BuddyPress/buddypress
1
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/buddypress/buddypress.git synced 2026-05-31 05:04:29 +08:00
Code Packages Activity Actions
buddypress/bp-settings/bp-settings-actions.php
Boone B Gorges 7e99ce665a Check bp_disable_account_deletion() setting in screen function rather than bp_core_delete_account() business function 
The purpose of the disable-account-deletion setting is to prevent normal (ie
non-admin) BP users from deleting their own accounts through the front-end
interface. Locating the settings check in the business function
bp_core_delete_account() therefore caused problems when deleting accounts in
areas that were not meant to be covered by the setting, such as when accounts
are deleted in the Dashboard by an admin, or when the BP_Signup::delete()
method is called. This caused a particular problem in BP 2.0, because the
deletion of signups was no longer correctly cleaning up other data from the
database (xprofile, usermeta, etc).

Fixes #5575

git-svn-id: https://buddypress.svn.wordpress.org/branches/2.0@8325 cdf35c40-ae34-48e0-9cc9-0c9da1808c22
2014-04-26 18:45:35 +00:00

357 lines
11 KiB
PHP
Raw Permalink Blame History

<?php
/**
* BuddyPress Settings Actions
*
* @todo split actions into separate screen functions
* @package BuddyPress
* @subpackage SettingsActions
*/
// Exit if accessed directly
if ( !defined( 'ABSPATH' ) ) exit;
/**
* Handles the changing and saving of user email addressos and passwords
*
* We do quite a bit of logic and error handling here to make sure that users
* do not accidentally lock themselves out of their accounts. We also try to
* provide as accurate of feedback as possible without exposing anyone else's
* inforation to them.
*
* Special considerations are made for super admins that are able to edit any
* users accounts already, without knowing their existing password.
*
* @global BuddyPress $bp
*/
function bp_settings_action_general() {
// Bail if not a POST action
if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
return;
// Bail if no submit action
if ( ! isset( $_POST['submit'] ) )
return;
// Bail if not in settings
if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) )
return;
// 404 if there are any additional action variables attached
if ( bp_action_variables() ) {
bp_do_404();
return;
}
// Define local defaults
$bp = buddypress(); // The instance
$email_error = false; // invalid|blocked|taken|empty|nochange
$pass_error = false; // invalid|mismatch|empty|nochange
$pass_changed = false; // true if the user changes their password
$email_changed = false; // true if the user changes their email
$feedback_type = 'error'; // success|error
$feedback = array(); // array of strings for feedback
// Nonce check
check_admin_referer('bp_settings_general');
// Validate the user again for the current password when making a big change
if ( ( is_super_admin() ) || ( !empty( $_POST['pwd'] ) && wp_check_password( $_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id() ) ) ) {
$update_user = get_userdata( bp_displayed_user_id() );
/** Email Change Attempt ******************************************/
if ( !empty( $_POST['email'] ) ) {
// What is missing from the profile page vs signup - lets double check the goodies
$user_email = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
// User is changing email address
if ( $bp->displayed_user->userdata->user_email != $user_email ) {
// Run some tests on the email address
$email_checks = bp_core_validate_email_address( $user_email );
if ( true !== $email_checks ) {
if ( isset( $email_checks['invalid'] ) ) {
$email_error = 'invalid';
}
if ( isset( $email_checks['domain_banned'] ) || isset( $email_checks['domain_not_allowed'] ) ) {
$email_error = 'blocked';
}
if ( isset( $email_checks['in_use'] ) ) {
$email_error = 'taken';
}
}
// Yay we made it!
if ( false === $email_error ) {
$update_user->user_email = $user_email;
$email_changed = true;
}
// No change
} else {
$email_error = false;
}
// Email address cannot be empty
} else {
$email_error = 'empty';
}
/** Password Change Attempt ***************************************/
if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
// Password change attempt is successful
if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . $_POST['pass1'], "\\" ) ) {
$update_user->user_pass = $_POST['pass1'];
$pass_changed = true;
// Password change attempt was unsuccessful
} else {
$pass_error = 'mismatch';
}
// Both password fields were empty
} elseif ( empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) {
$pass_error = false;
// One of the password boxes was left empty
} elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
$pass_error = 'empty';
}
// The structure of the $update_user object changed in WP 3.3, but
// wp_update_user() still expects the old format
if ( isset( $update_user->data ) && is_object( $update_user->data ) ) {
$update_user = $update_user->data;
$update_user = get_object_vars( $update_user );
// Unset the password field to prevent it from emptying out the
// user's user_pass field in the database.
// @see wp_update_user()
if ( false === $pass_changed ) {
unset( $update_user['user_pass'] );
}
}
// Clear cached data, so that the changed settings take effect
// on the current page load
if ( ( false === $email_error ) && ( false === $pass_error ) && ( wp_update_user( $update_user ) ) ) {
wp_cache_delete( 'bp_core_userdata_' . bp_displayed_user_id(), 'bp' );
$bp->displayed_user->userdata = bp_core_get_core_userdata( bp_displayed_user_id() );
}
// Password Error
} else {
$pass_error = 'invalid';
}
// Email feedback
switch ( $email_error ) {
case 'invalid' :
$feedback['email_invalid'] = __( 'That email address is invalid. Check the formatting and try again.', 'buddypress' );
break;
case 'blocked' :
$feedback['email_blocked'] = __( 'That email address is currently unavailable for use.', 'buddypress' );
break;
case 'taken' :
$feedback['email_taken'] = __( 'That email address is already taken.', 'buddypress' );
break;
case 'empty' :
$feedback['email_empty'] = __( 'Email address cannot be empty.', 'buddypress' );
break;
case false :
// No change
break;
}
// Password feedback
switch ( $pass_error ) {
case 'invalid' :
$feedback['pass_error'] = __( 'Your current password is invalid.', 'buddypress' );
break;
case 'mismatch' :
$feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddypress' );
break;
case 'empty' :
$feedback['pass_empty'] = __( 'One of the password fields was empty.', 'buddypress' );
break;
case false :
// No change
break;
}
// No errors so show a simple success message
if ( ( ( false === $email_error ) || ( false == $pass_error ) ) && ( ( true === $pass_changed ) || ( true === $email_changed ) ) ) {
$feedback[] = __( 'Your settings have been saved.', 'buddypress' );
$feedback_type = 'success';
// Some kind of errors occurred
} elseif ( ( ( false === $email_error ) || ( false === $pass_error ) ) && ( ( false === $pass_changed ) || ( false === $email_changed ) ) ) {
if ( bp_is_my_profile() ) {
$feedback['nochange'] = __( 'No changes were made to your account.', 'buddypress' );
} else {
$feedback['nochange'] = __( 'No changes were made to this account.', 'buddypress' );
}
}
// Set the feedback
bp_core_add_message( implode( '</p><p>', $feedback ), $feedback_type );
// Execute additional code
do_action( 'bp_core_general_settings_after_save' );
// Redirect to prevent issues with browser back button
bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() . '/general' ) );
}
add_action( 'bp_actions', 'bp_settings_action_general' );
/**
* Handles the changing and saving of user notification settings
*/
function bp_settings_action_notifications() {
// Bail if not a POST action
if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
return;
// Bail if no submit action
if ( ! isset( $_POST['submit'] ) )
return;
// Bail if not in settings
if ( ! bp_is_settings_component() || ! bp_is_current_action( 'notifications' ) )
return false;
// 404 if there are any additional action variables attached
if ( bp_action_variables() ) {
bp_do_404();
return;
}
check_admin_referer( 'bp_settings_notifications' );
if ( isset( $_POST['notifications'] ) ) {
foreach ( (array) $_POST['notifications'] as $key => $value ) {
bp_update_user_meta( (int) bp_displayed_user_id(), $key, $value );
}
}
// Switch feedback for super admins
if ( bp_is_my_profile() ) {
bp_core_add_message( __( 'Your notification settings have been saved.', 'buddypress' ), 'success' );
} else {
bp_core_add_message( __( "This user's notification settings have been saved.", 'buddypress' ), 'success' );
}
do_action( 'bp_core_notification_settings_after_save' );
bp_core_redirect( bp_displayed_user_domain() . bp_get_settings_slug() . '/notifications/' );
}
add_action( 'bp_actions', 'bp_settings_action_notifications' );
/**
* Handles the setting of user capabilities, spamming, hamming, role, etc...
*/
function bp_settings_action_capabilities() {
// Bail if not a POST action
if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
return;
// Bail if no submit action
if ( ! isset( $_POST['capabilities-submit'] ) )
return;
// Bail if not in settings
if ( ! bp_is_settings_component() || ! bp_is_current_action( 'capabilities' ) )
return false;
// 404 if there are any additional action variables attached
if ( bp_action_variables() ) {
bp_do_404();
return;
}
// Only super admins can currently spam users (but they can't spam
// themselves)
if ( ! is_super_admin() || bp_is_my_profile() ) {
return;
}
// Nonce check
check_admin_referer( 'capabilities' );
do_action( 'bp_settings_capabilities_before_save' );
/** Spam **************************************************************/
$is_spammer = !empty( $_POST['user-spammer'] ) ? true : false;
if ( bp_is_user_spammer( bp_displayed_user_id() ) != $is_spammer ) {
$status = ( true == $is_spammer ) ? 'spam' : 'ham';
bp_core_process_spammer_status( bp_displayed_user_id(), $status );
do_action( 'bp_core_action_set_spammer_status', bp_displayed_user_id(), $status );
}
/** Other *************************************************************/
do_action( 'bp_settings_capabilities_after_save' );
// Redirect to the root domain
bp_core_redirect( bp_displayed_user_domain() . bp_get_settings_slug() . '/capabilities/' );
}
add_action( 'bp_actions', 'bp_settings_action_capabilities' );
/**
* Handles the deleting of a user
*/
function bp_settings_action_delete_account() {
// Bail if not a POST action
if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) )
return;
// Bail if no submit action
if ( ! isset( $_POST['delete-account-understand'] ) )
return;
// Bail if not in settings
if ( ! bp_is_settings_component() || ! bp_is_current_action( 'delete-account' ) )
return false;
// 404 if there are any additional action variables attached
if ( bp_action_variables() ) {
bp_do_404();
return;
}
// Bail if account deletion is disabled
if ( bp_disable_account_deletion() && ! bp_current_user_can( 'delete_users' ) ) {
return false;
}
// Nonce check
check_admin_referer( 'delete-account' );
// Get username now because it might be gone soon!
$username = bp_get_displayed_user_fullname();
// delete the users account
if ( bp_core_delete_account( bp_displayed_user_id() ) ) {
// Add feedback ater deleting a user
bp_core_add_message( sprintf( __( '%s was successfully deleted.', 'buddypress' ), $username ), 'success' );
// Redirect to the root domain
bp_core_redirect( bp_get_root_domain() );
}
}
add_action( 'bp_actions', 'bp_settings_action_delete_account' );
View git blame Copy permalink