_multisite() ) {
		grant_super_admin( $admin_id );
	}

	$this->assertTrue( current_user_can( 'add_user_meta', $subscriber_id, 'foo' ) );
}