Better registration password reset management

ba5be614 · Franco (nextime) Lanza · f432c34e · ba5be614 · ba5be614 · ba5be614
Commit ba5be614 authored Jul 01, 2022 by Franco (nextime) Lanza
4 changed files
--- a/classes/add_unlock_login.php
+++ b/classes/add_unlock_login.php
@@ -48,6 +48,10 @@ if(!class_exists('SexhackAddUnlockLogin')) {
 			return $string.$html;
 		}

+
+
+      // XXX Those 3 functions, hard-coded uri's that are dependent on a shortcode? that's sounds a bad idea, we 
+      //     really need to implement the admin subpages for the plugin so i can setup easily more things!
 		public function add_to_register($string, $args){
 			return $this->unlock_button($string, $args, $this->get_proto().wp_parse_url( home_url(), PHP_URL_HOST )."/register");
 		}

--- a/classes/pms_reset_password_fix.php
+++ b/classes/pms_reset_password_fix.php
@@ -9,6 +9,8 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
         sexhack_log('SexhackPmsPasswordDataLeak() Instanced');
         add_filter( 'pms_recover_password_message', array($this, "change_recover_form_message") );
         add_action( 'init', array($this, 'reset_password_form'), 9);
+			add_action( 'login_form_rp', array( $this, 'redirect_password_reset' ) );
+			add_action( 'login_form_resetpass', array( $this, 'redirect_password_reset' ) );
      }

      public function change_recover_form_message($string)
@@ -16,6 +18,11 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
         return str_replace("<br/>", "<br/>If valid, ", $string);
      }

+		public function redirect_password_reset() 
+		{
+			wp_redirect( home_url( 'password-reset' ) );
+		}
+
      public function reset_password_form() 
      {

@@ -64,6 +71,9 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {
            //If entered username or email is valid (no errors), email the password reset confirmation link
            if ( count( pms_errors()->get_error_codes() ) == 0 && !$error) {

+               
+                send_changepwd_mail($user);
+                /* 
                if (is_object($user)) {  //user data is set
                    $requestedUserID = $user->ID;
                    $requestedUserLogin = $user->user_login;
@@ -109,7 +119,10 @@ if(!class_exists('SexhackPmsPasswordDataLeak')) {

                    if( $sent === true )
                        do_action( 'pms_password_reset_email_sent', $user, $key );
-                }
+                } */
+
+
+
             }
     		 } // isset($_POST[pms_username_email])
 	 		 unset($_POST['pms_username_email']);

--- a/classes/sexhack_gallery.php
+++ b/classes/sexhack_gallery.php
@@ -154,7 +154,7 @@ if(!class_exists('SexHackVideoGallery')) {
      		if($wooprod) {
         		sexhack_log($_SERVER['REQUEST_URI']." BEFORE ".print_r($query, true));
         		$query->query['post_type'] = 'sexhack_video';
-         		$query->set('name', $wooprod);
+         		$query->set('name', esc_sql($wooprod));
         		$query->set('post_type', 'any');
         		//$query->set('post_type', '');
         		sexhack_log("AFTER ".print_r($query, true));
@@ -202,11 +202,9 @@ if(!class_exists('SexHackVideoGallery')) {
            sexhack_log("REWRITE: Need to add and flush our rules!");
            $wp_rewrite->add_rewrite_tag("%wooprod%", '([^/]+)', "post_type=sexhack_video&wooprod=");
            $wp_rewrite->add_permastruct('v', $projects_structure, false);
-            //$wp_rewrite->flush_rules();
            update_option('need_rewrite_flush', 1);

         }
-         //$wp_rewrite->flush_rules();
 		}



--- a/helpers/pwdutils.php
+++ b/helpers/pwdutils.php
@@ -2,9 +2,10 @@

 namespace wp_SexHackMe;

-function send_changepwd_mail($user_login){
+function send_changepwd_mail($user_login, $baseurl=false){
 	
    global $wpdb, $wp_hasher;
+    if(!is_object($user_login)) {
      $user_login = sanitize_text_field($user_login);
      if ( empty( $user_login) ) {
        return false;
@@ -16,10 +17,12 @@ function send_changepwd_mail($user_login){
        $login = trim($user_login);
        $user_data = get_user_by('login', $login);
      }
+    }
    
    do_action('lostpassword_post');
 	
    if ( !$user_data ) return false;
+    if ( !is_object($user_data) ) return false;

    // redefining user_login ensures we return the right case in the email
    $user_login = $user_data->user_login;
@@ -32,22 +35,33 @@ function send_changepwd_mail($user_login){
    else if ( is_wp_error($allow) )
        return false;

-	
-	$key = get_password_reset_key( $user_data );
+	 $key = pms_retrieve_activation_key( $user_login );
+	 //$key = get_password_reset_key( $user_data );
    do_action( 'retrieve_password_key', $user_login, $key );

    if ( empty( $wp_hasher ) ) {
        require_once ABSPATH . 'wp-includes/class-phpass.php';
        $wp_hasher = new PasswordHash( 8, true );
    }
-    $hashed = $wp_hasher->HashPassword( $key );    
-    $wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
+    //$hashed = $wp_hasher->HashPassword( $key );    
+    //$wpdb->update( $wpdb->users, array( 'user_activation_key' => time().":".$hashed ), array( 'user_login' => $user_login ) );
    $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
    $message .= network_home_url( '/' ) . "\r\n\r\n";
    $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
    $message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
    $message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
-    $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
+    // XXX Seriously? hardcoded?
+    $message .= '<' . network_site_url("/password-reset/?key=$key&loginName=" . rawurlencode($user_login), 'login') . ">\r\n";
+    //$message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n";
+
+    
+    // XXX Should we send it with html for the link or can we assume links are ok with mail clients? verify please!
+    //add_filter('wp_mail_content_type', function () { return 'text/html'; } );
+
+    // Temporary change the from name and from email
+    // XXX Require PMS! do we want it? Should we change with our own for sexhack?
+    add_filter( 'wp_mail_from_name', array( 'PMS_Emails', 'pms_email_website_name' ), 20, 1 );
+    add_filter( 'wp_mail_from', array( 'PMS_Emails', 'pms_email_website_email' ), 20, 1 );

    if ( is_multisite() )
        $blogname = $GLOBALS['current_site']->site_name;
@@ -59,6 +73,16 @@ function send_changepwd_mail($user_login){
    $title = apply_filters('retrieve_password_title', $title);
    $message = apply_filters('retrieve_password_message', $message, $key);

+
+    // add option to store all user $id => $key and timestamp values that reset their passwords every 24 hours
+    // XXX Require PMS, shouldn't we use normal wordpress activations keys? See commented parts on user_activation_key here
+    if ( false === ( $activation_keys = get_option( 'pms_recover_password_activation_keys' ) ) ) {
+         $activation_keys = array();
+    }
+    $activation_keys[$user->ID]['key'] = $key;
+    $activation_keys[$user->ID]['time'] = time();
+    update_option( 'pms_recover_password_activation_keys', $activation_keys );
+
    if ( $message && !wp_mail($user_email, $title, $message) )
        wp_die( __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') );