[ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * Core User API 4 * 5 * @package WordPress 6 * @subpackage Users 7 */ 8 9 /** 10 * Authenticates and logs a user in with 'remember' capability. 11 * 12 * The credentials is an array that has 'user_login', 'user_password', and 13 * 'remember' indices. If the credentials is not given, then the log in form 14 * will be assumed and used if set. 15 * 16 * The various authentication cookies will be set by this function and will be 17 * set for a longer period depending on if the 'remember' credential is set to 18 * true. 19 * 20 * Note: wp_signon() doesn't handle setting the current user. This means that if the 21 * function is called before the {@see 'init'} hook is fired, is_user_logged_in() will 22 * evaluate as false until that point. If is_user_logged_in() is needed in conjunction 23 * with wp_signon(), wp_set_current_user() should be called explicitly. 24 * 25 * @since 2.5.0 26 * 27 * @global string $auth_secure_cookie 28 * 29 * @param array $credentials { 30 * Optional. User info in order to sign on. 31 * 32 * @type string $user_login Username. 33 * @type string $user_password User password. 34 * @type bool $remember Whether to 'remember' the user. Increases the time 35 * that the cookie will be kept. Default false. 36 * } 37 * @param string|bool $secure_cookie Optional. Whether to use secure cookie. 38 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 39 */ 40 function wp_signon( $credentials = array(), $secure_cookie = '' ) { 41 if ( empty( $credentials ) ) { 42 $credentials = array( 43 'user_login' => '', 44 'user_password' => '', 45 'remember' => false, 46 ); 47 48 if ( ! empty( $_POST['log'] ) ) { 49 $credentials['user_login'] = wp_unslash( $_POST['log'] ); 50 } 51 if ( ! empty( $_POST['pwd'] ) ) { 52 $credentials['user_password'] = $_POST['pwd']; 53 } 54 if ( ! empty( $_POST['rememberme'] ) ) { 55 $credentials['remember'] = $_POST['rememberme']; 56 } 57 } 58 59 if ( ! empty( $credentials['remember'] ) ) { 60 $credentials['remember'] = true; 61 } else { 62 $credentials['remember'] = false; 63 } 64 65 /** 66 * Fires before the user is authenticated. 67 * 68 * The variables passed to the callbacks are passed by reference, 69 * and can be modified by callback functions. 70 * 71 * @since 1.5.1 72 * 73 * @todo Decide whether to deprecate the wp_authenticate action. 74 * 75 * @param string $user_login Username (passed by reference). 76 * @param string $user_password User password (passed by reference). 77 */ 78 do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) ); 79 80 if ( '' === $secure_cookie ) { 81 $secure_cookie = is_ssl(); 82 } 83 84 /** 85 * Filters whether to use a secure sign-on cookie. 86 * 87 * @since 3.1.0 88 * 89 * @param bool $secure_cookie Whether to use a secure sign-on cookie. 90 * @param array $credentials { 91 * Array of entered sign-on data. 92 * 93 * @type string $user_login Username. 94 * @type string $user_password Password entered. 95 * @type bool $remember Whether to 'remember' the user. Increases the time 96 * that the cookie will be kept. Default false. 97 * } 98 */ 99 $secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials ); 100 101 global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie(). 102 $auth_secure_cookie = $secure_cookie; 103 104 add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 ); 105 106 $user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] ); 107 108 if ( is_wp_error( $user ) ) { 109 return $user; 110 } 111 112 wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie ); 113 /** 114 * Fires after the user has successfully logged in. 115 * 116 * @since 1.5.0 117 * 118 * @param string $user_login Username. 119 * @param WP_User $user WP_User object of the logged-in user. 120 */ 121 do_action( 'wp_login', $user->user_login, $user ); 122 return $user; 123 } 124 125 /** 126 * Authenticates a user, confirming the username and password are valid. 127 * 128 * @since 2.8.0 129 * 130 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 131 * @param string $username Username for authentication. 132 * @param string $password Password for authentication. 133 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 134 */ 135 function wp_authenticate_username_password( $user, $username, $password ) { 136 if ( $user instanceof WP_User ) { 137 return $user; 138 } 139 140 if ( empty( $username ) || empty( $password ) ) { 141 if ( is_wp_error( $user ) ) { 142 return $user; 143 } 144 145 $error = new WP_Error(); 146 147 if ( empty( $username ) ) { 148 $error->add( 'empty_username', __( '<strong>Error:</strong> The username field is empty.' ) ); 149 } 150 151 if ( empty( $password ) ) { 152 $error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) ); 153 } 154 155 return $error; 156 } 157 158 $user = get_user_by( 'login', $username ); 159 160 if ( ! $user ) { 161 return new WP_Error( 162 'invalid_username', 163 sprintf( 164 /* translators: %s: User name. */ 165 __( '<strong>Error:</strong> The username <strong>%s</strong> is not registered on this site. If you are unsure of your username, try your email address instead.' ), 166 $username 167 ) 168 ); 169 } 170 171 /** 172 * Filters whether the given user can be authenticated with the provided password. 173 * 174 * @since 2.5.0 175 * 176 * @param WP_User|WP_Error $user WP_User or WP_Error object if a previous 177 * callback failed authentication. 178 * @param string $password Password to check against the user. 179 */ 180 $user = apply_filters( 'wp_authenticate_user', $user, $password ); 181 if ( is_wp_error( $user ) ) { 182 return $user; 183 } 184 185 if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) { 186 return new WP_Error( 187 'incorrect_password', 188 sprintf( 189 /* translators: %s: User name. */ 190 __( '<strong>Error:</strong> The password you entered for the username %s is incorrect.' ), 191 '<strong>' . $username . '</strong>' 192 ) . 193 ' <a href="' . wp_lostpassword_url() . '">' . 194 __( 'Lost your password?' ) . 195 '</a>' 196 ); 197 } 198 199 return $user; 200 } 201 202 /** 203 * Authenticates a user using the email and password. 204 * 205 * @since 4.5.0 206 * 207 * @param WP_User|WP_Error|null $user WP_User or WP_Error object if a previous 208 * callback failed authentication. 209 * @param string $email Email address for authentication. 210 * @param string $password Password for authentication. 211 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 212 */ 213 function wp_authenticate_email_password( $user, $email, $password ) { 214 if ( $user instanceof WP_User ) { 215 return $user; 216 } 217 218 if ( empty( $email ) || empty( $password ) ) { 219 if ( is_wp_error( $user ) ) { 220 return $user; 221 } 222 223 $error = new WP_Error(); 224 225 if ( empty( $email ) ) { 226 // Uses 'empty_username' for back-compat with wp_signon(). 227 $error->add( 'empty_username', __( '<strong>Error:</strong> The email field is empty.' ) ); 228 } 229 230 if ( empty( $password ) ) { 231 $error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) ); 232 } 233 234 return $error; 235 } 236 237 if ( ! is_email( $email ) ) { 238 return $user; 239 } 240 241 $user = get_user_by( 'email', $email ); 242 243 if ( ! $user ) { 244 return new WP_Error( 245 'invalid_email', 246 __( 'Unknown email address. Check again or try your username.' ) 247 ); 248 } 249 250 /** This filter is documented in wp-includes/user.php */ 251 $user = apply_filters( 'wp_authenticate_user', $user, $password ); 252 253 if ( is_wp_error( $user ) ) { 254 return $user; 255 } 256 257 if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) { 258 return new WP_Error( 259 'incorrect_password', 260 sprintf( 261 /* translators: %s: Email address. */ 262 __( '<strong>Error:</strong> The password you entered for the email address %s is incorrect.' ), 263 '<strong>' . $email . '</strong>' 264 ) . 265 ' <a href="' . wp_lostpassword_url() . '">' . 266 __( 'Lost your password?' ) . 267 '</a>' 268 ); 269 } 270 271 return $user; 272 } 273 274 /** 275 * Authenticates the user using the WordPress auth cookie. 276 * 277 * @since 2.8.0 278 * 279 * @global string $auth_secure_cookie 280 * 281 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 282 * @param string $username Username. If not empty, cancels the cookie authentication. 283 * @param string $password Password. If not empty, cancels the cookie authentication. 284 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 285 */ 286 function wp_authenticate_cookie( $user, $username, $password ) { 287 if ( $user instanceof WP_User ) { 288 return $user; 289 } 290 291 if ( empty( $username ) && empty( $password ) ) { 292 $user_id = wp_validate_auth_cookie(); 293 if ( $user_id ) { 294 return new WP_User( $user_id ); 295 } 296 297 global $auth_secure_cookie; 298 299 if ( $auth_secure_cookie ) { 300 $auth_cookie = SECURE_AUTH_COOKIE; 301 } else { 302 $auth_cookie = AUTH_COOKIE; 303 } 304 305 if ( ! empty( $_COOKIE[ $auth_cookie ] ) ) { 306 return new WP_Error( 'expired_session', __( 'Please log in again.' ) ); 307 } 308 309 // If the cookie is not set, be silent. 310 } 311 312 return $user; 313 } 314 315 /** 316 * Authenticates the user using an application password. 317 * 318 * @since 5.6.0 319 * 320 * @param WP_User|WP_Error|null $input_user WP_User or WP_Error object if a previous 321 * callback failed authentication. 322 * @param string $username Username for authentication. 323 * @param string $password Password for authentication. 324 * @return WP_User|WP_Error|null WP_User on success, WP_Error on failure, null if 325 * null is passed in and this isn't an API request. 326 */ 327 function wp_authenticate_application_password( $input_user, $username, $password ) { 328 if ( $input_user instanceof WP_User ) { 329 return $input_user; 330 } 331 332 if ( ! WP_Application_Passwords::is_in_use() ) { 333 return $input_user; 334 } 335 336 // The 'REST_REQUEST' check here may happen too early for the constant to be available. 337 $is_api_request = ( ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ); 338 339 /** 340 * Filters whether this is an API request that Application Passwords can be used on. 341 * 342 * By default, Application Passwords is available for the REST API and XML-RPC. 343 * 344 * @since 5.6.0 345 * 346 * @param bool $is_api_request If this is an acceptable API request. 347 */ 348 $is_api_request = apply_filters( 'application_password_is_api_request', $is_api_request ); 349 350 if ( ! $is_api_request ) { 351 return $input_user; 352 } 353 354 $error = null; 355 $user = get_user_by( 'login', $username ); 356 357 if ( ! $user && is_email( $username ) ) { 358 $user = get_user_by( 'email', $username ); 359 } 360 361 // If the login name is invalid, short circuit. 362 if ( ! $user ) { 363 if ( is_email( $username ) ) { 364 $error = new WP_Error( 365 'invalid_email', 366 __( '<strong>Error:</strong> Unknown email address. Check again or try your username.' ) 367 ); 368 } else { 369 $error = new WP_Error( 370 'invalid_username', 371 __( '<strong>Error:</strong> Unknown username. Check again or try your email address.' ) 372 ); 373 } 374 } elseif ( ! wp_is_application_passwords_available() ) { 375 $error = new WP_Error( 376 'application_passwords_disabled', 377 __( 'Application passwords are not available.' ) 378 ); 379 } elseif ( ! wp_is_application_passwords_available_for_user( $user ) ) { 380 $error = new WP_Error( 381 'application_passwords_disabled_for_user', 382 __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' ) 383 ); 384 } 385 386 if ( $error ) { 387 /** 388 * Fires when an application password failed to authenticate the user. 389 * 390 * @since 5.6.0 391 * 392 * @param WP_Error $error The authentication error. 393 */ 394 do_action( 'application_password_failed_authentication', $error ); 395 396 return $error; 397 } 398 399 /* 400 * Strips out anything non-alphanumeric. This is so passwords can be used with 401 * or without spaces to indicate the groupings for readability. 402 * 403 * Generated application passwords are exclusively alphanumeric. 404 */ 405 $password = preg_replace( '/[^a-z\d]/i', '', $password ); 406 407 $hashed_passwords = WP_Application_Passwords::get_user_application_passwords( $user->ID ); 408 409 foreach ( $hashed_passwords as $key => $item ) { 410 if ( ! wp_check_password( $password, $item['password'], $user->ID ) ) { 411 continue; 412 } 413 414 $error = new WP_Error(); 415 416 /** 417 * Fires when an application password has been successfully checked as valid. 418 * 419 * This allows for plugins to add additional constraints to prevent an application password from being used. 420 * 421 * @since 5.6.0 422 * 423 * @param WP_Error $error The error object. 424 * @param WP_User $user The user authenticating. 425 * @param array $item The details about the application password. 426 * @param string $password The raw supplied password. 427 */ 428 do_action( 'wp_authenticate_application_password_errors', $error, $user, $item, $password ); 429 430 if ( is_wp_error( $error ) && $error->has_errors() ) { 431 /** This action is documented in wp-includes/user.php */ 432 do_action( 'application_password_failed_authentication', $error ); 433 434 return $error; 435 } 436 437 WP_Application_Passwords::record_application_password_usage( $user->ID, $item['uuid'] ); 438 439 /** 440 * Fires after an application password was used for authentication. 441 * 442 * @since 5.6.0 443 * 444 * @param WP_User $user The user who was authenticated. 445 * @param array $item The application password used. 446 */ 447 do_action( 'application_password_did_authenticate', $user, $item ); 448 449 return $user; 450 } 451 452 $error = new WP_Error( 453 'incorrect_password', 454 __( 'The provided password is an invalid application password.' ) 455 ); 456 457 /** This action is documented in wp-includes/user.php */ 458 do_action( 'application_password_failed_authentication', $error ); 459 460 return $error; 461 } 462 463 /** 464 * Validates the application password credentials passed via Basic Authentication. 465 * 466 * @since 5.6.0 467 * 468 * @param int|false $input_user User ID if one has been determined, false otherwise. 469 * @return int|false The authenticated user ID if successful, false otherwise. 470 */ 471 function wp_validate_application_password( $input_user ) { 472 // Don't authenticate twice. 473 if ( ! empty( $input_user ) ) { 474 return $input_user; 475 } 476 477 if ( ! wp_is_application_passwords_available() ) { 478 return $input_user; 479 } 480 481 // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication. 482 if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) { 483 return $input_user; 484 } 485 486 $authenticated = wp_authenticate_application_password( null, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ); 487 488 if ( $authenticated instanceof WP_User ) { 489 return $authenticated->ID; 490 } 491 492 // If it wasn't a user what got returned, just pass on what we had received originally. 493 return $input_user; 494 } 495 496 /** 497 * For Multisite blogs, checks if the authenticated user has been marked as a 498 * spammer, or if the user's primary blog has been marked as spam. 499 * 500 * @since 3.7.0 501 * 502 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 503 * @return WP_User|WP_Error WP_User on success, WP_Error if the user is considered a spammer. 504 */ 505 function wp_authenticate_spam_check( $user ) { 506 if ( $user instanceof WP_User && is_multisite() ) { 507 /** 508 * Filters whether the user has been marked as a spammer. 509 * 510 * @since 3.7.0 511 * 512 * @param bool $spammed Whether the user is considered a spammer. 513 * @param WP_User $user User to check against. 514 */ 515 $spammed = apply_filters( 'check_is_user_spammed', is_user_spammy( $user ), $user ); 516 517 if ( $spammed ) { 518 return new WP_Error( 'spammer_account', __( '<strong>Error:</strong> Your account has been marked as a spammer.' ) ); 519 } 520 } 521 return $user; 522 } 523 524 /** 525 * Validates the logged-in cookie. 526 * 527 * Checks the logged-in cookie if the previous auth cookie could not be 528 * validated and parsed. 529 * 530 * This is a callback for the {@see 'determine_current_user'} filter, rather than API. 531 * 532 * @since 3.9.0 533 * 534 * @param int|false $user_id The user ID (or false) as received from 535 * the `determine_current_user` filter. 536 * @return int|false User ID if validated, false otherwise. If a user ID from 537 * an earlier filter callback is received, that value is returned. 538 */ 539 function wp_validate_logged_in_cookie( $user_id ) { 540 if ( $user_id ) { 541 return $user_id; 542 } 543 544 if ( is_blog_admin() || is_network_admin() || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) { 545 return false; 546 } 547 548 return wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' ); 549 } 550 551 /** 552 * Gets the number of posts a user has written. 553 * 554 * @since 3.0.0 555 * @since 4.1.0 Added `$post_type` argument. 556 * @since 4.3.0 Added `$public_only` argument. Added the ability to pass an array 557 * of post types to `$post_type`. 558 * 559 * @global wpdb $wpdb WordPress database abstraction object. 560 * 561 * @param int $userid User ID. 562 * @param array|string $post_type Optional. Single post type or array of post types to count the number of posts for. Default 'post'. 563 * @param bool $public_only Optional. Whether to only return counts for public posts. Default false. 564 * @return string Number of posts the user has written in this post type. 565 */ 566 function count_user_posts( $userid, $post_type = 'post', $public_only = false ) { 567 global $wpdb; 568 569 $where = get_posts_by_author_sql( $post_type, true, $userid, $public_only ); 570 571 $count = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts $where" ); 572 573 /** 574 * Filters the number of posts a user has written. 575 * 576 * @since 2.7.0 577 * @since 4.1.0 Added `$post_type` argument. 578 * @since 4.3.1 Added `$public_only` argument. 579 * 580 * @param int $count The user's post count. 581 * @param int $userid User ID. 582 * @param string|array $post_type Single post type or array of post types to count the number of posts for. 583 * @param bool $public_only Whether to limit counted posts to public posts. 584 */ 585 return apply_filters( 'get_usernumposts', $count, $userid, $post_type, $public_only ); 586 } 587 588 /** 589 * Gets the number of posts written by a list of users. 590 * 591 * @since 3.0.0 592 * 593 * @global wpdb $wpdb WordPress database abstraction object. 594 * 595 * @param int[] $users Array of user IDs. 596 * @param string|string[] $post_type Optional. Single post type or array of post types to check. Defaults to 'post'. 597 * @param bool $public_only Optional. Only return counts for public posts. Defaults to false. 598 * @return string[] Amount of posts each user has written, as strings, keyed by user ID. 599 */ 600 function count_many_users_posts( $users, $post_type = 'post', $public_only = false ) { 601 global $wpdb; 602 603 $count = array(); 604 if ( empty( $users ) || ! is_array( $users ) ) { 605 return $count; 606 } 607 608 $userlist = implode( ',', array_map( 'absint', $users ) ); 609 $where = get_posts_by_author_sql( $post_type, true, null, $public_only ); 610 611 $result = $wpdb->get_results( "SELECT post_author, COUNT(*) FROM $wpdb->posts $where AND post_author IN ($userlist) GROUP BY post_author", ARRAY_N ); 612 foreach ( $result as $row ) { 613 $count[ $row[0] ] = $row[1]; 614 } 615 616 foreach ( $users as $id ) { 617 if ( ! isset( $count[ $id ] ) ) { 618 $count[ $id ] = 0; 619 } 620 } 621 622 return $count; 623 } 624 625 // 626 // User option functions. 627 // 628 629 /** 630 * Gets the current user's ID. 631 * 632 * @since MU (3.0.0) 633 * 634 * @return int The current user's ID, or 0 if no user is logged in. 635 */ 636 function get_current_user_id() { 637 if ( ! function_exists( 'wp_get_current_user' ) ) { 638 return 0; 639 } 640 $user = wp_get_current_user(); 641 return ( isset( $user->ID ) ? (int) $user->ID : 0 ); 642 } 643 644 /** 645 * Retrieves user option that can be either per Site or per Network. 646 * 647 * If the user ID is not given, then the current user will be used instead. If 648 * the user ID is given, then the user data will be retrieved. The filter for 649 * the result, will also pass the original option name and finally the user data 650 * object as the third parameter. 651 * 652 * The option will first check for the per site name and then the per Network name. 653 * 654 * @since 2.0.0 655 * 656 * @global wpdb $wpdb WordPress database abstraction object. 657 * 658 * @param string $option User option name. 659 * @param int $user Optional. User ID. 660 * @param string $deprecated Use get_option() to check for an option in the options table. 661 * @return mixed User option value on success, false on failure. 662 */ 663 function get_user_option( $option, $user = 0, $deprecated = '' ) { 664 global $wpdb; 665 666 if ( ! empty( $deprecated ) ) { 667 _deprecated_argument( __FUNCTION__, '3.0.0' ); 668 } 669 670 if ( empty( $user ) ) { 671 $user = get_current_user_id(); 672 } 673 674 $user = get_userdata( $user ); 675 if ( ! $user ) { 676 return false; 677 } 678 679 $prefix = $wpdb->get_blog_prefix(); 680 if ( $user->has_prop( $prefix . $option ) ) { // Blog-specific. 681 $result = $user->get( $prefix . $option ); 682 } elseif ( $user->has_prop( $option ) ) { // User-specific and cross-blog. 683 $result = $user->get( $option ); 684 } else { 685 $result = false; 686 } 687 688 /** 689 * Filters a specific user option value. 690 * 691 * The dynamic portion of the hook name, `$option`, refers to the user option name. 692 * 693 * @since 2.5.0 694 * 695 * @param mixed $result Value for the user's option. 696 * @param string $option Name of the option being retrieved. 697 * @param WP_User $user WP_User object of the user whose option is being retrieved. 698 */ 699 return apply_filters( "get_user_option_{$option}", $result, $option, $user ); 700 } 701 702 /** 703 * Updates user option with global blog capability. 704 * 705 * User options are just like user metadata except that they have support for 706 * global blog options. If the 'is_global' parameter is false, which it is by default, 707 * it will prepend the WordPress table prefix to the option name. 708 * 709 * Deletes the user option if $newvalue is empty. 710 * 711 * @since 2.0.0 712 * 713 * @global wpdb $wpdb WordPress database abstraction object. 714 * 715 * @param int $user_id User ID. 716 * @param string $option_name User option name. 717 * @param mixed $newvalue User option value. 718 * @param bool $is_global Optional. Whether option name is global or blog specific. 719 * Default false (blog specific). 720 * @return int|bool User meta ID if the option didn't exist, true on successful update, 721 * false on failure. 722 */ 723 function update_user_option( $user_id, $option_name, $newvalue, $is_global = false ) { 724 global $wpdb; 725 726 if ( ! $is_global ) { 727 $option_name = $wpdb->get_blog_prefix() . $option_name; 728 } 729 730 return update_user_meta( $user_id, $option_name, $newvalue ); 731 } 732 733 /** 734 * Deletes user option with global blog capability. 735 * 736 * User options are just like user metadata except that they have support for 737 * global blog options. If the 'is_global' parameter is false, which it is by default, 738 * it will prepend the WordPress table prefix to the option name. 739 * 740 * @since 3.0.0 741 * 742 * @global wpdb $wpdb WordPress database abstraction object. 743 * 744 * @param int $user_id User ID 745 * @param string $option_name User option name. 746 * @param bool $is_global Optional. Whether option name is global or blog specific. 747 * Default false (blog specific). 748 * @return bool True on success, false on failure. 749 */ 750 function delete_user_option( $user_id, $option_name, $is_global = false ) { 751 global $wpdb; 752 753 if ( ! $is_global ) { 754 $option_name = $wpdb->get_blog_prefix() . $option_name; 755 } 756 757 return delete_user_meta( $user_id, $option_name ); 758 } 759 760 /** 761 * Retrieves list of users matching criteria. 762 * 763 * @since 3.1.0 764 * 765 * @see WP_User_Query 766 * 767 * @param array $args Optional. Arguments to retrieve users. See WP_User_Query::prepare_query() 768 * for more information on accepted arguments. 769 * @return array List of users. 770 */ 771 function get_users( $args = array() ) { 772 773 $args = wp_parse_args( $args ); 774 $args['count_total'] = false; 775 776 $user_search = new WP_User_Query( $args ); 777 778 return (array) $user_search->get_results(); 779 } 780 781 /** 782 * Lists all the users of the site, with several options available. 783 * 784 * @since 5.9.0 785 * 786 * @param string|array $args { 787 * Optional. Array or string of default arguments. 788 * 789 * @type string $orderby How to sort the users. Accepts 'nicename', 'email', 'url', 'registered', 790 * 'user_nicename', 'user_email', 'user_url', 'user_registered', 'name', 791 * 'display_name', 'post_count', 'ID', 'meta_value', 'user_login'. Default 'name'. 792 * @type string $order Sorting direction for $orderby. Accepts 'ASC', 'DESC'. Default 'ASC'. 793 * @type int $number Maximum users to return or display. Default empty (all users). 794 * @type bool $exclude_admin Whether to exclude the 'admin' account, if it exists. Default false. 795 * @type bool $show_fullname Whether to show the user's full name. Default false. 796 * @type string $feed If not empty, show a link to the user's feed and use this text as the alt 797 * parameter of the link. Default empty. 798 * @type string $feed_image If not empty, show a link to the user's feed and use this image URL as 799 * clickable anchor. Default empty. 800 * @type string $feed_type The feed type to link to, such as 'rss2'. Defaults to default feed type. 801 * @type bool $echo Whether to output the result or instead return it. Default true. 802 * @type string $style If 'list', each user is wrapped in an `<li>` element, otherwise the users 803 * will be separated by commas. 804 * @type bool $html Whether to list the items in HTML form or plaintext. Default true. 805 * @type string $exclude An array, comma-, or space-separated list of user IDs to exclude. Default empty. 806 * @type string $include An array, comma-, or space-separated list of user IDs to include. Default empty. 807 * } 808 * @return string|null The output if echo is false. Otherwise null. 809 */ 810 function wp_list_users( $args = array() ) { 811 $defaults = array( 812 'orderby' => 'name', 813 'order' => 'ASC', 814 'number' => '', 815 'exclude_admin' => true, 816 'show_fullname' => false, 817 'feed' => '', 818 'feed_image' => '', 819 'feed_type' => '', 820 'echo' => true, 821 'style' => 'list', 822 'html' => true, 823 'exclude' => '', 824 'include' => '', 825 ); 826 827 $parsed_args = wp_parse_args( $args, $defaults ); 828 829 $return = ''; 830 831 $query_args = wp_array_slice_assoc( $parsed_args, array( 'orderby', 'order', 'number', 'exclude', 'include' ) ); 832 $query_args['fields'] = 'ids'; 833 834 /** 835 * Filters the query arguments for the list of all users of the site. 836 * 837 * @since 6.1.0 838 * 839 * @param array $query_args The query arguments for get_users(). 840 * @param array $parsed_args The arguments passed to wp_list_users() combined with the defaults. 841 */ 842 $query_args = apply_filters( 'wp_list_users_args', $query_args, $parsed_args ); 843 844 $users = get_users( $query_args ); 845 846 foreach ( $users as $user_id ) { 847 $user = get_userdata( $user_id ); 848 849 if ( $parsed_args['exclude_admin'] && 'admin' === $user->display_name ) { 850 continue; 851 } 852 853 if ( $parsed_args['show_fullname'] && '' !== $user->first_name && '' !== $user->last_name ) { 854 $name = sprintf( 855 /* translators: 1: User's first name, 2: Last name. */ 856 _x( '%1$s %2$s', 'Display name based on first name and last name' ), 857 $user->first_name, 858 $user->last_name 859 ); 860 } else { 861 $name = $user->display_name; 862 } 863 864 if ( ! $parsed_args['html'] ) { 865 $return .= $name . ', '; 866 867 continue; // No need to go further to process HTML. 868 } 869 870 if ( 'list' === $parsed_args['style'] ) { 871 $return .= '<li>'; 872 } 873 874 $row = $name; 875 876 if ( ! empty( $parsed_args['feed_image'] ) || ! empty( $parsed_args['feed'] ) ) { 877 $row .= ' '; 878 if ( empty( $parsed_args['feed_image'] ) ) { 879 $row .= '('; 880 } 881 882 $row .= '<a href="' . get_author_feed_link( $user->ID, $parsed_args['feed_type'] ) . '"'; 883 884 $alt = ''; 885 if ( ! empty( $parsed_args['feed'] ) ) { 886 $alt = ' alt="' . esc_attr( $parsed_args['feed'] ) . '"'; 887 $name = $parsed_args['feed']; 888 } 889 890 $row .= '>'; 891 892 if ( ! empty( $parsed_args['feed_image'] ) ) { 893 $row .= '<img src="' . esc_url( $parsed_args['feed_image'] ) . '" style="border: none;"' . $alt . ' />'; 894 } else { 895 $row .= $name; 896 } 897 898 $row .= '</a>'; 899 900 if ( empty( $parsed_args['feed_image'] ) ) { 901 $row .= ')'; 902 } 903 } 904 905 $return .= $row; 906 $return .= ( 'list' === $parsed_args['style'] ) ? '</li>' : ', '; 907 } 908 909 $return = rtrim( $return, ', ' ); 910 911 if ( ! $parsed_args['echo'] ) { 912 return $return; 913 } 914 echo $return; 915 } 916 917 /** 918 * Gets the sites a user belongs to. 919 * 920 * @since 3.0.0 921 * @since 4.7.0 Converted to use `get_sites()`. 922 * 923 * @global wpdb $wpdb WordPress database abstraction object. 924 * 925 * @param int $user_id User ID 926 * @param bool $all Whether to retrieve all sites, or only sites that are not 927 * marked as deleted, archived, or spam. 928 * @return object[] A list of the user's sites. An empty array if the user doesn't exist 929 * or belongs to no sites. 930 */ 931 function get_blogs_of_user( $user_id, $all = false ) { 932 global $wpdb; 933 934 $user_id = (int) $user_id; 935 936 // Logged out users can't have sites. 937 if ( empty( $user_id ) ) { 938 return array(); 939 } 940 941 /** 942 * Filters the list of a user's sites before it is populated. 943 * 944 * Returning a non-null value from the filter will effectively short circuit 945 * get_blogs_of_user(), returning that value instead. 946 * 947 * @since 4.6.0 948 * 949 * @param null|object[] $sites An array of site objects of which the user is a member. 950 * @param int $user_id User ID. 951 * @param bool $all Whether the returned array should contain all sites, including 952 * those marked 'deleted', 'archived', or 'spam'. Default false. 953 */ 954 $sites = apply_filters( 'pre_get_blogs_of_user', null, $user_id, $all ); 955 956 if ( null !== $sites ) { 957 return $sites; 958 } 959 960 $keys = get_user_meta( $user_id ); 961 if ( empty( $keys ) ) { 962 return array(); 963 } 964 965 if ( ! is_multisite() ) { 966 $site_id = get_current_blog_id(); 967 $sites = array( $site_id => new stdClass() ); 968 $sites[ $site_id ]->userblog_id = $site_id; 969 $sites[ $site_id ]->blogname = get_option( 'blogname' ); 970 $sites[ $site_id ]->domain = ''; 971 $sites[ $site_id ]->path = ''; 972 $sites[ $site_id ]->site_id = 1; 973 $sites[ $site_id ]->siteurl = get_option( 'siteurl' ); 974 $sites[ $site_id ]->archived = 0; 975 $sites[ $site_id ]->spam = 0; 976 $sites[ $site_id ]->deleted = 0; 977 return $sites; 978 } 979 980 $site_ids = array(); 981 982 if ( isset( $keys[ $wpdb->base_prefix . 'capabilities' ] ) && defined( 'MULTISITE' ) ) { 983 $site_ids[] = 1; 984 unset( $keys[ $wpdb->base_prefix . 'capabilities' ] ); 985 } 986 987 $keys = array_keys( $keys ); 988 989 foreach ( $keys as $key ) { 990 if ( ! str_ends_with( $key, 'capabilities' ) ) { 991 continue; 992 } 993 if ( $wpdb->base_prefix && ! str_starts_with( $key, $wpdb->base_prefix ) ) { 994 continue; 995 } 996 $site_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key ); 997 if ( ! is_numeric( $site_id ) ) { 998 continue; 999 } 1000 1001 $site_ids[] = (int) $site_id; 1002 } 1003 1004 $sites = array(); 1005 1006 if ( ! empty( $site_ids ) ) { 1007 $args = array( 1008 'number' => '', 1009 'site__in' => $site_ids, 1010 ); 1011 if ( ! $all ) { 1012 $args['archived'] = 0; 1013 $args['spam'] = 0; 1014 $args['deleted'] = 0; 1015 } 1016 1017 $_sites = get_sites( $args ); 1018 1019 foreach ( $_sites as $site ) { 1020 $sites[ $site->id ] = (object) array( 1021 'userblog_id' => $site->id, 1022 'blogname' => $site->blogname, 1023 'domain' => $site->domain, 1024 'path' => $site->path, 1025 'site_id' => $site->network_id, 1026 'siteurl' => $site->siteurl, 1027 'archived' => $site->archived, 1028 'mature' => $site->mature, 1029 'spam' => $site->spam, 1030 'deleted' => $site->deleted, 1031 ); 1032 } 1033 } 1034 1035 /** 1036 * Filters the list of sites a user belongs to. 1037 * 1038 * @since MU (3.0.0) 1039 * 1040 * @param object[] $sites An array of site objects belonging to the user. 1041 * @param int $user_id User ID. 1042 * @param bool $all Whether the returned sites array should contain all sites, including 1043 * those marked 'deleted', 'archived', or 'spam'. Default false. 1044 */ 1045 return apply_filters( 'get_blogs_of_user', $sites, $user_id, $all ); 1046 } 1047 1048 /** 1049 * Finds out whether a user is a member of a given blog. 1050 * 1051 * @since MU (3.0.0) 1052 * 1053 * @global wpdb $wpdb WordPress database abstraction object. 1054 * 1055 * @param int $user_id Optional. The unique ID of the user. Defaults to the current user. 1056 * @param int $blog_id Optional. ID of the blog to check. Defaults to the current site. 1057 * @return bool 1058 */ 1059 function is_user_member_of_blog( $user_id = 0, $blog_id = 0 ) { 1060 global $wpdb; 1061 1062 $user_id = (int) $user_id; 1063 $blog_id = (int) $blog_id; 1064 1065 if ( empty( $user_id ) ) { 1066 $user_id = get_current_user_id(); 1067 } 1068 1069 /* 1070 * Technically not needed, but does save calls to get_site() and get_user_meta() 1071 * in the event that the function is called when a user isn't logged in. 1072 */ 1073 if ( empty( $user_id ) ) { 1074 return false; 1075 } else { 1076 $user = get_userdata( $user_id ); 1077 if ( ! $user instanceof WP_User ) { 1078 return false; 1079 } 1080 } 1081 1082 if ( ! is_multisite() ) { 1083 return true; 1084 } 1085 1086 if ( empty( $blog_id ) ) { 1087 $blog_id = get_current_blog_id(); 1088 } 1089 1090 $blog = get_site( $blog_id ); 1091 1092 if ( ! $blog || ! isset( $blog->domain ) || $blog->archived || $blog->spam || $blog->deleted ) { 1093 return false; 1094 } 1095 1096 $keys = get_user_meta( $user_id ); 1097 if ( empty( $keys ) ) { 1098 return false; 1099 } 1100 1101 // No underscore before capabilities in $base_capabilities_key. 1102 $base_capabilities_key = $wpdb->base_prefix . 'capabilities'; 1103 $site_capabilities_key = $wpdb->base_prefix . $blog_id . '_capabilities'; 1104 1105 if ( isset( $keys[ $base_capabilities_key ] ) && 1 == $blog_id ) { 1106 return true; 1107 } 1108 1109 if ( isset( $keys[ $site_capabilities_key ] ) ) { 1110 return true; 1111 } 1112 1113 return false; 1114 } 1115 1116 /** 1117 * Adds meta data to a user. 1118 * 1119 * @since 3.0.0 1120 * 1121 * @param int $user_id User ID. 1122 * @param string $meta_key Metadata name. 1123 * @param mixed $meta_value Metadata value. Must be serializable if non-scalar. 1124 * @param bool $unique Optional. Whether the same key should not be added. 1125 * Default false. 1126 * @return int|false Meta ID on success, false on failure. 1127 */ 1128 function add_user_meta( $user_id, $meta_key, $meta_value, $unique = false ) { 1129 return add_metadata( 'user', $user_id, $meta_key, $meta_value, $unique ); 1130 } 1131 1132 /** 1133 * Removes metadata matching criteria from a user. 1134 * 1135 * You can match based on the key, or key and value. Removing based on key and 1136 * value, will keep from removing duplicate metadata with the same key. It also 1137 * allows removing all metadata matching key, if needed. 1138 * 1139 * @since 3.0.0 1140 * 1141 * @link https://developer.wordpress.org/reference/functions/delete_user_meta/ 1142 * 1143 * @param int $user_id User ID 1144 * @param string $meta_key Metadata name. 1145 * @param mixed $meta_value Optional. Metadata value. If provided, 1146 * rows will only be removed that match the value. 1147 * Must be serializable if non-scalar. Default empty. 1148 * @return bool True on success, false on failure. 1149 */ 1150 function delete_user_meta( $user_id, $meta_key, $meta_value = '' ) { 1151 return delete_metadata( 'user', $user_id, $meta_key, $meta_value ); 1152 } 1153 1154 /** 1155 * Retrieves user meta field for a user. 1156 * 1157 * @since 3.0.0 1158 * 1159 * @link https://developer.wordpress.org/reference/functions/get_user_meta/ 1160 * 1161 * @param int $user_id User ID. 1162 * @param string $key Optional. The meta key to retrieve. By default, 1163 * returns data for all keys. 1164 * @param bool $single Optional. Whether to return a single value. 1165 * This parameter has no effect if `$key` is not specified. 1166 * Default false. 1167 * @return mixed An array of values if `$single` is false. 1168 * The value of meta data field if `$single` is true. 1169 * False for an invalid `$user_id` (non-numeric, zero, or negative value). 1170 * An empty string if a valid but non-existing user ID is passed. 1171 */ 1172 function get_user_meta( $user_id, $key = '', $single = false ) { 1173 return get_metadata( 'user', $user_id, $key, $single ); 1174 } 1175 1176 /** 1177 * Updates user meta field based on user ID. 1178 * 1179 * Use the $prev_value parameter to differentiate between meta fields with the 1180 * same key and user ID. 1181 * 1182 * If the meta field for the user does not exist, it will be added. 1183 * 1184 * @since 3.0.0 1185 * 1186 * @link https://developer.wordpress.org/reference/functions/update_user_meta/ 1187 * 1188 * @param int $user_id User ID. 1189 * @param string $meta_key Metadata key. 1190 * @param mixed $meta_value Metadata value. Must be serializable if non-scalar. 1191 * @param mixed $prev_value Optional. Previous value to check before updating. 1192 * If specified, only update existing metadata entries with 1193 * this value. Otherwise, update all entries. Default empty. 1194 * @return int|bool Meta ID if the key didn't exist, true on successful update, 1195 * false on failure or if the value passed to the function 1196 * is the same as the one that is already in the database. 1197 */ 1198 function update_user_meta( $user_id, $meta_key, $meta_value, $prev_value = '' ) { 1199 return update_metadata( 'user', $user_id, $meta_key, $meta_value, $prev_value ); 1200 } 1201 1202 /** 1203 * Counts number of users who have each of the user roles. 1204 * 1205 * Assumes there are neither duplicated nor orphaned capabilities meta_values. 1206 * Assumes role names are unique phrases. Same assumption made by WP_User_Query::prepare_query() 1207 * Using $strategy = 'time' this is CPU-intensive and should handle around 10^7 users. 1208 * Using $strategy = 'memory' this is memory-intensive and should handle around 10^5 users, but see WP Bug #12257. 1209 * 1210 * @since 3.0.0 1211 * @since 4.4.0 The number of users with no role is now included in the `none` element. 1212 * @since 4.9.0 The `$site_id` parameter was added to support multisite. 1213 * 1214 * @global wpdb $wpdb WordPress database abstraction object. 1215 * 1216 * @param string $strategy Optional. The computational strategy to use when counting the users. 1217 * Accepts either 'time' or 'memory'. Default 'time'. 1218 * @param int|null $site_id Optional. The site ID to count users for. Defaults to the current site. 1219 * @return array { 1220 * User counts. 1221 * 1222 * @type int $total_users Total number of users on the site. 1223 * @type int[] $avail_roles Array of user counts keyed by user role. 1224 * } 1225 */ 1226 function count_users( $strategy = 'time', $site_id = null ) { 1227 global $wpdb; 1228 1229 // Initialize. 1230 if ( ! $site_id ) { 1231 $site_id = get_current_blog_id(); 1232 } 1233 1234 /** 1235 * Filters the user count before queries are run. 1236 * 1237 * Return a non-null value to cause count_users() to return early. 1238 * 1239 * @since 5.1.0 1240 * 1241 * @param null|array $result The value to return instead. Default null to continue with the query. 1242 * @param string $strategy Optional. The computational strategy to use when counting the users. 1243 * Accepts either 'time' or 'memory'. Default 'time'. 1244 * @param int $site_id The site ID to count users for. 1245 */ 1246 $pre = apply_filters( 'pre_count_users', null, $strategy, $site_id ); 1247 1248 if ( null !== $pre ) { 1249 return $pre; 1250 } 1251 1252 $blog_prefix = $wpdb->get_blog_prefix( $site_id ); 1253 $result = array(); 1254 1255 if ( 'time' === $strategy ) { 1256 if ( is_multisite() && get_current_blog_id() != $site_id ) { 1257 switch_to_blog( $site_id ); 1258 $avail_roles = wp_roles()->get_names(); 1259 restore_current_blog(); 1260 } else { 1261 $avail_roles = wp_roles()->get_names(); 1262 } 1263 1264 // Build a CPU-intensive query that will return concise information. 1265 $select_count = array(); 1266 foreach ( $avail_roles as $this_role => $name ) { 1267 $select_count[] = $wpdb->prepare( 'COUNT(NULLIF(`meta_value` LIKE %s, false))', '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%' ); 1268 } 1269 $select_count[] = "COUNT(NULLIF(`meta_value` = 'a:0:{}', false))"; 1270 $select_count = implode( ', ', $select_count ); 1271 1272 // Add the meta_value index to the selection list, then run the query. 1273 $row = $wpdb->get_row( 1274 " 1275 SELECT {$select_count}, COUNT(*) 1276 FROM {$wpdb->usermeta} 1277 INNER JOIN {$wpdb->users} ON user_id = ID 1278 WHERE meta_key = '{$blog_prefix}capabilities' 1279 ", 1280 ARRAY_N 1281 ); 1282 1283 // Run the previous loop again to associate results with role names. 1284 $col = 0; 1285 $role_counts = array(); 1286 foreach ( $avail_roles as $this_role => $name ) { 1287 $count = (int) $row[ $col++ ]; 1288 if ( $count > 0 ) { 1289 $role_counts[ $this_role ] = $count; 1290 } 1291 } 1292 1293 $role_counts['none'] = (int) $row[ $col++ ]; 1294 1295 // Get the meta_value index from the end of the result set. 1296 $total_users = (int) $row[ $col ]; 1297 1298 $result['total_users'] = $total_users; 1299 $result['avail_roles'] =& $role_counts; 1300 } else { 1301 $avail_roles = array( 1302 'none' => 0, 1303 ); 1304 1305 $users_of_blog = $wpdb->get_col( 1306 " 1307 SELECT meta_value 1308 FROM {$wpdb->usermeta} 1309 INNER JOIN {$wpdb->users} ON user_id = ID 1310 WHERE meta_key = '{$blog_prefix}capabilities' 1311 " 1312 ); 1313 1314 foreach ( $users_of_blog as $caps_meta ) { 1315 $b_roles = maybe_unserialize( $caps_meta ); 1316 if ( ! is_array( $b_roles ) ) { 1317 continue; 1318 } 1319 if ( empty( $b_roles ) ) { 1320 ++$avail_roles['none']; 1321 } 1322 foreach ( $b_roles as $b_role => $val ) { 1323 if ( isset( $avail_roles[ $b_role ] ) ) { 1324 ++$avail_roles[ $b_role ]; 1325 } else { 1326 $avail_roles[ $b_role ] = 1; 1327 } 1328 } 1329 } 1330 1331 $result['total_users'] = count( $users_of_blog ); 1332 $result['avail_roles'] =& $avail_roles; 1333 } 1334 1335 return $result; 1336 } 1337 1338 /** 1339 * Returns the number of active users in your installation. 1340 * 1341 * Note that on a large site the count may be cached and only updated twice daily. 1342 * 1343 * @since MU (3.0.0) 1344 * @since 4.8.0 The `$network_id` parameter has been added. 1345 * @since 6.0.0 Moved to wp-includes/user.php. 1346 * 1347 * @param int|null $network_id ID of the network. Defaults to the current network. 1348 * @return int Number of active users on the network. 1349 */ 1350 function get_user_count( $network_id = null ) { 1351 if ( ! is_multisite() && null !== $network_id ) { 1352 _doing_it_wrong( 1353 __FUNCTION__, 1354 sprintf( 1355 /* translators: %s: $network_id */ 1356 __( 'Unable to pass %s if not using multisite.' ), 1357 '<code>$network_id</code>' 1358 ), 1359 '6.0.0' 1360 ); 1361 } 1362 1363 return (int) get_network_option( $network_id, 'user_count', -1 ); 1364 } 1365 1366 /** 1367 * Updates the total count of users on the site if live user counting is enabled. 1368 * 1369 * @since 6.0.0 1370 * 1371 * @param int|null $network_id ID of the network. Defaults to the current network. 1372 * @return bool Whether the update was successful. 1373 */ 1374 function wp_maybe_update_user_counts( $network_id = null ) { 1375 if ( ! is_multisite() && null !== $network_id ) { 1376 _doing_it_wrong( 1377 __FUNCTION__, 1378 sprintf( 1379 /* translators: %s: $network_id */ 1380 __( 'Unable to pass %s if not using multisite.' ), 1381 '<code>$network_id</code>' 1382 ), 1383 '6.0.0' 1384 ); 1385 } 1386 1387 $is_small_network = ! wp_is_large_user_count( $network_id ); 1388 /** This filter is documented in wp-includes/ms-functions.php */ 1389 if ( ! apply_filters( 'enable_live_network_counts', $is_small_network, 'users' ) ) { 1390 return false; 1391 } 1392 1393 return wp_update_user_counts( $network_id ); 1394 } 1395 1396 /** 1397 * Updates the total count of users on the site. 1398 * 1399 * @global wpdb $wpdb WordPress database abstraction object. 1400 * @since 6.0.0 1401 * 1402 * @param int|null $network_id ID of the network. Defaults to the current network. 1403 * @return bool Whether the update was successful. 1404 */ 1405 function wp_update_user_counts( $network_id = null ) { 1406 global $wpdb; 1407 1408 if ( ! is_multisite() && null !== $network_id ) { 1409 _doing_it_wrong( 1410 __FUNCTION__, 1411 sprintf( 1412 /* translators: %s: $network_id */ 1413 __( 'Unable to pass %s if not using multisite.' ), 1414 '<code>$network_id</code>' 1415 ), 1416 '6.0.0' 1417 ); 1418 } 1419 1420 $query = "SELECT COUNT(ID) as c FROM $wpdb->users"; 1421 if ( is_multisite() ) { 1422 $query .= " WHERE spam = '0' AND deleted = '0'"; 1423 } 1424 1425 $count = $wpdb->get_var( $query ); 1426 1427 return update_network_option( $network_id, 'user_count', $count ); 1428 } 1429 1430 /** 1431 * Schedules a recurring recalculation of the total count of users. 1432 * 1433 * @since 6.0.0 1434 */ 1435 function wp_schedule_update_user_counts() { 1436 if ( ! is_main_site() ) { 1437 return; 1438 } 1439 1440 if ( ! wp_next_scheduled( 'wp_update_user_counts' ) && ! wp_installing() ) { 1441 wp_schedule_event( time(), 'twicedaily', 'wp_update_user_counts' ); 1442 } 1443 } 1444 1445 /** 1446 * Determines whether the site has a large number of users. 1447 * 1448 * The default criteria for a large site is more than 10,000 users. 1449 * 1450 * @since 6.0.0 1451 * 1452 * @param int|null $network_id ID of the network. Defaults to the current network. 1453 * @return bool Whether the site has a large number of users. 1454 */ 1455 function wp_is_large_user_count( $network_id = null ) { 1456 if ( ! is_multisite() && null !== $network_id ) { 1457 _doing_it_wrong( 1458 __FUNCTION__, 1459 sprintf( 1460 /* translators: %s: $network_id */ 1461 __( 'Unable to pass %s if not using multisite.' ), 1462 '<code>$network_id</code>' 1463 ), 1464 '6.0.0' 1465 ); 1466 } 1467 1468 $count = get_user_count( $network_id ); 1469 1470 /** 1471 * Filters whether the site is considered large, based on its number of users. 1472 * 1473 * @since 6.0.0 1474 * 1475 * @param bool $is_large_user_count Whether the site has a large number of users. 1476 * @param int $count The total number of users. 1477 * @param int|null $network_id ID of the network. `null` represents the current network. 1478 */ 1479 return apply_filters( 'wp_is_large_user_count', $count > 10000, $count, $network_id ); 1480 } 1481 1482 // 1483 // Private helper functions. 1484 // 1485 1486 /** 1487 * Sets up global user vars. 1488 * 1489 * Used by wp_set_current_user() for back compat. Might be deprecated in the future. 1490 * 1491 * @since 2.0.4 1492 * 1493 * @global string $user_login The user username for logging in 1494 * @global WP_User $userdata User data. 1495 * @global int $user_level The level of the user 1496 * @global int $user_ID The ID of the user 1497 * @global string $user_email The email address of the user 1498 * @global string $user_url The url in the user's profile 1499 * @global string $user_identity The display name of the user 1500 * 1501 * @param int $for_user_id Optional. User ID to set up global data. Default 0. 1502 */ 1503 function setup_userdata( $for_user_id = 0 ) { 1504 global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_identity; 1505 1506 if ( ! $for_user_id ) { 1507 $for_user_id = get_current_user_id(); 1508 } 1509 $user = get_userdata( $for_user_id ); 1510 1511 if ( ! $user ) { 1512 $user_ID = 0; 1513 $user_level = 0; 1514 $userdata = null; 1515 $user_login = ''; 1516 $user_email = ''; 1517 $user_url = ''; 1518 $user_identity = ''; 1519 return; 1520 } 1521 1522 $user_ID = (int) $user->ID; 1523 $user_level = (int) $user->user_level; 1524 $userdata = $user; 1525 $user_login = $user->user_login; 1526 $user_email = $user->user_email; 1527 $user_url = $user->user_url; 1528 $user_identity = $user->display_name; 1529 } 1530 1531 /** 1532 * Creates dropdown HTML content of users. 1533 * 1534 * The content can either be displayed, which it is by default or retrieved by 1535 * setting the 'echo' argument. The 'include' and 'exclude' arguments do not 1536 * need to be used; all users will be displayed in that case. Only one can be 1537 * used, either 'include' or 'exclude', but not both. 1538 * 1539 * The available arguments are as follows: 1540 * 1541 * @since 2.3.0 1542 * @since 4.5.0 Added the 'display_name_with_login' value for 'show'. 1543 * @since 4.7.0 Added the `$role`, `$role__in`, and `$role__not_in` parameters. 1544 * 1545 * @param array|string $args { 1546 * Optional. Array or string of arguments to generate a drop-down of users. 1547 * See WP_User_Query::prepare_query() for additional available arguments. 1548 * 1549 * @type string $show_option_all Text to show as the drop-down default (all). 1550 * Default empty. 1551 * @type string $show_option_none Text to show as the drop-down default when no 1552 * users were found. Default empty. 1553 * @type int|string $option_none_value Value to use for $show_option_none when no users 1554 * were found. Default -1. 1555 * @type string $hide_if_only_one_author Whether to skip generating the drop-down 1556 * if only one user was found. Default empty. 1557 * @type string $orderby Field to order found users by. Accepts user fields. 1558 * Default 'display_name'. 1559 * @type string $order Whether to order users in ascending or descending 1560 * order. Accepts 'ASC' (ascending) or 'DESC' (descending). 1561 * Default 'ASC'. 1562 * @type int[]|string $include Array or comma-separated list of user IDs to include. 1563 * Default empty. 1564 * @type int[]|string $exclude Array or comma-separated list of user IDs to exclude. 1565 * Default empty. 1566 * @type bool|int $multi Whether to skip the ID attribute on the 'select' element. 1567 * Accepts 1|true or 0|false. Default 0|false. 1568 * @type string $show User data to display. If the selected item is empty 1569 * then the 'user_login' will be displayed in parentheses. 1570 * Accepts any user field, or 'display_name_with_login' to show 1571 * the display name with user_login in parentheses. 1572 * Default 'display_name'. 1573 * @type int|bool $echo Whether to echo or return the drop-down. Accepts 1|true (echo) 1574 * or 0|false (return). Default 1|true. 1575 * @type int $selected Which user ID should be selected. Default 0. 1576 * @type bool $include_selected Whether to always include the selected user ID in the drop- 1577 * down. Default false. 1578 * @type string $name Name attribute of select element. Default 'user'. 1579 * @type string $id ID attribute of the select element. Default is the value of $name. 1580 * @type string $class Class attribute of the select element. Default empty. 1581 * @type int $blog_id ID of blog (Multisite only). Default is ID of the current blog. 1582 * @type string $who Which type of users to query. Accepts only an empty string or 1583 * 'authors'. Default empty. 1584 * @type string|array $role An array or a comma-separated list of role names that users must 1585 * match to be included in results. Note that this is an inclusive 1586 * list: users must match *each* role. Default empty. 1587 * @type string[] $role__in An array of role names. Matched users must have at least one of 1588 * these roles. Default empty array. 1589 * @type string[] $role__not_in An array of role names to exclude. Users matching one or more of 1590 * these roles will not be included in results. Default empty array. 1591 * } 1592 * @return string HTML dropdown list of users. 1593 */ 1594 function wp_dropdown_users( $args = '' ) { 1595 $defaults = array( 1596 'show_option_all' => '', 1597 'show_option_none' => '', 1598 'hide_if_only_one_author' => '', 1599 'orderby' => 'display_name', 1600 'order' => 'ASC', 1601 'include' => '', 1602 'exclude' => '', 1603 'multi' => 0, 1604 'show' => 'display_name', 1605 'echo' => 1, 1606 'selected' => 0, 1607 'name' => 'user', 1608 'class' => '', 1609 'id' => '', 1610 'blog_id' => get_current_blog_id(), 1611 'who' => '', 1612 'include_selected' => false, 1613 'option_none_value' => -1, 1614 'role' => '', 1615 'role__in' => array(), 1616 'role__not_in' => array(), 1617 'capability' => '', 1618 'capability__in' => array(), 1619 'capability__not_in' => array(), 1620 ); 1621 1622 $defaults['selected'] = is_author() ? get_query_var( 'author' ) : 0; 1623 1624 $parsed_args = wp_parse_args( $args, $defaults ); 1625 1626 $query_args = wp_array_slice_assoc( 1627 $parsed_args, 1628 array( 1629 'blog_id', 1630 'include', 1631 'exclude', 1632 'orderby', 1633 'order', 1634 'who', 1635 'role', 1636 'role__in', 1637 'role__not_in', 1638 'capability', 1639 'capability__in', 1640 'capability__not_in', 1641 ) 1642 ); 1643 1644 $fields = array( 'ID', 'user_login' ); 1645 1646 $show = ! empty( $parsed_args['show'] ) ? $parsed_args['show'] : 'display_name'; 1647 if ( 'display_name_with_login' === $show ) { 1648 $fields[] = 'display_name'; 1649 } else { 1650 $fields[] = $show; 1651 } 1652 1653 $query_args['fields'] = $fields; 1654 1655 $show_option_all = $parsed_args['show_option_all']; 1656 $show_option_none = $parsed_args['show_option_none']; 1657 $option_none_value = $parsed_args['option_none_value']; 1658 1659 /** 1660 * Filters the query arguments for the list of users in the dropdown. 1661 * 1662 * @since 4.4.0 1663 * 1664 * @param array $query_args The query arguments for get_users(). 1665 * @param array $parsed_args The arguments passed to wp_dropdown_users() combined with the defaults. 1666 */ 1667 $query_args = apply_filters( 'wp_dropdown_users_args', $query_args, $parsed_args ); 1668 1669 $users = get_users( $query_args ); 1670 1671 $output = ''; 1672 if ( ! empty( $users ) && ( empty( $parsed_args['hide_if_only_one_author'] ) || count( $users ) > 1 ) ) { 1673 $name = esc_attr( $parsed_args['name'] ); 1674 if ( $parsed_args['multi'] && ! $parsed_args['id'] ) { 1675 $id = ''; 1676 } else { 1677 $id = $parsed_args['id'] ? " id='" . esc_attr( $parsed_args['id'] ) . "'" : " id='$name'"; 1678 } 1679 $output = "<select name='{$name}'{$id} class='" . $parsed_args['class'] . "'>\n"; 1680 1681 if ( $show_option_all ) { 1682 $output .= "\t<option value='0'>$show_option_all</option>\n"; 1683 } 1684 1685 if ( $show_option_none ) { 1686 $_selected = selected( $option_none_value, $parsed_args['selected'], false ); 1687 $output .= "\t<option value='" . esc_attr( $option_none_value ) . "'$_selected>$show_option_none</option>\n"; 1688 } 1689 1690 if ( $parsed_args['include_selected'] && ( $parsed_args['selected'] > 0 ) ) { 1691 $found_selected = false; 1692 $parsed_args['selected'] = (int) $parsed_args['selected']; 1693 1694 foreach ( (array) $users as $user ) { 1695 $user->ID = (int) $user->ID; 1696 if ( $user->ID === $parsed_args['selected'] ) { 1697 $found_selected = true; 1698 } 1699 } 1700 1701 if ( ! $found_selected ) { 1702 $selected_user = get_userdata( $parsed_args['selected'] ); 1703 if ( $selected_user ) { 1704 $users[] = $selected_user; 1705 } 1706 } 1707 } 1708 1709 foreach ( (array) $users as $user ) { 1710 if ( 'display_name_with_login' === $show ) { 1711 /* translators: 1: User's display name, 2: User login. */ 1712 $display = sprintf( _x( '%1$s (%2$s)', 'user dropdown' ), $user->display_name, $user->user_login ); 1713 } elseif ( ! empty( $user->$show ) ) { 1714 $display = $user->$show; 1715 } else { 1716 $display = '(' . $user->user_login . ')'; 1717 } 1718 1719 $_selected = selected( $user->ID, $parsed_args['selected'], false ); 1720 $output .= "\t<option value='$user->ID'$_selected>" . esc_html( $display ) . "</option>\n"; 1721 } 1722 1723 $output .= '</select>'; 1724 } 1725 1726 /** 1727 * Filters the wp_dropdown_users() HTML output. 1728 * 1729 * @since 2.3.0 1730 * 1731 * @param string $output HTML output generated by wp_dropdown_users(). 1732 */ 1733 $html = apply_filters( 'wp_dropdown_users', $output ); 1734 1735 if ( $parsed_args['echo'] ) { 1736 echo $html; 1737 } 1738 return $html; 1739 } 1740 1741 /** 1742 * Sanitizes user field based on context. 1743 * 1744 * Possible context values are: 'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The 1745 * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display' 1746 * when calling filters. 1747 * 1748 * @since 2.3.0 1749 * 1750 * @param string $field The user Object field name. 1751 * @param mixed $value The user Object value. 1752 * @param int $user_id User ID. 1753 * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display', 1754 * 'attribute' and 'js'. 1755 * @return mixed Sanitized value. 1756 */ 1757 function sanitize_user_field( $field, $value, $user_id, $context ) { 1758 $int_fields = array( 'ID' ); 1759 if ( in_array( $field, $int_fields, true ) ) { 1760 $value = (int) $value; 1761 } 1762 1763 if ( 'raw' === $context ) { 1764 return $value; 1765 } 1766 1767 if ( ! is_string( $value ) && ! is_numeric( $value ) ) { 1768 return $value; 1769 } 1770 1771 $prefixed = str_contains( $field, 'user_' ); 1772 1773 if ( 'edit' === $context ) { 1774 if ( $prefixed ) { 1775 1776 /** This filter is documented in wp-includes/post.php */ 1777 $value = apply_filters( "edit_{$field}", $value, $user_id ); 1778 } else { 1779 1780 /** 1781 * Filters a user field value in the 'edit' context. 1782 * 1783 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1784 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1785 * 1786 * @since 2.9.0 1787 * 1788 * @param mixed $value Value of the prefixed user field. 1789 * @param int $user_id User ID. 1790 */ 1791 $value = apply_filters( "edit_user_{$field}", $value, $user_id ); 1792 } 1793 1794 if ( 'description' === $field ) { 1795 $value = esc_html( $value ); // textarea_escaped? 1796 } else { 1797 $value = esc_attr( $value ); 1798 } 1799 } elseif ( 'db' === $context ) { 1800 if ( $prefixed ) { 1801 /** This filter is documented in wp-includes/post.php */ 1802 $value = apply_filters( "pre_{$field}", $value ); 1803 } else { 1804 1805 /** 1806 * Filters the value of a user field in the 'db' context. 1807 * 1808 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1809 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1810 * 1811 * @since 2.9.0 1812 * 1813 * @param mixed $value Value of the prefixed user field. 1814 */ 1815 $value = apply_filters( "pre_user_{$field}", $value ); 1816 } 1817 } else { 1818 // Use display filters by default. 1819 if ( $prefixed ) { 1820 1821 /** This filter is documented in wp-includes/post.php */ 1822 $value = apply_filters( "{$field}", $value, $user_id, $context ); 1823 } else { 1824 1825 /** 1826 * Filters the value of a user field in a standard context. 1827 * 1828 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1829 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1830 * 1831 * @since 2.9.0 1832 * 1833 * @param mixed $value The user object value to sanitize. 1834 * @param int $user_id User ID. 1835 * @param string $context The context to filter within. 1836 */ 1837 $value = apply_filters( "user_{$field}", $value, $user_id, $context ); 1838 } 1839 } 1840 1841 if ( 'user_url' === $field ) { 1842 $value = esc_url( $value ); 1843 } 1844 1845 if ( 'attribute' === $context ) { 1846 $value = esc_attr( $value ); 1847 } elseif ( 'js' === $context ) { 1848 $value = esc_js( $value ); 1849 } 1850 1851 // Restore the type for integer fields after esc_attr(). 1852 if ( in_array( $field, $int_fields, true ) ) { 1853 $value = (int) $value; 1854 } 1855 1856 return $value; 1857 } 1858 1859 /** 1860 * Updates all user caches. 1861 * 1862 * @since 3.0.0 1863 * 1864 * @param object|WP_User $user User object or database row to be cached 1865 * @return void|false Void on success, false on failure. 1866 */ 1867 function update_user_caches( $user ) { 1868 if ( $user instanceof WP_User ) { 1869 if ( ! $user->exists() ) { 1870 return false; 1871 } 1872 1873 $user = $user->data; 1874 } 1875 1876 wp_cache_add( $user->ID, $user, 'users' ); 1877 wp_cache_add( $user->user_login, $user->ID, 'userlogins' ); 1878 wp_cache_add( $user->user_nicename, $user->ID, 'userslugs' ); 1879 1880 if ( ! empty( $user->user_email ) ) { 1881 wp_cache_add( $user->user_email, $user->ID, 'useremail' ); 1882 } 1883 } 1884 1885 /** 1886 * Cleans all user caches. 1887 * 1888 * @since 3.0.0 1889 * @since 4.4.0 'clean_user_cache' action was added. 1890 * @since 6.2.0 User metadata caches are now cleared. 1891 * 1892 * @param WP_User|int $user User object or ID to be cleaned from the cache 1893 */ 1894 function clean_user_cache( $user ) { 1895 if ( is_numeric( $user ) ) { 1896 $user = new WP_User( $user ); 1897 } 1898 1899 if ( ! $user->exists() ) { 1900 return; 1901 } 1902 1903 wp_cache_delete( $user->ID, 'users' ); 1904 wp_cache_delete( $user->user_login, 'userlogins' ); 1905 wp_cache_delete( $user->user_nicename, 'userslugs' ); 1906 1907 if ( ! empty( $user->user_email ) ) { 1908 wp_cache_delete( $user->user_email, 'useremail' ); 1909 } 1910 1911 wp_cache_delete( $user->ID, 'user_meta' ); 1912 wp_cache_set_users_last_changed(); 1913 1914 /** 1915 * Fires immediately after the given user's cache is cleaned. 1916 * 1917 * @since 4.4.0 1918 * 1919 * @param int $user_id User ID. 1920 * @param WP_User $user User object. 1921 */ 1922 do_action( 'clean_user_cache', $user->ID, $user ); 1923 } 1924 1925 /** 1926 * Determines whether the given username exists. 1927 * 1928 * For more information on this and similar theme functions, check out 1929 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 1930 * Conditional Tags} article in the Theme Developer Handbook. 1931 * 1932 * @since 2.0.0 1933 * 1934 * @param string $username The username to check for existence. 1935 * @return int|false The user ID on success, false on failure. 1936 */ 1937 function username_exists( $username ) { 1938 $user = get_user_by( 'login', $username ); 1939 if ( $user ) { 1940 $user_id = $user->ID; 1941 } else { 1942 $user_id = false; 1943 } 1944 1945 /** 1946 * Filters whether the given username exists. 1947 * 1948 * @since 4.9.0 1949 * 1950 * @param int|false $user_id The user ID associated with the username, 1951 * or false if the username does not exist. 1952 * @param string $username The username to check for existence. 1953 */ 1954 return apply_filters( 'username_exists', $user_id, $username ); 1955 } 1956 1957 /** 1958 * Determines whether the given email exists. 1959 * 1960 * For more information on this and similar theme functions, check out 1961 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 1962 * Conditional Tags} article in the Theme Developer Handbook. 1963 * 1964 * @since 2.1.0 1965 * 1966 * @param string $email The email to check for existence. 1967 * @return int|false The user ID on success, false on failure. 1968 */ 1969 function email_exists( $email ) { 1970 $user = get_user_by( 'email', $email ); 1971 if ( $user ) { 1972 $user_id = $user->ID; 1973 } else { 1974 $user_id = false; 1975 } 1976 1977 /** 1978 * Filters whether the given email exists. 1979 * 1980 * @since 5.6.0 1981 * 1982 * @param int|false $user_id The user ID associated with the email, 1983 * or false if the email does not exist. 1984 * @param string $email The email to check for existence. 1985 */ 1986 return apply_filters( 'email_exists', $user_id, $email ); 1987 } 1988 1989 /** 1990 * Checks whether a username is valid. 1991 * 1992 * @since 2.0.1 1993 * @since 4.4.0 Empty sanitized usernames are now considered invalid. 1994 * 1995 * @param string $username Username. 1996 * @return bool Whether username given is valid. 1997 */ 1998 function validate_username( $username ) { 1999 $sanitized = sanitize_user( $username, true ); 2000 $valid = ( $sanitized == $username && ! empty( $sanitized ) ); 2001 2002 /** 2003 * Filters whether the provided username is valid. 2004 * 2005 * @since 2.0.1 2006 * 2007 * @param bool $valid Whether given username is valid. 2008 * @param string $username Username to check. 2009 */ 2010 return apply_filters( 'validate_username', $valid, $username ); 2011 } 2012 2013 /** 2014 * Inserts a user into the database. 2015 * 2016 * Most of the `$userdata` array fields have filters associated with the values. Exceptions are 2017 * 'ID', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl', 2018 * 'user_registered', 'user_activation_key', 'spam', and 'role'. The filters have the prefix 2019 * 'pre_user_' followed by the field name. An example using 'description' would have the filter 2020 * called 'pre_user_description' that can be hooked into. 2021 * 2022 * @since 2.0.0 2023 * @since 3.6.0 The `aim`, `jabber`, and `yim` fields were removed as default user contact 2024 * methods for new installations. See wp_get_user_contact_methods(). 2025 * @since 4.7.0 The `locale` field can be passed to `$userdata`. 2026 * @since 5.3.0 The `user_activation_key` field can be passed to `$userdata`. 2027 * @since 5.3.0 The `spam` field can be passed to `$userdata` (Multisite only). 2028 * @since 5.9.0 The `meta_input` field can be passed to `$userdata` to allow addition of user meta data. 2029 * 2030 * @global wpdb $wpdb WordPress database abstraction object. 2031 * 2032 * @param array|object|WP_User $userdata { 2033 * An array, object, or WP_User object of user data arguments. 2034 * 2035 * @type int $ID User ID. If supplied, the user will be updated. 2036 * @type string $user_pass The plain-text user password for new users. 2037 * Hashed password for existing users. 2038 * @type string $user_login The user's login username. 2039 * @type string $user_nicename The URL-friendly user name. 2040 * @type string $user_url The user URL. 2041 * @type string $user_email The user email address. 2042 * @type string $display_name The user's display name. 2043 * Default is the user's username. 2044 * @type string $nickname The user's nickname. 2045 * Default is the user's username. 2046 * @type string $first_name The user's first name. For new users, will be used 2047 * to build the first part of the user's display name 2048 * if `$display_name` is not specified. 2049 * @type string $last_name The user's last name. For new users, will be used 2050 * to build the second part of the user's display name 2051 * if `$display_name` is not specified. 2052 * @type string $description The user's biographical description. 2053 * @type string $rich_editing Whether to enable the rich-editor for the user. 2054 * Accepts 'true' or 'false' as a string literal, 2055 * not boolean. Default 'true'. 2056 * @type string $syntax_highlighting Whether to enable the rich code editor for the user. 2057 * Accepts 'true' or 'false' as a string literal, 2058 * not boolean. Default 'true'. 2059 * @type string $comment_shortcuts Whether to enable comment moderation keyboard 2060 * shortcuts for the user. Accepts 'true' or 'false' 2061 * as a string literal, not boolean. Default 'false'. 2062 * @type string $admin_color Admin color scheme for the user. Default 'fresh'. 2063 * @type bool $use_ssl Whether the user should always access the admin over 2064 * https. Default false. 2065 * @type string $user_registered Date the user registered in UTC. Format is 'Y-m-d H:i:s'. 2066 * @type string $user_activation_key Password reset key. Default empty. 2067 * @type bool $spam Multisite only. Whether the user is marked as spam. 2068 * Default false. 2069 * @type string $show_admin_bar_front Whether to display the Admin Bar for the user 2070 * on the site's front end. Accepts 'true' or 'false' 2071 * as a string literal, not boolean. Default 'true'. 2072 * @type string $role User's role. 2073 * @type string $locale User's locale. Default empty. 2074 * @type array $meta_input Array of custom user meta values keyed by meta key. 2075 * Default empty. 2076 * } 2077 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not 2078 * be created. 2079 */ 2080 function wp_insert_user( $userdata ) { 2081 global $wpdb; 2082 2083 if ( $userdata instanceof stdClass ) { 2084 $userdata = get_object_vars( $userdata ); 2085 } elseif ( $userdata instanceof WP_User ) { 2086 $userdata = $userdata->to_array(); 2087 } 2088 2089 // Are we updating or creating? 2090 if ( ! empty( $userdata['ID'] ) ) { 2091 $user_id = (int) $userdata['ID']; 2092 $update = true; 2093 $old_user_data = get_userdata( $user_id ); 2094 2095 if ( ! $old_user_data ) { 2096 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2097 } 2098 2099 // Slash current user email to compare it later with slashed new user email. 2100 $old_user_data->user_email = wp_slash( $old_user_data->user_email ); 2101 2102 // Hashed in wp_update_user(), plaintext if called directly. 2103 $user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass; 2104 } else { 2105 $update = false; 2106 // Hash the password. 2107 $user_pass = wp_hash_password( $userdata['user_pass'] ); 2108 } 2109 2110 $sanitized_user_login = sanitize_user( $userdata['user_login'], true ); 2111 2112 /** 2113 * Filters a username after it has been sanitized. 2114 * 2115 * This filter is called before the user is created or updated. 2116 * 2117 * @since 2.0.3 2118 * 2119 * @param string $sanitized_user_login Username after it has been sanitized. 2120 */ 2121 $pre_user_login = apply_filters( 'pre_user_login', $sanitized_user_login ); 2122 2123 // Remove any non-printable chars from the login string to see if we have ended up with an empty username. 2124 $user_login = trim( $pre_user_login ); 2125 2126 // user_login must be between 0 and 60 characters. 2127 if ( empty( $user_login ) ) { 2128 return new WP_Error( 'empty_user_login', __( 'Cannot create a user with an empty login name.' ) ); 2129 } elseif ( mb_strlen( $user_login ) > 60 ) { 2130 return new WP_Error( 'user_login_too_long', __( 'Username may not be longer than 60 characters.' ) ); 2131 } 2132 2133 if ( ! $update && username_exists( $user_login ) ) { 2134 return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) ); 2135 } 2136 2137 /** 2138 * Filters the list of disallowed usernames. 2139 * 2140 * @since 4.4.0 2141 * 2142 * @param array $usernames Array of disallowed usernames. 2143 */ 2144 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() ); 2145 2146 if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ), true ) ) { 2147 return new WP_Error( 'invalid_username', __( 'Sorry, that username is not allowed.' ) ); 2148 } 2149 2150 /* 2151 * If a nicename is provided, remove unsafe user characters before using it. 2152 * Otherwise build a nicename from the user_login. 2153 */ 2154 if ( ! empty( $userdata['user_nicename'] ) ) { 2155 $user_nicename = sanitize_user( $userdata['user_nicename'], true ); 2156 } else { 2157 $user_nicename = mb_substr( $user_login, 0, 50 ); 2158 } 2159 2160 $user_nicename = sanitize_title( $user_nicename ); 2161 2162 /** 2163 * Filters a user's nicename before the user is created or updated. 2164 * 2165 * @since 2.0.3 2166 * 2167 * @param string $user_nicename The user's nicename. 2168 */ 2169 $user_nicename = apply_filters( 'pre_user_nicename', $user_nicename ); 2170 2171 if ( mb_strlen( $user_nicename ) > 50 ) { 2172 return new WP_Error( 'user_nicename_too_long', __( 'Nicename may not be longer than 50 characters.' ) ); 2173 } 2174 2175 $user_nicename_check = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1", $user_nicename, $user_login ) ); 2176 2177 if ( $user_nicename_check ) { 2178 $suffix = 2; 2179 while ( $user_nicename_check ) { 2180 // user_nicename allows 50 chars. Subtract one for a hyphen, plus the length of the suffix. 2181 $base_length = 49 - mb_strlen( $suffix ); 2182 $alt_user_nicename = mb_substr( $user_nicename, 0, $base_length ) . "-$suffix"; 2183 $user_nicename_check = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1", $alt_user_nicename, $user_login ) ); 2184 ++$suffix; 2185 } 2186 $user_nicename = $alt_user_nicename; 2187 } 2188 2189 $raw_user_email = empty( $userdata['user_email'] ) ? '' : $userdata['user_email']; 2190 2191 /** 2192 * Filters a user's email before the user is created or updated. 2193 * 2194 * @since 2.0.3 2195 * 2196 * @param string $raw_user_email The user's email. 2197 */ 2198 $user_email = apply_filters( 'pre_user_email', $raw_user_email ); 2199 2200 /* 2201 * If there is no update, just check for `email_exists`. If there is an update, 2202 * check if current email and new email are the same, and check `email_exists` 2203 * accordingly. 2204 */ 2205 if ( ( ! $update || ( ! empty( $old_user_data ) && 0 !== strcasecmp( $user_email, $old_user_data->user_email ) ) ) 2206 && ! defined( 'WP_IMPORTING' ) 2207 && email_exists( $user_email ) 2208 ) { 2209 return new WP_Error( 'existing_user_email', __( 'Sorry, that email address is already used!' ) ); 2210 } 2211 2212 $raw_user_url = empty( $userdata['user_url'] ) ? '' : $userdata['user_url']; 2213 2214 /** 2215 * Filters a user's URL before the user is created or updated. 2216 * 2217 * @since 2.0.3 2218 * 2219 * @param string $raw_user_url The user's URL. 2220 */ 2221 $user_url = apply_filters( 'pre_user_url', $raw_user_url ); 2222 2223 if ( mb_strlen( $user_url ) > 100 ) { 2224 return new WP_Error( 'user_url_too_long', __( 'User URL may not be longer than 100 characters.' ) ); 2225 } 2226 2227 $user_registered = empty( $userdata['user_registered'] ) ? gmdate( 'Y-m-d H:i:s' ) : $userdata['user_registered']; 2228 2229 $user_activation_key = empty( $userdata['user_activation_key'] ) ? '' : $userdata['user_activation_key']; 2230 2231 if ( ! empty( $userdata['spam'] ) && ! is_multisite() ) { 2232 return new WP_Error( 'no_spam', __( 'Sorry, marking a user as spam is only supported on Multisite.' ) ); 2233 } 2234 2235 $spam = empty( $userdata['spam'] ) ? 0 : (bool) $userdata['spam']; 2236 2237 // Store values to save in user meta. 2238 $meta = array(); 2239 2240 $nickname = empty( $userdata['nickname'] ) ? $user_login : $userdata['nickname']; 2241 2242 /** 2243 * Filters a user's nickname before the user is created or updated. 2244 * 2245 * @since 2.0.3 2246 * 2247 * @param string $nickname The user's nickname. 2248 */ 2249 $meta['nickname'] = apply_filters( 'pre_user_nickname', $nickname ); 2250 2251 $first_name = empty( $userdata['first_name'] ) ? '' : $userdata['first_name']; 2252 2253 /** 2254 * Filters a user's first name before the user is created or updated. 2255 * 2256 * @since 2.0.3 2257 * 2258 * @param string $first_name The user's first name. 2259 */ 2260 $meta['first_name'] = apply_filters( 'pre_user_first_name', $first_name ); 2261 2262 $last_name = empty( $userdata['last_name'] ) ? '' : $userdata['last_name']; 2263 2264 /** 2265 * Filters a user's last name before the user is created or updated. 2266 * 2267 * @since 2.0.3 2268 * 2269 * @param string $last_name The user's last name. 2270 */ 2271 $meta['last_name'] = apply_filters( 'pre_user_last_name', $last_name ); 2272 2273 if ( empty( $userdata['display_name'] ) ) { 2274 if ( $update ) { 2275 $display_name = $user_login; 2276 } elseif ( $meta['first_name'] && $meta['last_name'] ) { 2277 $display_name = sprintf( 2278 /* translators: 1: User's first name, 2: Last name. */ 2279 _x( '%1$s %2$s', 'Display name based on first name and last name' ), 2280 $meta['first_name'], 2281 $meta['last_name'] 2282 ); 2283 } elseif ( $meta['first_name'] ) { 2284 $display_name = $meta['first_name']; 2285 } elseif ( $meta['last_name'] ) { 2286 $display_name = $meta['last_name']; 2287 } else { 2288 $display_name = $user_login; 2289 } 2290 } else { 2291 $display_name = $userdata['display_name']; 2292 } 2293 2294 /** 2295 * Filters a user's display name before the user is created or updated. 2296 * 2297 * @since 2.0.3 2298 * 2299 * @param string $display_name The user's display name. 2300 */ 2301 $display_name = apply_filters( 'pre_user_display_name', $display_name ); 2302 2303 $description = empty( $userdata['description'] ) ? '' : $userdata['description']; 2304 2305 /** 2306 * Filters a user's description before the user is created or updated. 2307 * 2308 * @since 2.0.3 2309 * 2310 * @param string $description The user's description. 2311 */ 2312 $meta['description'] = apply_filters( 'pre_user_description', $description ); 2313 2314 $meta['rich_editing'] = empty( $userdata['rich_editing'] ) ? 'true' : $userdata['rich_editing']; 2315 2316 $meta['syntax_highlighting'] = empty( $userdata['syntax_highlighting'] ) ? 'true' : $userdata['syntax_highlighting']; 2317 2318 $meta['comment_shortcuts'] = empty( $userdata['comment_shortcuts'] ) || 'false' === $userdata['comment_shortcuts'] ? 'false' : 'true'; 2319 2320 $admin_color = empty( $userdata['admin_color'] ) ? 'fresh' : $userdata['admin_color']; 2321 $meta['admin_color'] = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $admin_color ); 2322 2323 $meta['use_ssl'] = empty( $userdata['use_ssl'] ) ? 0 : (bool) $userdata['use_ssl']; 2324 2325 $meta['show_admin_bar_front'] = empty( $userdata['show_admin_bar_front'] ) ? 'true' : $userdata['show_admin_bar_front']; 2326 2327 $meta['locale'] = isset( $userdata['locale'] ) ? $userdata['locale'] : ''; 2328 2329 $compacted = compact( 'user_pass', 'user_nicename', 'user_email', 'user_url', 'user_registered', 'user_activation_key', 'display_name' ); 2330 $data = wp_unslash( $compacted ); 2331 2332 if ( ! $update ) { 2333 $data = $data + compact( 'user_login' ); 2334 } 2335 2336 if ( is_multisite() ) { 2337 $data = $data + compact( 'spam' ); 2338 } 2339 2340 /** 2341 * Filters user data before the record is created or updated. 2342 * 2343 * It only includes data in the users table, not any user metadata. 2344 * 2345 * @since 4.9.0 2346 * @since 5.8.0 The `$userdata` parameter was added. 2347 * 2348 * @param array $data { 2349 * Values and keys for the user. 2350 * 2351 * @type string $user_login The user's login. Only included if $update == false 2352 * @type string $user_pass The user's password. 2353 * @type string $user_email The user's email. 2354 * @type string $user_url The user's url. 2355 * @type string $user_nicename The user's nice name. Defaults to a URL-safe version of user's login 2356 * @type string $display_name The user's display name. 2357 * @type string $user_registered MySQL timestamp describing the moment when the user registered. Defaults to 2358 * the current UTC timestamp. 2359 * } 2360 * @param bool $update Whether the user is being updated rather than created. 2361 * @param int|null $user_id ID of the user to be updated, or NULL if the user is being created. 2362 * @param array $userdata The raw array of data passed to wp_insert_user(). 2363 */ 2364 $data = apply_filters( 'wp_pre_insert_user_data', $data, $update, ( $update ? $user_id : null ), $userdata ); 2365 2366 if ( empty( $data ) || ! is_array( $data ) ) { 2367 return new WP_Error( 'empty_data', __( 'Not enough data to create this user.' ) ); 2368 } 2369 2370 if ( $update ) { 2371 if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) { 2372 $data['user_activation_key'] = ''; 2373 } 2374 $wpdb->update( $wpdb->users, $data, array( 'ID' => $user_id ) ); 2375 } else { 2376 $wpdb->insert( $wpdb->users, $data ); 2377 $user_id = (int) $wpdb->insert_id; 2378 } 2379 2380 $user = new WP_User( $user_id ); 2381 2382 /** 2383 * Filters a user's meta values and keys immediately after the user is created or updated 2384 * and before any user meta is inserted or updated. 2385 * 2386 * Does not include contact methods. These are added using `wp_get_user_contact_methods( $user )`. 2387 * 2388 * For custom meta fields, see the {@see 'insert_custom_user_meta'} filter. 2389 * 2390 * @since 4.4.0 2391 * @since 5.8.0 The `$userdata` parameter was added. 2392 * 2393 * @param array $meta { 2394 * Default meta values and keys for the user. 2395 * 2396 * @type string $nickname The user's nickname. Default is the user's username. 2397 * @type string $first_name The user's first name. 2398 * @type string $last_name The user's last name. 2399 * @type string $description The user's description. 2400 * @type string $rich_editing Whether to enable the rich-editor for the user. Default 'true'. 2401 * @type string $syntax_highlighting Whether to enable the rich code editor for the user. Default 'true'. 2402 * @type string $comment_shortcuts Whether to enable keyboard shortcuts for the user. Default 'false'. 2403 * @type string $admin_color The color scheme for a user's admin screen. Default 'fresh'. 2404 * @type int|bool $use_ssl Whether to force SSL on the user's admin area. 0|false if SSL 2405 * is not forced. 2406 * @type string $show_admin_bar_front Whether to show the admin bar on the front end for the user. 2407 * Default 'true'. 2408 * @type string $locale User's locale. Default empty. 2409 * } 2410 * @param WP_User $user User object. 2411 * @param bool $update Whether the user is being updated rather than created. 2412 * @param array $userdata The raw array of data passed to wp_insert_user(). 2413 */ 2414 $meta = apply_filters( 'insert_user_meta', $meta, $user, $update, $userdata ); 2415 2416 $custom_meta = array(); 2417 if ( array_key_exists( 'meta_input', $userdata ) && is_array( $userdata['meta_input'] ) && ! empty( $userdata['meta_input'] ) ) { 2418 $custom_meta = $userdata['meta_input']; 2419 } 2420 2421 /** 2422 * Filters a user's custom meta values and keys immediately after the user is created or updated 2423 * and before any user meta is inserted or updated. 2424 * 2425 * For non-custom meta fields, see the {@see 'insert_user_meta'} filter. 2426 * 2427 * @since 5.9.0 2428 * 2429 * @param array $custom_meta Array of custom user meta values keyed by meta key. 2430 * @param WP_User $user User object. 2431 * @param bool $update Whether the user is being updated rather than created. 2432 * @param array $userdata The raw array of data passed to wp_insert_user(). 2433 */ 2434 $custom_meta = apply_filters( 'insert_custom_user_meta', $custom_meta, $user, $update, $userdata ); 2435 2436 $meta = array_merge( $meta, $custom_meta ); 2437 2438 if ( $update ) { 2439 // Update user meta. 2440 foreach ( $meta as $key => $value ) { 2441 update_user_meta( $user_id, $key, $value ); 2442 } 2443 } else { 2444 // Add user meta. 2445 foreach ( $meta as $key => $value ) { 2446 add_user_meta( $user_id, $key, $value ); 2447 } 2448 } 2449 2450 foreach ( wp_get_user_contact_methods( $user ) as $key => $value ) { 2451 if ( isset( $userdata[ $key ] ) ) { 2452 update_user_meta( $user_id, $key, $userdata[ $key ] ); 2453 } 2454 } 2455 2456 if ( isset( $userdata['role'] ) ) { 2457 $user->set_role( $userdata['role'] ); 2458 } elseif ( ! $update ) { 2459 $user->set_role( get_option( 'default_role' ) ); 2460 } 2461 2462 clean_user_cache( $user_id ); 2463 2464 if ( $update ) { 2465 /** 2466 * Fires immediately after an existing user is updated. 2467 * 2468 * @since 2.0.0 2469 * @since 5.8.0 The `$userdata` parameter was added. 2470 * 2471 * @param int $user_id User ID. 2472 * @param WP_User $old_user_data Object containing user's data prior to update. 2473 * @param array $userdata The raw array of data passed to wp_insert_user(). 2474 */ 2475 do_action( 'profile_update', $user_id, $old_user_data, $userdata ); 2476 2477 if ( isset( $userdata['spam'] ) && $userdata['spam'] != $old_user_data->spam ) { 2478 if ( 1 == $userdata['spam'] ) { 2479 /** 2480 * Fires after the user is marked as a SPAM user. 2481 * 2482 * @since 3.0.0 2483 * 2484 * @param int $user_id ID of the user marked as SPAM. 2485 */ 2486 do_action( 'make_spam_user', $user_id ); 2487 } else { 2488 /** 2489 * Fires after the user is marked as a HAM user. Opposite of SPAM. 2490 * 2491 * @since 3.0.0 2492 * 2493 * @param int $user_id ID of the user marked as HAM. 2494 */ 2495 do_action( 'make_ham_user', $user_id ); 2496 } 2497 } 2498 } else { 2499 /** 2500 * Fires immediately after a new user is registered. 2501 * 2502 * @since 1.5.0 2503 * @since 5.8.0 The `$userdata` parameter was added. 2504 * 2505 * @param int $user_id User ID. 2506 * @param array $userdata The raw array of data passed to wp_insert_user(). 2507 */ 2508 do_action( 'user_register', $user_id, $userdata ); 2509 } 2510 2511 return $user_id; 2512 } 2513 2514 /** 2515 * Updates a user in the database. 2516 * 2517 * It is possible to update a user's password by specifying the 'user_pass' 2518 * value in the $userdata parameter array. 2519 * 2520 * If current user's password is being updated, then the cookies will be 2521 * cleared. 2522 * 2523 * @since 2.0.0 2524 * 2525 * @see wp_insert_user() For what fields can be set in $userdata. 2526 * 2527 * @param array|object|WP_User $userdata An array of user data or a user object of type stdClass or WP_User. 2528 * @return int|WP_Error The updated user's ID or a WP_Error object if the user could not be updated. 2529 */ 2530 function wp_update_user( $userdata ) { 2531 if ( $userdata instanceof stdClass ) { 2532 $userdata = get_object_vars( $userdata ); 2533 } elseif ( $userdata instanceof WP_User ) { 2534 $userdata = $userdata->to_array(); 2535 } 2536 2537 $userdata_raw = $userdata; 2538 2539 $user_id = isset( $userdata['ID'] ) ? (int) $userdata['ID'] : 0; 2540 if ( ! $user_id ) { 2541 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2542 } 2543 2544 // First, get all of the original fields. 2545 $user_obj = get_userdata( $user_id ); 2546 if ( ! $user_obj ) { 2547 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2548 } 2549 2550 $user = $user_obj->to_array(); 2551 2552 // Add additional custom fields. 2553 foreach ( _get_additional_user_keys( $user_obj ) as $key ) { 2554 $user[ $key ] = get_user_meta( $user_id, $key, true ); 2555 } 2556 2557 // Escape data pulled from DB. 2558 $user = add_magic_quotes( $user ); 2559 2560 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) { 2561 // If password is changing, hash it now. 2562 $plaintext_pass = $userdata['user_pass']; 2563 $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] ); 2564 2565 /** 2566 * Filters whether to send the password change email. 2567 * 2568 * @since 4.3.0 2569 * 2570 * @see wp_insert_user() For `$user` and `$userdata` fields. 2571 * 2572 * @param bool $send Whether to send the email. 2573 * @param array $user The original user array. 2574 * @param array $userdata The updated user array. 2575 */ 2576 $send_password_change_email = apply_filters( 'send_password_change_email', true, $user, $userdata ); 2577 } 2578 2579 if ( isset( $userdata['user_email'] ) && $user['user_email'] !== $userdata['user_email'] ) { 2580 /** 2581 * Filters whether to send the email change email. 2582 * 2583 * @since 4.3.0 2584 * 2585 * @see wp_insert_user() For `$user` and `$userdata` fields. 2586 * 2587 * @param bool $send Whether to send the email. 2588 * @param array $user The original user array. 2589 * @param array $userdata The updated user array. 2590 */ 2591 $send_email_change_email = apply_filters( 'send_email_change_email', true, $user, $userdata ); 2592 } 2593 2594 clean_user_cache( $user_obj ); 2595 2596 // Merge old and new fields with new fields overwriting old ones. 2597 $userdata = array_merge( $user, $userdata ); 2598 $user_id = wp_insert_user( $userdata ); 2599 2600 if ( is_wp_error( $user_id ) ) { 2601 return $user_id; 2602 } 2603 2604 $blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 2605 2606 $switched_locale = false; 2607 if ( ! empty( $send_password_change_email ) || ! empty( $send_email_change_email ) ) { 2608 $switched_locale = switch_to_user_locale( $user_id ); 2609 } 2610 2611 if ( ! empty( $send_password_change_email ) ) { 2612 /* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 2613 $pass_change_text = __( 2614 'Hi ###USERNAME###, 2615 2616 This notice confirms that your password was changed on ###SITENAME###. 2617 2618 If you did not change your password, please contact the Site Administrator at 2619 ###ADMIN_EMAIL### 2620 2621 This email has been sent to ###EMAIL### 2622 2623 Regards, 2624 All at ###SITENAME### 2625 ###SITEURL###' 2626 ); 2627 2628 $pass_change_email = array( 2629 'to' => $user['user_email'], 2630 /* translators: Password change notification email subject. %s: Site title. */ 2631 'subject' => __( '[%s] Password Changed' ), 2632 'message' => $pass_change_text, 2633 'headers' => '', 2634 ); 2635 2636 /** 2637 * Filters the contents of the email sent when the user's password is changed. 2638 * 2639 * @since 4.3.0 2640 * 2641 * @param array $pass_change_email { 2642 * Used to build wp_mail(). 2643 * 2644 * @type string $to The intended recipients. Add emails in a comma separated string. 2645 * @type string $subject The subject of the email. 2646 * @type string $message The content of the email. 2647 * The following strings have a special meaning and will get replaced dynamically: 2648 * - ###USERNAME### The current user's username. 2649 * - ###ADMIN_EMAIL### The admin email in case this was unexpected. 2650 * - ###EMAIL### The user's email address. 2651 * - ###SITENAME### The name of the site. 2652 * - ###SITEURL### The URL to the site. 2653 * @type string $headers Headers. Add headers in a newline (\r\n) separated string. 2654 * } 2655 * @param array $user The original user array. 2656 * @param array $userdata The updated user array. 2657 */ 2658 $pass_change_email = apply_filters( 'password_change_email', $pass_change_email, $user, $userdata ); 2659 2660 $pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] ); 2661 $pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] ); 2662 $pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] ); 2663 $pass_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $pass_change_email['message'] ); 2664 $pass_change_email['message'] = str_replace( '###SITEURL###', home_url(), $pass_change_email['message'] ); 2665 2666 wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] ); 2667 } 2668 2669 if ( ! empty( $send_email_change_email ) ) { 2670 /* translators: Do not translate USERNAME, ADMIN_EMAIL, NEW_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 2671 $email_change_text = __( 2672 'Hi ###USERNAME###, 2673 2674 This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###. 2675 2676 If you did not change your email, please contact the Site Administrator at 2677 ###ADMIN_EMAIL### 2678 2679 This email has been sent to ###EMAIL### 2680 2681 Regards, 2682 All at ###SITENAME### 2683 ###SITEURL###' 2684 ); 2685 2686 $email_change_email = array( 2687 'to' => $user['user_email'], 2688 /* translators: Email change notification email subject. %s: Site title. */ 2689 'subject' => __( '[%s] Email Changed' ), 2690 'message' => $email_change_text, 2691 'headers' => '', 2692 ); 2693 2694 /** 2695 * Filters the contents of the email sent when the user's email is changed. 2696 * 2697 * @since 4.3.0 2698 * 2699 * @param array $email_change_email { 2700 * Used to build wp_mail(). 2701 * 2702 * @type string $to The intended recipients. 2703 * @type string $subject The subject of the email. 2704 * @type string $message The content of the email. 2705 * The following strings have a special meaning and will get replaced dynamically: 2706 * - ###USERNAME### The current user's username. 2707 * - ###ADMIN_EMAIL### The admin email in case this was unexpected. 2708 * - ###NEW_EMAIL### The new email address. 2709 * - ###EMAIL### The old email address. 2710 * - ###SITENAME### The name of the site. 2711 * - ###SITEURL### The URL to the site. 2712 * @type string $headers Headers. 2713 * } 2714 * @param array $user The original user array. 2715 * @param array $userdata The updated user array. 2716 */ 2717 $email_change_email = apply_filters( 'email_change_email', $email_change_email, $user, $userdata ); 2718 2719 $email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] ); 2720 $email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] ); 2721 $email_change_email['message'] = str_replace( '###NEW_EMAIL###', $userdata['user_email'], $email_change_email['message'] ); 2722 $email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] ); 2723 $email_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $email_change_email['message'] ); 2724 $email_change_email['message'] = str_replace( '###SITEURL###', home_url(), $email_change_email['message'] ); 2725 2726 wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] ); 2727 } 2728 2729 if ( $switched_locale ) { 2730 restore_previous_locale(); 2731 } 2732 2733 // Update the cookies if the password changed. 2734 $current_user = wp_get_current_user(); 2735 if ( $current_user->ID == $user_id ) { 2736 if ( isset( $plaintext_pass ) ) { 2737 wp_clear_auth_cookie(); 2738 2739 /* 2740 * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration. 2741 * If it's greater than this, then we know the user checked 'Remember Me' when they logged in. 2742 */ 2743 $logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' ); 2744 /** This filter is documented in wp-includes/pluggable.php */ 2745 $default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false ); 2746 $remember = false; 2747 if ( false !== $logged_in_cookie && ( $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) { 2748 $remember = true; 2749 } 2750 2751 wp_set_auth_cookie( $user_id, $remember ); 2752 } 2753 } 2754 2755 /** 2756 * Fires after the user has been updated and emails have been sent. 2757 * 2758 * @since 6.3.0 2759 * 2760 * @param int $user_id The ID of the user that was just updated. 2761 * @param array $userdata The array of user data that was updated. 2762 * @param array $userdata_raw The unedited array of user data that was updated. 2763 */ 2764 do_action( 'wp_update_user', $user_id, $userdata, $userdata_raw ); 2765 2766 return $user_id; 2767 } 2768 2769 /** 2770 * Provides a simpler way of inserting a user into the database. 2771 * 2772 * Creates a new user with just the username, password, and email. For more 2773 * complex user creation use wp_insert_user() to specify more information. 2774 * 2775 * @since 2.0.0 2776 * 2777 * @see wp_insert_user() More complete way to create a new user. 2778 * 2779 * @param string $username The user's username. 2780 * @param string $password The user's password. 2781 * @param string $email Optional. The user's email. Default empty. 2782 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not 2783 * be created. 2784 */ 2785 function wp_create_user( $username, $password, $email = '' ) { 2786 $user_login = wp_slash( $username ); 2787 $user_email = wp_slash( $email ); 2788 $user_pass = $password; 2789 2790 $userdata = compact( 'user_login', 'user_email', 'user_pass' ); 2791 return wp_insert_user( $userdata ); 2792 } 2793 2794 /** 2795 * Returns a list of meta keys to be (maybe) populated in wp_update_user(). 2796 * 2797 * The list of keys returned via this function are dependent on the presence 2798 * of those keys in the user meta data to be set. 2799 * 2800 * @since 3.3.0 2801 * @access private 2802 * 2803 * @param WP_User $user WP_User instance. 2804 * @return string[] List of user keys to be populated in wp_update_user(). 2805 */ 2806 function _get_additional_user_keys( $user ) { 2807 $keys = array( 'first_name', 'last_name', 'nickname', 'description', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl', 'show_admin_bar_front', 'locale' ); 2808 return array_merge( $keys, array_keys( wp_get_user_contact_methods( $user ) ) ); 2809 } 2810 2811 /** 2812 * Sets up the user contact methods. 2813 * 2814 * Default contact methods were removed in 3.6. A filter dictates contact methods. 2815 * 2816 * @since 3.7.0 2817 * 2818 * @param WP_User|null $user Optional. WP_User object. 2819 * @return string[] Array of contact method labels keyed by contact method. 2820 */ 2821 function wp_get_user_contact_methods( $user = null ) { 2822 $methods = array(); 2823 if ( get_site_option( 'initial_db_version' ) < 23588 ) { 2824 $methods = array( 2825 'aim' => __( 'AIM' ), 2826 'yim' => __( 'Yahoo IM' ), 2827 'jabber' => __( 'Jabber / Google Talk' ), 2828 ); 2829 } 2830 2831 /** 2832 * Filters the user contact methods. 2833 * 2834 * @since 2.9.0 2835 * 2836 * @param string[] $methods Array of contact method labels keyed by contact method. 2837 * @param WP_User|null $user WP_User object or null if none was provided. 2838 */ 2839 return apply_filters( 'user_contactmethods', $methods, $user ); 2840 } 2841 2842 /** 2843 * The old private function for setting up user contact methods. 2844 * 2845 * Use wp_get_user_contact_methods() instead. 2846 * 2847 * @since 2.9.0 2848 * @access private 2849 * 2850 * @param WP_User|null $user Optional. WP_User object. Default null. 2851 * @return string[] Array of contact method labels keyed by contact method. 2852 */ 2853 function _wp_get_user_contactmethods( $user = null ) { 2854 return wp_get_user_contact_methods( $user ); 2855 } 2856 2857 /** 2858 * Gets the text suggesting how to create strong passwords. 2859 * 2860 * @since 4.1.0 2861 * 2862 * @return string The password hint text. 2863 */ 2864 function wp_get_password_hint() { 2865 $hint = __( 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).' ); 2866 2867 /** 2868 * Filters the text describing the site's password complexity policy. 2869 * 2870 * @since 4.1.0 2871 * 2872 * @param string $hint The password hint text. 2873 */ 2874 return apply_filters( 'password_hint', $hint ); 2875 } 2876 2877 /** 2878 * Creates, stores, then returns a password reset key for user. 2879 * 2880 * @since 4.4.0 2881 * 2882 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 2883 * 2884 * @param WP_User $user User to retrieve password reset key for. 2885 * @return string|WP_Error Password reset key on success. WP_Error on error. 2886 */ 2887 function get_password_reset_key( $user ) { 2888 global $wp_hasher; 2889 2890 if ( ! ( $user instanceof WP_User ) ) { 2891 return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 2892 } 2893 2894 /** 2895 * Fires before a new password is retrieved. 2896 * 2897 * Use the {@see 'retrieve_password'} hook instead. 2898 * 2899 * @since 1.5.0 2900 * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead. 2901 * 2902 * @param string $user_login The user login name. 2903 */ 2904 do_action_deprecated( 'retreive_password', array( $user->user_login ), '1.5.1', 'retrieve_password' ); 2905 2906 /** 2907 * Fires before a new password is retrieved. 2908 * 2909 * @since 1.5.1 2910 * 2911 * @param string $user_login The user login name. 2912 */ 2913 do_action( 'retrieve_password', $user->user_login ); 2914 2915 $password_reset_allowed = wp_is_password_reset_allowed_for_user( $user ); 2916 if ( ! $password_reset_allowed ) { 2917 return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) ); 2918 } elseif ( is_wp_error( $password_reset_allowed ) ) { 2919 return $password_reset_allowed; 2920 } 2921 2922 // Generate something random for a password reset key. 2923 $key = wp_generate_password( 20, false ); 2924 2925 /** 2926 * Fires when a password reset key is generated. 2927 * 2928 * @since 2.5.0 2929 * 2930 * @param string $user_login The username for the user. 2931 * @param string $key The generated password reset key. 2932 */ 2933 do_action( 'retrieve_password_key', $user->user_login, $key ); 2934 2935 // Now insert the key, hashed, into the DB. 2936 if ( empty( $wp_hasher ) ) { 2937 require_once ABSPATH . WPINC . '/class-phpass.php'; 2938 $wp_hasher = new PasswordHash( 8, true ); 2939 } 2940 2941 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 2942 2943 $key_saved = wp_update_user( 2944 array( 2945 'ID' => $user->ID, 2946 'user_activation_key' => $hashed, 2947 ) 2948 ); 2949 2950 if ( is_wp_error( $key_saved ) ) { 2951 return $key_saved; 2952 } 2953 2954 return $key; 2955 } 2956 2957 /** 2958 * Retrieves a user row based on password reset key and login. 2959 * 2960 * A key is considered 'expired' if it exactly matches the value of the 2961 * user_activation_key field, rather than being matched after going through the 2962 * hashing process. This field is now hashed; old values are no longer accepted 2963 * but have a different WP_Error code so good user feedback can be provided. 2964 * 2965 * @since 3.1.0 2966 * 2967 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 2968 * 2969 * @param string $key Hash to validate sending user's password. 2970 * @param string $login The user login. 2971 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys. 2972 */ 2973 function check_password_reset_key( $key, $login ) { 2974 global $wp_hasher; 2975 2976 $key = preg_replace( '/[^a-z0-9]/i', '', $key ); 2977 2978 if ( empty( $key ) || ! is_string( $key ) ) { 2979 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 2980 } 2981 2982 if ( empty( $login ) || ! is_string( $login ) ) { 2983 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 2984 } 2985 2986 $user = get_user_by( 'login', $login ); 2987 2988 if ( ! $user ) { 2989 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 2990 } 2991 2992 if ( empty( $wp_hasher ) ) { 2993 require_once ABSPATH . WPINC . '/class-phpass.php'; 2994 $wp_hasher = new PasswordHash( 8, true ); 2995 } 2996 2997 /** 2998 * Filters the expiration time of password reset keys. 2999 * 3000 * @since 4.3.0 3001 * 3002 * @param int $expiration The expiration time in seconds. 3003 */ 3004 $expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS ); 3005 3006 if ( str_contains( $user->user_activation_key, ':' ) ) { 3007 list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 ); 3008 $expiration_time = $pass_request_time + $expiration_duration; 3009 } else { 3010 $pass_key = $user->user_activation_key; 3011 $expiration_time = false; 3012 } 3013 3014 if ( ! $pass_key ) { 3015 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3016 } 3017 3018 $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key ); 3019 3020 if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) { 3021 return $user; 3022 } elseif ( $hash_is_correct && $expiration_time ) { 3023 // Key has an expiration time that's passed. 3024 return new WP_Error( 'expired_key', __( 'Invalid key.' ) ); 3025 } 3026 3027 if ( hash_equals( $user->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) { 3028 $return = new WP_Error( 'expired_key', __( 'Invalid key.' ) ); 3029 $user_id = $user->ID; 3030 3031 /** 3032 * Filters the return value of check_password_reset_key() when an 3033 * old-style key is used. 3034 * 3035 * @since 3.7.0 Previously plain-text keys were stored in the database. 3036 * @since 4.3.0 Previously key hashes were stored without an expiration time. 3037 * 3038 * @param WP_Error $return A WP_Error object denoting an expired key. 3039 * Return a WP_User object to validate the key. 3040 * @param int $user_id The matched user ID. 3041 */ 3042 return apply_filters( 'password_reset_key_expired', $return, $user_id ); 3043 } 3044 3045 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3046 } 3047 3048 /** 3049 * Handles sending a password retrieval email to a user. 3050 * 3051 * @since 2.5.0 3052 * @since 5.7.0 Added `$user_login` parameter. 3053 * 3054 * @global wpdb $wpdb WordPress database abstraction object. 3055 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 3056 * 3057 * @param string $user_login Optional. Username to send a password retrieval email for. 3058 * Defaults to `$_POST['user_login']` if not set. 3059 * @return true|WP_Error True when finished, WP_Error object on error. 3060 */ 3061 function retrieve_password( $user_login = null ) { 3062 $errors = new WP_Error(); 3063 $user_data = false; 3064 3065 // Use the passed $user_login if available, otherwise use $_POST['user_login']. 3066 if ( ! $user_login && ! empty( $_POST['user_login'] ) ) { 3067 $user_login = $_POST['user_login']; 3068 } 3069 3070 $user_login = trim( wp_unslash( $user_login ) ); 3071 3072 if ( empty( $user_login ) ) { 3073 $errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username or email address.' ) ); 3074 } elseif ( strpos( $user_login, '@' ) ) { 3075 $user_data = get_user_by( 'email', $user_login ); 3076 3077 if ( empty( $user_data ) ) { 3078 $user_data = get_user_by( 'login', $user_login ); 3079 } 3080 3081 if ( empty( $user_data ) ) { 3082 $errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 3083 } 3084 } else { 3085 $user_data = get_user_by( 'login', $user_login ); 3086 } 3087 3088 /** 3089 * Filters the user data during a password reset request. 3090 * 3091 * Allows, for example, custom validation using data other than username or email address. 3092 * 3093 * @since 5.7.0 3094 * 3095 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3096 * @param WP_Error $errors A WP_Error object containing any errors generated 3097 * by using invalid credentials. 3098 */ 3099 $user_data = apply_filters( 'lostpassword_user_data', $user_data, $errors ); 3100 3101 /** 3102 * Fires before errors are returned from a password reset request. 3103 * 3104 * @since 2.1.0 3105 * @since 4.4.0 Added the `$errors` parameter. 3106 * @since 5.4.0 Added the `$user_data` parameter. 3107 * 3108 * @param WP_Error $errors A WP_Error object containing any errors generated 3109 * by using invalid credentials. 3110 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3111 */ 3112 do_action( 'lostpassword_post', $errors, $user_data ); 3113 3114 /** 3115 * Filters the errors encountered on a password reset request. 3116 * 3117 * The filtered WP_Error object may, for example, contain errors for an invalid 3118 * username or email address. A WP_Error object should always be returned, 3119 * but may or may not contain errors. 3120 * 3121 * If any errors are present in $errors, this will abort the password reset request. 3122 * 3123 * @since 5.5.0 3124 * 3125 * @param WP_Error $errors A WP_Error object containing any errors generated 3126 * by using invalid credentials. 3127 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3128 */ 3129 $errors = apply_filters( 'lostpassword_errors', $errors, $user_data ); 3130 3131 if ( $errors->has_errors() ) { 3132 return $errors; 3133 } 3134 3135 if ( ! $user_data ) { 3136 $errors->add( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 3137 return $errors; 3138 } 3139 3140 /** 3141 * Filters whether to send the retrieve password email. 3142 * 3143 * Return false to disable sending the email. 3144 * 3145 * @since 6.0.0 3146 * 3147 * @param bool $send Whether to send the email. 3148 * @param string $user_login The username for the user. 3149 * @param WP_User $user_data WP_User object. 3150 */ 3151 if ( ! apply_filters( 'send_retrieve_password_email', true, $user_login, $user_data ) ) { 3152 return true; 3153 } 3154 3155 // Redefining user_login ensures we return the right case in the email. 3156 $user_login = $user_data->user_login; 3157 $user_email = $user_data->user_email; 3158 $key = get_password_reset_key( $user_data ); 3159 3160 if ( is_wp_error( $key ) ) { 3161 return $key; 3162 } 3163 3164 // Localize password reset message content for user. 3165 $locale = get_user_locale( $user_data ); 3166 3167 $switched_locale = switch_to_user_locale( $user_data->ID ); 3168 3169 if ( is_multisite() ) { 3170 $site_name = get_network()->site_name; 3171 } else { 3172 /* 3173 * The blogname option is escaped with esc_html on the way into the database 3174 * in sanitize_option. We want to reverse this for the plain text arena of emails. 3175 */ 3176 $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 3177 } 3178 3179 $message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n"; 3180 /* translators: %s: Site name. */ 3181 $message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n"; 3182 /* translators: %s: User login. */ 3183 $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n"; 3184 $message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n"; 3185 $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n"; 3186 $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; 3187 3188 if ( ! is_user_logged_in() ) { 3189 $requester_ip = $_SERVER['REMOTE_ADDR']; 3190 if ( $requester_ip ) { 3191 $message .= sprintf( 3192 /* translators: %s: IP address of password reset requester. */ 3193 __( 'This password reset request originated from the IP address %s.' ), 3194 $requester_ip 3195 ) . "\r\n"; 3196 } 3197 } 3198 3199 /* translators: Password reset notification email subject. %s: Site title. */ 3200 $title = sprintf( __( '[%s] Password Reset' ), $site_name ); 3201 3202 /** 3203 * Filters the subject of the password reset email. 3204 * 3205 * @since 2.8.0 3206 * @since 4.4.0 Added the `$user_login` and `$user_data` parameters. 3207 * 3208 * @param string $title Email subject. 3209 * @param string $user_login The username for the user. 3210 * @param WP_User $user_data WP_User object. 3211 */ 3212 $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data ); 3213 3214 /** 3215 * Filters the message body of the password reset mail. 3216 * 3217 * If the filtered message is empty, the password reset email will not be sent. 3218 * 3219 * @since 2.8.0 3220 * @since 4.1.0 Added `$user_login` and `$user_data` parameters. 3221 * 3222 * @param string $message Email message. 3223 * @param string $key The activation key. 3224 * @param string $user_login The username for the user. 3225 * @param WP_User $user_data WP_User object. 3226 */ 3227 $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data ); 3228 3229 // Short-circuit on falsey $message value for backwards compatibility. 3230 if ( ! $message ) { 3231 return true; 3232 } 3233 3234 /* 3235 * Wrap the single notification email arguments in an array 3236 * to pass them to the retrieve_password_notification_email filter. 3237 */ 3238 $defaults = array( 3239 'to' => $user_email, 3240 'subject' => $title, 3241 'message' => $message, 3242 'headers' => '', 3243 ); 3244 3245 /** 3246 * Filters the contents of the reset password notification email sent to the user. 3247 * 3248 * @since 6.0.0 3249 * 3250 * @param array $defaults { 3251 * The default notification email arguments. Used to build wp_mail(). 3252 * 3253 * @type string $to The intended recipient - user email address. 3254 * @type string $subject The subject of the email. 3255 * @type string $message The body of the email. 3256 * @type string $headers The headers of the email. 3257 * } 3258 * @type string $key The activation key. 3259 * @type string $user_login The username for the user. 3260 * @type WP_User $user_data WP_User object. 3261 */ 3262 $notification_email = apply_filters( 'retrieve_password_notification_email', $defaults, $key, $user_login, $user_data ); 3263 3264 if ( $switched_locale ) { 3265 restore_previous_locale(); 3266 } 3267 3268 if ( is_array( $notification_email ) ) { 3269 // Force key order and merge defaults in case any value is missing in the filtered array. 3270 $notification_email = array_merge( $defaults, $notification_email ); 3271 } else { 3272 $notification_email = $defaults; 3273 } 3274 3275 list( $to, $subject, $message, $headers ) = array_values( $notification_email ); 3276 3277 $subject = wp_specialchars_decode( $subject ); 3278 3279 if ( ! wp_mail( $to, $subject, $message, $headers ) ) { 3280 $errors->add( 3281 'retrieve_password_email_failure', 3282 sprintf( 3283 /* translators: %s: Documentation URL. */ 3284 __( '<strong>Error:</strong> The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ), 3285 esc_url( __( 'https://wordpress.org/documentation/article/reset-your-password/' ) ) 3286 ) 3287 ); 3288 return $errors; 3289 } 3290 3291 return true; 3292 } 3293 3294 /** 3295 * Handles resetting the user's password. 3296 * 3297 * @since 2.5.0 3298 * 3299 * @param WP_User $user The user 3300 * @param string $new_pass New password for the user in plaintext 3301 */ 3302 function reset_password( $user, $new_pass ) { 3303 /** 3304 * Fires before the user's password is reset. 3305 * 3306 * @since 1.5.0 3307 * 3308 * @param WP_User $user The user. 3309 * @param string $new_pass New user password. 3310 */ 3311 do_action( 'password_reset', $user, $new_pass ); 3312 3313 wp_set_password( $new_pass, $user->ID ); 3314 update_user_meta( $user->ID, 'default_password_nag', false ); 3315 3316 /** 3317 * Fires after the user's password is reset. 3318 * 3319 * @since 4.4.0 3320 * 3321 * @param WP_User $user The user. 3322 * @param string $new_pass New user password. 3323 */ 3324 do_action( 'after_password_reset', $user, $new_pass ); 3325 } 3326 3327 /** 3328 * Handles registering a new user. 3329 * 3330 * @since 2.5.0 3331 * 3332 * @param string $user_login User's username for logging in 3333 * @param string $user_email User's email address to send password and add 3334 * @return int|WP_Error Either user's ID or error on failure. 3335 */ 3336 function register_new_user( $user_login, $user_email ) { 3337 $errors = new WP_Error(); 3338 3339 $sanitized_user_login = sanitize_user( $user_login ); 3340 /** 3341 * Filters the email address of a user being registered. 3342 * 3343 * @since 2.1.0 3344 * 3345 * @param string $user_email The email address of the new user. 3346 */ 3347 $user_email = apply_filters( 'user_registration_email', $user_email ); 3348 3349 // Check the username. 3350 if ( '' === $sanitized_user_login ) { 3351 $errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username.' ) ); 3352 } elseif ( ! validate_username( $user_login ) ) { 3353 $errors->add( 'invalid_username', __( '<strong>Error:</strong> This username is invalid because it uses illegal characters. Please enter a valid username.' ) ); 3354 $sanitized_user_login = ''; 3355 } elseif ( username_exists( $sanitized_user_login ) ) { 3356 $errors->add( 'username_exists', __( '<strong>Error:</strong> This username is already registered. Please choose another one.' ) ); 3357 } else { 3358 /** This filter is documented in wp-includes/user.php */ 3359 $illegal_user_logins = (array) apply_filters( 'illegal_user_logins', array() ); 3360 if ( in_array( strtolower( $sanitized_user_login ), array_map( 'strtolower', $illegal_user_logins ), true ) ) { 3361 $errors->add( 'invalid_username', __( '<strong>Error:</strong> Sorry, that username is not allowed.' ) ); 3362 } 3363 } 3364 3365 // Check the email address. 3366 if ( '' === $user_email ) { 3367 $errors->add( 'empty_email', __( '<strong>Error:</strong> Please type your email address.' ) ); 3368 } elseif ( ! is_email( $user_email ) ) { 3369 $errors->add( 'invalid_email', __( '<strong>Error:</strong> The email address is not correct.' ) ); 3370 $user_email = ''; 3371 } elseif ( email_exists( $user_email ) ) { 3372 $errors->add( 3373 'email_exists', 3374 sprintf( 3375 /* translators: %s: Link to the login page. */ 3376 __( '<strong>Error:</strong> This email address is already registered. <a href="%s">Log in</a> with this address or choose another one.' ), 3377 wp_login_url() 3378 ) 3379 ); 3380 } 3381 3382 /** 3383 * Fires when submitting registration form data, before the user is created. 3384 * 3385 * @since 2.1.0 3386 * 3387 * @param string $sanitized_user_login The submitted username after being sanitized. 3388 * @param string $user_email The submitted email. 3389 * @param WP_Error $errors Contains any errors with submitted username and email, 3390 * e.g., an empty field, an invalid username or email, 3391 * or an existing username or email. 3392 */ 3393 do_action( 'register_post', $sanitized_user_login, $user_email, $errors ); 3394 3395 /** 3396 * Filters the errors encountered when a new user is being registered. 3397 * 3398 * The filtered WP_Error object may, for example, contain errors for an invalid 3399 * or existing username or email address. A WP_Error object should always be returned, 3400 * but may or may not contain errors. 3401 * 3402 * If any errors are present in $errors, this will abort the user's registration. 3403 * 3404 * @since 2.1.0 3405 * 3406 * @param WP_Error $errors A WP_Error object containing any errors encountered 3407 * during registration. 3408 * @param string $sanitized_user_login User's username after it has been sanitized. 3409 * @param string $user_email User's email. 3410 */ 3411 $errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email ); 3412 3413 if ( $errors->has_errors() ) { 3414 return $errors; 3415 } 3416 3417 $user_pass = wp_generate_password( 12, false ); 3418 $user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email ); 3419 if ( ! $user_id || is_wp_error( $user_id ) ) { 3420 $errors->add( 3421 'registerfail', 3422 sprintf( 3423 /* translators: %s: Admin email address. */ 3424 __( '<strong>Error:</strong> Could not register you… please contact the <a href="mailto:%s">site admin</a>!' ), 3425 get_option( 'admin_email' ) 3426 ) 3427 ); 3428 return $errors; 3429 } 3430 3431 update_user_meta( $user_id, 'default_password_nag', true ); // Set up the password change nag. 3432 3433 if ( ! empty( $_COOKIE['wp_lang'] ) ) { 3434 $wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] ); 3435 if ( in_array( $wp_lang, get_available_languages(), true ) ) { 3436 update_user_meta( $user_id, 'locale', $wp_lang ); // Set user locale if defined on registration. 3437 } 3438 } 3439 3440 /** 3441 * Fires after a new user registration has been recorded. 3442 * 3443 * @since 4.4.0 3444 * 3445 * @param int $user_id ID of the newly registered user. 3446 */ 3447 do_action( 'register_new_user', $user_id ); 3448 3449 return $user_id; 3450 } 3451 3452 /** 3453 * Initiates email notifications related to the creation of new users. 3454 * 3455 * Notifications are sent both to the site admin and to the newly created user. 3456 * 3457 * @since 4.4.0 3458 * @since 4.6.0 Converted the `$notify` parameter to accept 'user' for sending 3459 * notifications only to the user created. 3460 * 3461 * @param int $user_id ID of the newly created user. 3462 * @param string $notify Optional. Type of notification that should happen. Accepts 'admin' 3463 * or an empty string (admin only), 'user', or 'both' (admin and user). 3464 * Default 'both'. 3465 */ 3466 function wp_send_new_user_notifications( $user_id, $notify = 'both' ) { 3467 wp_new_user_notification( $user_id, null, $notify ); 3468 } 3469 3470 /** 3471 * Retrieves the current session token from the logged_in cookie. 3472 * 3473 * @since 4.0.0 3474 * 3475 * @return string Token. 3476 */ 3477 function wp_get_session_token() { 3478 $cookie = wp_parse_auth_cookie( '', 'logged_in' ); 3479 return ! empty( $cookie['token'] ) ? $cookie['token'] : ''; 3480 } 3481 3482 /** 3483 * Retrieves a list of sessions for the current user. 3484 * 3485 * @since 4.0.0 3486 * 3487 * @return array Array of sessions. 3488 */ 3489 function wp_get_all_sessions() { 3490 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3491 return $manager->get_all(); 3492 } 3493 3494 /** 3495 * Removes the current session token from the database. 3496 * 3497 * @since 4.0.0 3498 */ 3499 function wp_destroy_current_session() { 3500 $token = wp_get_session_token(); 3501 if ( $token ) { 3502 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3503 $manager->destroy( $token ); 3504 } 3505 } 3506 3507 /** 3508 * Removes all but the current session token for the current user for the database. 3509 * 3510 * @since 4.0.0 3511 */ 3512 function wp_destroy_other_sessions() { 3513 $token = wp_get_session_token(); 3514 if ( $token ) { 3515 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3516 $manager->destroy_others( $token ); 3517 } 3518 } 3519 3520 /** 3521 * Removes all session tokens for the current user from the database. 3522 * 3523 * @since 4.0.0 3524 */ 3525 function wp_destroy_all_sessions() { 3526 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3527 $manager->destroy_all(); 3528 } 3529 3530 /** 3531 * Gets the user IDs of all users with no role on this site. 3532 * 3533 * @since 4.4.0 3534 * @since 4.9.0 The `$site_id` parameter was added to support multisite. 3535 * 3536 * @global wpdb $wpdb WordPress database abstraction object. 3537 * 3538 * @param int|null $site_id Optional. The site ID to get users with no role for. Defaults to the current site. 3539 * @return string[] Array of user IDs as strings. 3540 */ 3541 function wp_get_users_with_no_role( $site_id = null ) { 3542 global $wpdb; 3543 3544 if ( ! $site_id ) { 3545 $site_id = get_current_blog_id(); 3546 } 3547 3548 $prefix = $wpdb->get_blog_prefix( $site_id ); 3549 3550 if ( is_multisite() && get_current_blog_id() != $site_id ) { 3551 switch_to_blog( $site_id ); 3552 $role_names = wp_roles()->get_names(); 3553 restore_current_blog(); 3554 } else { 3555 $role_names = wp_roles()->get_names(); 3556 } 3557 3558 $regex = implode( '|', array_keys( $role_names ) ); 3559 $regex = preg_replace( '/[^a-zA-Z_\|-]/', '', $regex ); 3560 $users = $wpdb->get_col( 3561 $wpdb->prepare( 3562 "SELECT user_id 3563 FROM $wpdb->usermeta 3564 WHERE meta_key = '{$prefix}capabilities' 3565 AND meta_value NOT REGEXP %s", 3566 $regex 3567 ) 3568 ); 3569 3570 return $users; 3571 } 3572 3573 /** 3574 * Retrieves the current user object. 3575 * 3576 * Will set the current user, if the current user is not set. The current user 3577 * will be set to the logged-in person. If no user is logged-in, then it will 3578 * set the current user to 0, which is invalid and won't have any permissions. 3579 * 3580 * This function is used by the pluggable functions wp_get_current_user() and 3581 * get_currentuserinfo(), the latter of which is deprecated but used for backward 3582 * compatibility. 3583 * 3584 * @since 4.5.0 3585 * @access private 3586 * 3587 * @see wp_get_current_user() 3588 * @global WP_User $current_user Checks if the current user is set. 3589 * 3590 * @return WP_User Current WP_User instance. 3591 */ 3592 function _wp_get_current_user() { 3593 global $current_user; 3594 3595 if ( ! empty( $current_user ) ) { 3596 if ( $current_user instanceof WP_User ) { 3597 return $current_user; 3598 } 3599 3600 // Upgrade stdClass to WP_User. 3601 if ( is_object( $current_user ) && isset( $current_user->ID ) ) { 3602 $cur_id = $current_user->ID; 3603 $current_user = null; 3604 wp_set_current_user( $cur_id ); 3605 return $current_user; 3606 } 3607 3608 // $current_user has a junk value. Force to WP_User with ID 0. 3609 $current_user = null; 3610 wp_set_current_user( 0 ); 3611 return $current_user; 3612 } 3613 3614 if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { 3615 wp_set_current_user( 0 ); 3616 return $current_user; 3617 } 3618 3619 /** 3620 * Filters the current user. 3621 * 3622 * The default filters use this to determine the current user from the 3623 * request's cookies, if available. 3624 * 3625 * Returning a value of false will effectively short-circuit setting 3626 * the current user. 3627 * 3628 * @since 3.9.0 3629 * 3630 * @param int|false $user_id User ID if one has been determined, false otherwise. 3631 */ 3632 $user_id = apply_filters( 'determine_current_user', false ); 3633 if ( ! $user_id ) { 3634 wp_set_current_user( 0 ); 3635 return $current_user; 3636 } 3637 3638 wp_set_current_user( $user_id ); 3639 3640 return $current_user; 3641 } 3642 3643 /** 3644 * Sends a confirmation request email when a change of user email address is attempted. 3645 * 3646 * @since 3.0.0 3647 * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. 3648 * 3649 * @global WP_Error $errors WP_Error object. 3650 */ 3651 function send_confirmation_on_profile_email() { 3652 global $errors; 3653 3654 $current_user = wp_get_current_user(); 3655 if ( ! is_object( $errors ) ) { 3656 $errors = new WP_Error(); 3657 } 3658 3659 if ( $current_user->ID != $_POST['user_id'] ) { 3660 return false; 3661 } 3662 3663 if ( $current_user->user_email != $_POST['email'] ) { 3664 if ( ! is_email( $_POST['email'] ) ) { 3665 $errors->add( 3666 'user_email', 3667 __( '<strong>Error:</strong> The email address is not correct.' ), 3668 array( 3669 'form-field' => 'email', 3670 ) 3671 ); 3672 3673 return; 3674 } 3675 3676 if ( email_exists( $_POST['email'] ) ) { 3677 $errors->add( 3678 'user_email', 3679 __( '<strong>Error:</strong> The email address is already used.' ), 3680 array( 3681 'form-field' => 'email', 3682 ) 3683 ); 3684 delete_user_meta( $current_user->ID, '_new_email' ); 3685 3686 return; 3687 } 3688 3689 $hash = md5( $_POST['email'] . time() . wp_rand() ); 3690 $new_user_email = array( 3691 'hash' => $hash, 3692 'newemail' => $_POST['email'], 3693 ); 3694 update_user_meta( $current_user->ID, '_new_email', $new_user_email ); 3695 3696 $sitename = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 3697 3698 /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 3699 $email_text = __( 3700 'Howdy ###USERNAME###, 3701 3702 You recently requested to have the email address on your account changed. 3703 3704 If this is correct, please click on the following link to change it: 3705 ###ADMIN_URL### 3706 3707 You can safely ignore and delete this email if you do not want to 3708 take this action. 3709 3710 This email has been sent to ###EMAIL### 3711 3712 Regards, 3713 All at ###SITENAME### 3714 ###SITEURL###' 3715 ); 3716 3717 /** 3718 * Filters the text of the email sent when a change of user email address is attempted. 3719 * 3720 * The following strings have a special meaning and will get replaced dynamically: 3721 * - ###USERNAME### The current user's username. 3722 * - ###ADMIN_URL### The link to click on to confirm the email change. 3723 * - ###EMAIL### The new email. 3724 * - ###SITENAME### The name of the site. 3725 * - ###SITEURL### The URL to the site. 3726 * 3727 * @since MU (3.0.0) 3728 * @since 4.9.0 This filter is no longer Multisite specific. 3729 * 3730 * @param string $email_text Text in the email. 3731 * @param array $new_user_email { 3732 * Data relating to the new user email address. 3733 * 3734 * @type string $hash The secure hash used in the confirmation link URL. 3735 * @type string $newemail The proposed new email address. 3736 * } 3737 */ 3738 $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email ); 3739 3740 $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); 3741 $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); 3742 $content = str_replace( '###EMAIL###', $_POST['email'], $content ); 3743 $content = str_replace( '###SITENAME###', $sitename, $content ); 3744 $content = str_replace( '###SITEURL###', home_url(), $content ); 3745 3746 /* translators: New email address notification email subject. %s: Site title. */ 3747 wp_mail( $_POST['email'], sprintf( __( '[%s] Email Change Request' ), $sitename ), $content ); 3748 3749 $_POST['email'] = $current_user->user_email; 3750 } 3751 } 3752 3753 /** 3754 * Adds an admin notice alerting the user to check for confirmation request email 3755 * after email address change. 3756 * 3757 * @since 3.0.0 3758 * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. 3759 * 3760 * @global string $pagenow The filename of the current screen. 3761 */ 3762 function new_user_email_admin_notice() { 3763 global $pagenow; 3764 3765 if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) ) { 3766 $email = get_user_meta( get_current_user_id(), '_new_email', true ); 3767 if ( $email ) { 3768 $message = sprintf( 3769 /* translators: %s: New email address. */ 3770 __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), 3771 '<code>' . esc_html( $email['newemail'] ) . '</code>' 3772 ); 3773 wp_admin_notice( $message, array( 'type' => 'info' ) ); 3774 } 3775 } 3776 } 3777 3778 /** 3779 * Gets all personal data request types. 3780 * 3781 * @since 4.9.6 3782 * @access private 3783 * 3784 * @return string[] List of core privacy action types. 3785 */ 3786 function _wp_privacy_action_request_types() { 3787 return array( 3788 'export_personal_data', 3789 'remove_personal_data', 3790 ); 3791 } 3792 3793 /** 3794 * Registers the personal data exporter for users. 3795 * 3796 * @since 4.9.6 3797 * 3798 * @param array[] $exporters An array of personal data exporters. 3799 * @return array[] An array of personal data exporters. 3800 */ 3801 function wp_register_user_personal_data_exporter( $exporters ) { 3802 $exporters['wordpress-user'] = array( 3803 'exporter_friendly_name' => __( 'WordPress User' ), 3804 'callback' => 'wp_user_personal_data_exporter', 3805 ); 3806 3807 return $exporters; 3808 } 3809 3810 /** 3811 * Finds and exports personal data associated with an email address from the user and user_meta table. 3812 * 3813 * @since 4.9.6 3814 * @since 5.4.0 Added 'Community Events Location' group to the export data. 3815 * @since 5.4.0 Added 'Session Tokens' group to the export data. 3816 * 3817 * @param string $email_address The user's email address. 3818 * @return array { 3819 * An array of personal data. 3820 * 3821 * @type array[] $data An array of personal data arrays. 3822 * @type bool $done Whether the exporter is finished. 3823 * } 3824 */ 3825 function wp_user_personal_data_exporter( $email_address ) { 3826 $email_address = trim( $email_address ); 3827 3828 $data_to_export = array(); 3829 3830 $user = get_user_by( 'email', $email_address ); 3831 3832 if ( ! $user ) { 3833 return array( 3834 'data' => array(), 3835 'done' => true, 3836 ); 3837 } 3838 3839 $user_meta = get_user_meta( $user->ID ); 3840 3841 $user_props_to_export = array( 3842 'ID' => __( 'User ID' ), 3843 'user_login' => __( 'User Login Name' ), 3844 'user_nicename' => __( 'User Nice Name' ), 3845 'user_email' => __( 'User Email' ), 3846 'user_url' => __( 'User URL' ), 3847 'user_registered' => __( 'User Registration Date' ), 3848 'display_name' => __( 'User Display Name' ), 3849 'nickname' => __( 'User Nickname' ), 3850 'first_name' => __( 'User First Name' ), 3851 'last_name' => __( 'User Last Name' ), 3852 'description' => __( 'User Description' ), 3853 ); 3854 3855 $user_data_to_export = array(); 3856 3857 foreach ( $user_props_to_export as $key => $name ) { 3858 $value = ''; 3859 3860 switch ( $key ) { 3861 case 'ID': 3862 case 'user_login': 3863 case 'user_nicename': 3864 case 'user_email': 3865 case 'user_url': 3866 case 'user_registered': 3867 case 'display_name': 3868 $value = $user->data->$key; 3869 break; 3870 case 'nickname': 3871 case 'first_name': 3872 case 'last_name': 3873 case 'description': 3874 $value = $user_meta[ $key ][0]; 3875 break; 3876 } 3877 3878 if ( ! empty( $value ) ) { 3879 $user_data_to_export[] = array( 3880 'name' => $name, 3881 'value' => $value, 3882 ); 3883 } 3884 } 3885 3886 // Get the list of reserved names. 3887 $reserved_names = array_values( $user_props_to_export ); 3888 3889 /** 3890 * Filters the user's profile data for the privacy exporter. 3891 * 3892 * @since 5.4.0 3893 * 3894 * @param array $additional_user_profile_data { 3895 * An array of name-value pairs of additional user data items. Default empty array. 3896 * 3897 * @type string $name The user-facing name of an item name-value pair,e.g. 'IP Address'. 3898 * @type string $value The user-facing value of an item data pair, e.g. '50.60.70.0'. 3899 * } 3900 * @param WP_User $user The user whose data is being exported. 3901 * @param string[] $reserved_names An array of reserved names. Any item in `$additional_user_data` 3902 * that uses one of these for its `name` will not be included in the export. 3903 */ 3904 $_extra_data = apply_filters( 'wp_privacy_additional_user_profile_data', array(), $user, $reserved_names ); 3905 3906 if ( is_array( $_extra_data ) && ! empty( $_extra_data ) ) { 3907 // Remove items that use reserved names. 3908 $extra_data = array_filter( 3909 $_extra_data, 3910 static function ( $item ) use ( $reserved_names ) { 3911 return ! in_array( $item['name'], $reserved_names, true ); 3912 } 3913 ); 3914 3915 if ( count( $extra_data ) !== count( $_extra_data ) ) { 3916 _doing_it_wrong( 3917 __FUNCTION__, 3918 sprintf( 3919 /* translators: %s: wp_privacy_additional_user_profile_data */ 3920 __( 'Filter %s returned items with reserved names.' ), 3921 '<code>wp_privacy_additional_user_profile_data</code>' 3922 ), 3923 '5.4.0' 3924 ); 3925 } 3926 3927 if ( ! empty( $extra_data ) ) { 3928 $user_data_to_export = array_merge( $user_data_to_export, $extra_data ); 3929 } 3930 } 3931 3932 $data_to_export[] = array( 3933 'group_id' => 'user', 3934 'group_label' => __( 'User' ), 3935 'group_description' => __( 'User’s profile data.' ), 3936 'item_id' => "user-{$user->ID}", 3937 'data' => $user_data_to_export, 3938 ); 3939 3940 if ( isset( $user_meta['community-events-location'] ) ) { 3941 $location = maybe_unserialize( $user_meta['community-events-location'][0] ); 3942 3943 $location_props_to_export = array( 3944 'description' => __( 'City' ), 3945 'country' => __( 'Country' ), 3946 'latitude' => __( 'Latitude' ), 3947 'longitude' => __( 'Longitude' ), 3948 'ip' => __( 'IP' ), 3949 ); 3950 3951 $location_data_to_export = array(); 3952 3953 foreach ( $location_props_to_export as $key => $name ) { 3954 if ( ! empty( $location[ $key ] ) ) { 3955 $location_data_to_export[] = array( 3956 'name' => $name, 3957 'value' => $location[ $key ], 3958 ); 3959 } 3960 } 3961 3962 $data_to_export[] = array( 3963 'group_id' => 'community-events-location', 3964 'group_label' => __( 'Community Events Location' ), 3965 'group_description' => __( 'User’s location data used for the Community Events in the WordPress Events and News dashboard widget.' ), 3966 'item_id' => "community-events-location-{$user->ID}", 3967 'data' => $location_data_to_export, 3968 ); 3969 } 3970 3971 if ( isset( $user_meta['session_tokens'] ) ) { 3972 $session_tokens = maybe_unserialize( $user_meta['session_tokens'][0] ); 3973 3974 $session_tokens_props_to_export = array( 3975 'expiration' => __( 'Expiration' ), 3976 'ip' => __( 'IP' ), 3977 'ua' => __( 'User Agent' ), 3978 'login' => __( 'Last Login' ), 3979 ); 3980 3981 foreach ( $session_tokens as $token_key => $session_token ) { 3982 $session_tokens_data_to_export = array(); 3983 3984 foreach ( $session_tokens_props_to_export as $key => $name ) { 3985 if ( ! empty( $session_token[ $key ] ) ) { 3986 $value = $session_token[ $key ]; 3987 if ( in_array( $key, array( 'expiration', 'login' ), true ) ) { 3988 $value = date_i18n( 'F d, Y H:i A', $value ); 3989 } 3990 $session_tokens_data_to_export[] = array( 3991 'name' => $name, 3992 'value' => $value, 3993 ); 3994 } 3995 } 3996 3997 $data_to_export[] = array( 3998 'group_id' => 'session-tokens', 3999 'group_label' => __( 'Session Tokens' ), 4000 'group_description' => __( 'User’s Session Tokens data.' ), 4001 'item_id' => "session-tokens-{$user->ID}-{$token_key}", 4002 'data' => $session_tokens_data_to_export, 4003 ); 4004 } 4005 } 4006 4007 return array( 4008 'data' => $data_to_export, 4009 'done' => true, 4010 ); 4011 } 4012 4013 /** 4014 * Updates log when privacy request is confirmed. 4015 * 4016 * @since 4.9.6 4017 * @access private 4018 * 4019 * @param int $request_id ID of the request. 4020 */ 4021 function _wp_privacy_account_request_confirmed( $request_id ) { 4022 $request = wp_get_user_request( $request_id ); 4023 4024 if ( ! $request ) { 4025 return; 4026 } 4027 4028 if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) { 4029 return; 4030 } 4031 4032 update_post_meta( $request_id, '_wp_user_request_confirmed_timestamp', time() ); 4033 wp_update_post( 4034 array( 4035 'ID' => $request_id, 4036 'post_status' => 'request-confirmed', 4037 ) 4038 ); 4039 } 4040 4041 /** 4042 * Notifies the site administrator via email when a request is confirmed. 4043 * 4044 * Without this, the admin would have to manually check the site to see if any 4045 * action was needed on their part yet. 4046 * 4047 * @since 4.9.6 4048 * 4049 * @param int $request_id The ID of the request. 4050 */ 4051 function _wp_privacy_send_request_confirmation_notification( $request_id ) { 4052 $request = wp_get_user_request( $request_id ); 4053 4054 if ( ! ( $request instanceof WP_User_Request ) || 'request-confirmed' !== $request->status ) { 4055 return; 4056 } 4057 4058 $already_notified = (bool) get_post_meta( $request_id, '_wp_admin_notified', true ); 4059 4060 if ( $already_notified ) { 4061 return; 4062 } 4063 4064 if ( 'export_personal_data' === $request->action_name ) { 4065 $manage_url = admin_url( 'export-personal-data.php' ); 4066 } elseif ( 'remove_personal_data' === $request->action_name ) { 4067 $manage_url = admin_url( 'erase-personal-data.php' ); 4068 } 4069 $action_description = wp_user_request_action_description( $request->action_name ); 4070 4071 /** 4072 * Filters the recipient of the data request confirmation notification. 4073 * 4074 * In a Multisite environment, this will default to the email address of the 4075 * network admin because, by default, single site admins do not have the 4076 * capabilities required to process requests. Some networks may wish to 4077 * delegate those capabilities to a single-site admin, or a dedicated person 4078 * responsible for managing privacy requests. 4079 * 4080 * @since 4.9.6 4081 * 4082 * @param string $admin_email The email address of the notification recipient. 4083 * @param WP_User_Request $request The request that is initiating the notification. 4084 */ 4085 $admin_email = apply_filters( 'user_request_confirmed_email_to', get_site_option( 'admin_email' ), $request ); 4086 4087 $email_data = array( 4088 'request' => $request, 4089 'user_email' => $request->email, 4090 'description' => $action_description, 4091 'manage_url' => $manage_url, 4092 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4093 'siteurl' => home_url(), 4094 'admin_email' => $admin_email, 4095 ); 4096 4097 $subject = sprintf( 4098 /* translators: Privacy data request confirmed notification email subject. 1: Site title, 2: Name of the confirmed action. */ 4099 __( '[%1$s] Action Confirmed: %2$s' ), 4100 $email_data['sitename'], 4101 $action_description 4102 ); 4103 4104 /** 4105 * Filters the subject of the user request confirmation email. 4106 * 4107 * @since 4.9.8 4108 * 4109 * @param string $subject The email subject. 4110 * @param string $sitename The name of the site. 4111 * @param array $email_data { 4112 * Data relating to the account action email. 4113 * 4114 * @type WP_User_Request $request User request object. 4115 * @type string $user_email The email address confirming a request 4116 * @type string $description Description of the action being performed so the user knows what the email is for. 4117 * @type string $manage_url The link to click manage privacy requests of this type. 4118 * @type string $sitename The site name sending the mail. 4119 * @type string $siteurl The site URL sending the mail. 4120 * @type string $admin_email The administrator email receiving the mail. 4121 * } 4122 */ 4123 $subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $email_data['sitename'], $email_data ); 4124 4125 /* translators: Do not translate SITENAME, USER_EMAIL, DESCRIPTION, MANAGE_URL, SITEURL; those are placeholders. */ 4126 $content = __( 4127 'Howdy, 4128 4129 A user data privacy request has been confirmed on ###SITENAME###: 4130 4131 User: ###USER_EMAIL### 4132 Request: ###DESCRIPTION### 4133 4134 You can view and manage these data privacy requests here: 4135 4136 ###MANAGE_URL### 4137 4138 Regards, 4139 All at ###SITENAME### 4140 ###SITEURL###' 4141 ); 4142 4143 /** 4144 * Filters the body of the user request confirmation email. 4145 * 4146 * The email is sent to an administrator when a user request is confirmed. 4147 * 4148 * The following strings have a special meaning and will get replaced dynamically: 4149 * 4150 * ###SITENAME### The name of the site. 4151 * ###USER_EMAIL### The user email for the request. 4152 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4153 * ###MANAGE_URL### The URL to manage requests. 4154 * ###SITEURL### The URL to the site. 4155 * 4156 * @since 4.9.6 4157 * @deprecated 5.8.0 Use {@see 'user_request_confirmed_email_content'} instead. 4158 * For user erasure fulfillment email content 4159 * use {@see 'user_erasure_fulfillment_email_content'} instead. 4160 * 4161 * @param string $content The email content. 4162 * @param array $email_data { 4163 * Data relating to the account action email. 4164 * 4165 * @type WP_User_Request $request User request object. 4166 * @type string $user_email The email address confirming a request 4167 * @type string $description Description of the action being performed 4168 * so the user knows what the email is for. 4169 * @type string $manage_url The link to click manage privacy requests of this type. 4170 * @type string $sitename The site name sending the mail. 4171 * @type string $siteurl The site URL sending the mail. 4172 * @type string $admin_email The administrator email receiving the mail. 4173 * } 4174 */ 4175 $content = apply_filters_deprecated( 4176 'user_confirmed_action_email_content', 4177 array( $content, $email_data ), 4178 '5.8.0', 4179 sprintf( 4180 /* translators: 1 & 2: Deprecation replacement options. */ 4181 __( '%1$s or %2$s' ), 4182 'user_request_confirmed_email_content', 4183 'user_erasure_fulfillment_email_content' 4184 ) 4185 ); 4186 4187 /** 4188 * Filters the body of the user request confirmation email. 4189 * 4190 * The email is sent to an administrator when a user request is confirmed. 4191 * The following strings have a special meaning and will get replaced dynamically: 4192 * 4193 * ###SITENAME### The name of the site. 4194 * ###USER_EMAIL### The user email for the request. 4195 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4196 * ###MANAGE_URL### The URL to manage requests. 4197 * ###SITEURL### The URL to the site. 4198 * 4199 * @since 5.8.0 4200 * 4201 * @param string $content The email content. 4202 * @param array $email_data { 4203 * Data relating to the account action email. 4204 * 4205 * @type WP_User_Request $request User request object. 4206 * @type string $user_email The email address confirming a request 4207 * @type string $description Description of the action being performed so the user knows what the email is for. 4208 * @type string $manage_url The link to click manage privacy requests of this type. 4209 * @type string $sitename The site name sending the mail. 4210 * @type string $siteurl The site URL sending the mail. 4211 * @type string $admin_email The administrator email receiving the mail. 4212 * } 4213 */ 4214 $content = apply_filters( 'user_request_confirmed_email_content', $content, $email_data ); 4215 4216 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4217 $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content ); 4218 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); 4219 $content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content ); 4220 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4221 4222 $headers = ''; 4223 4224 /** 4225 * Filters the headers of the user request confirmation email. 4226 * 4227 * @since 5.4.0 4228 * 4229 * @param string|array $headers The email headers. 4230 * @param string $subject The email subject. 4231 * @param string $content The email content. 4232 * @param int $request_id The request ID. 4233 * @param array $email_data { 4234 * Data relating to the account action email. 4235 * 4236 * @type WP_User_Request $request User request object. 4237 * @type string $user_email The email address confirming a request 4238 * @type string $description Description of the action being performed so the user knows what the email is for. 4239 * @type string $manage_url The link to click manage privacy requests of this type. 4240 * @type string $sitename The site name sending the mail. 4241 * @type string $siteurl The site URL sending the mail. 4242 * @type string $admin_email The administrator email receiving the mail. 4243 * } 4244 */ 4245 $headers = apply_filters( 'user_request_confirmed_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4246 4247 $email_sent = wp_mail( $email_data['admin_email'], $subject, $content, $headers ); 4248 4249 if ( $email_sent ) { 4250 update_post_meta( $request_id, '_wp_admin_notified', true ); 4251 } 4252 } 4253 4254 /** 4255 * Notifies the user when their erasure request is fulfilled. 4256 * 4257 * Without this, the user would never know if their data was actually erased. 4258 * 4259 * @since 4.9.6 4260 * 4261 * @param int $request_id The privacy request post ID associated with this request. 4262 */ 4263 function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) { 4264 $request = wp_get_user_request( $request_id ); 4265 4266 if ( ! ( $request instanceof WP_User_Request ) || 'request-completed' !== $request->status ) { 4267 return; 4268 } 4269 4270 $already_notified = (bool) get_post_meta( $request_id, '_wp_user_notified', true ); 4271 4272 if ( $already_notified ) { 4273 return; 4274 } 4275 4276 // Localize message content for user; fallback to site default for visitors. 4277 if ( ! empty( $request->user_id ) ) { 4278 $switched_locale = switch_to_user_locale( $request->user_id ); 4279 } else { 4280 $switched_locale = switch_to_locale( get_locale() ); 4281 } 4282 4283 /** 4284 * Filters the recipient of the data erasure fulfillment notification. 4285 * 4286 * @since 4.9.6 4287 * 4288 * @param string $user_email The email address of the notification recipient. 4289 * @param WP_User_Request $request The request that is initiating the notification. 4290 */ 4291 $user_email = apply_filters( 'user_erasure_fulfillment_email_to', $request->email, $request ); 4292 4293 $email_data = array( 4294 'request' => $request, 4295 'message_recipient' => $user_email, 4296 'privacy_policy_url' => get_privacy_policy_url(), 4297 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4298 'siteurl' => home_url(), 4299 ); 4300 4301 $subject = sprintf( 4302 /* translators: Erasure request fulfilled notification email subject. %s: Site title. */ 4303 __( '[%s] Erasure Request Fulfilled' ), 4304 $email_data['sitename'] 4305 ); 4306 4307 /** 4308 * Filters the subject of the email sent when an erasure request is completed. 4309 * 4310 * @since 4.9.8 4311 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_subject'} instead. 4312 * 4313 * @param string $subject The email subject. 4314 * @param string $sitename The name of the site. 4315 * @param array $email_data { 4316 * Data relating to the account action email. 4317 * 4318 * @type WP_User_Request $request User request object. 4319 * @type string $message_recipient The address that the email will be sent to. Defaults 4320 * to the value of `$request->email`, but can be changed 4321 * by the `user_erasure_fulfillment_email_to` filter. 4322 * @type string $privacy_policy_url Privacy policy URL. 4323 * @type string $sitename The site name sending the mail. 4324 * @type string $siteurl The site URL sending the mail. 4325 * } 4326 */ 4327 $subject = apply_filters_deprecated( 4328 'user_erasure_complete_email_subject', 4329 array( $subject, $email_data['sitename'], $email_data ), 4330 '5.8.0', 4331 'user_erasure_fulfillment_email_subject' 4332 ); 4333 4334 /** 4335 * Filters the subject of the email sent when an erasure request is completed. 4336 * 4337 * @since 5.8.0 4338 * 4339 * @param string $subject The email subject. 4340 * @param string $sitename The name of the site. 4341 * @param array $email_data { 4342 * Data relating to the account action email. 4343 * 4344 * @type WP_User_Request $request User request object. 4345 * @type string $message_recipient The address that the email will be sent to. Defaults 4346 * to the value of `$request->email`, but can be changed 4347 * by the `user_erasure_fulfillment_email_to` filter. 4348 * @type string $privacy_policy_url Privacy policy URL. 4349 * @type string $sitename The site name sending the mail. 4350 * @type string $siteurl The site URL sending the mail. 4351 * } 4352 */ 4353 $subject = apply_filters( 'user_erasure_fulfillment_email_subject', $subject, $email_data['sitename'], $email_data ); 4354 4355 /* translators: Do not translate SITENAME, SITEURL; those are placeholders. */ 4356 $content = __( 4357 'Howdy, 4358 4359 Your request to erase your personal data on ###SITENAME### has been completed. 4360 4361 If you have any follow-up questions or concerns, please contact the site administrator. 4362 4363 Regards, 4364 All at ###SITENAME### 4365 ###SITEURL###' 4366 ); 4367 4368 if ( ! empty( $email_data['privacy_policy_url'] ) ) { 4369 /* translators: Do not translate SITENAME, SITEURL, PRIVACY_POLICY_URL; those are placeholders. */ 4370 $content = __( 4371 'Howdy, 4372 4373 Your request to erase your personal data on ###SITENAME### has been completed. 4374 4375 If you have any follow-up questions or concerns, please contact the site administrator. 4376 4377 For more information, you can also read our privacy policy: ###PRIVACY_POLICY_URL### 4378 4379 Regards, 4380 All at ###SITENAME### 4381 ###SITEURL###' 4382 ); 4383 } 4384 4385 /** 4386 * Filters the body of the data erasure fulfillment notification. 4387 * 4388 * The email is sent to a user when their data erasure request is fulfilled 4389 * by an administrator. 4390 * 4391 * The following strings have a special meaning and will get replaced dynamically: 4392 * 4393 * ###SITENAME### The name of the site. 4394 * ###PRIVACY_POLICY_URL### Privacy policy page URL. 4395 * ###SITEURL### The URL to the site. 4396 * 4397 * @since 4.9.6 4398 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_content'} instead. 4399 * For user request confirmation email content 4400 * use {@see 'user_request_confirmed_email_content'} instead. 4401 * 4402 * @param string $content The email content. 4403 * @param array $email_data { 4404 * Data relating to the account action email. 4405 * 4406 * @type WP_User_Request $request User request object. 4407 * @type string $message_recipient The address that the email will be sent to. Defaults 4408 * to the value of `$request->email`, but can be changed 4409 * by the `user_erasure_fulfillment_email_to` filter. 4410 * @type string $privacy_policy_url Privacy policy URL. 4411 * @type string $sitename The site name sending the mail. 4412 * @type string $siteurl The site URL sending the mail. 4413 * } 4414 */ 4415 $content = apply_filters_deprecated( 4416 'user_confirmed_action_email_content', 4417 array( $content, $email_data ), 4418 '5.8.0', 4419 sprintf( 4420 /* translators: 1 & 2: Deprecation replacement options. */ 4421 __( '%1$s or %2$s' ), 4422 'user_erasure_fulfillment_email_content', 4423 'user_request_confirmed_email_content' 4424 ) 4425 ); 4426 4427 /** 4428 * Filters the body of the data erasure fulfillment notification. 4429 * 4430 * The email is sent to a user when their data erasure request is fulfilled 4431 * by an administrator. 4432 * 4433 * The following strings have a special meaning and will get replaced dynamically: 4434 * 4435 * ###SITENAME### The name of the site. 4436 * ###PRIVACY_POLICY_URL### Privacy policy page URL. 4437 * ###SITEURL### The URL to the site. 4438 * 4439 * @since 5.8.0 4440 * 4441 * @param string $content The email content. 4442 * @param array $email_data { 4443 * Data relating to the account action email. 4444 * 4445 * @type WP_User_Request $request User request object. 4446 * @type string $message_recipient The address that the email will be sent to. Defaults 4447 * to the value of `$request->email`, but can be changed 4448 * by the `user_erasure_fulfillment_email_to` filter. 4449 * @type string $privacy_policy_url Privacy policy URL. 4450 * @type string $sitename The site name sending the mail. 4451 * @type string $siteurl The site URL sending the mail. 4452 * } 4453 */ 4454 $content = apply_filters( 'user_erasure_fulfillment_email_content', $content, $email_data ); 4455 4456 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4457 $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content ); 4458 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4459 4460 $headers = ''; 4461 4462 /** 4463 * Filters the headers of the data erasure fulfillment notification. 4464 * 4465 * @since 5.4.0 4466 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_headers'} instead. 4467 * 4468 * @param string|array $headers The email headers. 4469 * @param string $subject The email subject. 4470 * @param string $content The email content. 4471 * @param int $request_id The request ID. 4472 * @param array $email_data { 4473 * Data relating to the account action email. 4474 * 4475 * @type WP_User_Request $request User request object. 4476 * @type string $message_recipient The address that the email will be sent to. Defaults 4477 * to the value of `$request->email`, but can be changed 4478 * by the `user_erasure_fulfillment_email_to` filter. 4479 * @type string $privacy_policy_url Privacy policy URL. 4480 * @type string $sitename The site name sending the mail. 4481 * @type string $siteurl The site URL sending the mail. 4482 * } 4483 */ 4484 $headers = apply_filters_deprecated( 4485 'user_erasure_complete_email_headers', 4486 array( $headers, $subject, $content, $request_id, $email_data ), 4487 '5.8.0', 4488 'user_erasure_fulfillment_email_headers' 4489 ); 4490 4491 /** 4492 * Filters the headers of the data erasure fulfillment notification. 4493 * 4494 * @since 5.8.0 4495 * 4496 * @param string|array $headers The email headers. 4497 * @param string $subject The email subject. 4498 * @param string $content The email content. 4499 * @param int $request_id The request ID. 4500 * @param array $email_data { 4501 * Data relating to the account action email. 4502 * 4503 * @type WP_User_Request $request User request object. 4504 * @type string $message_recipient The address that the email will be sent to. Defaults 4505 * to the value of `$request->email`, but can be changed 4506 * by the `user_erasure_fulfillment_email_to` filter. 4507 * @type string $privacy_policy_url Privacy policy URL. 4508 * @type string $sitename The site name sending the mail. 4509 * @type string $siteurl The site URL sending the mail. 4510 * } 4511 */ 4512 $headers = apply_filters( 'user_erasure_fulfillment_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4513 4514 $email_sent = wp_mail( $user_email, $subject, $content, $headers ); 4515 4516 if ( $switched_locale ) { 4517 restore_previous_locale(); 4518 } 4519 4520 if ( $email_sent ) { 4521 update_post_meta( $request_id, '_wp_user_notified', true ); 4522 } 4523 } 4524 4525 /** 4526 * Returns request confirmation message HTML. 4527 * 4528 * @since 4.9.6 4529 * @access private 4530 * 4531 * @param int $request_id The request ID being confirmed. 4532 * @return string The confirmation message. 4533 */ 4534 function _wp_privacy_account_request_confirmed_message( $request_id ) { 4535 $request = wp_get_user_request( $request_id ); 4536 4537 $message = '<p class="success">' . __( 'Action has been confirmed.' ) . '</p>'; 4538 $message .= '<p>' . __( 'The site administrator has been notified and will fulfill your request as soon as possible.' ) . '</p>'; 4539 4540 if ( $request && in_array( $request->action_name, _wp_privacy_action_request_types(), true ) ) { 4541 if ( 'export_personal_data' === $request->action_name ) { 4542 $message = '<p class="success">' . __( 'Thanks for confirming your export request.' ) . '</p>'; 4543 $message .= '<p>' . __( 'The site administrator has been notified. You will receive a link to download your export via email when they fulfill your request.' ) . '</p>'; 4544 } elseif ( 'remove_personal_data' === $request->action_name ) { 4545 $message = '<p class="success">' . __( 'Thanks for confirming your erasure request.' ) . '</p>'; 4546 $message .= '<p>' . __( 'The site administrator has been notified. You will receive an email confirmation when they erase your data.' ) . '</p>'; 4547 } 4548 } 4549 4550 /** 4551 * Filters the message displayed to a user when they confirm a data request. 4552 * 4553 * @since 4.9.6 4554 * 4555 * @param string $message The message to the user. 4556 * @param int $request_id The ID of the request being confirmed. 4557 */ 4558 $message = apply_filters( 'user_request_action_confirmed_message', $message, $request_id ); 4559 4560 return $message; 4561 } 4562 4563 /** 4564 * Creates and logs a user request to perform a specific action. 4565 * 4566 * Requests are stored inside a post type named `user_request` since they can apply to both 4567 * users on the site, or guests without a user account. 4568 * 4569 * @since 4.9.6 4570 * @since 5.7.0 Added the `$status` parameter. 4571 * 4572 * @param string $email_address User email address. This can be the address of a registered 4573 * or non-registered user. 4574 * @param string $action_name Name of the action that is being confirmed. Required. 4575 * @param array $request_data Misc data you want to send with the verification request and pass 4576 * to the actions once the request is confirmed. 4577 * @param string $status Optional request status (pending or confirmed). Default 'pending'. 4578 * @return int|WP_Error Returns the request ID if successful, or a WP_Error object on failure. 4579 */ 4580 function wp_create_user_request( $email_address = '', $action_name = '', $request_data = array(), $status = 'pending' ) { 4581 $email_address = sanitize_email( $email_address ); 4582 $action_name = sanitize_key( $action_name ); 4583 4584 if ( ! is_email( $email_address ) ) { 4585 return new WP_Error( 'invalid_email', __( 'Invalid email address.' ) ); 4586 } 4587 4588 if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) ) { 4589 return new WP_Error( 'invalid_action', __( 'Invalid action name.' ) ); 4590 } 4591 4592 if ( ! in_array( $status, array( 'pending', 'confirmed' ), true ) ) { 4593 return new WP_Error( 'invalid_status', __( 'Invalid request status.' ) ); 4594 } 4595 4596 $user = get_user_by( 'email', $email_address ); 4597 $user_id = $user && ! is_wp_error( $user ) ? $user->ID : 0; 4598 4599 // Check for duplicates. 4600 $requests_query = new WP_Query( 4601 array( 4602 'post_type' => 'user_request', 4603 'post_name__in' => array( $action_name ), // Action name stored in post_name column. 4604 'title' => $email_address, // Email address stored in post_title column. 4605 'post_status' => array( 4606 'request-pending', 4607 'request-confirmed', 4608 ), 4609 'fields' => 'ids', 4610 ) 4611 ); 4612 4613 if ( $requests_query->found_posts ) { 4614 return new WP_Error( 'duplicate_request', __( 'An incomplete personal data request for this email address already exists.' ) ); 4615 } 4616 4617 $request_id = wp_insert_post( 4618 array( 4619 'post_author' => $user_id, 4620 'post_name' => $action_name, 4621 'post_title' => $email_address, 4622 'post_content' => wp_json_encode( $request_data ), 4623 'post_status' => 'request-' . $status, 4624 'post_type' => 'user_request', 4625 'post_date' => current_time( 'mysql', false ), 4626 'post_date_gmt' => current_time( 'mysql', true ), 4627 ), 4628 true 4629 ); 4630 4631 return $request_id; 4632 } 4633 4634 /** 4635 * Gets action description from the name and return a string. 4636 * 4637 * @since 4.9.6 4638 * 4639 * @param string $action_name Action name of the request. 4640 * @return string Human readable action name. 4641 */ 4642 function wp_user_request_action_description( $action_name ) { 4643 switch ( $action_name ) { 4644 case 'export_personal_data': 4645 $description = __( 'Export Personal Data' ); 4646 break; 4647 case 'remove_personal_data': 4648 $description = __( 'Erase Personal Data' ); 4649 break; 4650 default: 4651 /* translators: %s: Action name. */ 4652 $description = sprintf( __( 'Confirm the "%s" action' ), $action_name ); 4653 break; 4654 } 4655 4656 /** 4657 * Filters the user action description. 4658 * 4659 * @since 4.9.6 4660 * 4661 * @param string $description The default description. 4662 * @param string $action_name The name of the request. 4663 */ 4664 return apply_filters( 'user_request_action_description', $description, $action_name ); 4665 } 4666 4667 /** 4668 * Send a confirmation request email to confirm an action. 4669 * 4670 * If the request is not already pending, it will be updated. 4671 * 4672 * @since 4.9.6 4673 * 4674 * @param string $request_id ID of the request created via wp_create_user_request(). 4675 * @return true|WP_Error True on success, `WP_Error` on failure. 4676 */ 4677 function wp_send_user_request( $request_id ) { 4678 $request_id = absint( $request_id ); 4679 $request = wp_get_user_request( $request_id ); 4680 4681 if ( ! $request ) { 4682 return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) ); 4683 } 4684 4685 // Localize message content for user; fallback to site default for visitors. 4686 if ( ! empty( $request->user_id ) ) { 4687 $switched_locale = switch_to_user_locale( $request->user_id ); 4688 } else { 4689 $switched_locale = switch_to_locale( get_locale() ); 4690 } 4691 4692 $email_data = array( 4693 'request' => $request, 4694 'email' => $request->email, 4695 'description' => wp_user_request_action_description( $request->action_name ), 4696 'confirm_url' => add_query_arg( 4697 array( 4698 'action' => 'confirmaction', 4699 'request_id' => $request_id, 4700 'confirm_key' => wp_generate_user_request_key( $request_id ), 4701 ), 4702 wp_login_url() 4703 ), 4704 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4705 'siteurl' => home_url(), 4706 ); 4707 4708 /* translators: Confirm privacy data request notification email subject. 1: Site title, 2: Name of the action. */ 4709 $subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $email_data['sitename'], $email_data['description'] ); 4710 4711 /** 4712 * Filters the subject of the email sent when an account action is attempted. 4713 * 4714 * @since 4.9.6 4715 * 4716 * @param string $subject The email subject. 4717 * @param string $sitename The name of the site. 4718 * @param array $email_data { 4719 * Data relating to the account action email. 4720 * 4721 * @type WP_User_Request $request User request object. 4722 * @type string $email The email address this is being sent to. 4723 * @type string $description Description of the action being performed so the user knows what the email is for. 4724 * @type string $confirm_url The link to click on to confirm the account action. 4725 * @type string $sitename The site name sending the mail. 4726 * @type string $siteurl The site URL sending the mail. 4727 * } 4728 */ 4729 $subject = apply_filters( 'user_request_action_email_subject', $subject, $email_data['sitename'], $email_data ); 4730 4731 /* translators: Do not translate DESCRIPTION, CONFIRM_URL, SITENAME, SITEURL: those are placeholders. */ 4732 $content = __( 4733 'Howdy, 4734 4735 A request has been made to perform the following action on your account: 4736 4737 ###DESCRIPTION### 4738 4739 To confirm this, please click on the following link: 4740 ###CONFIRM_URL### 4741 4742 You can safely ignore and delete this email if you do not want to 4743 take this action. 4744 4745 Regards, 4746 All at ###SITENAME### 4747 ###SITEURL###' 4748 ); 4749 4750 /** 4751 * Filters the text of the email sent when an account action is attempted. 4752 * 4753 * The following strings have a special meaning and will get replaced dynamically: 4754 * 4755 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4756 * ###CONFIRM_URL### The link to click on to confirm the account action. 4757 * ###SITENAME### The name of the site. 4758 * ###SITEURL### The URL to the site. 4759 * 4760 * @since 4.9.6 4761 * 4762 * @param string $content Text in the email. 4763 * @param array $email_data { 4764 * Data relating to the account action email. 4765 * 4766 * @type WP_User_Request $request User request object. 4767 * @type string $email The email address this is being sent to. 4768 * @type string $description Description of the action being performed so the user knows what the email is for. 4769 * @type string $confirm_url The link to click on to confirm the account action. 4770 * @type string $sitename The site name sending the mail. 4771 * @type string $siteurl The site URL sending the mail. 4772 * } 4773 */ 4774 $content = apply_filters( 'user_request_action_email_content', $content, $email_data ); 4775 4776 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); 4777 $content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content ); 4778 $content = str_replace( '###EMAIL###', $email_data['email'], $content ); 4779 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4780 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4781 4782 $headers = ''; 4783 4784 /** 4785 * Filters the headers of the email sent when an account action is attempted. 4786 * 4787 * @since 5.4.0 4788 * 4789 * @param string|array $headers The email headers. 4790 * @param string $subject The email subject. 4791 * @param string $content The email content. 4792 * @param int $request_id The request ID. 4793 * @param array $email_data { 4794 * Data relating to the account action email. 4795 * 4796 * @type WP_User_Request $request User request object. 4797 * @type string $email The email address this is being sent to. 4798 * @type string $description Description of the action being performed so the user knows what the email is for. 4799 * @type string $confirm_url The link to click on to confirm the account action. 4800 * @type string $sitename The site name sending the mail. 4801 * @type string $siteurl The site URL sending the mail. 4802 * } 4803 */ 4804 $headers = apply_filters( 'user_request_action_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4805 4806 $email_sent = wp_mail( $email_data['email'], $subject, $content, $headers ); 4807 4808 if ( $switched_locale ) { 4809 restore_previous_locale(); 4810 } 4811 4812 if ( ! $email_sent ) { 4813 return new WP_Error( 'privacy_email_error', __( 'Unable to send personal data export confirmation email.' ) ); 4814 } 4815 4816 return true; 4817 } 4818 4819 /** 4820 * Returns a confirmation key for a user action and stores the hashed version for future comparison. 4821 * 4822 * @since 4.9.6 4823 * 4824 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 4825 * 4826 * @param int $request_id Request ID. 4827 * @return string Confirmation key. 4828 */ 4829 function wp_generate_user_request_key( $request_id ) { 4830 global $wp_hasher; 4831 4832 // Generate something random for a confirmation key. 4833 $key = wp_generate_password( 20, false ); 4834 4835 // Return the key, hashed. 4836 if ( empty( $wp_hasher ) ) { 4837 require_once ABSPATH . WPINC . '/class-phpass.php'; 4838 $wp_hasher = new PasswordHash( 8, true ); 4839 } 4840 4841 wp_update_post( 4842 array( 4843 'ID' => $request_id, 4844 'post_status' => 'request-pending', 4845 'post_password' => $wp_hasher->HashPassword( $key ), 4846 ) 4847 ); 4848 4849 return $key; 4850 } 4851 4852 /** 4853 * Validates a user request by comparing the key with the request's key. 4854 * 4855 * @since 4.9.6 4856 * 4857 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 4858 * 4859 * @param string $request_id ID of the request being confirmed. 4860 * @param string $key Provided key to validate. 4861 * @return true|WP_Error True on success, WP_Error on failure. 4862 */ 4863 function wp_validate_user_request_key( $request_id, $key ) { 4864 global $wp_hasher; 4865 4866 $request_id = absint( $request_id ); 4867 $request = wp_get_user_request( $request_id ); 4868 $saved_key = $request->confirm_key; 4869 $key_request_time = $request->modified_timestamp; 4870 4871 if ( ! $request || ! $saved_key || ! $key_request_time ) { 4872 return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) ); 4873 } 4874 4875 if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) { 4876 return new WP_Error( 'expired_request', __( 'This personal data request has expired.' ) ); 4877 } 4878 4879 if ( empty( $key ) ) { 4880 return new WP_Error( 'missing_key', __( 'The confirmation key is missing from this personal data request.' ) ); 4881 } 4882 4883 if ( empty( $wp_hasher ) ) { 4884 require_once ABSPATH . WPINC . '/class-phpass.php'; 4885 $wp_hasher = new PasswordHash( 8, true ); 4886 } 4887 4888 /** 4889 * Filters the expiration time of confirm keys. 4890 * 4891 * @since 4.9.6 4892 * 4893 * @param int $expiration The expiration time in seconds. 4894 */ 4895 $expiration_duration = (int) apply_filters( 'user_request_key_expiration', DAY_IN_SECONDS ); 4896 $expiration_time = $key_request_time + $expiration_duration; 4897 4898 if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) { 4899 return new WP_Error( 'invalid_key', __( 'The confirmation key is invalid for this personal data request.' ) ); 4900 } 4901 4902 if ( ! $expiration_time || time() > $expiration_time ) { 4903 return new WP_Error( 'expired_key', __( 'The confirmation key has expired for this personal data request.' ) ); 4904 } 4905 4906 return true; 4907 } 4908 4909 /** 4910 * Returns the user request object for the specified request ID. 4911 * 4912 * @since 4.9.6 4913 * 4914 * @param int $request_id The ID of the user request. 4915 * @return WP_User_Request|false 4916 */ 4917 function wp_get_user_request( $request_id ) { 4918 $request_id = absint( $request_id ); 4919 $post = get_post( $request_id ); 4920 4921 if ( ! $post || 'user_request' !== $post->post_type ) { 4922 return false; 4923 } 4924 4925 return new WP_User_Request( $post ); 4926 } 4927 4928 /** 4929 * Checks if Application Passwords is supported. 4930 * 4931 * Application Passwords is supported only by sites using SSL or local environments 4932 * but may be made available using the {@see 'wp_is_application_passwords_available'} filter. 4933 * 4934 * @since 5.9.0 4935 * 4936 * @return bool 4937 */ 4938 function wp_is_application_passwords_supported() { 4939 return is_ssl() || 'local' === wp_get_environment_type(); 4940 } 4941 4942 /** 4943 * Checks if Application Passwords is globally available. 4944 * 4945 * By default, Application Passwords is available to all sites using SSL or to local environments. 4946 * Use the {@see 'wp_is_application_passwords_available'} filter to adjust its availability. 4947 * 4948 * @since 5.6.0 4949 * 4950 * @return bool 4951 */ 4952 function wp_is_application_passwords_available() { 4953 /** 4954 * Filters whether Application Passwords is available. 4955 * 4956 * @since 5.6.0 4957 * 4958 * @param bool $available True if available, false otherwise. 4959 */ 4960 return apply_filters( 'wp_is_application_passwords_available', wp_is_application_passwords_supported() ); 4961 } 4962 4963 /** 4964 * Checks if Application Passwords is available for a specific user. 4965 * 4966 * By default all users can use Application Passwords. Use {@see 'wp_is_application_passwords_available_for_user'} 4967 * to restrict availability to certain users. 4968 * 4969 * @since 5.6.0 4970 * 4971 * @param int|WP_User $user The user to check. 4972 * @return bool 4973 */ 4974 function wp_is_application_passwords_available_for_user( $user ) { 4975 if ( ! wp_is_application_passwords_available() ) { 4976 return false; 4977 } 4978 4979 if ( ! is_object( $user ) ) { 4980 $user = get_userdata( $user ); 4981 } 4982 4983 if ( ! $user || ! $user->exists() ) { 4984 return false; 4985 } 4986 4987 /** 4988 * Filters whether Application Passwords is available for a specific user. 4989 * 4990 * @since 5.6.0 4991 * 4992 * @param bool $available True if available, false otherwise. 4993 * @param WP_User $user The user to check. 4994 */ 4995 return apply_filters( 'wp_is_application_passwords_available_for_user', true, $user ); 4996 } 4997 4998 /** 4999 * Registers the user meta property for persisted preferences. 5000 * 5001 * This property is used to store user preferences across page reloads and is 5002 * currently used by the block editor for preferences like 'fullscreenMode' and 5003 * 'fixedToolbar'. 5004 * 5005 * @since 6.1.0 5006 * @access private 5007 * 5008 * @global wpdb $wpdb WordPress database abstraction object. 5009 */ 5010 function wp_register_persisted_preferences_meta() { 5011 /* 5012 * Create a meta key that incorporates the blog prefix so that each site 5013 * on a multisite can have distinct user preferences. 5014 */ 5015 global $wpdb; 5016 $meta_key = $wpdb->get_blog_prefix() . 'persisted_preferences'; 5017 5018 register_meta( 5019 'user', 5020 $meta_key, 5021 array( 5022 'type' => 'object', 5023 'single' => true, 5024 'show_in_rest' => array( 5025 'name' => 'persisted_preferences', 5026 'type' => 'object', 5027 'schema' => array( 5028 'type' => 'object', 5029 'context' => array( 'edit' ), 5030 'properties' => array( 5031 '_modified' => array( 5032 'description' => __( 'The date and time the preferences were updated.' ), 5033 'type' => 'string', 5034 'format' => 'date-time', 5035 'readonly' => false, 5036 ), 5037 ), 5038 'additionalProperties' => true, 5039 ), 5040 ), 5041 ) 5042 ); 5043 } 5044 5045 /** 5046 * Sets the last changed time for the 'users' cache group. 5047 * 5048 * @since 6.3.0 5049 */ 5050 function wp_cache_set_users_last_changed() { 5051 wp_cache_set_last_changed( 'users' ); 5052 } 5053 5054 /** 5055 * Checks if password reset is allowed for a specific user. 5056 * 5057 * @since 6.3.0 5058 * 5059 * @param int|WP_User $user The user to check. 5060 * @return bool|WP_Error True if allowed, false or WP_Error otherwise. 5061 */ 5062 function wp_is_password_reset_allowed_for_user( $user ) { 5063 if ( ! is_object( $user ) ) { 5064 $user = get_userdata( $user ); 5065 } 5066 5067 if ( ! $user || ! $user->exists() ) { 5068 return false; 5069 } 5070 $allow = true; 5071 if ( is_multisite() && is_user_spammy( $user ) ) { 5072 $allow = false; 5073 } 5074 5075 /** 5076 * Filters whether to allow a password to be reset. 5077 * 5078 * @since 2.7.0 5079 * 5080 * @param bool $allow Whether to allow the password to be reset. Default true. 5081 * @param int $user_id The ID of the user attempting to reset a password. 5082 */ 5083 return apply_filters( 'allow_password_reset', $allow, $user->ID ); 5084 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated : Mon Mar 18 08:20:01 2024 | Cross-referenced by PHPXref |