Better registration password reset management

parent f432c34e
...@@ -48,6 +48,10 @@ if(!class_exists('SexhackAddUnlockLogin')) { ...@@ -48,6 +48,10 @@ if(!class_exists('SexhackAddUnlockLogin')) {
return $string.$html; return $string.$html;
} }
// XXX Those 3 functions, hard-coded uri's that are dependent on a shortcode? that's sounds a bad idea, we
// really need to implement the admin subpages for the plugin so i can setup easily more things!
public function add_to_register($string, $args){ public function add_to_register($string, $args){
return $this->unlock_button($string, $args, $this->get_proto().wp_parse_url( home_url(), PHP_URL_HOST )."/register"); return $this->unlock_button($string, $args, $this->get_proto().wp_parse_url( home_url(), PHP_URL_HOST )."/register");
} }
...@@ -9,6 +9,8 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) { ...@@ -9,6 +9,8 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
sexhack_log('SexhackPmsPasswordDataLeak() Instanced'); sexhack_log('SexhackPmsPasswordDataLeak() Instanced');
add_filter( 'pms_recover_password_message', array($this, "change_recover_form_message") ); add_filter( 'pms_recover_password_message', array($this, "change_recover_form_message") );
add_action( 'init', array($this, 'reset_password_form'), 9); add_action( 'init', array($this, 'reset_password_form'), 9);
add_action( 'login_form_rp', array( $this, 'redirect_password_reset' ) );
add_action( 'login_form_resetpass', array( $this, 'redirect_password_reset' ) );
} }
public function change_recover_form_message($string) public function change_recover_form_message($string)
...@@ -16,6 +18,11 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) { ...@@ -16,6 +18,11 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
return str_replace("<br/>", "<br/>If valid, ", $string); return str_replace("<br/>", "<br/>If valid, ", $string);
} }
public function redirect_password_reset()
{
wp_redirect( home_url( 'password-reset' ) );
}
public function reset_password_form() public function reset_password_form()
{ {
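Review bot: `redirect_password_reset()` calls `wp_redirect()` without terminating the request, so the Location header is queued but wp-login.php carries on into its `rp`/`resetpass` handling, which is exactly the core form the two new `login_form_rp`/`login_form_resetpass` hooks are meant to keep users away from, and its output can end up mixed with or overriding the redirect. Add an exit after the redirect, and since the target is the site's own host the conventional call is the safe variant: `wp_safe_redirect( home_url( 'password-reset' ) ); exit;`. The `password-reset` path is hard-coded here in the same way the mail link in send_changepwd_mail hard-codes `/password-reset/`; taking both from one shared option or constant would keep them from drifting apart.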
...@@ -64,6 +71,9 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) { ...@@ -64,6 +71,9 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
//If entered username or email is valid (no errors), email the password reset confirmation link //If entered username or email is valid (no errors), email the password reset confirmation link
if ( count( pms_errors()->get_error_codes() ) == 0 && !$error) { if ( count( pms_errors()->get_error_codes() ) == 0 && !$error) {
send_changepwd_mail($user);
/*
if (is_object($user)) { //user data is set if (is_object($user)) { //user data is set
$requestedUserID = $user->ID; $requestedUserID = $user->ID;
$requestedUserLogin = $user->user_login; $requestedUserLogin = $user->user_login;
...@@ -109,7 +119,10 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) { ...@@ -109,7 +119,10 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
if( $sent === true ) if( $sent === true )
do_action( 'pms_password_reset_email_sent', $user, $key ); do_action( 'pms_password_reset_email_sent', $user, $key );
} } */
} }
} // isset($_POST[pms_username_email]) } // isset($_POST[pms_username_email])
unset($_POST['pms_username_email']); unset($_POST['pms_username_email']);
...@@ -154,7 +154,7 @@ if(!class_exists('SexHackVideoGallery')) { ...@@ -154,7 +154,7 @@ if(!class_exists('SexHackVideoGallery')) {
if($wooprod) { if($wooprod) {
sexhack_log($_SERVER['REQUEST_URI']." BEFORE ".print_r($query, true)); sexhack_log($_SERVER['REQUEST_URI']." BEFORE ".print_r($query, true));
$query->query['post_type'] = 'sexhack_video'; $query->query['post_type'] = 'sexhack_video';
$query->set('name', $wooprod); $query->set('name', esc_sql($wooprod));
$query->set('post_type', 'any'); $query->set('post_type', 'any');
//$query->set('post_type', ''); //$query->set('post_type', '');
sexhack_log("AFTER ".print_r($query, true)); sexhack_log("AFTER ".print_r($query, true));
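Review bot: `esc_sql($wooprod)` on the `$query->set('name', …)` line is applied at the wrong layer: `esc_sql()` is for strings spliced directly into SQL, whereas WP_Query runs the `name` query var through `sanitize_title_for_query()` itself when it builds the `post_name` clause, so the call adds no protection and a value containing a quote or backslash now arrives pre-escaped and no longer matches its slug. If the intent is to constrain the rewrite-captured `%wooprod%` value (`([^/]+)` accepts anything but a slash) to a slug, `$query->set('name', sanitize_title($wooprod));` says that directly; as far as the `name` var is concerned the original line was already handled by WP_Query. The enclosing method starts and ends outside the hunk.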
...@@ -202,11 +202,9 @@ if(!class_exists('SexHackVideoGallery')) { ...@@ -202,11 +202,9 @@ if(!class_exists('SexHackVideoGallery')) {
sexhack_log("REWRITE: Need to add and flush our rules!"); sexhack_log("REWRITE: Need to add and flush our rules!");
$wp_rewrite->add_rewrite_tag("%wooprod%", '([^/]+)', "post_type=sexhack_video&wooprod="); $wp_rewrite->add_rewrite_tag("%wooprod%", '([^/]+)', "post_type=sexhack_video&wooprod=");
$wp_rewrite->add_permastruct('v', $projects_structure, false); $wp_rewrite->add_permastruct('v', $projects_structure, false);
//$wp_rewrite->flush_rules();
update_option('need_rewrite_flush', 1); update_option('need_rewrite_flush', 1);
} }
//$wp_rewrite->flush_rules();
} }
...@@ -2,9 +2,10 @@ ...@@ -2,9 +2,10 @@
namespace wp_SexHackMe; namespace wp_SexHackMe;
function send_changepwd_mail($user_login){ function send_changepwd_mail($user_login, $baseurl=false){
global $wpdb, $wp_hasher; global $wpdb, $wp_hasher;
if(!is_object($user_login)) {
$user_login = sanitize_text_field($user_login); $user_login = sanitize_text_field($user_login);
if ( empty( $user_login) ) { if ( empty( $user_login) ) {
return false; return false;
...@@ -16,10 +17,12 @@ function send_changepwd_mail($user_login){ ...@@ -16,10 +17,12 @@ function send_changepwd_mail($user_login){
$login = trim($user_login); $login = trim($user_login);
$user_data = get_user_by('login', $login); $user_data = get_user_by('login', $login);
} }
}
do_action('lostpassword_post'); do_action('lostpassword_post');
if ( !$user_data ) return false; if ( !$user_data ) return false;
if ( !is_object($user_data) ) return false;
// redefining user_login ensures we return the right case in the email // redefining user_login ensures we return the right case in the email
$user_login = $user_data->user_login; $user_login = $user_data->user_login;
...@@ -32,22 +35,33 @@ function send_changepwd_mail($user_login){ ...@@ -32,22 +35,33 @@ function send_changepwd_mail($user_login){
else if ( is_wp_error($allow) ) else if ( is_wp_error($allow) )
return false; return false;
$key = pms_retrieve_activation_key( $user_login );
$key = get_password_reset_key( $user_data ); //$key = get_password_reset_key( $user_data );
do_action( 'retrieve_password_key', $user_login, $key ); do_action( 'retrieve_password_key', $user_login, $key );
if ( empty( $wp_hasher ) ) { if ( empty( $wp_hasher ) ) {
require_once ABSPATH . 'wp-includes/class-phpass.php'; require_once ABSPATH . 'wp-includes/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true ); $wp_hasher = new PasswordHash( 8, true );
} }
$hashed = $wp_hasher->HashPassword( $key ); //$hashed = $wp_hasher->HashPassword( $key );
$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) ); //$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n"; $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url( '/' ) . "\r\n\r\n"; $message .= network_home_url( '/' ) . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n"; $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n"; $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n"; $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n"; // XXX Seriously? hardcoded?
$message .= '<' . network_site_url("/password-reset/?key=$key&loginName=" . rawurlencode($user_login), 'login') . ">\r\n";
//$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
// XXX Should we send it with html for the link or can we assume links are ok with mail clients? verify please!
//add_filter('wp_mail_content_type', function () { return 'text/html'; } );
// Temporary change the from name and from email
// XXX Require PMS! do we want it? Should we change with our own for sexhack?
add_filter( 'wp_mail_from_name', array( 'PMS_Emails', 'pms_email_website_name' ), 20, 1 );
add_filter( 'wp_mail_from', array( 'PMS_Emails', 'pms_email_website_email' ), 20, 1 );
if ( is_multisite() ) if ( is_multisite() )
$blogname = $GLOBALS['current_site']->site_name; $blogname = $GLOBALS['current_site']->site_name;
...@@ -59,6 +73,16 @@ function send_changepwd_mail($user_login){ ...@@ -59,6 +73,16 @@ function send_changepwd_mail($user_login){
$title = apply_filters('retrieve_password_title', $title); $title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key); $message = apply_filters('retrieve_password_message', $message, $key);
// add option to store all user $id => $key and timestamp values that reset their passwords every 24 hours
// XXX Require PMS, shouldn't we use normal wordpress activations keys? See commented parts on user_activation_key here
if ( false === ( $activation_keys = get_option( 'pms_recover_password_activation_keys' ) ) ) {
$activation_keys = array();
}
$activation_keys[$user->ID]['key'] = $key;
$activation_keys[$user->ID]['time'] = time();
update_option( 'pms_recover_password_activation_keys', $activation_keys );
if ( $message && !wp_mail($user_email, $title, $message) ) if ( $message && !wp_mail($user_email, $title, $message) )
wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') ); wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );
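Review bot: The two new `$activation_keys[$user->ID]` lines read `$user`, but this function's parameter is `$user_login` and the resolved account lives in `$user_data` (see `$user_login = $user_data->user_login;` above); unless `$user` is assigned in the lines not shown, this is an undefined variable and every key is stored under an empty index, so a lookup by user ID on the reset page can never match. The change I would make is `$activation_keys[$user_data->ID]['key'] = $key;` and `$activation_keys[$user_data->ID]['time'] = time();`. Note also that, unlike the now commented-out `user_activation_key` path that stored `$wp_hasher->HashPassword( $key )`, the `pms_recover_password_activation_keys` option holds the reset token in clear text together with its timestamp, so anyone with read access to wp_options (a backup, a replica, a read-only DB leak) holds usable reset links; storing a hash and comparing it with `hash_equals()` on the reset page would restore the property the old code had. The new `$baseurl` parameter in the signature is not read anywhere in the visible hunks, while the mail link on the `/password-reset/` line stays hard-coded, as the XXX comment itself notes. send_changepwd_mail starts and ends outside the hunk.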