Better registration password reset management

parent f432c34e
......@@ -48,6 +48,10 @@ if(!class_exists('SexhackAddUnlockLogin')) {
return $string.$html;
}
// XXX Those 3 functions, hard-coded uri's that are dependent on a shortcode? that's sounds a bad idea, we
// really need to implement the admin subpages for the plugin so i can setup easily more things!
public function add_to_register($string, $args){
return $this->unlock_button($string, $args, $this->get_proto().wp_parse_url( home_url(), PHP_URL_HOST )."/register");
}
......
......@@ -9,6 +9,8 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
sexhack_log('SexhackPmsPasswordDataLeak() Instanced');
add_filter( 'pms_recover_password_message', array($this, "change_recover_form_message") );
add_action( 'init', array($this, 'reset_password_form'), 9);
add_action( 'login_form_rp', array( $this, 'redirect_password_reset' ) );
add_action( 'login_form_resetpass', array( $this, 'redirect_password_reset' ) );
}
public function change_recover_form_message($string)
......@@ -16,6 +18,11 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
return str_replace("<br/>", "<br/>If valid, ", $string);
}
public function redirect_password_reset()
{
wp_redirect( home_url( 'password-reset' ) );
}
public function reset_password_form()
{
......@@ -64,6 +71,9 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
//If entered username or email is valid (no errors), email the password reset confirmation link
if ( count( pms_errors()->get_error_codes() ) == 0 && !$error) {
send_changepwd_mail($user);
/*
if (is_object($user)) { //user data is set
$requestedUserID = $user->ID;
$requestedUserLogin = $user->user_login;
......@@ -109,7 +119,10 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
if( $sent === true )
do_action( 'pms_password_reset_email_sent', $user, $key );
}
} */
}
} // isset($_POST[pms_username_email])
unset($_POST['pms_username_email']);
......
......@@ -154,7 +154,7 @@ if(!class_exists('SexHackVideoGallery')) {
if($wooprod) {
sexhack_log($_SERVER['REQUEST_URI']." BEFORE ".print_r($query, true));
$query->query['post_type'] = 'sexhack_video';
$query->set('name', $wooprod);
$query->set('name', esc_sql($wooprod));
$query->set('post_type', 'any');
//$query->set('post_type', '');
sexhack_log("AFTER ".print_r($query, true));
......@@ -202,11 +202,9 @@ if(!class_exists('SexHackVideoGallery')) {
sexhack_log("REWRITE: Need to add and flush our rules!");
$wp_rewrite->add_rewrite_tag("%wooprod%", '([^/]+)', "post_type=sexhack_video&wooprod=");
$wp_rewrite->add_permastruct('v', $projects_structure, false);
//$wp_rewrite->flush_rules();
update_option('need_rewrite_flush', 1);
}
//$wp_rewrite->flush_rules();
}
......
......@@ -2,24 +2,27 @@
namespace wp_SexHackMe;
function send_changepwd_mail($user_login){
function send_changepwd_mail($user_login, $baseurl=false){
global $wpdb, $wp_hasher;
$user_login = sanitize_text_field($user_login);
if ( empty( $user_login) ) {
if(!is_object($user_login)) {
$user_login = sanitize_text_field($user_login);
if ( empty( $user_login) ) {
return false;
} else if ( strpos( $user_login, '@' ) ) {
} else if ( strpos( $user_login, '@' ) ) {
$user_data = get_user_by( 'email', trim( $user_login ) );
if ( empty( $user_data ) )
return false;
} else {
} else {
$login = trim($user_login);
$user_data = get_user_by('login', $login);
}
}
do_action('lostpassword_post');
if ( !$user_data ) return false;
if ( !is_object($user_data) ) return false;
// redefining user_login ensures we return the right case in the email
$user_login = $user_data->user_login;
......@@ -31,23 +34,34 @@ function send_changepwd_mail($user_login){
return false;
else if ( is_wp_error($allow) )
return false;
$key = get_password_reset_key( $user_data );
$key = pms_retrieve_activation_key( $user_login );
//$key = get_password_reset_key( $user_data );
do_action( 'retrieve_password_key', $user_login, $key );
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . 'wp-includes/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
//$hashed = $wp_hasher->HashPassword( $key );
//$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
// XXX Seriously? hardcoded?
$message .= '<' . network_site_url("/password-reset/?key=$key&loginName=" . rawurlencode($user_login), 'login') . ">\r\n";
//$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
// XXX Should we send it with html for the link or can we assume links are ok with mail clients? verify please!
//add_filter('wp_mail_content_type', function () { return 'text/html'; } );
// Temporary change the from name and from email
// XXX Require PMS! do we want it? Should we change with our own for sexhack?
add_filter( 'wp_mail_from_name', array( 'PMS_Emails', 'pms_email_website_name' ), 20, 1 );
add_filter( 'wp_mail_from', array( 'PMS_Emails', 'pms_email_website_email' ), 20, 1 );
if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name;
......@@ -59,6 +73,16 @@ function send_changepwd_mail($user_login){
$title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key);
// add option to store all user $id => $key and timestamp values that reset their passwords every 24 hours
// XXX Require PMS, shouldn't we use normal wordpress activations keys? See commented parts on user_activation_key here
if ( false === ( $activation_keys = get_option( 'pms_recover_password_activation_keys' ) ) ) {
$activation_keys = array();
}
$activation_keys[$user->ID]['key'] = $key;
$activation_keys[$user->ID]['time'] = time();
update_option( 'pms_recover_password_activation_keys', $activation_keys );
if ( $message && !wp_mail($user_email, $title, $message) )
wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment