| [ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * Core User API 4 * 5 * @package WordPress 6 * @subpackage Users 7 */ 8 9 /** 10 * Authenticates and logs a user in with 'remember' capability. 11 * 12 * The credentials is an array that has 'user_login', 'user_password', and 13 * 'remember' indices. If the credentials is not given, then the log in form 14 * will be assumed and used if set. 15 * 16 * The various authentication cookies will be set by this function and will be 17 * set for a longer period depending on if the 'remember' credential is set to 18 * true. 19 * 20 * Note: wp_signon() doesn't handle setting the current user. This means that if the 21 * function is called before the {@see 'init'} hook is fired, is_user_logged_in() will 22 * evaluate as false until that point. If is_user_logged_in() is needed in conjunction 23 * with wp_signon(), wp_set_current_user() should be called explicitly. 24 * 25 * @since 2.5.0 26 * 27 * @global string $auth_secure_cookie 28 * @global wpdb $wpdb WordPress database abstraction object. 29 * 30 * @param array $credentials { 31 * Optional. User info in order to sign on. 32 * 33 * @type string $user_login Username. 34 * @type string $user_password User password. 35 * @type bool $remember Whether to 'remember' the user. Increases the time 36 * that the cookie will be kept. Default false. 37 * } 38 * @param string|bool $secure_cookie Optional. Whether to use secure cookie. 39 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 40 */ 41 function wp_signon( $credentials = array(), $secure_cookie = '' ) { 42 global $auth_secure_cookie, $wpdb; 43 44 if ( empty( $credentials ) ) { 45 $credentials = array( 46 'user_login' => '', 47 'user_password' => '', 48 'remember' => false, 49 ); 50 51 if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) { 52 $credentials['user_login'] = wp_unslash( $_POST['log'] ); 53 } 54 if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) { 55 $credentials['user_password'] = $_POST['pwd']; 56 } 57 if ( ! empty( $_POST['rememberme'] ) ) { 58 $credentials['remember'] = $_POST['rememberme']; 59 } 60 } 61 62 if ( ! empty( $credentials['remember'] ) ) { 63 $credentials['remember'] = true; 64 } else { 65 $credentials['remember'] = false; 66 } 67 68 /** 69 * Fires before the user is authenticated. 70 * 71 * The variables passed to the callbacks are passed by reference, 72 * and can be modified by callback functions. 73 * 74 * @since 1.5.1 75 * 76 * @todo Decide whether to deprecate the wp_authenticate action. 77 * 78 * @param string $user_login Username (passed by reference). 79 * @param string $user_password User password (passed by reference). 80 */ 81 do_action_ref_array( 'wp_authenticate', array( &$credentials['user_login'], &$credentials['user_password'] ) ); 82 83 if ( '' === $secure_cookie ) { 84 $secure_cookie = is_ssl(); 85 } 86 87 /** 88 * Filters whether to use a secure sign-on cookie. 89 * 90 * @since 3.1.0 91 * 92 * @param bool $secure_cookie Whether to use a secure sign-on cookie. 93 * @param array $credentials { 94 * Array of entered sign-on data. 95 * 96 * @type string $user_login Username. 97 * @type string $user_password Password entered. 98 * @type bool $remember Whether to 'remember' the user. Increases the time 99 * that the cookie will be kept. Default false. 100 * } 101 */ 102 $secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials ); 103 104 // XXX ugly hack to pass this to wp_authenticate_cookie(). 105 $auth_secure_cookie = $secure_cookie; 106 107 add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 ); 108 109 $user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] ); 110 111 if ( is_wp_error( $user ) ) { 112 return $user; 113 } 114 115 wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie ); 116 117 // Clear `user_activation_key` after a successful login. 118 if ( ! empty( $user->user_activation_key ) ) { 119 $wpdb->update( 120 $wpdb->users, 121 array( 122 'user_activation_key' => '', 123 ), 124 array( 'ID' => $user->ID ) 125 ); 126 127 $user->user_activation_key = ''; 128 } 129 130 /** 131 * Fires after the user has successfully logged in. 132 * 133 * @since 1.5.0 134 * 135 * @param string $user_login Username. 136 * @param WP_User $user WP_User object of the logged-in user. 137 */ 138 do_action( 'wp_login', $user->user_login, $user ); 139 140 return $user; 141 } 142 143 /** 144 * Authenticates a user, confirming the username and password are valid. 145 * 146 * @since 2.8.0 147 * 148 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 149 * @param string $username Username for authentication. 150 * @param string $password Password for authentication. 151 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 152 */ 153 function wp_authenticate_username_password( $user, $username, $password ) { 154 if ( $user instanceof WP_User ) { 155 return $user; 156 } 157 158 if ( empty( $username ) || empty( $password ) ) { 159 if ( is_wp_error( $user ) ) { 160 return $user; 161 } 162 163 $error = new WP_Error(); 164 165 if ( empty( $username ) ) { 166 $error->add( 'empty_username', __( '<strong>Error:</strong> The username field is empty.' ) ); 167 } 168 169 if ( empty( $password ) ) { 170 $error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) ); 171 } 172 173 return $error; 174 } 175 176 $user = get_user_by( 'login', $username ); 177 178 if ( ! $user ) { 179 return new WP_Error( 180 'invalid_username', 181 sprintf( 182 /* translators: %s: User name. */ 183 __( '<strong>Error:</strong> The username <strong>%s</strong> is not registered on this site. If you are unsure of your username, try your email address instead.' ), 184 $username 185 ) 186 ); 187 } 188 189 /** 190 * Filters whether the given user can be authenticated with the provided password. 191 * 192 * @since 2.5.0 193 * 194 * @param WP_User|WP_Error $user WP_User or WP_Error object if a previous 195 * callback failed authentication. 196 * @param string $password Password to check against the user. 197 */ 198 $user = apply_filters( 'wp_authenticate_user', $user, $password ); 199 if ( is_wp_error( $user ) ) { 200 return $user; 201 } 202 203 if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) { 204 return new WP_Error( 205 'incorrect_password', 206 sprintf( 207 /* translators: %s: User name. */ 208 __( '<strong>Error:</strong> The password you entered for the username %s is incorrect.' ), 209 '<strong>' . $username . '</strong>' 210 ) . 211 ' <a href="' . wp_lostpassword_url() . '">' . 212 __( 'Lost your password?' ) . 213 '</a>' 214 ); 215 } 216 217 return $user; 218 } 219 220 /** 221 * Authenticates a user using the email and password. 222 * 223 * @since 4.5.0 224 * 225 * @param WP_User|WP_Error|null $user WP_User or WP_Error object if a previous 226 * callback failed authentication. 227 * @param string $email Email address for authentication. 228 * @param string $password Password for authentication. 229 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 230 */ 231 function wp_authenticate_email_password( $user, $email, $password ) { 232 if ( $user instanceof WP_User ) { 233 return $user; 234 } 235 236 if ( empty( $email ) || empty( $password ) ) { 237 if ( is_wp_error( $user ) ) { 238 return $user; 239 } 240 241 $error = new WP_Error(); 242 243 if ( empty( $email ) ) { 244 // Uses 'empty_username' for back-compat with wp_signon(). 245 $error->add( 'empty_username', __( '<strong>Error:</strong> The email field is empty.' ) ); 246 } 247 248 if ( empty( $password ) ) { 249 $error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) ); 250 } 251 252 return $error; 253 } 254 255 if ( ! is_email( $email ) ) { 256 return $user; 257 } 258 259 $user = get_user_by( 'email', $email ); 260 261 if ( ! $user ) { 262 return new WP_Error( 263 'invalid_email', 264 __( 'Unknown email address. Check again or try your username.' ) 265 ); 266 } 267 268 /** This filter is documented in wp-includes/user.php */ 269 $user = apply_filters( 'wp_authenticate_user', $user, $password ); 270 271 if ( is_wp_error( $user ) ) { 272 return $user; 273 } 274 275 if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) { 276 return new WP_Error( 277 'incorrect_password', 278 sprintf( 279 /* translators: %s: Email address. */ 280 __( '<strong>Error:</strong> The password you entered for the email address %s is incorrect.' ), 281 '<strong>' . $email . '</strong>' 282 ) . 283 ' <a href="' . wp_lostpassword_url() . '">' . 284 __( 'Lost your password?' ) . 285 '</a>' 286 ); 287 } 288 289 return $user; 290 } 291 292 /** 293 * Authenticates the user using the WordPress auth cookie. 294 * 295 * @since 2.8.0 296 * 297 * @global string $auth_secure_cookie 298 * 299 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 300 * @param string $username Username. If not empty, cancels the cookie authentication. 301 * @param string $password Password. If not empty, cancels the cookie authentication. 302 * @return WP_User|WP_Error WP_User on success, WP_Error on failure. 303 */ 304 function wp_authenticate_cookie( $user, $username, $password ) { 305 global $auth_secure_cookie; 306 307 if ( $user instanceof WP_User ) { 308 return $user; 309 } 310 311 if ( empty( $username ) && empty( $password ) ) { 312 $user_id = wp_validate_auth_cookie(); 313 if ( $user_id ) { 314 return new WP_User( $user_id ); 315 } 316 317 if ( $auth_secure_cookie ) { 318 $auth_cookie = SECURE_AUTH_COOKIE; 319 } else { 320 $auth_cookie = AUTH_COOKIE; 321 } 322 323 if ( ! empty( $_COOKIE[ $auth_cookie ] ) ) { 324 return new WP_Error( 'expired_session', __( 'Please log in again.' ) ); 325 } 326 327 // If the cookie is not set, be silent. 328 } 329 330 return $user; 331 } 332 333 /** 334 * Authenticates the user using an application password. 335 * 336 * @since 5.6.0 337 * 338 * @param WP_User|WP_Error|null $input_user WP_User or WP_Error object if a previous 339 * callback failed authentication. 340 * @param string $username Username for authentication. 341 * @param string $password Password for authentication. 342 * @return WP_User|WP_Error|null WP_User on success, WP_Error on failure, null if 343 * null is passed in and this isn't an API request. 344 */ 345 function wp_authenticate_application_password( $input_user, $username, $password ) { 346 if ( $input_user instanceof WP_User ) { 347 return $input_user; 348 } 349 350 if ( ! WP_Application_Passwords::is_in_use() ) { 351 return $input_user; 352 } 353 354 // The 'REST_REQUEST' check here may happen too early for the constant to be available. 355 $is_api_request = ( ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ); 356 357 /** 358 * Filters whether this is an API request that Application Passwords can be used on. 359 * 360 * By default, Application Passwords is available for the REST API and XML-RPC. 361 * 362 * @since 5.6.0 363 * 364 * @param bool $is_api_request If this is an acceptable API request. 365 */ 366 $is_api_request = apply_filters( 'application_password_is_api_request', $is_api_request ); 367 368 if ( ! $is_api_request ) { 369 return $input_user; 370 } 371 372 $error = null; 373 $user = get_user_by( 'login', $username ); 374 375 if ( ! $user && is_email( $username ) ) { 376 $user = get_user_by( 'email', $username ); 377 } 378 379 // If the login name is invalid, short circuit. 380 if ( ! $user ) { 381 if ( is_email( $username ) ) { 382 $error = new WP_Error( 383 'invalid_email', 384 __( '<strong>Error:</strong> Unknown email address. Check again or try your username.' ) 385 ); 386 } else { 387 $error = new WP_Error( 388 'invalid_username', 389 __( '<strong>Error:</strong> Unknown username. Check again or try your email address.' ) 390 ); 391 } 392 } elseif ( ! wp_is_application_passwords_available() ) { 393 $error = new WP_Error( 394 'application_passwords_disabled', 395 __( 'Application passwords are not available.' ) 396 ); 397 } elseif ( ! wp_is_application_passwords_available_for_user( $user ) ) { 398 $error = new WP_Error( 399 'application_passwords_disabled_for_user', 400 __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' ) 401 ); 402 } 403 404 if ( $error ) { 405 /** 406 * Fires when an application password failed to authenticate the user. 407 * 408 * @since 5.6.0 409 * 410 * @param WP_Error $error The authentication error. 411 */ 412 do_action( 'application_password_failed_authentication', $error ); 413 414 return $error; 415 } 416 417 /* 418 * Strips out anything non-alphanumeric. This is so passwords can be used with 419 * or without spaces to indicate the groupings for readability. 420 * 421 * Generated application passwords are exclusively alphanumeric. 422 */ 423 $password = preg_replace( '/[^a-z\d]/i', '', $password ); 424 425 $hashed_passwords = WP_Application_Passwords::get_user_application_passwords( $user->ID ); 426 427 foreach ( $hashed_passwords as $key => $item ) { 428 if ( ! wp_check_password( $password, $item['password'], $user->ID ) ) { 429 continue; 430 } 431 432 $error = new WP_Error(); 433 434 /** 435 * Fires when an application password has been successfully checked as valid. 436 * 437 * This allows for plugins to add additional constraints to prevent an application password from being used. 438 * 439 * @since 5.6.0 440 * 441 * @param WP_Error $error The error object. 442 * @param WP_User $user The user authenticating. 443 * @param array $item The details about the application password. 444 * @param string $password The raw supplied password. 445 */ 446 do_action( 'wp_authenticate_application_password_errors', $error, $user, $item, $password ); 447 448 if ( is_wp_error( $error ) && $error->has_errors() ) { 449 /** This action is documented in wp-includes/user.php */ 450 do_action( 'application_password_failed_authentication', $error ); 451 452 return $error; 453 } 454 455 WP_Application_Passwords::record_application_password_usage( $user->ID, $item['uuid'] ); 456 457 /** 458 * Fires after an application password was used for authentication. 459 * 460 * @since 5.6.0 461 * 462 * @param WP_User $user The user who was authenticated. 463 * @param array $item The application password used. 464 */ 465 do_action( 'application_password_did_authenticate', $user, $item ); 466 467 return $user; 468 } 469 470 $error = new WP_Error( 471 'incorrect_password', 472 __( 'The provided password is an invalid application password.' ) 473 ); 474 475 /** This action is documented in wp-includes/user.php */ 476 do_action( 'application_password_failed_authentication', $error ); 477 478 return $error; 479 } 480 481 /** 482 * Validates the application password credentials passed via Basic Authentication. 483 * 484 * @since 5.6.0 485 * 486 * @param int|false $input_user User ID if one has been determined, false otherwise. 487 * @return int|false The authenticated user ID if successful, false otherwise. 488 */ 489 function wp_validate_application_password( $input_user ) { 490 // Don't authenticate twice. 491 if ( ! empty( $input_user ) ) { 492 return $input_user; 493 } 494 495 if ( ! wp_is_application_passwords_available() ) { 496 return $input_user; 497 } 498 499 // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication. 500 if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) { 501 return $input_user; 502 } 503 504 $authenticated = wp_authenticate_application_password( null, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ); 505 506 if ( $authenticated instanceof WP_User ) { 507 return $authenticated->ID; 508 } 509 510 // If it wasn't a user what got returned, just pass on what we had received originally. 511 return $input_user; 512 } 513 514 /** 515 * For Multisite blogs, checks if the authenticated user has been marked as a 516 * spammer, or if the user's primary blog has been marked as spam. 517 * 518 * @since 3.7.0 519 * 520 * @param WP_User|WP_Error|null $user WP_User or WP_Error object from a previous callback. Default null. 521 * @return WP_User|WP_Error WP_User on success, WP_Error if the user is considered a spammer. 522 */ 523 function wp_authenticate_spam_check( $user ) { 524 if ( $user instanceof WP_User && is_multisite() ) { 525 /** 526 * Filters whether the user has been marked as a spammer. 527 * 528 * @since 3.7.0 529 * 530 * @param bool $spammed Whether the user is considered a spammer. 531 * @param WP_User $user User to check against. 532 */ 533 $spammed = apply_filters( 'check_is_user_spammed', is_user_spammy( $user ), $user ); 534 535 if ( $spammed ) { 536 return new WP_Error( 'spammer_account', __( '<strong>Error:</strong> Your account has been marked as a spammer.' ) ); 537 } 538 } 539 return $user; 540 } 541 542 /** 543 * Validates the logged-in cookie. 544 * 545 * Checks the logged-in cookie if the previous auth cookie could not be 546 * validated and parsed. 547 * 548 * This is a callback for the {@see 'determine_current_user'} filter, rather than API. 549 * 550 * @since 3.9.0 551 * 552 * @param int|false $user_id The user ID (or false) as received from 553 * the `determine_current_user` filter. 554 * @return int|false User ID if validated, false otherwise. If a user ID from 555 * an earlier filter callback is received, that value is returned. 556 */ 557 function wp_validate_logged_in_cookie( $user_id ) { 558 if ( $user_id ) { 559 return $user_id; 560 } 561 562 if ( is_blog_admin() || is_network_admin() || empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) { 563 return false; 564 } 565 566 return wp_validate_auth_cookie( $_COOKIE[ LOGGED_IN_COOKIE ], 'logged_in' ); 567 } 568 569 /** 570 * Gets the number of posts a user has written. 571 * 572 * @since 3.0.0 573 * @since 4.1.0 Added `$post_type` argument. 574 * @since 4.3.0 Added `$public_only` argument. Added the ability to pass an array 575 * of post types to `$post_type`. 576 * 577 * @global wpdb $wpdb WordPress database abstraction object. 578 * 579 * @param int $userid User ID. 580 * @param array|string $post_type Optional. Single post type or array of post types to count the number of posts for. Default 'post'. 581 * @param bool $public_only Optional. Whether to only return counts for public posts. Default false. 582 * @return string Number of posts the user has written in this post type. 583 */ 584 function count_user_posts( $userid, $post_type = 'post', $public_only = false ) { 585 global $wpdb; 586 587 $where = get_posts_by_author_sql( $post_type, true, $userid, $public_only ); 588 589 $count = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts $where" ); 590 591 /** 592 * Filters the number of posts a user has written. 593 * 594 * @since 2.7.0 595 * @since 4.1.0 Added `$post_type` argument. 596 * @since 4.3.1 Added `$public_only` argument. 597 * 598 * @param int $count The user's post count. 599 * @param int $userid User ID. 600 * @param string|array $post_type Single post type or array of post types to count the number of posts for. 601 * @param bool $public_only Whether to limit counted posts to public posts. 602 */ 603 return apply_filters( 'get_usernumposts', $count, $userid, $post_type, $public_only ); 604 } 605 606 /** 607 * Gets the number of posts written by a list of users. 608 * 609 * @since 3.0.0 610 * 611 * @global wpdb $wpdb WordPress database abstraction object. 612 * 613 * @param int[] $users Array of user IDs. 614 * @param string|string[] $post_type Optional. Single post type or array of post types to check. Defaults to 'post'. 615 * @param bool $public_only Optional. Only return counts for public posts. Defaults to false. 616 * @return string[] Amount of posts each user has written, as strings, keyed by user ID. 617 */ 618 function count_many_users_posts( $users, $post_type = 'post', $public_only = false ) { 619 global $wpdb; 620 621 $count = array(); 622 if ( empty( $users ) || ! is_array( $users ) ) { 623 return $count; 624 } 625 626 $userlist = implode( ',', array_map( 'absint', $users ) ); 627 $where = get_posts_by_author_sql( $post_type, true, null, $public_only ); 628 629 $result = $wpdb->get_results( "SELECT post_author, COUNT(*) FROM $wpdb->posts $where AND post_author IN ($userlist) GROUP BY post_author", ARRAY_N ); 630 foreach ( $result as $row ) { 631 $count[ $row[0] ] = $row[1]; 632 } 633 634 foreach ( $users as $id ) { 635 if ( ! isset( $count[ $id ] ) ) { 636 $count[ $id ] = 0; 637 } 638 } 639 640 return $count; 641 } 642 643 // 644 // User option functions. 645 // 646 647 /** 648 * Gets the current user's ID. 649 * 650 * @since MU (3.0.0) 651 * 652 * @return int The current user's ID, or 0 if no user is logged in. 653 */ 654 function get_current_user_id() { 655 if ( ! function_exists( 'wp_get_current_user' ) ) { 656 return 0; 657 } 658 $user = wp_get_current_user(); 659 return ( isset( $user->ID ) ? (int) $user->ID : 0 ); 660 } 661 662 /** 663 * Retrieves user option that can be either per Site or per Network. 664 * 665 * If the user ID is not given, then the current user will be used instead. If 666 * the user ID is given, then the user data will be retrieved. The filter for 667 * the result, will also pass the original option name and finally the user data 668 * object as the third parameter. 669 * 670 * The option will first check for the per site name and then the per Network name. 671 * 672 * @since 2.0.0 673 * 674 * @global wpdb $wpdb WordPress database abstraction object. 675 * 676 * @param string $option User option name. 677 * @param int $user Optional. User ID. 678 * @param string $deprecated Use get_option() to check for an option in the options table. 679 * @return mixed User option value on success, false on failure. 680 */ 681 function get_user_option( $option, $user = 0, $deprecated = '' ) { 682 global $wpdb; 683 684 if ( ! empty( $deprecated ) ) { 685 _deprecated_argument( __FUNCTION__, '3.0.0' ); 686 } 687 688 if ( empty( $user ) ) { 689 $user = get_current_user_id(); 690 } 691 692 $user = get_userdata( $user ); 693 if ( ! $user ) { 694 return false; 695 } 696 697 $prefix = $wpdb->get_blog_prefix(); 698 if ( $user->has_prop( $prefix . $option ) ) { // Blog-specific. 699 $result = $user->get( $prefix . $option ); 700 } elseif ( $user->has_prop( $option ) ) { // User-specific and cross-blog. 701 $result = $user->get( $option ); 702 } else { 703 $result = false; 704 } 705 706 /** 707 * Filters a specific user option value. 708 * 709 * The dynamic portion of the hook name, `$option`, refers to the user option name. 710 * 711 * @since 2.5.0 712 * 713 * @param mixed $result Value for the user's option. 714 * @param string $option Name of the option being retrieved. 715 * @param WP_User $user WP_User object of the user whose option is being retrieved. 716 */ 717 return apply_filters( "get_user_option_{$option}", $result, $option, $user ); 718 } 719 720 /** 721 * Updates user option with global blog capability. 722 * 723 * User options are just like user metadata except that they have support for 724 * global blog options. If the 'is_global' parameter is false, which it is by default, 725 * it will prepend the WordPress table prefix to the option name. 726 * 727 * Deletes the user option if $newvalue is empty. 728 * 729 * @since 2.0.0 730 * 731 * @global wpdb $wpdb WordPress database abstraction object. 732 * 733 * @param int $user_id User ID. 734 * @param string $option_name User option name. 735 * @param mixed $newvalue User option value. 736 * @param bool $is_global Optional. Whether option name is global or blog specific. 737 * Default false (blog specific). 738 * @return int|bool User meta ID if the option didn't exist, true on successful update, 739 * false on failure. 740 */ 741 function update_user_option( $user_id, $option_name, $newvalue, $is_global = false ) { 742 global $wpdb; 743 744 if ( ! $is_global ) { 745 $option_name = $wpdb->get_blog_prefix() . $option_name; 746 } 747 748 return update_user_meta( $user_id, $option_name, $newvalue ); 749 } 750 751 /** 752 * Deletes user option with global blog capability. 753 * 754 * User options are just like user metadata except that they have support for 755 * global blog options. If the 'is_global' parameter is false, which it is by default, 756 * it will prepend the WordPress table prefix to the option name. 757 * 758 * @since 3.0.0 759 * 760 * @global wpdb $wpdb WordPress database abstraction object. 761 * 762 * @param int $user_id User ID 763 * @param string $option_name User option name. 764 * @param bool $is_global Optional. Whether option name is global or blog specific. 765 * Default false (blog specific). 766 * @return bool True on success, false on failure. 767 */ 768 function delete_user_option( $user_id, $option_name, $is_global = false ) { 769 global $wpdb; 770 771 if ( ! $is_global ) { 772 $option_name = $wpdb->get_blog_prefix() . $option_name; 773 } 774 775 return delete_user_meta( $user_id, $option_name ); 776 } 777 778 /** 779 * Retrieves user info by user ID. 780 * 781 * @since 6.7.0 782 * 783 * @param int $user_id User ID. 784 * 785 * @return WP_User|false WP_User object on success, false on failure. 786 */ 787 function get_user( $user_id ) { 788 return get_user_by( 'id', $user_id ); 789 } 790 791 /** 792 * Retrieves list of users matching criteria. 793 * 794 * @since 3.1.0 795 * 796 * @see WP_User_Query 797 * 798 * @param array $args Optional. Arguments to retrieve users. See WP_User_Query::prepare_query() 799 * for more information on accepted arguments. 800 * @return array List of users. 801 */ 802 function get_users( $args = array() ) { 803 804 $args = wp_parse_args( $args ); 805 $args['count_total'] = false; 806 807 $user_search = new WP_User_Query( $args ); 808 809 return (array) $user_search->get_results(); 810 } 811 812 /** 813 * Lists all the users of the site, with several options available. 814 * 815 * @since 5.9.0 816 * 817 * @param string|array $args { 818 * Optional. Array or string of default arguments. 819 * 820 * @type string $orderby How to sort the users. Accepts 'nicename', 'email', 'url', 'registered', 821 * 'user_nicename', 'user_email', 'user_url', 'user_registered', 'name', 822 * 'display_name', 'post_count', 'ID', 'meta_value', 'user_login'. Default 'name'. 823 * @type string $order Sorting direction for $orderby. Accepts 'ASC', 'DESC'. Default 'ASC'. 824 * @type int $number Maximum users to return or display. Default empty (all users). 825 * @type bool $exclude_admin Whether to exclude the 'admin' account, if it exists. Default false. 826 * @type bool $show_fullname Whether to show the user's full name. Default false. 827 * @type string $feed If not empty, show a link to the user's feed and use this text as the alt 828 * parameter of the link. Default empty. 829 * @type string $feed_image If not empty, show a link to the user's feed and use this image URL as 830 * clickable anchor. Default empty. 831 * @type string $feed_type The feed type to link to, such as 'rss2'. Defaults to default feed type. 832 * @type bool $echo Whether to output the result or instead return it. Default true. 833 * @type string $style If 'list', each user is wrapped in an `<li>` element, otherwise the users 834 * will be separated by commas. 835 * @type bool $html Whether to list the items in HTML form or plaintext. Default true. 836 * @type string $exclude An array, comma-, or space-separated list of user IDs to exclude. Default empty. 837 * @type string $include An array, comma-, or space-separated list of user IDs to include. Default empty. 838 * } 839 * @return string|null The output if echo is false. Otherwise null. 840 */ 841 function wp_list_users( $args = array() ) { 842 $defaults = array( 843 'orderby' => 'name', 844 'order' => 'ASC', 845 'number' => '', 846 'exclude_admin' => true, 847 'show_fullname' => false, 848 'feed' => '', 849 'feed_image' => '', 850 'feed_type' => '', 851 'echo' => true, 852 'style' => 'list', 853 'html' => true, 854 'exclude' => '', 855 'include' => '', 856 ); 857 858 $parsed_args = wp_parse_args( $args, $defaults ); 859 860 $return = ''; 861 862 $query_args = wp_array_slice_assoc( $parsed_args, array( 'orderby', 'order', 'number', 'exclude', 'include' ) ); 863 $query_args['fields'] = 'ids'; 864 865 /** 866 * Filters the query arguments for the list of all users of the site. 867 * 868 * @since 6.1.0 869 * 870 * @param array $query_args The query arguments for get_users(). 871 * @param array $parsed_args The arguments passed to wp_list_users() combined with the defaults. 872 */ 873 $query_args = apply_filters( 'wp_list_users_args', $query_args, $parsed_args ); 874 875 $users = get_users( $query_args ); 876 877 foreach ( $users as $user_id ) { 878 $user = get_userdata( $user_id ); 879 880 if ( $parsed_args['exclude_admin'] && 'admin' === $user->display_name ) { 881 continue; 882 } 883 884 if ( $parsed_args['show_fullname'] && '' !== $user->first_name && '' !== $user->last_name ) { 885 $name = sprintf( 886 /* translators: 1: User's first name, 2: Last name. */ 887 _x( '%1$s %2$s', 'Display name based on first name and last name' ), 888 $user->first_name, 889 $user->last_name 890 ); 891 } else { 892 $name = $user->display_name; 893 } 894 895 if ( ! $parsed_args['html'] ) { 896 $return .= $name . ', '; 897 898 continue; // No need to go further to process HTML. 899 } 900 901 if ( 'list' === $parsed_args['style'] ) { 902 $return .= '<li>'; 903 } 904 905 $row = $name; 906 907 if ( ! empty( $parsed_args['feed_image'] ) || ! empty( $parsed_args['feed'] ) ) { 908 $row .= ' '; 909 if ( empty( $parsed_args['feed_image'] ) ) { 910 $row .= '('; 911 } 912 913 $row .= '<a href="' . get_author_feed_link( $user->ID, $parsed_args['feed_type'] ) . '"'; 914 915 $alt = ''; 916 if ( ! empty( $parsed_args['feed'] ) ) { 917 $alt = ' alt="' . esc_attr( $parsed_args['feed'] ) . '"'; 918 $name = $parsed_args['feed']; 919 } 920 921 $row .= '>'; 922 923 if ( ! empty( $parsed_args['feed_image'] ) ) { 924 $row .= '<img src="' . esc_url( $parsed_args['feed_image'] ) . '" style="border: none;"' . $alt . ' />'; 925 } else { 926 $row .= $name; 927 } 928 929 $row .= '</a>'; 930 931 if ( empty( $parsed_args['feed_image'] ) ) { 932 $row .= ')'; 933 } 934 } 935 936 $return .= $row; 937 $return .= ( 'list' === $parsed_args['style'] ) ? '</li>' : ', '; 938 } 939 940 $return = rtrim( $return, ', ' ); 941 942 if ( ! $parsed_args['echo'] ) { 943 return $return; 944 } 945 echo $return; 946 } 947 948 /** 949 * Gets the sites a user belongs to. 950 * 951 * @since 3.0.0 952 * @since 4.7.0 Converted to use `get_sites()`. 953 * 954 * @global wpdb $wpdb WordPress database abstraction object. 955 * 956 * @param int $user_id User ID 957 * @param bool $all Whether to retrieve all sites, or only sites that are not 958 * marked as deleted, archived, or spam. 959 * @return object[] A list of the user's sites. An empty array if the user doesn't exist 960 * or belongs to no sites. 961 */ 962 function get_blogs_of_user( $user_id, $all = false ) { 963 global $wpdb; 964 965 $user_id = (int) $user_id; 966 967 // Logged out users can't have sites. 968 if ( empty( $user_id ) ) { 969 return array(); 970 } 971 972 /** 973 * Filters the list of a user's sites before it is populated. 974 * 975 * Returning a non-null value from the filter will effectively short circuit 976 * get_blogs_of_user(), returning that value instead. 977 * 978 * @since 4.6.0 979 * 980 * @param null|object[] $sites An array of site objects of which the user is a member. 981 * @param int $user_id User ID. 982 * @param bool $all Whether the returned array should contain all sites, including 983 * those marked 'deleted', 'archived', or 'spam'. Default false. 984 */ 985 $sites = apply_filters( 'pre_get_blogs_of_user', null, $user_id, $all ); 986 987 if ( null !== $sites ) { 988 return $sites; 989 } 990 991 $keys = get_user_meta( $user_id ); 992 if ( empty( $keys ) ) { 993 return array(); 994 } 995 996 if ( ! is_multisite() ) { 997 $site_id = get_current_blog_id(); 998 $sites = array( $site_id => new stdClass() ); 999 $sites[ $site_id ]->userblog_id = $site_id; 1000 $sites[ $site_id ]->blogname = get_option( 'blogname' ); 1001 $sites[ $site_id ]->domain = ''; 1002 $sites[ $site_id ]->path = ''; 1003 $sites[ $site_id ]->site_id = 1; 1004 $sites[ $site_id ]->siteurl = get_option( 'siteurl' ); 1005 $sites[ $site_id ]->archived = 0; 1006 $sites[ $site_id ]->spam = 0; 1007 $sites[ $site_id ]->deleted = 0; 1008 return $sites; 1009 } 1010 1011 $site_ids = array(); 1012 1013 if ( isset( $keys[ $wpdb->base_prefix . 'capabilities' ] ) && defined( 'MULTISITE' ) ) { 1014 $site_ids[] = 1; 1015 unset( $keys[ $wpdb->base_prefix . 'capabilities' ] ); 1016 } 1017 1018 $keys = array_keys( $keys ); 1019 1020 foreach ( $keys as $key ) { 1021 if ( ! str_ends_with( $key, 'capabilities' ) ) { 1022 continue; 1023 } 1024 if ( $wpdb->base_prefix && ! str_starts_with( $key, $wpdb->base_prefix ) ) { 1025 continue; 1026 } 1027 $site_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key ); 1028 if ( ! is_numeric( $site_id ) ) { 1029 continue; 1030 } 1031 1032 $site_ids[] = (int) $site_id; 1033 } 1034 1035 $sites = array(); 1036 1037 if ( ! empty( $site_ids ) ) { 1038 $args = array( 1039 'number' => '', 1040 'site__in' => $site_ids, 1041 ); 1042 if ( ! $all ) { 1043 $args['archived'] = 0; 1044 $args['spam'] = 0; 1045 $args['deleted'] = 0; 1046 } 1047 1048 $_sites = get_sites( $args ); 1049 1050 foreach ( $_sites as $site ) { 1051 $sites[ $site->id ] = (object) array( 1052 'userblog_id' => $site->id, 1053 'blogname' => $site->blogname, 1054 'domain' => $site->domain, 1055 'path' => $site->path, 1056 'site_id' => $site->network_id, 1057 'siteurl' => $site->siteurl, 1058 'archived' => $site->archived, 1059 'mature' => $site->mature, 1060 'spam' => $site->spam, 1061 'deleted' => $site->deleted, 1062 ); 1063 } 1064 } 1065 1066 /** 1067 * Filters the list of sites a user belongs to. 1068 * 1069 * @since MU (3.0.0) 1070 * 1071 * @param object[] $sites An array of site objects belonging to the user. 1072 * @param int $user_id User ID. 1073 * @param bool $all Whether the returned sites array should contain all sites, including 1074 * those marked 'deleted', 'archived', or 'spam'. Default false. 1075 */ 1076 return apply_filters( 'get_blogs_of_user', $sites, $user_id, $all ); 1077 } 1078 1079 /** 1080 * Finds out whether a user is a member of a given blog. 1081 * 1082 * @since MU (3.0.0) 1083 * 1084 * @global wpdb $wpdb WordPress database abstraction object. 1085 * 1086 * @param int $user_id Optional. The unique ID of the user. Defaults to the current user. 1087 * @param int $blog_id Optional. ID of the blog to check. Defaults to the current site. 1088 * @return bool 1089 */ 1090 function is_user_member_of_blog( $user_id = 0, $blog_id = 0 ) { 1091 global $wpdb; 1092 1093 $user_id = (int) $user_id; 1094 $blog_id = (int) $blog_id; 1095 1096 if ( empty( $user_id ) ) { 1097 $user_id = get_current_user_id(); 1098 } 1099 1100 /* 1101 * Technically not needed, but does save calls to get_site() and get_user_meta() 1102 * in the event that the function is called when a user isn't logged in. 1103 */ 1104 if ( empty( $user_id ) ) { 1105 return false; 1106 } else { 1107 $user = get_userdata( $user_id ); 1108 if ( ! $user instanceof WP_User ) { 1109 return false; 1110 } 1111 } 1112 1113 if ( ! is_multisite() ) { 1114 return true; 1115 } 1116 1117 if ( empty( $blog_id ) ) { 1118 $blog_id = get_current_blog_id(); 1119 } 1120 1121 $blog = get_site( $blog_id ); 1122 1123 if ( ! $blog || ! isset( $blog->domain ) || $blog->archived || $blog->spam || $blog->deleted ) { 1124 return false; 1125 } 1126 1127 $keys = get_user_meta( $user_id ); 1128 if ( empty( $keys ) ) { 1129 return false; 1130 } 1131 1132 // No underscore before capabilities in $base_capabilities_key. 1133 $base_capabilities_key = $wpdb->base_prefix . 'capabilities'; 1134 $site_capabilities_key = $wpdb->base_prefix . $blog_id . '_capabilities'; 1135 1136 if ( isset( $keys[ $base_capabilities_key ] ) && 1 === $blog_id ) { 1137 return true; 1138 } 1139 1140 if ( isset( $keys[ $site_capabilities_key ] ) ) { 1141 return true; 1142 } 1143 1144 return false; 1145 } 1146 1147 /** 1148 * Adds meta data to a user. 1149 * 1150 * @since 3.0.0 1151 * 1152 * @param int $user_id User ID. 1153 * @param string $meta_key Metadata name. 1154 * @param mixed $meta_value Metadata value. Arrays and objects are stored as serialized data and 1155 * will be returned as the same type when retrieved. Other data types will 1156 * be stored as strings in the database: 1157 * - false is stored and retrieved as an empty string ('') 1158 * - true is stored and retrieved as '1' 1159 * - numbers (both integer and float) are stored and retrieved as strings 1160 * Must be serializable if non-scalar. 1161 * @param bool $unique Optional. Whether the same key should not be added. 1162 * Default false. 1163 * @return int|false Meta ID on success, false on failure. 1164 */ 1165 function add_user_meta( $user_id, $meta_key, $meta_value, $unique = false ) { 1166 return add_metadata( 'user', $user_id, $meta_key, $meta_value, $unique ); 1167 } 1168 1169 /** 1170 * Removes metadata matching criteria from a user. 1171 * 1172 * You can match based on the key, or key and value. Removing based on key and 1173 * value, will keep from removing duplicate metadata with the same key. It also 1174 * allows removing all metadata matching key, if needed. 1175 * 1176 * @since 3.0.0 1177 * 1178 * @link https://developer.wordpress.org/reference/functions/delete_user_meta/ 1179 * 1180 * @param int $user_id User ID 1181 * @param string $meta_key Metadata name. 1182 * @param mixed $meta_value Optional. Metadata value. If provided, 1183 * rows will only be removed that match the value. 1184 * Must be serializable if non-scalar. Default empty. 1185 * @return bool True on success, false on failure. 1186 */ 1187 function delete_user_meta( $user_id, $meta_key, $meta_value = '' ) { 1188 return delete_metadata( 'user', $user_id, $meta_key, $meta_value ); 1189 } 1190 1191 /** 1192 * Retrieves user meta field for a user. 1193 * 1194 * @since 3.0.0 1195 * 1196 * @link https://developer.wordpress.org/reference/functions/get_user_meta/ 1197 * 1198 * @param int $user_id User ID. 1199 * @param string $key Optional. The meta key to retrieve. By default, 1200 * returns data for all keys. 1201 * @param bool $single Optional. Whether to return a single value. 1202 * This parameter has no effect if `$key` is not specified. 1203 * Default false. 1204 * @return mixed An array of values if `$single` is false. 1205 * The value of meta data field if `$single` is true. 1206 * False for an invalid `$user_id` (non-numeric, zero, or negative value). 1207 * An empty array if a valid but non-existing user ID is passed and `$single` is false. 1208 * An empty string if a valid but non-existing user ID is passed and `$single` is true. 1209 * Note: Non-serialized values are returned as strings: 1210 * - false values are returned as empty strings ('') 1211 * - true values are returned as '1' 1212 * - numbers (both integer and float) are returned as strings 1213 * Arrays and objects retain their original type. 1214 */ 1215 function get_user_meta( $user_id, $key = '', $single = false ) { 1216 return get_metadata( 'user', $user_id, $key, $single ); 1217 } 1218 1219 /** 1220 * Updates user meta field based on user ID. 1221 * 1222 * Use the $prev_value parameter to differentiate between meta fields with the 1223 * same key and user ID. 1224 * 1225 * If the meta field for the user does not exist, it will be added. 1226 * 1227 * @since 3.0.0 1228 * 1229 * @link https://developer.wordpress.org/reference/functions/update_user_meta/ 1230 * 1231 * @param int $user_id User ID. 1232 * @param string $meta_key Metadata key. 1233 * @param mixed $meta_value Metadata value. Must be serializable if non-scalar. 1234 * @param mixed $prev_value Optional. Previous value to check before updating. 1235 * If specified, only update existing metadata entries with 1236 * this value. Otherwise, update all entries. Default empty. 1237 * @return int|bool Meta ID if the key didn't exist, true on successful update, 1238 * false on failure or if the value passed to the function 1239 * is the same as the one that is already in the database. 1240 */ 1241 function update_user_meta( $user_id, $meta_key, $meta_value, $prev_value = '' ) { 1242 return update_metadata( 'user', $user_id, $meta_key, $meta_value, $prev_value ); 1243 } 1244 1245 /** 1246 * Counts number of users who have each of the user roles. 1247 * 1248 * Assumes there are neither duplicated nor orphaned capabilities meta_values. 1249 * Assumes role names are unique phrases. Same assumption made by WP_User_Query::prepare_query() 1250 * Using $strategy = 'time' this is CPU-intensive and should handle around 10^7 users. 1251 * Using $strategy = 'memory' this is memory-intensive and should handle around 10^5 users, but see WP Bug #12257. 1252 * 1253 * @since 3.0.0 1254 * @since 4.4.0 The number of users with no role is now included in the `none` element. 1255 * @since 4.9.0 The `$site_id` parameter was added to support multisite. 1256 * 1257 * @global wpdb $wpdb WordPress database abstraction object. 1258 * 1259 * @param string $strategy Optional. The computational strategy to use when counting the users. 1260 * Accepts either 'time' or 'memory'. Default 'time'. 1261 * @param int|null $site_id Optional. The site ID to count users for. Defaults to the current site. 1262 * @return array { 1263 * User counts. 1264 * 1265 * @type int $total_users Total number of users on the site. 1266 * @type int[] $avail_roles Array of user counts keyed by user role. 1267 * } 1268 */ 1269 function count_users( $strategy = 'time', $site_id = null ) { 1270 global $wpdb; 1271 1272 // Initialize. 1273 if ( ! $site_id ) { 1274 $site_id = get_current_blog_id(); 1275 } 1276 1277 /** 1278 * Filters the user count before queries are run. 1279 * 1280 * Return a non-null value to cause count_users() to return early. 1281 * 1282 * @since 5.1.0 1283 * 1284 * @param null|array $result The value to return instead. Default null to continue with the query. 1285 * @param string $strategy Optional. The computational strategy to use when counting the users. 1286 * Accepts either 'time' or 'memory'. Default 'time'. 1287 * @param int $site_id The site ID to count users for. 1288 */ 1289 $pre = apply_filters( 'pre_count_users', null, $strategy, $site_id ); 1290 1291 if ( null !== $pre ) { 1292 return $pre; 1293 } 1294 1295 $blog_prefix = $wpdb->get_blog_prefix( $site_id ); 1296 $result = array(); 1297 1298 if ( 'time' === $strategy ) { 1299 if ( is_multisite() && get_current_blog_id() !== $site_id ) { 1300 switch_to_blog( $site_id ); 1301 $avail_roles = wp_roles()->get_names(); 1302 restore_current_blog(); 1303 } else { 1304 $avail_roles = wp_roles()->get_names(); 1305 } 1306 1307 // Build a CPU-intensive query that will return concise information. 1308 $select_count = array(); 1309 foreach ( $avail_roles as $this_role => $name ) { 1310 $select_count[] = $wpdb->prepare( 'COUNT(NULLIF(`meta_value` LIKE %s, false))', '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%' ); 1311 } 1312 $select_count[] = "COUNT(NULLIF(`meta_value` = 'a:0:{}', false))"; 1313 $select_count = implode( ', ', $select_count ); 1314 1315 // Add the meta_value index to the selection list, then run the query. 1316 $row = $wpdb->get_row( 1317 " 1318 SELECT {$select_count}, COUNT(*) 1319 FROM {$wpdb->usermeta} 1320 INNER JOIN {$wpdb->users} ON user_id = ID 1321 WHERE meta_key = '{$blog_prefix}capabilities' 1322 ", 1323 ARRAY_N 1324 ); 1325 1326 // Run the previous loop again to associate results with role names. 1327 $col = 0; 1328 $role_counts = array(); 1329 foreach ( $avail_roles as $this_role => $name ) { 1330 $count = (int) $row[ $col++ ]; 1331 if ( $count > 0 ) { 1332 $role_counts[ $this_role ] = $count; 1333 } 1334 } 1335 1336 $role_counts['none'] = (int) $row[ $col++ ]; 1337 1338 // Get the meta_value index from the end of the result set. 1339 $total_users = (int) $row[ $col ]; 1340 1341 $result['total_users'] = $total_users; 1342 $result['avail_roles'] =& $role_counts; 1343 } else { 1344 $avail_roles = array( 1345 'none' => 0, 1346 ); 1347 1348 $users_of_blog = $wpdb->get_col( 1349 " 1350 SELECT meta_value 1351 FROM {$wpdb->usermeta} 1352 INNER JOIN {$wpdb->users} ON user_id = ID 1353 WHERE meta_key = '{$blog_prefix}capabilities' 1354 " 1355 ); 1356 1357 foreach ( $users_of_blog as $caps_meta ) { 1358 $b_roles = maybe_unserialize( $caps_meta ); 1359 if ( ! is_array( $b_roles ) ) { 1360 continue; 1361 } 1362 if ( empty( $b_roles ) ) { 1363 ++$avail_roles['none']; 1364 } 1365 foreach ( $b_roles as $b_role => $val ) { 1366 if ( isset( $avail_roles[ $b_role ] ) ) { 1367 ++$avail_roles[ $b_role ]; 1368 } else { 1369 $avail_roles[ $b_role ] = 1; 1370 } 1371 } 1372 } 1373 1374 $result['total_users'] = count( $users_of_blog ); 1375 $result['avail_roles'] =& $avail_roles; 1376 } 1377 1378 return $result; 1379 } 1380 1381 /** 1382 * Returns the number of active users in your installation. 1383 * 1384 * Note that on a large site the count may be cached and only updated twice daily. 1385 * 1386 * @since MU (3.0.0) 1387 * @since 4.8.0 The `$network_id` parameter has been added. 1388 * @since 6.0.0 Moved to wp-includes/user.php. 1389 * 1390 * @param int|null $network_id ID of the network. Defaults to the current network. 1391 * @return int Number of active users on the network. 1392 */ 1393 function get_user_count( $network_id = null ) { 1394 if ( ! is_multisite() && null !== $network_id ) { 1395 _doing_it_wrong( 1396 __FUNCTION__, 1397 sprintf( 1398 /* translators: %s: $network_id */ 1399 __( 'Unable to pass %s if not using multisite.' ), 1400 '<code>$network_id</code>' 1401 ), 1402 '6.0.0' 1403 ); 1404 } 1405 1406 return (int) get_network_option( $network_id, 'user_count', -1 ); 1407 } 1408 1409 /** 1410 * Updates the total count of users on the site if live user counting is enabled. 1411 * 1412 * @since 6.0.0 1413 * 1414 * @param int|null $network_id ID of the network. Defaults to the current network. 1415 * @return bool Whether the update was successful. 1416 */ 1417 function wp_maybe_update_user_counts( $network_id = null ) { 1418 if ( ! is_multisite() && null !== $network_id ) { 1419 _doing_it_wrong( 1420 __FUNCTION__, 1421 sprintf( 1422 /* translators: %s: $network_id */ 1423 __( 'Unable to pass %s if not using multisite.' ), 1424 '<code>$network_id</code>' 1425 ), 1426 '6.0.0' 1427 ); 1428 } 1429 1430 $is_small_network = ! wp_is_large_user_count( $network_id ); 1431 /** This filter is documented in wp-includes/ms-functions.php */ 1432 if ( ! apply_filters( 'enable_live_network_counts', $is_small_network, 'users' ) ) { 1433 return false; 1434 } 1435 1436 return wp_update_user_counts( $network_id ); 1437 } 1438 1439 /** 1440 * Updates the total count of users on the site. 1441 * 1442 * @global wpdb $wpdb WordPress database abstraction object. 1443 * @since 6.0.0 1444 * 1445 * @param int|null $network_id ID of the network. Defaults to the current network. 1446 * @return bool Whether the update was successful. 1447 */ 1448 function wp_update_user_counts( $network_id = null ) { 1449 global $wpdb; 1450 1451 if ( ! is_multisite() && null !== $network_id ) { 1452 _doing_it_wrong( 1453 __FUNCTION__, 1454 sprintf( 1455 /* translators: %s: $network_id */ 1456 __( 'Unable to pass %s if not using multisite.' ), 1457 '<code>$network_id</code>' 1458 ), 1459 '6.0.0' 1460 ); 1461 } 1462 1463 $query = "SELECT COUNT(ID) as c FROM $wpdb->users"; 1464 if ( is_multisite() ) { 1465 $query .= " WHERE spam = '0' AND deleted = '0'"; 1466 } 1467 1468 $count = $wpdb->get_var( $query ); 1469 1470 return update_network_option( $network_id, 'user_count', $count ); 1471 } 1472 1473 /** 1474 * Schedules a recurring recalculation of the total count of users. 1475 * 1476 * @since 6.0.0 1477 */ 1478 function wp_schedule_update_user_counts() { 1479 if ( ! is_main_site() ) { 1480 return; 1481 } 1482 1483 if ( ! wp_next_scheduled( 'wp_update_user_counts' ) && ! wp_installing() ) { 1484 wp_schedule_event( time(), 'twicedaily', 'wp_update_user_counts' ); 1485 } 1486 } 1487 1488 /** 1489 * Determines whether the site has a large number of users. 1490 * 1491 * The default criteria for a large site is more than 10,000 users. 1492 * 1493 * @since 6.0.0 1494 * 1495 * @param int|null $network_id ID of the network. Defaults to the current network. 1496 * @return bool Whether the site has a large number of users. 1497 */ 1498 function wp_is_large_user_count( $network_id = null ) { 1499 if ( ! is_multisite() && null !== $network_id ) { 1500 _doing_it_wrong( 1501 __FUNCTION__, 1502 sprintf( 1503 /* translators: %s: $network_id */ 1504 __( 'Unable to pass %s if not using multisite.' ), 1505 '<code>$network_id</code>' 1506 ), 1507 '6.0.0' 1508 ); 1509 } 1510 1511 $count = get_user_count( $network_id ); 1512 1513 /** 1514 * Filters whether the site is considered large, based on its number of users. 1515 * 1516 * @since 6.0.0 1517 * 1518 * @param bool $is_large_user_count Whether the site has a large number of users. 1519 * @param int $count The total number of users. 1520 * @param int|null $network_id ID of the network. `null` represents the current network. 1521 */ 1522 return apply_filters( 'wp_is_large_user_count', $count > 10000, $count, $network_id ); 1523 } 1524 1525 // 1526 // Private helper functions. 1527 // 1528 1529 /** 1530 * Sets up global user vars. 1531 * 1532 * Used by wp_set_current_user() for back compat. Might be deprecated in the future. 1533 * 1534 * @since 2.0.4 1535 * 1536 * @global string $user_login The user username for logging in 1537 * @global WP_User $userdata User data. 1538 * @global int $user_level The level of the user 1539 * @global int $user_ID The ID of the user 1540 * @global string $user_email The email address of the user 1541 * @global string $user_url The url in the user's profile 1542 * @global string $user_identity The display name of the user 1543 * 1544 * @param int $for_user_id Optional. User ID to set up global data. Default 0. 1545 */ 1546 function setup_userdata( $for_user_id = 0 ) { 1547 global $user_login, $userdata, $user_level, $user_ID, $user_email, $user_url, $user_identity; 1548 1549 if ( ! $for_user_id ) { 1550 $for_user_id = get_current_user_id(); 1551 } 1552 $user = get_userdata( $for_user_id ); 1553 1554 if ( ! $user ) { 1555 $user_ID = 0; 1556 $user_level = 0; 1557 $userdata = null; 1558 $user_login = ''; 1559 $user_email = ''; 1560 $user_url = ''; 1561 $user_identity = ''; 1562 return; 1563 } 1564 1565 $user_ID = (int) $user->ID; 1566 $user_level = (int) $user->user_level; 1567 $userdata = $user; 1568 $user_login = $user->user_login; 1569 $user_email = $user->user_email; 1570 $user_url = $user->user_url; 1571 $user_identity = $user->display_name; 1572 } 1573 1574 /** 1575 * Creates dropdown HTML content of users. 1576 * 1577 * The content can either be displayed, which it is by default, or retrieved by 1578 * setting the 'echo' argument to false. The 'include' and 'exclude' arguments 1579 * are optional; if they are not specified, all users will be displayed. Only one 1580 * can be used in a single call, either 'include' or 'exclude', but not both. 1581 * 1582 * @since 2.3.0 1583 * @since 4.5.0 Added the 'display_name_with_login' value for 'show'. 1584 * @since 4.7.0 Added the 'role', 'role__in', and 'role__not_in' parameters. 1585 * @since 5.9.0 Added the 'capability', 'capability__in', and 'capability__not_in' parameters. 1586 * Deprecated the 'who' parameter. 1587 * 1588 * @param array|string $args { 1589 * Optional. Array or string of arguments to generate a drop-down of users. 1590 * See WP_User_Query::prepare_query() for additional available arguments. 1591 * 1592 * @type string $show_option_all Text to show as the drop-down default (all). 1593 * Default empty. 1594 * @type string $show_option_none Text to show as the drop-down default when no 1595 * users were found. Default empty. 1596 * @type int|string $option_none_value Value to use for `$show_option_none` when no users 1597 * were found. Default -1. 1598 * @type string $hide_if_only_one_author Whether to skip generating the drop-down 1599 * if only one user was found. Default empty. 1600 * @type string $orderby Field to order found users by. Accepts user fields. 1601 * Default 'display_name'. 1602 * @type string $order Whether to order users in ascending or descending 1603 * order. Accepts 'ASC' (ascending) or 'DESC' (descending). 1604 * Default 'ASC'. 1605 * @type int[]|string $include Array or comma-separated list of user IDs to include. 1606 * Default empty. 1607 * @type int[]|string $exclude Array or comma-separated list of user IDs to exclude. 1608 * Default empty. 1609 * @type bool|int $multi Whether to skip the ID attribute on the 'select' element. 1610 * Accepts 1|true or 0|false. Default 0|false. 1611 * @type string $show User data to display. If the selected item is empty 1612 * then the 'user_login' will be displayed in parentheses. 1613 * Accepts any user field, or 'display_name_with_login' to show 1614 * the display name with user_login in parentheses. 1615 * Default 'display_name'. 1616 * @type int|bool $echo Whether to echo or return the drop-down. Accepts 1|true (echo) 1617 * or 0|false (return). Default 1|true. 1618 * @type int $selected Which user ID should be selected. Default 0. 1619 * @type bool $include_selected Whether to always include the selected user ID in the drop- 1620 * down. Default false. 1621 * @type string $name Name attribute of select element. Default 'user'. 1622 * @type string $id ID attribute of the select element. Default is the value of `$name`. 1623 * @type string $class Class attribute of the select element. Default empty. 1624 * @type int $blog_id ID of blog (Multisite only). Default is ID of the current blog. 1625 * @type string $who Deprecated, use `$capability` instead. 1626 * Which type of users to query. Accepts only an empty string or 1627 * 'authors'. Default empty (all users). 1628 * @type string|string[] $role An array or a comma-separated list of role names that users 1629 * must match to be included in results. Note that this is 1630 * an inclusive list: users must match *each* role. Default empty. 1631 * @type string[] $role__in An array of role names. Matched users must have at least one 1632 * of these roles. Default empty array. 1633 * @type string[] $role__not_in An array of role names to exclude. Users matching one or more 1634 * of these roles will not be included in results. Default empty array. 1635 * @type string|string[] $capability An array or a comma-separated list of capability names that users 1636 * must match to be included in results. Note that this is 1637 * an inclusive list: users must match *each* capability. 1638 * Does NOT work for capabilities not in the database or filtered 1639 * via {@see 'map_meta_cap'}. Default empty. 1640 * @type string[] $capability__in An array of capability names. Matched users must have at least one 1641 * of these capabilities. 1642 * Does NOT work for capabilities not in the database or filtered 1643 * via {@see 'map_meta_cap'}. Default empty array. 1644 * @type string[] $capability__not_in An array of capability names to exclude. Users matching one or more 1645 * of these capabilities will not be included in results. 1646 * Does NOT work for capabilities not in the database or filtered 1647 * via {@see 'map_meta_cap'}. Default empty array. 1648 * } 1649 * @return string HTML dropdown list of users. 1650 */ 1651 function wp_dropdown_users( $args = '' ) { 1652 $defaults = array( 1653 'show_option_all' => '', 1654 'show_option_none' => '', 1655 'hide_if_only_one_author' => '', 1656 'orderby' => 'display_name', 1657 'order' => 'ASC', 1658 'include' => '', 1659 'exclude' => '', 1660 'multi' => 0, 1661 'show' => 'display_name', 1662 'echo' => 1, 1663 'selected' => 0, 1664 'name' => 'user', 1665 'class' => '', 1666 'id' => '', 1667 'blog_id' => get_current_blog_id(), 1668 'who' => '', 1669 'include_selected' => false, 1670 'option_none_value' => -1, 1671 'role' => '', 1672 'role__in' => array(), 1673 'role__not_in' => array(), 1674 'capability' => '', 1675 'capability__in' => array(), 1676 'capability__not_in' => array(), 1677 ); 1678 1679 $defaults['selected'] = is_author() ? get_query_var( 'author' ) : 0; 1680 1681 $parsed_args = wp_parse_args( $args, $defaults ); 1682 1683 $query_args = wp_array_slice_assoc( 1684 $parsed_args, 1685 array( 1686 'blog_id', 1687 'include', 1688 'exclude', 1689 'orderby', 1690 'order', 1691 'who', 1692 'role', 1693 'role__in', 1694 'role__not_in', 1695 'capability', 1696 'capability__in', 1697 'capability__not_in', 1698 ) 1699 ); 1700 1701 $fields = array( 'ID', 'user_login' ); 1702 1703 $show = ! empty( $parsed_args['show'] ) ? $parsed_args['show'] : 'display_name'; 1704 if ( 'display_name_with_login' === $show ) { 1705 $fields[] = 'display_name'; 1706 } else { 1707 $fields[] = $show; 1708 } 1709 1710 $query_args['fields'] = $fields; 1711 1712 $show_option_all = $parsed_args['show_option_all']; 1713 $show_option_none = $parsed_args['show_option_none']; 1714 $option_none_value = $parsed_args['option_none_value']; 1715 1716 /** 1717 * Filters the query arguments for the list of users in the dropdown. 1718 * 1719 * @since 4.4.0 1720 * 1721 * @param array $query_args The query arguments for get_users(). 1722 * @param array $parsed_args The arguments passed to wp_dropdown_users() combined with the defaults. 1723 */ 1724 $query_args = apply_filters( 'wp_dropdown_users_args', $query_args, $parsed_args ); 1725 1726 $users = get_users( $query_args ); 1727 1728 $output = ''; 1729 if ( ! empty( $users ) && ( empty( $parsed_args['hide_if_only_one_author'] ) || count( $users ) > 1 ) ) { 1730 $name = esc_attr( $parsed_args['name'] ); 1731 if ( $parsed_args['multi'] && ! $parsed_args['id'] ) { 1732 $id = ''; 1733 } else { 1734 $id = $parsed_args['id'] ? " id='" . esc_attr( $parsed_args['id'] ) . "'" : " id='$name'"; 1735 } 1736 $output = "<select name='{$name}'{$id} class='" . $parsed_args['class'] . "'>\n"; 1737 1738 if ( $show_option_all ) { 1739 $output .= "\t<option value='0'>$show_option_all</option>\n"; 1740 } 1741 1742 if ( $show_option_none ) { 1743 $_selected = selected( $option_none_value, $parsed_args['selected'], false ); 1744 $output .= "\t<option value='" . esc_attr( $option_none_value ) . "'$_selected>$show_option_none</option>\n"; 1745 } 1746 1747 if ( $parsed_args['include_selected'] && ( $parsed_args['selected'] > 0 ) ) { 1748 $found_selected = false; 1749 $parsed_args['selected'] = (int) $parsed_args['selected']; 1750 1751 foreach ( (array) $users as $user ) { 1752 $user->ID = (int) $user->ID; 1753 if ( $user->ID === $parsed_args['selected'] ) { 1754 $found_selected = true; 1755 } 1756 } 1757 1758 if ( ! $found_selected ) { 1759 $selected_user = get_userdata( $parsed_args['selected'] ); 1760 if ( $selected_user ) { 1761 $users[] = $selected_user; 1762 } 1763 } 1764 } 1765 1766 foreach ( (array) $users as $user ) { 1767 if ( 'display_name_with_login' === $show ) { 1768 /* translators: 1: User's display name, 2: User login. */ 1769 $display = sprintf( _x( '%1$s (%2$s)', 'user dropdown' ), $user->display_name, $user->user_login ); 1770 } elseif ( ! empty( $user->$show ) ) { 1771 $display = $user->$show; 1772 } else { 1773 $display = '(' . $user->user_login . ')'; 1774 } 1775 1776 $_selected = selected( $user->ID, $parsed_args['selected'], false ); 1777 $output .= "\t<option value='$user->ID'$_selected>" . esc_html( $display ) . "</option>\n"; 1778 } 1779 1780 $output .= '</select>'; 1781 } 1782 1783 /** 1784 * Filters the wp_dropdown_users() HTML output. 1785 * 1786 * @since 2.3.0 1787 * 1788 * @param string $output HTML output generated by wp_dropdown_users(). 1789 */ 1790 $html = apply_filters( 'wp_dropdown_users', $output ); 1791 1792 if ( $parsed_args['echo'] ) { 1793 echo $html; 1794 } 1795 return $html; 1796 } 1797 1798 /** 1799 * Sanitizes user field based on context. 1800 * 1801 * Possible context values are: 'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The 1802 * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display' 1803 * when calling filters. 1804 * 1805 * @since 2.3.0 1806 * 1807 * @param string $field The user Object field name. 1808 * @param mixed $value The user Object value. 1809 * @param int $user_id User ID. 1810 * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display', 1811 * 'attribute' and 'js'. 1812 * @return mixed Sanitized value. 1813 */ 1814 function sanitize_user_field( $field, $value, $user_id, $context ) { 1815 $int_fields = array( 'ID' ); 1816 if ( in_array( $field, $int_fields, true ) ) { 1817 $value = (int) $value; 1818 } 1819 1820 if ( 'raw' === $context ) { 1821 return $value; 1822 } 1823 1824 if ( ! is_string( $value ) && ! is_numeric( $value ) ) { 1825 return $value; 1826 } 1827 1828 $prefixed = str_contains( $field, 'user_' ); 1829 1830 if ( 'edit' === $context ) { 1831 if ( $prefixed ) { 1832 1833 /** This filter is documented in wp-includes/post.php */ 1834 $value = apply_filters( "edit_{$field}", $value, $user_id ); 1835 } else { 1836 1837 /** 1838 * Filters a user field value in the 'edit' context. 1839 * 1840 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1841 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1842 * 1843 * @since 2.9.0 1844 * 1845 * @param mixed $value Value of the prefixed user field. 1846 * @param int $user_id User ID. 1847 */ 1848 $value = apply_filters( "edit_user_{$field}", $value, $user_id ); 1849 } 1850 1851 if ( 'description' === $field ) { 1852 $value = esc_html( $value ); // textarea_escaped? 1853 } else { 1854 $value = esc_attr( $value ); 1855 } 1856 } elseif ( 'db' === $context ) { 1857 if ( $prefixed ) { 1858 /** This filter is documented in wp-includes/post.php */ 1859 $value = apply_filters( "pre_{$field}", $value ); 1860 } else { 1861 1862 /** 1863 * Filters the value of a user field in the 'db' context. 1864 * 1865 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1866 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1867 * 1868 * @since 2.9.0 1869 * 1870 * @param mixed $value Value of the prefixed user field. 1871 */ 1872 $value = apply_filters( "pre_user_{$field}", $value ); 1873 } 1874 } else { 1875 // Use display filters by default. 1876 if ( $prefixed ) { 1877 1878 /** This filter is documented in wp-includes/post.php */ 1879 $value = apply_filters( "{$field}", $value, $user_id, $context ); 1880 } else { 1881 1882 /** 1883 * Filters the value of a user field in a standard context. 1884 * 1885 * The dynamic portion of the hook name, `$field`, refers to the prefixed user 1886 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc. 1887 * 1888 * @since 2.9.0 1889 * 1890 * @param mixed $value The user object value to sanitize. 1891 * @param int $user_id User ID. 1892 * @param string $context The context to filter within. 1893 */ 1894 $value = apply_filters( "user_{$field}", $value, $user_id, $context ); 1895 } 1896 } 1897 1898 if ( 'user_url' === $field ) { 1899 $value = esc_url( $value ); 1900 } 1901 1902 if ( 'attribute' === $context ) { 1903 $value = esc_attr( $value ); 1904 } elseif ( 'js' === $context ) { 1905 $value = esc_js( $value ); 1906 } 1907 1908 // Restore the type for integer fields after esc_attr(). 1909 if ( in_array( $field, $int_fields, true ) ) { 1910 $value = (int) $value; 1911 } 1912 1913 return $value; 1914 } 1915 1916 /** 1917 * Updates all user caches. 1918 * 1919 * @since 3.0.0 1920 * 1921 * @param object|WP_User $user User object or database row to be cached 1922 * @return void|false Void on success, false on failure. 1923 */ 1924 function update_user_caches( $user ) { 1925 if ( $user instanceof WP_User ) { 1926 if ( ! $user->exists() ) { 1927 return false; 1928 } 1929 1930 $user = $user->data; 1931 } 1932 1933 wp_cache_add( $user->ID, $user, 'users' ); 1934 wp_cache_add( $user->user_login, $user->ID, 'userlogins' ); 1935 wp_cache_add( $user->user_nicename, $user->ID, 'userslugs' ); 1936 1937 if ( ! empty( $user->user_email ) ) { 1938 wp_cache_add( $user->user_email, $user->ID, 'useremail' ); 1939 } 1940 } 1941 1942 /** 1943 * Cleans all user caches. 1944 * 1945 * @since 3.0.0 1946 * @since 4.4.0 'clean_user_cache' action was added. 1947 * @since 6.2.0 User metadata caches are now cleared. 1948 * 1949 * @param WP_User|int $user User object or ID to be cleaned from the cache 1950 */ 1951 function clean_user_cache( $user ) { 1952 if ( is_numeric( $user ) ) { 1953 $user = new WP_User( $user ); 1954 } 1955 1956 if ( ! $user->exists() ) { 1957 return; 1958 } 1959 1960 wp_cache_delete( $user->ID, 'users' ); 1961 wp_cache_delete( $user->user_login, 'userlogins' ); 1962 wp_cache_delete( $user->user_nicename, 'userslugs' ); 1963 1964 if ( ! empty( $user->user_email ) ) { 1965 wp_cache_delete( $user->user_email, 'useremail' ); 1966 } 1967 1968 wp_cache_delete( $user->ID, 'user_meta' ); 1969 wp_cache_set_users_last_changed(); 1970 1971 /** 1972 * Fires immediately after the given user's cache is cleaned. 1973 * 1974 * @since 4.4.0 1975 * 1976 * @param int $user_id User ID. 1977 * @param WP_User $user User object. 1978 */ 1979 do_action( 'clean_user_cache', $user->ID, $user ); 1980 } 1981 1982 /** 1983 * Determines whether the given username exists. 1984 * 1985 * For more information on this and similar theme functions, check out 1986 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 1987 * Conditional Tags} article in the Theme Developer Handbook. 1988 * 1989 * @since 2.0.0 1990 * 1991 * @param string $username The username to check for existence. 1992 * @return int|false The user ID on success, false on failure. 1993 */ 1994 function username_exists( $username ) { 1995 $user = get_user_by( 'login', $username ); 1996 if ( $user ) { 1997 $user_id = $user->ID; 1998 } else { 1999 $user_id = false; 2000 } 2001 2002 /** 2003 * Filters whether the given username exists. 2004 * 2005 * @since 4.9.0 2006 * 2007 * @param int|false $user_id The user ID associated with the username, 2008 * or false if the username does not exist. 2009 * @param string $username The username to check for existence. 2010 */ 2011 return apply_filters( 'username_exists', $user_id, $username ); 2012 } 2013 2014 /** 2015 * Determines whether the given email exists. 2016 * 2017 * For more information on this and similar theme functions, check out 2018 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 2019 * Conditional Tags} article in the Theme Developer Handbook. 2020 * 2021 * @since 2.1.0 2022 * 2023 * @param string $email The email to check for existence. 2024 * @return int|false The user ID on success, false on failure. 2025 */ 2026 function email_exists( $email ) { 2027 $user = get_user_by( 'email', $email ); 2028 if ( $user ) { 2029 $user_id = $user->ID; 2030 } else { 2031 $user_id = false; 2032 } 2033 2034 /** 2035 * Filters whether the given email exists. 2036 * 2037 * @since 5.6.0 2038 * 2039 * @param int|false $user_id The user ID associated with the email, 2040 * or false if the email does not exist. 2041 * @param string $email The email to check for existence. 2042 */ 2043 return apply_filters( 'email_exists', $user_id, $email ); 2044 } 2045 2046 /** 2047 * Checks whether a username is valid. 2048 * 2049 * @since 2.0.1 2050 * @since 4.4.0 Empty sanitized usernames are now considered invalid. 2051 * 2052 * @param string $username Username. 2053 * @return bool Whether username given is valid. 2054 */ 2055 function validate_username( $username ) { 2056 $sanitized = sanitize_user( $username, true ); 2057 $valid = ( $sanitized === $username && ! empty( $sanitized ) ); 2058 2059 /** 2060 * Filters whether the provided username is valid. 2061 * 2062 * @since 2.0.1 2063 * 2064 * @param bool $valid Whether given username is valid. 2065 * @param string $username Username to check. 2066 */ 2067 return apply_filters( 'validate_username', $valid, $username ); 2068 } 2069 2070 /** 2071 * Inserts a user into the database. 2072 * 2073 * Most of the `$userdata` array fields have filters associated with the values. Exceptions are 2074 * 'ID', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl', 2075 * 'user_registered', 'user_activation_key', 'spam', and 'role'. The filters have the prefix 2076 * 'pre_user_' followed by the field name. An example using 'description' would have the filter 2077 * called 'pre_user_description' that can be hooked into. 2078 * 2079 * @since 2.0.0 2080 * @since 3.6.0 The `aim`, `jabber`, and `yim` fields were removed as default user contact 2081 * methods for new installations. See wp_get_user_contact_methods(). 2082 * @since 4.7.0 The `locale` field can be passed to `$userdata`. 2083 * @since 5.3.0 The `user_activation_key` field can be passed to `$userdata`. 2084 * @since 5.3.0 The `spam` field can be passed to `$userdata` (Multisite only). 2085 * @since 5.9.0 The `meta_input` field can be passed to `$userdata` to allow addition of user meta data. 2086 * 2087 * @global wpdb $wpdb WordPress database abstraction object. 2088 * 2089 * @param array|object|WP_User $userdata { 2090 * An array, object, or WP_User object of user data arguments. 2091 * 2092 * @type int $ID User ID. If supplied, the user will be updated. 2093 * @type string $user_pass The plain-text user password for new users. 2094 * Hashed password for existing users. 2095 * @type string $user_login The user's login username. 2096 * @type string $user_nicename The URL-friendly user name. 2097 * @type string $user_url The user URL. 2098 * @type string $user_email The user email address. 2099 * @type string $display_name The user's display name. 2100 * Default is the user's username. 2101 * @type string $nickname The user's nickname. 2102 * Default is the user's username. 2103 * @type string $first_name The user's first name. For new users, will be used 2104 * to build the first part of the user's display name 2105 * if `$display_name` is not specified. 2106 * @type string $last_name The user's last name. For new users, will be used 2107 * to build the second part of the user's display name 2108 * if `$display_name` is not specified. 2109 * @type string $description The user's biographical description. 2110 * @type string $rich_editing Whether to enable the rich-editor for the user. 2111 * Accepts 'true' or 'false' as a string literal, 2112 * not boolean. Default 'true'. 2113 * @type string $syntax_highlighting Whether to enable the rich code editor for the user. 2114 * Accepts 'true' or 'false' as a string literal, 2115 * not boolean. Default 'true'. 2116 * @type string $comment_shortcuts Whether to enable comment moderation keyboard 2117 * shortcuts for the user. Accepts 'true' or 'false' 2118 * as a string literal, not boolean. Default 'false'. 2119 * @type string $admin_color Admin color scheme for the user. Default 'fresh'. 2120 * @type bool $use_ssl Whether the user should always access the admin over 2121 * https. Default false. 2122 * @type string $user_registered Date the user registered in UTC. Format is 'Y-m-d H:i:s'. 2123 * @type string $user_activation_key Password reset key. Default empty. 2124 * @type bool $spam Multisite only. Whether the user is marked as spam. 2125 * Default false. 2126 * @type string $show_admin_bar_front Whether to display the Admin Bar for the user 2127 * on the site's front end. Accepts 'true' or 'false' 2128 * as a string literal, not boolean. Default 'true'. 2129 * @type string $role User's role. 2130 * @type string $locale User's locale. Default empty. 2131 * @type array $meta_input Array of custom user meta values keyed by meta key. 2132 * Default empty. 2133 * } 2134 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not 2135 * be created. 2136 */ 2137 function wp_insert_user( $userdata ) { 2138 global $wpdb; 2139 2140 if ( $userdata instanceof stdClass ) { 2141 $userdata = get_object_vars( $userdata ); 2142 } elseif ( $userdata instanceof WP_User ) { 2143 $userdata = $userdata->to_array(); 2144 } 2145 2146 // Are we updating or creating? 2147 if ( ! empty( $userdata['ID'] ) ) { 2148 $user_id = (int) $userdata['ID']; 2149 $update = true; 2150 $old_user_data = get_userdata( $user_id ); 2151 2152 if ( ! $old_user_data ) { 2153 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2154 } 2155 2156 // Slash current user email to compare it later with slashed new user email. 2157 $old_user_data->user_email = wp_slash( $old_user_data->user_email ); 2158 2159 // Hashed in wp_update_user(), plaintext if called directly. 2160 $user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass; 2161 } else { 2162 $update = false; 2163 // Hash the password. 2164 $user_pass = wp_hash_password( $userdata['user_pass'] ); 2165 } 2166 2167 $sanitized_user_login = sanitize_user( $userdata['user_login'], true ); 2168 2169 /** 2170 * Filters a username after it has been sanitized. 2171 * 2172 * This filter is called before the user is created or updated. 2173 * 2174 * @since 2.0.3 2175 * 2176 * @param string $sanitized_user_login Username after it has been sanitized. 2177 */ 2178 $pre_user_login = apply_filters( 'pre_user_login', $sanitized_user_login ); 2179 2180 // Remove any non-printable chars from the login string to see if we have ended up with an empty username. 2181 $user_login = trim( $pre_user_login ); 2182 2183 // user_login must be between 0 and 60 characters. 2184 if ( empty( $user_login ) ) { 2185 return new WP_Error( 'empty_user_login', __( 'Cannot create a user with an empty login name.' ) ); 2186 } elseif ( mb_strlen( $user_login ) > 60 ) { 2187 return new WP_Error( 'user_login_too_long', __( 'Username may not be longer than 60 characters.' ) ); 2188 } 2189 2190 if ( ! $update && username_exists( $user_login ) ) { 2191 return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) ); 2192 } 2193 2194 /** 2195 * Filters the list of disallowed usernames. 2196 * 2197 * @since 4.4.0 2198 * 2199 * @param array $usernames Array of disallowed usernames. 2200 */ 2201 $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() ); 2202 2203 if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ), true ) ) { 2204 return new WP_Error( 'invalid_username', __( 'Sorry, that username is not allowed.' ) ); 2205 } 2206 2207 /* 2208 * If a nicename is provided, remove unsafe user characters before using it. 2209 * Otherwise build a nicename from the user_login. 2210 */ 2211 if ( ! empty( $userdata['user_nicename'] ) ) { 2212 $user_nicename = sanitize_user( $userdata['user_nicename'], true ); 2213 } else { 2214 $user_nicename = mb_substr( $user_login, 0, 50 ); 2215 } 2216 2217 $user_nicename = sanitize_title( $user_nicename ); 2218 2219 /** 2220 * Filters a user's nicename before the user is created or updated. 2221 * 2222 * @since 2.0.3 2223 * 2224 * @param string $user_nicename The user's nicename. 2225 */ 2226 $user_nicename = apply_filters( 'pre_user_nicename', $user_nicename ); 2227 2228 if ( mb_strlen( $user_nicename ) > 50 ) { 2229 return new WP_Error( 'user_nicename_too_long', __( 'Nicename may not be longer than 50 characters.' ) ); 2230 } 2231 2232 $user_nicename_check = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1", $user_nicename, $user_login ) ); 2233 2234 if ( $user_nicename_check ) { 2235 $suffix = 2; 2236 while ( $user_nicename_check ) { 2237 // user_nicename allows 50 chars. Subtract one for a hyphen, plus the length of the suffix. 2238 $base_length = 49 - mb_strlen( $suffix ); 2239 $alt_user_nicename = mb_substr( $user_nicename, 0, $base_length ) . "-$suffix"; 2240 $user_nicename_check = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1", $alt_user_nicename, $user_login ) ); 2241 ++$suffix; 2242 } 2243 $user_nicename = $alt_user_nicename; 2244 } 2245 2246 $raw_user_email = empty( $userdata['user_email'] ) ? '' : $userdata['user_email']; 2247 2248 /** 2249 * Filters a user's email before the user is created or updated. 2250 * 2251 * @since 2.0.3 2252 * 2253 * @param string $raw_user_email The user's email. 2254 */ 2255 $user_email = apply_filters( 'pre_user_email', $raw_user_email ); 2256 2257 /* 2258 * If there is no update, just check for `email_exists`. If there is an update, 2259 * check if current email and new email are the same, and check `email_exists` 2260 * accordingly. 2261 */ 2262 if ( ( ! $update || ( ! empty( $old_user_data ) && 0 !== strcasecmp( $user_email, $old_user_data->user_email ) ) ) 2263 && ! defined( 'WP_IMPORTING' ) 2264 && email_exists( $user_email ) 2265 ) { 2266 return new WP_Error( 'existing_user_email', __( 'Sorry, that email address is already used!' ) ); 2267 } 2268 2269 $raw_user_url = empty( $userdata['user_url'] ) ? '' : $userdata['user_url']; 2270 2271 /** 2272 * Filters a user's URL before the user is created or updated. 2273 * 2274 * @since 2.0.3 2275 * 2276 * @param string $raw_user_url The user's URL. 2277 */ 2278 $user_url = apply_filters( 'pre_user_url', $raw_user_url ); 2279 2280 if ( mb_strlen( $user_url ) > 100 ) { 2281 return new WP_Error( 'user_url_too_long', __( 'User URL may not be longer than 100 characters.' ) ); 2282 } 2283 2284 $user_registered = empty( $userdata['user_registered'] ) ? gmdate( 'Y-m-d H:i:s' ) : $userdata['user_registered']; 2285 2286 $user_activation_key = empty( $userdata['user_activation_key'] ) ? '' : $userdata['user_activation_key']; 2287 2288 if ( ! empty( $userdata['spam'] ) && ! is_multisite() ) { 2289 return new WP_Error( 'no_spam', __( 'Sorry, marking a user as spam is only supported on Multisite.' ) ); 2290 } 2291 2292 $spam = empty( $userdata['spam'] ) ? 0 : (bool) $userdata['spam']; 2293 2294 // Store values to save in user meta. 2295 $meta = array(); 2296 2297 $nickname = empty( $userdata['nickname'] ) ? $user_login : $userdata['nickname']; 2298 2299 /** 2300 * Filters a user's nickname before the user is created or updated. 2301 * 2302 * @since 2.0.3 2303 * 2304 * @param string $nickname The user's nickname. 2305 */ 2306 $meta['nickname'] = apply_filters( 'pre_user_nickname', $nickname ); 2307 2308 $first_name = empty( $userdata['first_name'] ) ? '' : $userdata['first_name']; 2309 2310 /** 2311 * Filters a user's first name before the user is created or updated. 2312 * 2313 * @since 2.0.3 2314 * 2315 * @param string $first_name The user's first name. 2316 */ 2317 $meta['first_name'] = apply_filters( 'pre_user_first_name', $first_name ); 2318 2319 $last_name = empty( $userdata['last_name'] ) ? '' : $userdata['last_name']; 2320 2321 /** 2322 * Filters a user's last name before the user is created or updated. 2323 * 2324 * @since 2.0.3 2325 * 2326 * @param string $last_name The user's last name. 2327 */ 2328 $meta['last_name'] = apply_filters( 'pre_user_last_name', $last_name ); 2329 2330 if ( empty( $userdata['display_name'] ) ) { 2331 if ( $update ) { 2332 $display_name = $user_login; 2333 } elseif ( $meta['first_name'] && $meta['last_name'] ) { 2334 $display_name = sprintf( 2335 /* translators: 1: User's first name, 2: Last name. */ 2336 _x( '%1$s %2$s', 'Display name based on first name and last name' ), 2337 $meta['first_name'], 2338 $meta['last_name'] 2339 ); 2340 } elseif ( $meta['first_name'] ) { 2341 $display_name = $meta['first_name']; 2342 } elseif ( $meta['last_name'] ) { 2343 $display_name = $meta['last_name']; 2344 } else { 2345 $display_name = $user_login; 2346 } 2347 } else { 2348 $display_name = $userdata['display_name']; 2349 } 2350 2351 /** 2352 * Filters a user's display name before the user is created or updated. 2353 * 2354 * @since 2.0.3 2355 * 2356 * @param string $display_name The user's display name. 2357 */ 2358 $display_name = apply_filters( 'pre_user_display_name', $display_name ); 2359 2360 $description = empty( $userdata['description'] ) ? '' : $userdata['description']; 2361 2362 /** 2363 * Filters a user's description before the user is created or updated. 2364 * 2365 * @since 2.0.3 2366 * 2367 * @param string $description The user's description. 2368 */ 2369 $meta['description'] = apply_filters( 'pre_user_description', $description ); 2370 2371 $meta['rich_editing'] = empty( $userdata['rich_editing'] ) ? 'true' : $userdata['rich_editing']; 2372 2373 $meta['syntax_highlighting'] = empty( $userdata['syntax_highlighting'] ) ? 'true' : $userdata['syntax_highlighting']; 2374 2375 $meta['comment_shortcuts'] = empty( $userdata['comment_shortcuts'] ) || 'false' === $userdata['comment_shortcuts'] ? 'false' : 'true'; 2376 2377 $admin_color = empty( $userdata['admin_color'] ) ? 'fresh' : $userdata['admin_color']; 2378 $meta['admin_color'] = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $admin_color ); 2379 2380 $meta['use_ssl'] = empty( $userdata['use_ssl'] ) ? '0' : '1'; 2381 2382 $meta['show_admin_bar_front'] = empty( $userdata['show_admin_bar_front'] ) ? 'true' : $userdata['show_admin_bar_front']; 2383 2384 $meta['locale'] = isset( $userdata['locale'] ) ? $userdata['locale'] : ''; 2385 2386 $compacted = compact( 'user_pass', 'user_nicename', 'user_email', 'user_url', 'user_registered', 'user_activation_key', 'display_name' ); 2387 $data = wp_unslash( $compacted ); 2388 2389 if ( ! $update ) { 2390 $data = $data + compact( 'user_login' ); 2391 } 2392 2393 if ( is_multisite() ) { 2394 $data = $data + compact( 'spam' ); 2395 } 2396 2397 /** 2398 * Filters user data before the record is created or updated. 2399 * 2400 * It only includes data in the users table, not any user metadata. 2401 * 2402 * @since 4.9.0 2403 * @since 5.8.0 The `$userdata` parameter was added. 2404 * 2405 * @param array $data { 2406 * Values and keys for the user. 2407 * 2408 * @type string $user_login The user's login. Only included if $update == false 2409 * @type string $user_pass The user's password. 2410 * @type string $user_email The user's email. 2411 * @type string $user_url The user's url. 2412 * @type string $user_nicename The user's nice name. Defaults to a URL-safe version of user's login. 2413 * @type string $display_name The user's display name. 2414 * @type string $user_registered MySQL timestamp describing the moment when the user registered. Defaults to 2415 * the current UTC timestamp. 2416 * } 2417 * @param bool $update Whether the user is being updated rather than created. 2418 * @param int|null $user_id ID of the user to be updated, or NULL if the user is being created. 2419 * @param array $userdata The raw array of data passed to wp_insert_user(). 2420 */ 2421 $data = apply_filters( 'wp_pre_insert_user_data', $data, $update, ( $update ? $user_id : null ), $userdata ); 2422 2423 if ( empty( $data ) || ! is_array( $data ) ) { 2424 return new WP_Error( 'empty_data', __( 'Not enough data to create this user.' ) ); 2425 } 2426 2427 if ( $update ) { 2428 if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) { 2429 $data['user_activation_key'] = ''; 2430 } 2431 $wpdb->update( $wpdb->users, $data, array( 'ID' => $user_id ) ); 2432 } else { 2433 $wpdb->insert( $wpdb->users, $data ); 2434 $user_id = (int) $wpdb->insert_id; 2435 } 2436 2437 $user = new WP_User( $user_id ); 2438 2439 /** 2440 * Filters a user's meta values and keys immediately after the user is created or updated 2441 * and before any user meta is inserted or updated. 2442 * 2443 * Does not include contact methods. These are added using `wp_get_user_contact_methods( $user )`. 2444 * 2445 * For custom meta fields, see the {@see 'insert_custom_user_meta'} filter. 2446 * 2447 * @since 4.4.0 2448 * @since 5.8.0 The `$userdata` parameter was added. 2449 * 2450 * @param array $meta { 2451 * Default meta values and keys for the user. 2452 * 2453 * @type string $nickname The user's nickname. Default is the user's username. 2454 * @type string $first_name The user's first name. 2455 * @type string $last_name The user's last name. 2456 * @type string $description The user's description. 2457 * @type string $rich_editing Whether to enable the rich-editor for the user. Default 'true'. 2458 * @type string $syntax_highlighting Whether to enable the rich code editor for the user. Default 'true'. 2459 * @type string $comment_shortcuts Whether to enable keyboard shortcuts for the user. Default 'false'. 2460 * @type string $admin_color The color scheme for a user's admin screen. Default 'fresh'. 2461 * @type int|bool $use_ssl Whether to force SSL on the user's admin area. 0|false if SSL 2462 * is not forced. 2463 * @type string $show_admin_bar_front Whether to show the admin bar on the front end for the user. 2464 * Default 'true'. 2465 * @type string $locale User's locale. Default empty. 2466 * } 2467 * @param WP_User $user User object. 2468 * @param bool $update Whether the user is being updated rather than created. 2469 * @param array $userdata The raw array of data passed to wp_insert_user(). 2470 */ 2471 $meta = apply_filters( 'insert_user_meta', $meta, $user, $update, $userdata ); 2472 2473 $custom_meta = array(); 2474 if ( array_key_exists( 'meta_input', $userdata ) && is_array( $userdata['meta_input'] ) && ! empty( $userdata['meta_input'] ) ) { 2475 $custom_meta = $userdata['meta_input']; 2476 } 2477 2478 /** 2479 * Filters a user's custom meta values and keys immediately after the user is created or updated 2480 * and before any user meta is inserted or updated. 2481 * 2482 * For non-custom meta fields, see the {@see 'insert_user_meta'} filter. 2483 * 2484 * @since 5.9.0 2485 * 2486 * @param array $custom_meta Array of custom user meta values keyed by meta key. 2487 * @param WP_User $user User object. 2488 * @param bool $update Whether the user is being updated rather than created. 2489 * @param array $userdata The raw array of data passed to wp_insert_user(). 2490 */ 2491 $custom_meta = apply_filters( 'insert_custom_user_meta', $custom_meta, $user, $update, $userdata ); 2492 2493 $meta = array_merge( $meta, $custom_meta ); 2494 2495 if ( $update ) { 2496 // Update user meta. 2497 foreach ( $meta as $key => $value ) { 2498 update_user_meta( $user_id, $key, $value ); 2499 } 2500 } else { 2501 // Add user meta. 2502 foreach ( $meta as $key => $value ) { 2503 add_user_meta( $user_id, $key, $value ); 2504 } 2505 } 2506 2507 foreach ( wp_get_user_contact_methods( $user ) as $key => $value ) { 2508 if ( isset( $userdata[ $key ] ) ) { 2509 update_user_meta( $user_id, $key, $userdata[ $key ] ); 2510 } 2511 } 2512 2513 if ( isset( $userdata['role'] ) ) { 2514 $user->set_role( $userdata['role'] ); 2515 } elseif ( ! $update ) { 2516 $user->set_role( get_option( 'default_role' ) ); 2517 } 2518 2519 clean_user_cache( $user_id ); 2520 2521 if ( $update ) { 2522 /** 2523 * Fires immediately after an existing user is updated. 2524 * 2525 * @since 2.0.0 2526 * @since 5.8.0 The `$userdata` parameter was added. 2527 * 2528 * @param int $user_id User ID. 2529 * @param WP_User $old_user_data Object containing user's data prior to update. 2530 * @param array $userdata The raw array of data passed to wp_insert_user(). 2531 */ 2532 do_action( 'profile_update', $user_id, $old_user_data, $userdata ); 2533 2534 if ( isset( $userdata['spam'] ) && $userdata['spam'] !== $old_user_data->spam ) { 2535 if ( '1' === $userdata['spam'] ) { 2536 /** 2537 * Fires after the user is marked as a SPAM user. 2538 * 2539 * @since 3.0.0 2540 * 2541 * @param int $user_id ID of the user marked as SPAM. 2542 */ 2543 do_action( 'make_spam_user', $user_id ); 2544 } else { 2545 /** 2546 * Fires after the user is marked as a HAM user. Opposite of SPAM. 2547 * 2548 * @since 3.0.0 2549 * 2550 * @param int $user_id ID of the user marked as HAM. 2551 */ 2552 do_action( 'make_ham_user', $user_id ); 2553 } 2554 } 2555 } else { 2556 /** 2557 * Fires immediately after a new user is registered. 2558 * 2559 * @since 1.5.0 2560 * @since 5.8.0 The `$userdata` parameter was added. 2561 * 2562 * @param int $user_id User ID. 2563 * @param array $userdata The raw array of data passed to wp_insert_user(). 2564 */ 2565 do_action( 'user_register', $user_id, $userdata ); 2566 } 2567 2568 return $user_id; 2569 } 2570 2571 /** 2572 * Updates a user in the database. 2573 * 2574 * It is possible to update a user's password by specifying the 'user_pass' 2575 * value in the $userdata parameter array. 2576 * 2577 * If current user's password is being updated, then the cookies will be 2578 * cleared. 2579 * 2580 * @since 2.0.0 2581 * 2582 * @see wp_insert_user() For what fields can be set in $userdata. 2583 * 2584 * @param array|object|WP_User $userdata An array of user data or a user object of type stdClass or WP_User. 2585 * @return int|WP_Error The updated user's ID or a WP_Error object if the user could not be updated. 2586 */ 2587 function wp_update_user( $userdata ) { 2588 if ( $userdata instanceof stdClass ) { 2589 $userdata = get_object_vars( $userdata ); 2590 } elseif ( $userdata instanceof WP_User ) { 2591 $userdata = $userdata->to_array(); 2592 } 2593 2594 $userdata_raw = $userdata; 2595 2596 $user_id = isset( $userdata['ID'] ) ? (int) $userdata['ID'] : 0; 2597 if ( ! $user_id ) { 2598 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2599 } 2600 2601 // First, get all of the original fields. 2602 $user_obj = get_userdata( $user_id ); 2603 if ( ! $user_obj ) { 2604 return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) ); 2605 } 2606 2607 $user = $user_obj->to_array(); 2608 2609 // Add additional custom fields. 2610 foreach ( _get_additional_user_keys( $user_obj ) as $key ) { 2611 $user[ $key ] = get_user_meta( $user_id, $key, true ); 2612 } 2613 2614 // Escape data pulled from DB. 2615 $user = add_magic_quotes( $user ); 2616 2617 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) { 2618 // If password is changing, hash it now. 2619 $plaintext_pass = $userdata['user_pass']; 2620 $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] ); 2621 2622 /** 2623 * Filters whether to send the password change email. 2624 * 2625 * @since 4.3.0 2626 * 2627 * @see wp_insert_user() For `$user` and `$userdata` fields. 2628 * 2629 * @param bool $send Whether to send the email. 2630 * @param array $user The original user array. 2631 * @param array $userdata The updated user array. 2632 */ 2633 $send_password_change_email = apply_filters( 'send_password_change_email', true, $user, $userdata ); 2634 } 2635 2636 if ( isset( $userdata['user_email'] ) && $user['user_email'] !== $userdata['user_email'] ) { 2637 /** 2638 * Filters whether to send the email change email. 2639 * 2640 * @since 4.3.0 2641 * 2642 * @see wp_insert_user() For `$user` and `$userdata` fields. 2643 * 2644 * @param bool $send Whether to send the email. 2645 * @param array $user The original user array. 2646 * @param array $userdata The updated user array. 2647 */ 2648 $send_email_change_email = apply_filters( 'send_email_change_email', true, $user, $userdata ); 2649 } 2650 2651 clean_user_cache( $user_obj ); 2652 2653 // Merge old and new fields with new fields overwriting old ones. 2654 $userdata = array_merge( $user, $userdata ); 2655 $user_id = wp_insert_user( $userdata ); 2656 2657 if ( is_wp_error( $user_id ) ) { 2658 return $user_id; 2659 } 2660 2661 $blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 2662 2663 $switched_locale = false; 2664 if ( ! empty( $send_password_change_email ) || ! empty( $send_email_change_email ) ) { 2665 $switched_locale = switch_to_user_locale( $user_id ); 2666 } 2667 2668 if ( ! empty( $send_password_change_email ) ) { 2669 /* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 2670 $pass_change_text = __( 2671 'Hi ###USERNAME###, 2672 2673 This notice confirms that your password was changed on ###SITENAME###. 2674 2675 If you did not change your password, please contact the Site Administrator at 2676 ###ADMIN_EMAIL### 2677 2678 This email has been sent to ###EMAIL### 2679 2680 Regards, 2681 All at ###SITENAME### 2682 ###SITEURL###' 2683 ); 2684 2685 $pass_change_email = array( 2686 'to' => $user['user_email'], 2687 /* translators: Password change notification email subject. %s: Site title. */ 2688 'subject' => __( '[%s] Password Changed' ), 2689 'message' => $pass_change_text, 2690 'headers' => '', 2691 ); 2692 2693 /** 2694 * Filters the contents of the email sent when the user's password is changed. 2695 * 2696 * @since 4.3.0 2697 * 2698 * @param array $pass_change_email { 2699 * Used to build wp_mail(). 2700 * 2701 * @type string $to The intended recipients. Add emails in a comma separated string. 2702 * @type string $subject The subject of the email. 2703 * @type string $message The content of the email. 2704 * The following strings have a special meaning and will get replaced dynamically: 2705 * - ###USERNAME### The current user's username. 2706 * - ###ADMIN_EMAIL### The admin email in case this was unexpected. 2707 * - ###EMAIL### The user's email address. 2708 * - ###SITENAME### The name of the site. 2709 * - ###SITEURL### The URL to the site. 2710 * @type string $headers Headers. Add headers in a newline (\r\n) separated string. 2711 * } 2712 * @param array $user The original user array. 2713 * @param array $userdata The updated user array. 2714 */ 2715 $pass_change_email = apply_filters( 'password_change_email', $pass_change_email, $user, $userdata ); 2716 2717 $pass_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $pass_change_email['message'] ); 2718 $pass_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $pass_change_email['message'] ); 2719 $pass_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $pass_change_email['message'] ); 2720 $pass_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $pass_change_email['message'] ); 2721 $pass_change_email['message'] = str_replace( '###SITEURL###', home_url(), $pass_change_email['message'] ); 2722 2723 wp_mail( $pass_change_email['to'], sprintf( $pass_change_email['subject'], $blog_name ), $pass_change_email['message'], $pass_change_email['headers'] ); 2724 } 2725 2726 if ( ! empty( $send_email_change_email ) ) { 2727 /* translators: Do not translate USERNAME, ADMIN_EMAIL, NEW_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 2728 $email_change_text = __( 2729 'Hi ###USERNAME###, 2730 2731 This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###. 2732 2733 If you did not change your email, please contact the Site Administrator at 2734 ###ADMIN_EMAIL### 2735 2736 This email has been sent to ###EMAIL### 2737 2738 Regards, 2739 All at ###SITENAME### 2740 ###SITEURL###' 2741 ); 2742 2743 $email_change_email = array( 2744 'to' => $user['user_email'], 2745 /* translators: Email change notification email subject. %s: Site title. */ 2746 'subject' => __( '[%s] Email Changed' ), 2747 'message' => $email_change_text, 2748 'headers' => '', 2749 ); 2750 2751 /** 2752 * Filters the contents of the email sent when the user's email is changed. 2753 * 2754 * @since 4.3.0 2755 * 2756 * @param array $email_change_email { 2757 * Used to build wp_mail(). 2758 * 2759 * @type string $to The intended recipients. 2760 * @type string $subject The subject of the email. 2761 * @type string $message The content of the email. 2762 * The following strings have a special meaning and will get replaced dynamically: 2763 * - ###USERNAME### The current user's username. 2764 * - ###ADMIN_EMAIL### The admin email in case this was unexpected. 2765 * - ###NEW_EMAIL### The new email address. 2766 * - ###EMAIL### The old email address. 2767 * - ###SITENAME### The name of the site. 2768 * - ###SITEURL### The URL to the site. 2769 * @type string $headers Headers. 2770 * } 2771 * @param array $user The original user array. 2772 * @param array $userdata The updated user array. 2773 */ 2774 $email_change_email = apply_filters( 'email_change_email', $email_change_email, $user, $userdata ); 2775 2776 $email_change_email['message'] = str_replace( '###USERNAME###', $user['user_login'], $email_change_email['message'] ); 2777 $email_change_email['message'] = str_replace( '###ADMIN_EMAIL###', get_option( 'admin_email' ), $email_change_email['message'] ); 2778 $email_change_email['message'] = str_replace( '###NEW_EMAIL###', $userdata['user_email'], $email_change_email['message'] ); 2779 $email_change_email['message'] = str_replace( '###EMAIL###', $user['user_email'], $email_change_email['message'] ); 2780 $email_change_email['message'] = str_replace( '###SITENAME###', $blog_name, $email_change_email['message'] ); 2781 $email_change_email['message'] = str_replace( '###SITEURL###', home_url(), $email_change_email['message'] ); 2782 2783 wp_mail( $email_change_email['to'], sprintf( $email_change_email['subject'], $blog_name ), $email_change_email['message'], $email_change_email['headers'] ); 2784 } 2785 2786 if ( $switched_locale ) { 2787 restore_previous_locale(); 2788 } 2789 2790 // Update the cookies if the password changed. 2791 $current_user = wp_get_current_user(); 2792 if ( $current_user->ID === $user_id ) { 2793 if ( isset( $plaintext_pass ) ) { 2794 /* 2795 * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration. 2796 * If it's greater than this, then we know the user checked 'Remember Me' when they logged in. 2797 */ 2798 $logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' ); 2799 /** This filter is documented in wp-includes/pluggable.php */ 2800 $default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false ); 2801 2802 wp_clear_auth_cookie(); 2803 2804 $remember = false; 2805 $token = ''; 2806 2807 if ( false !== $logged_in_cookie ) { 2808 $token = $logged_in_cookie['token']; 2809 } 2810 2811 if ( false !== $logged_in_cookie && ( (int) $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) { 2812 $remember = true; 2813 } 2814 2815 wp_set_auth_cookie( $user_id, $remember, '', $token ); 2816 } 2817 } 2818 2819 /** 2820 * Fires after the user has been updated and emails have been sent. 2821 * 2822 * @since 6.3.0 2823 * 2824 * @param int $user_id The ID of the user that was just updated. 2825 * @param array $userdata The array of user data that was updated. 2826 * @param array $userdata_raw The unedited array of user data that was updated. 2827 */ 2828 do_action( 'wp_update_user', $user_id, $userdata, $userdata_raw ); 2829 2830 return $user_id; 2831 } 2832 2833 /** 2834 * Provides a simpler way of inserting a user into the database. 2835 * 2836 * Creates a new user with just the username, password, and email. For more 2837 * complex user creation use wp_insert_user() to specify more information. 2838 * 2839 * @since 2.0.0 2840 * 2841 * @see wp_insert_user() More complete way to create a new user. 2842 * 2843 * @param string $username The user's username. 2844 * @param string $password The user's password. 2845 * @param string $email Optional. The user's email. Default empty. 2846 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not 2847 * be created. 2848 */ 2849 function wp_create_user( $username, $password, $email = '' ) { 2850 $user_login = wp_slash( $username ); 2851 $user_email = wp_slash( $email ); 2852 $user_pass = $password; 2853 2854 $userdata = compact( 'user_login', 'user_email', 'user_pass' ); 2855 return wp_insert_user( $userdata ); 2856 } 2857 2858 /** 2859 * Returns a list of meta keys to be (maybe) populated in wp_update_user(). 2860 * 2861 * The list of keys returned via this function are dependent on the presence 2862 * of those keys in the user meta data to be set. 2863 * 2864 * @since 3.3.0 2865 * @access private 2866 * 2867 * @param WP_User $user WP_User instance. 2868 * @return string[] List of user keys to be populated in wp_update_user(). 2869 */ 2870 function _get_additional_user_keys( $user ) { 2871 $keys = array( 'first_name', 'last_name', 'nickname', 'description', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl', 'show_admin_bar_front', 'locale' ); 2872 return array_merge( $keys, array_keys( wp_get_user_contact_methods( $user ) ) ); 2873 } 2874 2875 /** 2876 * Sets up the user contact methods. 2877 * 2878 * Default contact methods were removed in 3.6. A filter dictates contact methods. 2879 * 2880 * @since 3.7.0 2881 * 2882 * @param WP_User|null $user Optional. WP_User object. 2883 * @return string[] Array of contact method labels keyed by contact method. 2884 */ 2885 function wp_get_user_contact_methods( $user = null ) { 2886 $methods = array(); 2887 if ( get_site_option( 'initial_db_version' ) < 23588 ) { 2888 $methods = array( 2889 'aim' => __( 'AIM' ), 2890 'yim' => __( 'Yahoo IM' ), 2891 'jabber' => __( 'Jabber / Google Talk' ), 2892 ); 2893 } 2894 2895 /** 2896 * Filters the user contact methods. 2897 * 2898 * @since 2.9.0 2899 * 2900 * @param string[] $methods Array of contact method labels keyed by contact method. 2901 * @param WP_User|null $user WP_User object or null if none was provided. 2902 */ 2903 return apply_filters( 'user_contactmethods', $methods, $user ); 2904 } 2905 2906 /** 2907 * The old private function for setting up user contact methods. 2908 * 2909 * Use wp_get_user_contact_methods() instead. 2910 * 2911 * @since 2.9.0 2912 * @access private 2913 * 2914 * @param WP_User|null $user Optional. WP_User object. Default null. 2915 * @return string[] Array of contact method labels keyed by contact method. 2916 */ 2917 function _wp_get_user_contactmethods( $user = null ) { 2918 return wp_get_user_contact_methods( $user ); 2919 } 2920 2921 /** 2922 * Gets the text suggesting how to create strong passwords. 2923 * 2924 * @since 4.1.0 2925 * 2926 * @return string The password hint text. 2927 */ 2928 function wp_get_password_hint() { 2929 $hint = __( 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ & ).' ); 2930 2931 /** 2932 * Filters the text describing the site's password complexity policy. 2933 * 2934 * @since 4.1.0 2935 * 2936 * @param string $hint The password hint text. 2937 */ 2938 return apply_filters( 'password_hint', $hint ); 2939 } 2940 2941 /** 2942 * Creates, stores, then returns a password reset key for user. 2943 * 2944 * @since 4.4.0 2945 * 2946 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 2947 * 2948 * @param WP_User $user User to retrieve password reset key for. 2949 * @return string|WP_Error Password reset key on success. WP_Error on error. 2950 */ 2951 function get_password_reset_key( $user ) { 2952 global $wp_hasher; 2953 2954 if ( ! ( $user instanceof WP_User ) ) { 2955 return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 2956 } 2957 2958 /** 2959 * Fires before a new password is retrieved. 2960 * 2961 * Use the {@see 'retrieve_password'} hook instead. 2962 * 2963 * @since 1.5.0 2964 * @deprecated 1.5.1 Misspelled. Use {@see 'retrieve_password'} hook instead. 2965 * 2966 * @param string $user_login The user login name. 2967 */ 2968 do_action_deprecated( 'retreive_password', array( $user->user_login ), '1.5.1', 'retrieve_password' ); 2969 2970 /** 2971 * Fires before a new password is retrieved. 2972 * 2973 * @since 1.5.1 2974 * 2975 * @param string $user_login The user login name. 2976 */ 2977 do_action( 'retrieve_password', $user->user_login ); 2978 2979 $password_reset_allowed = wp_is_password_reset_allowed_for_user( $user ); 2980 if ( ! $password_reset_allowed ) { 2981 return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) ); 2982 } elseif ( is_wp_error( $password_reset_allowed ) ) { 2983 return $password_reset_allowed; 2984 } 2985 2986 // Generate something random for a password reset key. 2987 $key = wp_generate_password( 20, false ); 2988 2989 /** 2990 * Fires when a password reset key is generated. 2991 * 2992 * @since 2.5.0 2993 * 2994 * @param string $user_login The username for the user. 2995 * @param string $key The generated password reset key. 2996 */ 2997 do_action( 'retrieve_password_key', $user->user_login, $key ); 2998 2999 // Now insert the key, hashed, into the DB. 3000 if ( empty( $wp_hasher ) ) { 3001 require_once ABSPATH . WPINC . '/class-phpass.php'; 3002 $wp_hasher = new PasswordHash( 8, true ); 3003 } 3004 3005 $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); 3006 3007 $key_saved = wp_update_user( 3008 array( 3009 'ID' => $user->ID, 3010 'user_activation_key' => $hashed, 3011 ) 3012 ); 3013 3014 if ( is_wp_error( $key_saved ) ) { 3015 return $key_saved; 3016 } 3017 3018 return $key; 3019 } 3020 3021 /** 3022 * Retrieves a user row based on password reset key and login. 3023 * 3024 * A key is considered 'expired' if it exactly matches the value of the 3025 * user_activation_key field, rather than being matched after going through the 3026 * hashing process. This field is now hashed; old values are no longer accepted 3027 * but have a different WP_Error code so good user feedback can be provided. 3028 * 3029 * @since 3.1.0 3030 * 3031 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 3032 * 3033 * @param string $key Hash to validate sending user's password. 3034 * @param string $login The user login. 3035 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys. 3036 */ 3037 function check_password_reset_key( $key, $login ) { 3038 global $wp_hasher; 3039 3040 $key = preg_replace( '/[^a-z0-9]/i', '', $key ); 3041 3042 if ( empty( $key ) || ! is_string( $key ) ) { 3043 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3044 } 3045 3046 if ( empty( $login ) || ! is_string( $login ) ) { 3047 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3048 } 3049 3050 $user = get_user_by( 'login', $login ); 3051 3052 if ( ! $user ) { 3053 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3054 } 3055 3056 if ( empty( $wp_hasher ) ) { 3057 require_once ABSPATH . WPINC . '/class-phpass.php'; 3058 $wp_hasher = new PasswordHash( 8, true ); 3059 } 3060 3061 /** 3062 * Filters the expiration time of password reset keys. 3063 * 3064 * @since 4.3.0 3065 * 3066 * @param int $expiration The expiration time in seconds. 3067 */ 3068 $expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS ); 3069 3070 if ( str_contains( $user->user_activation_key, ':' ) ) { 3071 list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 ); 3072 $expiration_time = $pass_request_time + $expiration_duration; 3073 } else { 3074 $pass_key = $user->user_activation_key; 3075 $expiration_time = false; 3076 } 3077 3078 if ( ! $pass_key ) { 3079 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3080 } 3081 3082 $hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key ); 3083 3084 if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) { 3085 return $user; 3086 } elseif ( $hash_is_correct && $expiration_time ) { 3087 // Key has an expiration time that's passed. 3088 return new WP_Error( 'expired_key', __( 'Invalid key.' ) ); 3089 } 3090 3091 if ( hash_equals( $user->user_activation_key, $key ) || ( $hash_is_correct && ! $expiration_time ) ) { 3092 $return = new WP_Error( 'expired_key', __( 'Invalid key.' ) ); 3093 $user_id = $user->ID; 3094 3095 /** 3096 * Filters the return value of check_password_reset_key() when an 3097 * old-style key is used. 3098 * 3099 * @since 3.7.0 Previously plain-text keys were stored in the database. 3100 * @since 4.3.0 Previously key hashes were stored without an expiration time. 3101 * 3102 * @param WP_Error $return A WP_Error object denoting an expired key. 3103 * Return a WP_User object to validate the key. 3104 * @param int $user_id The matched user ID. 3105 */ 3106 return apply_filters( 'password_reset_key_expired', $return, $user_id ); 3107 } 3108 3109 return new WP_Error( 'invalid_key', __( 'Invalid key.' ) ); 3110 } 3111 3112 /** 3113 * Handles sending a password retrieval email to a user. 3114 * 3115 * @since 2.5.0 3116 * @since 5.7.0 Added `$user_login` parameter. 3117 * 3118 * @global wpdb $wpdb WordPress database abstraction object. 3119 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 3120 * 3121 * @param string $user_login Optional. Username to send a password retrieval email for. 3122 * Defaults to `$_POST['user_login']` if not set. 3123 * @return true|WP_Error True when finished, WP_Error object on error. 3124 */ 3125 function retrieve_password( $user_login = '' ) { 3126 $errors = new WP_Error(); 3127 $user_data = false; 3128 3129 // Use the passed $user_login if available, otherwise use $_POST['user_login']. 3130 if ( ! $user_login && ! empty( $_POST['user_login'] ) ) { 3131 $user_login = $_POST['user_login']; 3132 } 3133 3134 $user_login = trim( wp_unslash( $user_login ) ); 3135 3136 if ( empty( $user_login ) ) { 3137 $errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username or email address.' ) ); 3138 } elseif ( strpos( $user_login, '@' ) ) { 3139 $user_data = get_user_by( 'email', $user_login ); 3140 3141 if ( empty( $user_data ) ) { 3142 $user_data = get_user_by( 'login', $user_login ); 3143 } 3144 3145 if ( empty( $user_data ) ) { 3146 $errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 3147 } 3148 } else { 3149 $user_data = get_user_by( 'login', $user_login ); 3150 } 3151 3152 /** 3153 * Filters the user data during a password reset request. 3154 * 3155 * Allows, for example, custom validation using data other than username or email address. 3156 * 3157 * @since 5.7.0 3158 * 3159 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3160 * @param WP_Error $errors A WP_Error object containing any errors generated 3161 * by using invalid credentials. 3162 */ 3163 $user_data = apply_filters( 'lostpassword_user_data', $user_data, $errors ); 3164 3165 /** 3166 * Fires before errors are returned from a password reset request. 3167 * 3168 * @since 2.1.0 3169 * @since 4.4.0 Added the `$errors` parameter. 3170 * @since 5.4.0 Added the `$user_data` parameter. 3171 * 3172 * @param WP_Error $errors A WP_Error object containing any errors generated 3173 * by using invalid credentials. 3174 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3175 */ 3176 do_action( 'lostpassword_post', $errors, $user_data ); 3177 3178 /** 3179 * Filters the errors encountered on a password reset request. 3180 * 3181 * The filtered WP_Error object may, for example, contain errors for an invalid 3182 * username or email address. A WP_Error object should always be returned, 3183 * but may or may not contain errors. 3184 * 3185 * If any errors are present in $errors, this will abort the password reset request. 3186 * 3187 * @since 5.5.0 3188 * 3189 * @param WP_Error $errors A WP_Error object containing any errors generated 3190 * by using invalid credentials. 3191 * @param WP_User|false $user_data WP_User object if found, false if the user does not exist. 3192 */ 3193 $errors = apply_filters( 'lostpassword_errors', $errors, $user_data ); 3194 3195 if ( $errors->has_errors() ) { 3196 return $errors; 3197 } 3198 3199 if ( ! $user_data ) { 3200 $errors->add( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) ); 3201 return $errors; 3202 } 3203 3204 /** 3205 * Filters whether to send the retrieve password email. 3206 * 3207 * Return false to disable sending the email. 3208 * 3209 * @since 6.0.0 3210 * 3211 * @param bool $send Whether to send the email. 3212 * @param string $user_login The username for the user. 3213 * @param WP_User $user_data WP_User object. 3214 */ 3215 if ( ! apply_filters( 'send_retrieve_password_email', true, $user_login, $user_data ) ) { 3216 return true; 3217 } 3218 3219 // Redefining user_login ensures we return the right case in the email. 3220 $user_login = $user_data->user_login; 3221 $user_email = $user_data->user_email; 3222 $key = get_password_reset_key( $user_data ); 3223 3224 if ( is_wp_error( $key ) ) { 3225 return $key; 3226 } 3227 3228 // Localize password reset message content for user. 3229 $locale = get_user_locale( $user_data ); 3230 3231 $switched_locale = switch_to_user_locale( $user_data->ID ); 3232 3233 if ( is_multisite() ) { 3234 $site_name = get_network()->site_name; 3235 } else { 3236 /* 3237 * The blogname option is escaped with esc_html on the way into the database 3238 * in sanitize_option. We want to reverse this for the plain text arena of emails. 3239 */ 3240 $site_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 3241 } 3242 3243 $message = __( 'Someone has requested a password reset for the following account:' ) . "\r\n\r\n"; 3244 /* translators: %s: Site name. */ 3245 $message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n"; 3246 /* translators: %s: User login. */ 3247 $message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n"; 3248 $message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n"; 3249 $message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n"; 3250 3251 /* 3252 * Since some user login names end in a period, this could produce ambiguous URLs that 3253 * end in a period. To avoid the ambiguity, ensure that the login is not the last query 3254 * arg in the URL. If moving it to the end, a trailing period will need to be escaped. 3255 * 3256 * @see https://core.trac.wordpress.org/tickets/42957 3257 */ 3258 $message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n"; 3259 3260 if ( ! is_user_logged_in() ) { 3261 $requester_ip = $_SERVER['REMOTE_ADDR']; 3262 if ( $requester_ip ) { 3263 $message .= sprintf( 3264 /* translators: %s: IP address of password reset requester. */ 3265 __( 'This password reset request originated from the IP address %s.' ), 3266 $requester_ip 3267 ) . "\r\n"; 3268 } 3269 } 3270 3271 /* translators: Password reset notification email subject. %s: Site title. */ 3272 $title = sprintf( __( '[%s] Password Reset' ), $site_name ); 3273 3274 /** 3275 * Filters the subject of the password reset email. 3276 * 3277 * @since 2.8.0 3278 * @since 4.4.0 Added the `$user_login` and `$user_data` parameters. 3279 * 3280 * @param string $title Email subject. 3281 * @param string $user_login The username for the user. 3282 * @param WP_User $user_data WP_User object. 3283 */ 3284 $title = apply_filters( 'retrieve_password_title', $title, $user_login, $user_data ); 3285 3286 /** 3287 * Filters the message body of the password reset mail. 3288 * 3289 * If the filtered message is empty, the password reset email will not be sent. 3290 * 3291 * @since 2.8.0 3292 * @since 4.1.0 Added `$user_login` and `$user_data` parameters. 3293 * 3294 * @param string $message Email message. 3295 * @param string $key The activation key. 3296 * @param string $user_login The username for the user. 3297 * @param WP_User $user_data WP_User object. 3298 */ 3299 $message = apply_filters( 'retrieve_password_message', $message, $key, $user_login, $user_data ); 3300 3301 // Short-circuit on falsey $message value for backwards compatibility. 3302 if ( ! $message ) { 3303 return true; 3304 } 3305 3306 /* 3307 * Wrap the single notification email arguments in an array 3308 * to pass them to the retrieve_password_notification_email filter. 3309 */ 3310 $defaults = array( 3311 'to' => $user_email, 3312 'subject' => $title, 3313 'message' => $message, 3314 'headers' => '', 3315 ); 3316 3317 /** 3318 * Filters the contents of the reset password notification email sent to the user. 3319 * 3320 * @since 6.0.0 3321 * 3322 * @param array $defaults { 3323 * The default notification email arguments. Used to build wp_mail(). 3324 * 3325 * @type string $to The intended recipient - user email address. 3326 * @type string $subject The subject of the email. 3327 * @type string $message The body of the email. 3328 * @type string $headers The headers of the email. 3329 * } 3330 * @param string $key The activation key. 3331 * @param string $user_login The username for the user. 3332 * @param WP_User $user_data WP_User object. 3333 */ 3334 $notification_email = apply_filters( 'retrieve_password_notification_email', $defaults, $key, $user_login, $user_data ); 3335 3336 if ( $switched_locale ) { 3337 restore_previous_locale(); 3338 } 3339 3340 if ( is_array( $notification_email ) ) { 3341 // Force key order and merge defaults in case any value is missing in the filtered array. 3342 $notification_email = array_merge( $defaults, $notification_email ); 3343 } else { 3344 $notification_email = $defaults; 3345 } 3346 3347 list( $to, $subject, $message, $headers ) = array_values( $notification_email ); 3348 3349 $subject = wp_specialchars_decode( $subject ); 3350 3351 if ( ! wp_mail( $to, $subject, $message, $headers ) ) { 3352 $errors->add( 3353 'retrieve_password_email_failure', 3354 sprintf( 3355 /* translators: %s: Documentation URL. */ 3356 __( '<strong>Error:</strong> The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ), 3357 esc_url( __( 'https://wordpress.org/documentation/article/reset-your-password/' ) ) 3358 ) 3359 ); 3360 return $errors; 3361 } 3362 3363 return true; 3364 } 3365 3366 /** 3367 * Handles resetting the user's password. 3368 * 3369 * @since 2.5.0 3370 * 3371 * @param WP_User $user The user 3372 * @param string $new_pass New password for the user in plaintext 3373 */ 3374 function reset_password( $user, $new_pass ) { 3375 /** 3376 * Fires before the user's password is reset. 3377 * 3378 * @since 1.5.0 3379 * 3380 * @param WP_User $user The user. 3381 * @param string $new_pass New user password. 3382 */ 3383 do_action( 'password_reset', $user, $new_pass ); 3384 3385 wp_set_password( $new_pass, $user->ID ); 3386 update_user_meta( $user->ID, 'default_password_nag', false ); 3387 3388 /** 3389 * Fires after the user's password is reset. 3390 * 3391 * @since 4.4.0 3392 * 3393 * @param WP_User $user The user. 3394 * @param string $new_pass New user password. 3395 */ 3396 do_action( 'after_password_reset', $user, $new_pass ); 3397 } 3398 3399 /** 3400 * Handles registering a new user. 3401 * 3402 * @since 2.5.0 3403 * 3404 * @param string $user_login User's username for logging in 3405 * @param string $user_email User's email address to send password and add 3406 * @return int|WP_Error Either user's ID or error on failure. 3407 */ 3408 function register_new_user( $user_login, $user_email ) { 3409 $errors = new WP_Error(); 3410 3411 $sanitized_user_login = sanitize_user( $user_login ); 3412 /** 3413 * Filters the email address of a user being registered. 3414 * 3415 * @since 2.1.0 3416 * 3417 * @param string $user_email The email address of the new user. 3418 */ 3419 $user_email = apply_filters( 'user_registration_email', $user_email ); 3420 3421 // Check the username. 3422 if ( '' === $sanitized_user_login ) { 3423 $errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username.' ) ); 3424 } elseif ( ! validate_username( $user_login ) ) { 3425 $errors->add( 'invalid_username', __( '<strong>Error:</strong> This username is invalid because it uses illegal characters. Please enter a valid username.' ) ); 3426 $sanitized_user_login = ''; 3427 } elseif ( username_exists( $sanitized_user_login ) ) { 3428 $errors->add( 'username_exists', __( '<strong>Error:</strong> This username is already registered. Please choose another one.' ) ); 3429 } else { 3430 /** This filter is documented in wp-includes/user.php */ 3431 $illegal_user_logins = (array) apply_filters( 'illegal_user_logins', array() ); 3432 if ( in_array( strtolower( $sanitized_user_login ), array_map( 'strtolower', $illegal_user_logins ), true ) ) { 3433 $errors->add( 'invalid_username', __( '<strong>Error:</strong> Sorry, that username is not allowed.' ) ); 3434 } 3435 } 3436 3437 // Check the email address. 3438 if ( '' === $user_email ) { 3439 $errors->add( 'empty_email', __( '<strong>Error:</strong> Please type your email address.' ) ); 3440 } elseif ( ! is_email( $user_email ) ) { 3441 $errors->add( 'invalid_email', __( '<strong>Error:</strong> The email address is not correct.' ) ); 3442 $user_email = ''; 3443 } elseif ( email_exists( $user_email ) ) { 3444 $errors->add( 3445 'email_exists', 3446 sprintf( 3447 /* translators: %s: Link to the login page. */ 3448 __( '<strong>Error:</strong> This email address is already registered. <a href="%s">Log in</a> with this address or choose another one.' ), 3449 wp_login_url() 3450 ) 3451 ); 3452 } 3453 3454 /** 3455 * Fires when submitting registration form data, before the user is created. 3456 * 3457 * @since 2.1.0 3458 * 3459 * @param string $sanitized_user_login The submitted username after being sanitized. 3460 * @param string $user_email The submitted email. 3461 * @param WP_Error $errors Contains any errors with submitted username and email, 3462 * e.g., an empty field, an invalid username or email, 3463 * or an existing username or email. 3464 */ 3465 do_action( 'register_post', $sanitized_user_login, $user_email, $errors ); 3466 3467 /** 3468 * Filters the errors encountered when a new user is being registered. 3469 * 3470 * The filtered WP_Error object may, for example, contain errors for an invalid 3471 * or existing username or email address. A WP_Error object should always be returned, 3472 * but may or may not contain errors. 3473 * 3474 * If any errors are present in $errors, this will abort the user's registration. 3475 * 3476 * @since 2.1.0 3477 * 3478 * @param WP_Error $errors A WP_Error object containing any errors encountered 3479 * during registration. 3480 * @param string $sanitized_user_login User's username after it has been sanitized. 3481 * @param string $user_email User's email. 3482 */ 3483 $errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email ); 3484 3485 if ( $errors->has_errors() ) { 3486 return $errors; 3487 } 3488 3489 $user_pass = wp_generate_password( 12, false ); 3490 $user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email ); 3491 if ( ! $user_id || is_wp_error( $user_id ) ) { 3492 $errors->add( 3493 'registerfail', 3494 sprintf( 3495 /* translators: %s: Admin email address. */ 3496 __( '<strong>Error:</strong> Could not register you… please contact the <a href="mailto:%s">site admin</a>!' ), 3497 get_option( 'admin_email' ) 3498 ) 3499 ); 3500 return $errors; 3501 } 3502 3503 update_user_meta( $user_id, 'default_password_nag', true ); // Set up the password change nag. 3504 3505 if ( ! empty( $_COOKIE['wp_lang'] ) ) { 3506 $wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] ); 3507 if ( in_array( $wp_lang, get_available_languages(), true ) ) { 3508 update_user_meta( $user_id, 'locale', $wp_lang ); // Set user locale if defined on registration. 3509 } 3510 } 3511 3512 /** 3513 * Fires after a new user registration has been recorded. 3514 * 3515 * @since 4.4.0 3516 * 3517 * @param int $user_id ID of the newly registered user. 3518 */ 3519 do_action( 'register_new_user', $user_id ); 3520 3521 return $user_id; 3522 } 3523 3524 /** 3525 * Initiates email notifications related to the creation of new users. 3526 * 3527 * Notifications are sent both to the site admin and to the newly created user. 3528 * 3529 * @since 4.4.0 3530 * @since 4.6.0 Converted the `$notify` parameter to accept 'user' for sending 3531 * notifications only to the user created. 3532 * 3533 * @param int $user_id ID of the newly created user. 3534 * @param string $notify Optional. Type of notification that should happen. Accepts 'admin' 3535 * or an empty string (admin only), 'user', or 'both' (admin and user). 3536 * Default 'both'. 3537 */ 3538 function wp_send_new_user_notifications( $user_id, $notify = 'both' ) { 3539 wp_new_user_notification( $user_id, null, $notify ); 3540 } 3541 3542 /** 3543 * Retrieves the current session token from the logged_in cookie. 3544 * 3545 * @since 4.0.0 3546 * 3547 * @return string Token. 3548 */ 3549 function wp_get_session_token() { 3550 $cookie = wp_parse_auth_cookie( '', 'logged_in' ); 3551 return ! empty( $cookie['token'] ) ? $cookie['token'] : ''; 3552 } 3553 3554 /** 3555 * Retrieves a list of sessions for the current user. 3556 * 3557 * @since 4.0.0 3558 * 3559 * @return array Array of sessions. 3560 */ 3561 function wp_get_all_sessions() { 3562 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3563 return $manager->get_all(); 3564 } 3565 3566 /** 3567 * Removes the current session token from the database. 3568 * 3569 * @since 4.0.0 3570 */ 3571 function wp_destroy_current_session() { 3572 $token = wp_get_session_token(); 3573 if ( $token ) { 3574 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3575 $manager->destroy( $token ); 3576 } 3577 } 3578 3579 /** 3580 * Removes all but the current session token for the current user for the database. 3581 * 3582 * @since 4.0.0 3583 */ 3584 function wp_destroy_other_sessions() { 3585 $token = wp_get_session_token(); 3586 if ( $token ) { 3587 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3588 $manager->destroy_others( $token ); 3589 } 3590 } 3591 3592 /** 3593 * Removes all session tokens for the current user from the database. 3594 * 3595 * @since 4.0.0 3596 */ 3597 function wp_destroy_all_sessions() { 3598 $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); 3599 $manager->destroy_all(); 3600 } 3601 3602 /** 3603 * Gets the user IDs of all users with no role on this site. 3604 * 3605 * @since 4.4.0 3606 * @since 4.9.0 The `$site_id` parameter was added to support multisite. 3607 * 3608 * @global wpdb $wpdb WordPress database abstraction object. 3609 * 3610 * @param int|null $site_id Optional. The site ID to get users with no role for. Defaults to the current site. 3611 * @return string[] Array of user IDs as strings. 3612 */ 3613 function wp_get_users_with_no_role( $site_id = null ) { 3614 global $wpdb; 3615 3616 if ( ! $site_id ) { 3617 $site_id = get_current_blog_id(); 3618 } 3619 3620 $prefix = $wpdb->get_blog_prefix( $site_id ); 3621 3622 if ( is_multisite() && get_current_blog_id() !== $site_id ) { 3623 switch_to_blog( $site_id ); 3624 $role_names = wp_roles()->get_names(); 3625 restore_current_blog(); 3626 } else { 3627 $role_names = wp_roles()->get_names(); 3628 } 3629 3630 $regex = implode( '|', array_keys( $role_names ) ); 3631 $regex = preg_replace( '/[^a-zA-Z_\|-]/', '', $regex ); 3632 $users = $wpdb->get_col( 3633 $wpdb->prepare( 3634 "SELECT user_id 3635 FROM $wpdb->usermeta 3636 WHERE meta_key = '{$prefix}capabilities' 3637 AND meta_value NOT REGEXP %s", 3638 $regex 3639 ) 3640 ); 3641 3642 return $users; 3643 } 3644 3645 /** 3646 * Retrieves the current user object. 3647 * 3648 * Will set the current user, if the current user is not set. The current user 3649 * will be set to the logged-in person. If no user is logged-in, then it will 3650 * set the current user to 0, which is invalid and won't have any permissions. 3651 * 3652 * This function is used by the pluggable functions wp_get_current_user() and 3653 * get_currentuserinfo(), the latter of which is deprecated but used for backward 3654 * compatibility. 3655 * 3656 * @since 4.5.0 3657 * @access private 3658 * 3659 * @see wp_get_current_user() 3660 * @global WP_User $current_user Checks if the current user is set. 3661 * 3662 * @return WP_User Current WP_User instance. 3663 */ 3664 function _wp_get_current_user() { 3665 global $current_user; 3666 3667 if ( ! empty( $current_user ) ) { 3668 if ( $current_user instanceof WP_User ) { 3669 return $current_user; 3670 } 3671 3672 // Upgrade stdClass to WP_User. 3673 if ( is_object( $current_user ) && isset( $current_user->ID ) ) { 3674 $cur_id = $current_user->ID; 3675 $current_user = null; 3676 wp_set_current_user( $cur_id ); 3677 return $current_user; 3678 } 3679 3680 // $current_user has a junk value. Force to WP_User with ID 0. 3681 $current_user = null; 3682 wp_set_current_user( 0 ); 3683 return $current_user; 3684 } 3685 3686 if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { 3687 wp_set_current_user( 0 ); 3688 return $current_user; 3689 } 3690 3691 /** 3692 * Filters the current user. 3693 * 3694 * The default filters use this to determine the current user from the 3695 * request's cookies, if available. 3696 * 3697 * Returning a value of false will effectively short-circuit setting 3698 * the current user. 3699 * 3700 * @since 3.9.0 3701 * 3702 * @param int|false $user_id User ID if one has been determined, false otherwise. 3703 */ 3704 $user_id = apply_filters( 'determine_current_user', false ); 3705 if ( ! $user_id ) { 3706 wp_set_current_user( 0 ); 3707 return $current_user; 3708 } 3709 3710 wp_set_current_user( $user_id ); 3711 3712 return $current_user; 3713 } 3714 3715 /** 3716 * Sends a confirmation request email when a change of user email address is attempted. 3717 * 3718 * @since 3.0.0 3719 * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. 3720 * 3721 * @global WP_Error $errors WP_Error object. 3722 */ 3723 function send_confirmation_on_profile_email() { 3724 global $errors; 3725 3726 $current_user = wp_get_current_user(); 3727 if ( ! is_object( $errors ) ) { 3728 $errors = new WP_Error(); 3729 } 3730 3731 if ( $current_user->ID !== (int) $_POST['user_id'] ) { 3732 return false; 3733 } 3734 3735 if ( $current_user->user_email !== $_POST['email'] ) { 3736 if ( ! is_email( $_POST['email'] ) ) { 3737 $errors->add( 3738 'user_email', 3739 __( '<strong>Error:</strong> The email address is not correct.' ), 3740 array( 3741 'form-field' => 'email', 3742 ) 3743 ); 3744 3745 return; 3746 } 3747 3748 if ( email_exists( $_POST['email'] ) ) { 3749 $errors->add( 3750 'user_email', 3751 __( '<strong>Error:</strong> The email address is already used.' ), 3752 array( 3753 'form-field' => 'email', 3754 ) 3755 ); 3756 delete_user_meta( $current_user->ID, '_new_email' ); 3757 3758 return; 3759 } 3760 3761 $hash = md5( $_POST['email'] . time() . wp_rand() ); 3762 $new_user_email = array( 3763 'hash' => $hash, 3764 'newemail' => $_POST['email'], 3765 ); 3766 update_user_meta( $current_user->ID, '_new_email', $new_user_email ); 3767 3768 $sitename = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 3769 3770 /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */ 3771 $email_text = __( 3772 'Howdy ###USERNAME###, 3773 3774 You recently requested to have the email address on your account changed. 3775 3776 If this is correct, please click on the following link to change it: 3777 ###ADMIN_URL### 3778 3779 You can safely ignore and delete this email if you do not want to 3780 take this action. 3781 3782 This email has been sent to ###EMAIL### 3783 3784 Regards, 3785 All at ###SITENAME### 3786 ###SITEURL###' 3787 ); 3788 3789 /** 3790 * Filters the text of the email sent when a change of user email address is attempted. 3791 * 3792 * The following strings have a special meaning and will get replaced dynamically: 3793 * - ###USERNAME### The current user's username. 3794 * - ###ADMIN_URL### The link to click on to confirm the email change. 3795 * - ###EMAIL### The new email. 3796 * - ###SITENAME### The name of the site. 3797 * - ###SITEURL### The URL to the site. 3798 * 3799 * @since MU (3.0.0) 3800 * @since 4.9.0 This filter is no longer Multisite specific. 3801 * 3802 * @param string $email_text Text in the email. 3803 * @param array $new_user_email { 3804 * Data relating to the new user email address. 3805 * 3806 * @type string $hash The secure hash used in the confirmation link URL. 3807 * @type string $newemail The proposed new email address. 3808 * } 3809 */ 3810 $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email ); 3811 3812 $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); 3813 $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); 3814 $content = str_replace( '###EMAIL###', $_POST['email'], $content ); 3815 $content = str_replace( '###SITENAME###', $sitename, $content ); 3816 $content = str_replace( '###SITEURL###', home_url(), $content ); 3817 3818 /* translators: New email address notification email subject. %s: Site title. */ 3819 wp_mail( $_POST['email'], sprintf( __( '[%s] Email Change Request' ), $sitename ), $content ); 3820 3821 $_POST['email'] = $current_user->user_email; 3822 } 3823 } 3824 3825 /** 3826 * Adds an admin notice alerting the user to check for confirmation request email 3827 * after email address change. 3828 * 3829 * @since 3.0.0 3830 * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. 3831 * 3832 * @global string $pagenow The filename of the current screen. 3833 */ 3834 function new_user_email_admin_notice() { 3835 global $pagenow; 3836 3837 if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) ) { 3838 $email = get_user_meta( get_current_user_id(), '_new_email', true ); 3839 if ( $email ) { 3840 $message = sprintf( 3841 /* translators: %s: New email address. */ 3842 __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), 3843 '<code>' . esc_html( $email['newemail'] ) . '</code>' 3844 ); 3845 wp_admin_notice( $message, array( 'type' => 'info' ) ); 3846 } 3847 } 3848 } 3849 3850 /** 3851 * Gets all personal data request types. 3852 * 3853 * @since 4.9.6 3854 * @access private 3855 * 3856 * @return string[] List of core privacy action types. 3857 */ 3858 function _wp_privacy_action_request_types() { 3859 return array( 3860 'export_personal_data', 3861 'remove_personal_data', 3862 ); 3863 } 3864 3865 /** 3866 * Registers the personal data exporter for users. 3867 * 3868 * @since 4.9.6 3869 * 3870 * @param array[] $exporters An array of personal data exporters. 3871 * @return array[] An array of personal data exporters. 3872 */ 3873 function wp_register_user_personal_data_exporter( $exporters ) { 3874 $exporters['wordpress-user'] = array( 3875 'exporter_friendly_name' => __( 'WordPress User' ), 3876 'callback' => 'wp_user_personal_data_exporter', 3877 ); 3878 3879 return $exporters; 3880 } 3881 3882 /** 3883 * Finds and exports personal data associated with an email address from the user and user_meta table. 3884 * 3885 * @since 4.9.6 3886 * @since 5.4.0 Added 'Community Events Location' group to the export data. 3887 * @since 5.4.0 Added 'Session Tokens' group to the export data. 3888 * 3889 * @param string $email_address The user's email address. 3890 * @return array { 3891 * An array of personal data. 3892 * 3893 * @type array[] $data An array of personal data arrays. 3894 * @type bool $done Whether the exporter is finished. 3895 * } 3896 */ 3897 function wp_user_personal_data_exporter( $email_address ) { 3898 $email_address = trim( $email_address ); 3899 3900 $data_to_export = array(); 3901 3902 $user = get_user_by( 'email', $email_address ); 3903 3904 if ( ! $user ) { 3905 return array( 3906 'data' => array(), 3907 'done' => true, 3908 ); 3909 } 3910 3911 $user_meta = get_user_meta( $user->ID ); 3912 3913 $user_props_to_export = array( 3914 'ID' => __( 'User ID' ), 3915 'user_login' => __( 'User Login Name' ), 3916 'user_nicename' => __( 'User Nice Name' ), 3917 'user_email' => __( 'User Email' ), 3918 'user_url' => __( 'User URL' ), 3919 'user_registered' => __( 'User Registration Date' ), 3920 'display_name' => __( 'User Display Name' ), 3921 'nickname' => __( 'User Nickname' ), 3922 'first_name' => __( 'User First Name' ), 3923 'last_name' => __( 'User Last Name' ), 3924 'description' => __( 'User Description' ), 3925 ); 3926 3927 $user_data_to_export = array(); 3928 3929 foreach ( $user_props_to_export as $key => $name ) { 3930 $value = ''; 3931 3932 switch ( $key ) { 3933 case 'ID': 3934 case 'user_login': 3935 case 'user_nicename': 3936 case 'user_email': 3937 case 'user_url': 3938 case 'user_registered': 3939 case 'display_name': 3940 $value = $user->data->$key; 3941 break; 3942 case 'nickname': 3943 case 'first_name': 3944 case 'last_name': 3945 case 'description': 3946 $value = $user_meta[ $key ][0]; 3947 break; 3948 } 3949 3950 if ( ! empty( $value ) ) { 3951 $user_data_to_export[] = array( 3952 'name' => $name, 3953 'value' => $value, 3954 ); 3955 } 3956 } 3957 3958 // Get the list of reserved names. 3959 $reserved_names = array_values( $user_props_to_export ); 3960 3961 /** 3962 * Filters the user's profile data for the privacy exporter. 3963 * 3964 * @since 5.4.0 3965 * 3966 * @param array $additional_user_profile_data { 3967 * An array of name-value pairs of additional user data items. Default empty array. 3968 * 3969 * @type string $name The user-facing name of an item name-value pair,e.g. 'IP Address'. 3970 * @type string $value The user-facing value of an item data pair, e.g. '50.60.70.0'. 3971 * } 3972 * @param WP_User $user The user whose data is being exported. 3973 * @param string[] $reserved_names An array of reserved names. Any item in `$additional_user_data` 3974 * that uses one of these for its `name` will not be included in the export. 3975 */ 3976 $_extra_data = apply_filters( 'wp_privacy_additional_user_profile_data', array(), $user, $reserved_names ); 3977 3978 if ( is_array( $_extra_data ) && ! empty( $_extra_data ) ) { 3979 // Remove items that use reserved names. 3980 $extra_data = array_filter( 3981 $_extra_data, 3982 static function ( $item ) use ( $reserved_names ) { 3983 return ! in_array( $item['name'], $reserved_names, true ); 3984 } 3985 ); 3986 3987 if ( count( $extra_data ) !== count( $_extra_data ) ) { 3988 _doing_it_wrong( 3989 __FUNCTION__, 3990 sprintf( 3991 /* translators: %s: wp_privacy_additional_user_profile_data */ 3992 __( 'Filter %s returned items with reserved names.' ), 3993 '<code>wp_privacy_additional_user_profile_data</code>' 3994 ), 3995 '5.4.0' 3996 ); 3997 } 3998 3999 if ( ! empty( $extra_data ) ) { 4000 $user_data_to_export = array_merge( $user_data_to_export, $extra_data ); 4001 } 4002 } 4003 4004 $data_to_export[] = array( 4005 'group_id' => 'user', 4006 'group_label' => __( 'User' ), 4007 'group_description' => __( 'User’s profile data.' ), 4008 'item_id' => "user-{$user->ID}", 4009 'data' => $user_data_to_export, 4010 ); 4011 4012 if ( isset( $user_meta['community-events-location'] ) ) { 4013 $location = maybe_unserialize( $user_meta['community-events-location'][0] ); 4014 4015 $location_props_to_export = array( 4016 'description' => __( 'City' ), 4017 'country' => __( 'Country' ), 4018 'latitude' => __( 'Latitude' ), 4019 'longitude' => __( 'Longitude' ), 4020 'ip' => __( 'IP' ), 4021 ); 4022 4023 $location_data_to_export = array(); 4024 4025 foreach ( $location_props_to_export as $key => $name ) { 4026 if ( ! empty( $location[ $key ] ) ) { 4027 $location_data_to_export[] = array( 4028 'name' => $name, 4029 'value' => $location[ $key ], 4030 ); 4031 } 4032 } 4033 4034 $data_to_export[] = array( 4035 'group_id' => 'community-events-location', 4036 'group_label' => __( 'Community Events Location' ), 4037 'group_description' => __( 'User’s location data used for the Community Events in the WordPress Events and News dashboard widget.' ), 4038 'item_id' => "community-events-location-{$user->ID}", 4039 'data' => $location_data_to_export, 4040 ); 4041 } 4042 4043 if ( isset( $user_meta['session_tokens'] ) ) { 4044 $session_tokens = maybe_unserialize( $user_meta['session_tokens'][0] ); 4045 4046 $session_tokens_props_to_export = array( 4047 'expiration' => __( 'Expiration' ), 4048 'ip' => __( 'IP' ), 4049 'ua' => __( 'User Agent' ), 4050 'login' => __( 'Last Login' ), 4051 ); 4052 4053 foreach ( $session_tokens as $token_key => $session_token ) { 4054 $session_tokens_data_to_export = array(); 4055 4056 foreach ( $session_tokens_props_to_export as $key => $name ) { 4057 if ( ! empty( $session_token[ $key ] ) ) { 4058 $value = $session_token[ $key ]; 4059 if ( in_array( $key, array( 'expiration', 'login' ), true ) ) { 4060 $value = date_i18n( 'F d, Y H:i A', $value ); 4061 } 4062 $session_tokens_data_to_export[] = array( 4063 'name' => $name, 4064 'value' => $value, 4065 ); 4066 } 4067 } 4068 4069 $data_to_export[] = array( 4070 'group_id' => 'session-tokens', 4071 'group_label' => __( 'Session Tokens' ), 4072 'group_description' => __( 'User’s Session Tokens data.' ), 4073 'item_id' => "session-tokens-{$user->ID}-{$token_key}", 4074 'data' => $session_tokens_data_to_export, 4075 ); 4076 } 4077 } 4078 4079 return array( 4080 'data' => $data_to_export, 4081 'done' => true, 4082 ); 4083 } 4084 4085 /** 4086 * Updates log when privacy request is confirmed. 4087 * 4088 * @since 4.9.6 4089 * @access private 4090 * 4091 * @param int $request_id ID of the request. 4092 */ 4093 function _wp_privacy_account_request_confirmed( $request_id ) { 4094 $request = wp_get_user_request( $request_id ); 4095 4096 if ( ! $request ) { 4097 return; 4098 } 4099 4100 if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) { 4101 return; 4102 } 4103 4104 update_post_meta( $request_id, '_wp_user_request_confirmed_timestamp', time() ); 4105 wp_update_post( 4106 array( 4107 'ID' => $request_id, 4108 'post_status' => 'request-confirmed', 4109 ) 4110 ); 4111 } 4112 4113 /** 4114 * Notifies the site administrator via email when a request is confirmed. 4115 * 4116 * Without this, the admin would have to manually check the site to see if any 4117 * action was needed on their part yet. 4118 * 4119 * @since 4.9.6 4120 * 4121 * @param int $request_id The ID of the request. 4122 */ 4123 function _wp_privacy_send_request_confirmation_notification( $request_id ) { 4124 $request = wp_get_user_request( $request_id ); 4125 4126 if ( ! ( $request instanceof WP_User_Request ) || 'request-confirmed' !== $request->status ) { 4127 return; 4128 } 4129 4130 $already_notified = (bool) get_post_meta( $request_id, '_wp_admin_notified', true ); 4131 4132 if ( $already_notified ) { 4133 return; 4134 } 4135 4136 if ( 'export_personal_data' === $request->action_name ) { 4137 $manage_url = admin_url( 'export-personal-data.php' ); 4138 } elseif ( 'remove_personal_data' === $request->action_name ) { 4139 $manage_url = admin_url( 'erase-personal-data.php' ); 4140 } 4141 $action_description = wp_user_request_action_description( $request->action_name ); 4142 4143 /** 4144 * Filters the recipient of the data request confirmation notification. 4145 * 4146 * In a Multisite environment, this will default to the email address of the 4147 * network admin because, by default, single site admins do not have the 4148 * capabilities required to process requests. Some networks may wish to 4149 * delegate those capabilities to a single-site admin, or a dedicated person 4150 * responsible for managing privacy requests. 4151 * 4152 * @since 4.9.6 4153 * 4154 * @param string $admin_email The email address of the notification recipient. 4155 * @param WP_User_Request $request The request that is initiating the notification. 4156 */ 4157 $admin_email = apply_filters( 'user_request_confirmed_email_to', get_site_option( 'admin_email' ), $request ); 4158 4159 $email_data = array( 4160 'request' => $request, 4161 'user_email' => $request->email, 4162 'description' => $action_description, 4163 'manage_url' => $manage_url, 4164 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4165 'siteurl' => home_url(), 4166 'admin_email' => $admin_email, 4167 ); 4168 4169 $subject = sprintf( 4170 /* translators: Privacy data request confirmed notification email subject. 1: Site title, 2: Name of the confirmed action. */ 4171 __( '[%1$s] Action Confirmed: %2$s' ), 4172 $email_data['sitename'], 4173 $action_description 4174 ); 4175 4176 /** 4177 * Filters the subject of the user request confirmation email. 4178 * 4179 * @since 4.9.8 4180 * 4181 * @param string $subject The email subject. 4182 * @param string $sitename The name of the site. 4183 * @param array $email_data { 4184 * Data relating to the account action email. 4185 * 4186 * @type WP_User_Request $request User request object. 4187 * @type string $user_email The email address confirming a request. 4188 * @type string $description Description of the action being performed so the user knows what the email is for. 4189 * @type string $manage_url The link to click manage privacy requests of this type. 4190 * @type string $sitename The site name sending the mail. 4191 * @type string $siteurl The site URL sending the mail. 4192 * @type string $admin_email The administrator email receiving the mail. 4193 * } 4194 */ 4195 $subject = apply_filters( 'user_request_confirmed_email_subject', $subject, $email_data['sitename'], $email_data ); 4196 4197 /* translators: Do not translate SITENAME, USER_EMAIL, DESCRIPTION, MANAGE_URL, SITEURL; those are placeholders. */ 4198 $content = __( 4199 'Howdy, 4200 4201 A user data privacy request has been confirmed on ###SITENAME###: 4202 4203 User: ###USER_EMAIL### 4204 Request: ###DESCRIPTION### 4205 4206 You can view and manage these data privacy requests here: 4207 4208 ###MANAGE_URL### 4209 4210 Regards, 4211 All at ###SITENAME### 4212 ###SITEURL###' 4213 ); 4214 4215 /** 4216 * Filters the body of the user request confirmation email. 4217 * 4218 * The email is sent to an administrator when a user request is confirmed. 4219 * 4220 * The following strings have a special meaning and will get replaced dynamically: 4221 * 4222 * ###SITENAME### The name of the site. 4223 * ###USER_EMAIL### The user email for the request. 4224 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4225 * ###MANAGE_URL### The URL to manage requests. 4226 * ###SITEURL### The URL to the site. 4227 * 4228 * @since 4.9.6 4229 * @deprecated 5.8.0 Use {@see 'user_request_confirmed_email_content'} instead. 4230 * For user erasure fulfillment email content 4231 * use {@see 'user_erasure_fulfillment_email_content'} instead. 4232 * 4233 * @param string $content The email content. 4234 * @param array $email_data { 4235 * Data relating to the account action email. 4236 * 4237 * @type WP_User_Request $request User request object. 4238 * @type string $user_email The email address confirming a request. 4239 * @type string $description Description of the action being performed 4240 * so the user knows what the email is for. 4241 * @type string $manage_url The link to click manage privacy requests of this type. 4242 * @type string $sitename The site name sending the mail. 4243 * @type string $siteurl The site URL sending the mail. 4244 * @type string $admin_email The administrator email receiving the mail. 4245 * } 4246 */ 4247 $content = apply_filters_deprecated( 4248 'user_confirmed_action_email_content', 4249 array( $content, $email_data ), 4250 '5.8.0', 4251 sprintf( 4252 /* translators: 1 & 2: Deprecation replacement options. */ 4253 __( '%1$s or %2$s' ), 4254 'user_request_confirmed_email_content', 4255 'user_erasure_fulfillment_email_content' 4256 ) 4257 ); 4258 4259 /** 4260 * Filters the body of the user request confirmation email. 4261 * 4262 * The email is sent to an administrator when a user request is confirmed. 4263 * The following strings have a special meaning and will get replaced dynamically: 4264 * 4265 * ###SITENAME### The name of the site. 4266 * ###USER_EMAIL### The user email for the request. 4267 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4268 * ###MANAGE_URL### The URL to manage requests. 4269 * ###SITEURL### The URL to the site. 4270 * 4271 * @since 5.8.0 4272 * 4273 * @param string $content The email content. 4274 * @param array $email_data { 4275 * Data relating to the account action email. 4276 * 4277 * @type WP_User_Request $request User request object. 4278 * @type string $user_email The email address confirming a request. 4279 * @type string $description Description of the action being performed so the user knows what the email is for. 4280 * @type string $manage_url The link to click manage privacy requests of this type. 4281 * @type string $sitename The site name sending the mail. 4282 * @type string $siteurl The site URL sending the mail. 4283 * @type string $admin_email The administrator email receiving the mail. 4284 * } 4285 */ 4286 $content = apply_filters( 'user_request_confirmed_email_content', $content, $email_data ); 4287 4288 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4289 $content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content ); 4290 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); 4291 $content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content ); 4292 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4293 4294 $headers = ''; 4295 4296 /** 4297 * Filters the headers of the user request confirmation email. 4298 * 4299 * @since 5.4.0 4300 * 4301 * @param string|array $headers The email headers. 4302 * @param string $subject The email subject. 4303 * @param string $content The email content. 4304 * @param int $request_id The request ID. 4305 * @param array $email_data { 4306 * Data relating to the account action email. 4307 * 4308 * @type WP_User_Request $request User request object. 4309 * @type string $user_email The email address confirming a request. 4310 * @type string $description Description of the action being performed so the user knows what the email is for. 4311 * @type string $manage_url The link to click manage privacy requests of this type. 4312 * @type string $sitename The site name sending the mail. 4313 * @type string $siteurl The site URL sending the mail. 4314 * @type string $admin_email The administrator email receiving the mail. 4315 * } 4316 */ 4317 $headers = apply_filters( 'user_request_confirmed_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4318 4319 $email_sent = wp_mail( $email_data['admin_email'], $subject, $content, $headers ); 4320 4321 if ( $email_sent ) { 4322 update_post_meta( $request_id, '_wp_admin_notified', true ); 4323 } 4324 } 4325 4326 /** 4327 * Notifies the user when their erasure request is fulfilled. 4328 * 4329 * Without this, the user would never know if their data was actually erased. 4330 * 4331 * @since 4.9.6 4332 * 4333 * @param int $request_id The privacy request post ID associated with this request. 4334 */ 4335 function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) { 4336 $request = wp_get_user_request( $request_id ); 4337 4338 if ( ! ( $request instanceof WP_User_Request ) || 'request-completed' !== $request->status ) { 4339 return; 4340 } 4341 4342 $already_notified = (bool) get_post_meta( $request_id, '_wp_user_notified', true ); 4343 4344 if ( $already_notified ) { 4345 return; 4346 } 4347 4348 // Localize message content for user; fallback to site default for visitors. 4349 if ( ! empty( $request->user_id ) ) { 4350 $switched_locale = switch_to_user_locale( $request->user_id ); 4351 } else { 4352 $switched_locale = switch_to_locale( get_locale() ); 4353 } 4354 4355 /** 4356 * Filters the recipient of the data erasure fulfillment notification. 4357 * 4358 * @since 4.9.6 4359 * 4360 * @param string $user_email The email address of the notification recipient. 4361 * @param WP_User_Request $request The request that is initiating the notification. 4362 */ 4363 $user_email = apply_filters( 'user_erasure_fulfillment_email_to', $request->email, $request ); 4364 4365 $email_data = array( 4366 'request' => $request, 4367 'message_recipient' => $user_email, 4368 'privacy_policy_url' => get_privacy_policy_url(), 4369 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4370 'siteurl' => home_url(), 4371 ); 4372 4373 $subject = sprintf( 4374 /* translators: Erasure request fulfilled notification email subject. %s: Site title. */ 4375 __( '[%s] Erasure Request Fulfilled' ), 4376 $email_data['sitename'] 4377 ); 4378 4379 /** 4380 * Filters the subject of the email sent when an erasure request is completed. 4381 * 4382 * @since 4.9.8 4383 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_subject'} instead. 4384 * 4385 * @param string $subject The email subject. 4386 * @param string $sitename The name of the site. 4387 * @param array $email_data { 4388 * Data relating to the account action email. 4389 * 4390 * @type WP_User_Request $request User request object. 4391 * @type string $message_recipient The address that the email will be sent to. Defaults 4392 * to the value of `$request->email`, but can be changed 4393 * by the `user_erasure_fulfillment_email_to` filter. 4394 * @type string $privacy_policy_url Privacy policy URL. 4395 * @type string $sitename The site name sending the mail. 4396 * @type string $siteurl The site URL sending the mail. 4397 * } 4398 */ 4399 $subject = apply_filters_deprecated( 4400 'user_erasure_complete_email_subject', 4401 array( $subject, $email_data['sitename'], $email_data ), 4402 '5.8.0', 4403 'user_erasure_fulfillment_email_subject' 4404 ); 4405 4406 /** 4407 * Filters the subject of the email sent when an erasure request is completed. 4408 * 4409 * @since 5.8.0 4410 * 4411 * @param string $subject The email subject. 4412 * @param string $sitename The name of the site. 4413 * @param array $email_data { 4414 * Data relating to the account action email. 4415 * 4416 * @type WP_User_Request $request User request object. 4417 * @type string $message_recipient The address that the email will be sent to. Defaults 4418 * to the value of `$request->email`, but can be changed 4419 * by the `user_erasure_fulfillment_email_to` filter. 4420 * @type string $privacy_policy_url Privacy policy URL. 4421 * @type string $sitename The site name sending the mail. 4422 * @type string $siteurl The site URL sending the mail. 4423 * } 4424 */ 4425 $subject = apply_filters( 'user_erasure_fulfillment_email_subject', $subject, $email_data['sitename'], $email_data ); 4426 4427 /* translators: Do not translate SITENAME, SITEURL; those are placeholders. */ 4428 $content = __( 4429 'Howdy, 4430 4431 Your request to erase your personal data on ###SITENAME### has been completed. 4432 4433 If you have any follow-up questions or concerns, please contact the site administrator. 4434 4435 Regards, 4436 All at ###SITENAME### 4437 ###SITEURL###' 4438 ); 4439 4440 if ( ! empty( $email_data['privacy_policy_url'] ) ) { 4441 /* translators: Do not translate SITENAME, SITEURL, PRIVACY_POLICY_URL; those are placeholders. */ 4442 $content = __( 4443 'Howdy, 4444 4445 Your request to erase your personal data on ###SITENAME### has been completed. 4446 4447 If you have any follow-up questions or concerns, please contact the site administrator. 4448 4449 For more information, you can also read our privacy policy: ###PRIVACY_POLICY_URL### 4450 4451 Regards, 4452 All at ###SITENAME### 4453 ###SITEURL###' 4454 ); 4455 } 4456 4457 /** 4458 * Filters the body of the data erasure fulfillment notification. 4459 * 4460 * The email is sent to a user when their data erasure request is fulfilled 4461 * by an administrator. 4462 * 4463 * The following strings have a special meaning and will get replaced dynamically: 4464 * 4465 * ###SITENAME### The name of the site. 4466 * ###PRIVACY_POLICY_URL### Privacy policy page URL. 4467 * ###SITEURL### The URL to the site. 4468 * 4469 * @since 4.9.6 4470 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_content'} instead. 4471 * For user request confirmation email content 4472 * use {@see 'user_request_confirmed_email_content'} instead. 4473 * 4474 * @param string $content The email content. 4475 * @param array $email_data { 4476 * Data relating to the account action email. 4477 * 4478 * @type WP_User_Request $request User request object. 4479 * @type string $message_recipient The address that the email will be sent to. Defaults 4480 * to the value of `$request->email`, but can be changed 4481 * by the `user_erasure_fulfillment_email_to` filter. 4482 * @type string $privacy_policy_url Privacy policy URL. 4483 * @type string $sitename The site name sending the mail. 4484 * @type string $siteurl The site URL sending the mail. 4485 * } 4486 */ 4487 $content = apply_filters_deprecated( 4488 'user_confirmed_action_email_content', 4489 array( $content, $email_data ), 4490 '5.8.0', 4491 sprintf( 4492 /* translators: 1 & 2: Deprecation replacement options. */ 4493 __( '%1$s or %2$s' ), 4494 'user_erasure_fulfillment_email_content', 4495 'user_request_confirmed_email_content' 4496 ) 4497 ); 4498 4499 /** 4500 * Filters the body of the data erasure fulfillment notification. 4501 * 4502 * The email is sent to a user when their data erasure request is fulfilled 4503 * by an administrator. 4504 * 4505 * The following strings have a special meaning and will get replaced dynamically: 4506 * 4507 * ###SITENAME### The name of the site. 4508 * ###PRIVACY_POLICY_URL### Privacy policy page URL. 4509 * ###SITEURL### The URL to the site. 4510 * 4511 * @since 5.8.0 4512 * 4513 * @param string $content The email content. 4514 * @param array $email_data { 4515 * Data relating to the account action email. 4516 * 4517 * @type WP_User_Request $request User request object. 4518 * @type string $message_recipient The address that the email will be sent to. Defaults 4519 * to the value of `$request->email`, but can be changed 4520 * by the `user_erasure_fulfillment_email_to` filter. 4521 * @type string $privacy_policy_url Privacy policy URL. 4522 * @type string $sitename The site name sending the mail. 4523 * @type string $siteurl The site URL sending the mail. 4524 * } 4525 */ 4526 $content = apply_filters( 'user_erasure_fulfillment_email_content', $content, $email_data ); 4527 4528 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4529 $content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content ); 4530 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4531 4532 $headers = ''; 4533 4534 /** 4535 * Filters the headers of the data erasure fulfillment notification. 4536 * 4537 * @since 5.4.0 4538 * @deprecated 5.8.0 Use {@see 'user_erasure_fulfillment_email_headers'} instead. 4539 * 4540 * @param string|array $headers The email headers. 4541 * @param string $subject The email subject. 4542 * @param string $content The email content. 4543 * @param int $request_id The request ID. 4544 * @param array $email_data { 4545 * Data relating to the account action email. 4546 * 4547 * @type WP_User_Request $request User request object. 4548 * @type string $message_recipient The address that the email will be sent to. Defaults 4549 * to the value of `$request->email`, but can be changed 4550 * by the `user_erasure_fulfillment_email_to` filter. 4551 * @type string $privacy_policy_url Privacy policy URL. 4552 * @type string $sitename The site name sending the mail. 4553 * @type string $siteurl The site URL sending the mail. 4554 * } 4555 */ 4556 $headers = apply_filters_deprecated( 4557 'user_erasure_complete_email_headers', 4558 array( $headers, $subject, $content, $request_id, $email_data ), 4559 '5.8.0', 4560 'user_erasure_fulfillment_email_headers' 4561 ); 4562 4563 /** 4564 * Filters the headers of the data erasure fulfillment notification. 4565 * 4566 * @since 5.8.0 4567 * 4568 * @param string|array $headers The email headers. 4569 * @param string $subject The email subject. 4570 * @param string $content The email content. 4571 * @param int $request_id The request ID. 4572 * @param array $email_data { 4573 * Data relating to the account action email. 4574 * 4575 * @type WP_User_Request $request User request object. 4576 * @type string $message_recipient The address that the email will be sent to. Defaults 4577 * to the value of `$request->email`, but can be changed 4578 * by the `user_erasure_fulfillment_email_to` filter. 4579 * @type string $privacy_policy_url Privacy policy URL. 4580 * @type string $sitename The site name sending the mail. 4581 * @type string $siteurl The site URL sending the mail. 4582 * } 4583 */ 4584 $headers = apply_filters( 'user_erasure_fulfillment_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4585 4586 $email_sent = wp_mail( $user_email, $subject, $content, $headers ); 4587 4588 if ( $switched_locale ) { 4589 restore_previous_locale(); 4590 } 4591 4592 if ( $email_sent ) { 4593 update_post_meta( $request_id, '_wp_user_notified', true ); 4594 } 4595 } 4596 4597 /** 4598 * Returns request confirmation message HTML. 4599 * 4600 * @since 4.9.6 4601 * @access private 4602 * 4603 * @param int $request_id The request ID being confirmed. 4604 * @return string The confirmation message. 4605 */ 4606 function _wp_privacy_account_request_confirmed_message( $request_id ) { 4607 $request = wp_get_user_request( $request_id ); 4608 4609 $message = '<p class="success">' . __( 'Action has been confirmed.' ) . '</p>'; 4610 $message .= '<p>' . __( 'The site administrator has been notified and will fulfill your request as soon as possible.' ) . '</p>'; 4611 4612 if ( $request && in_array( $request->action_name, _wp_privacy_action_request_types(), true ) ) { 4613 if ( 'export_personal_data' === $request->action_name ) { 4614 $message = '<p class="success">' . __( 'Thanks for confirming your export request.' ) . '</p>'; 4615 $message .= '<p>' . __( 'The site administrator has been notified. You will receive a link to download your export via email when they fulfill your request.' ) . '</p>'; 4616 } elseif ( 'remove_personal_data' === $request->action_name ) { 4617 $message = '<p class="success">' . __( 'Thanks for confirming your erasure request.' ) . '</p>'; 4618 $message .= '<p>' . __( 'The site administrator has been notified. You will receive an email confirmation when they erase your data.' ) . '</p>'; 4619 } 4620 } 4621 4622 /** 4623 * Filters the message displayed to a user when they confirm a data request. 4624 * 4625 * @since 4.9.6 4626 * 4627 * @param string $message The message to the user. 4628 * @param int $request_id The ID of the request being confirmed. 4629 */ 4630 $message = apply_filters( 'user_request_action_confirmed_message', $message, $request_id ); 4631 4632 return $message; 4633 } 4634 4635 /** 4636 * Creates and logs a user request to perform a specific action. 4637 * 4638 * Requests are stored inside a post type named `user_request` since they can apply to both 4639 * users on the site, or guests without a user account. 4640 * 4641 * @since 4.9.6 4642 * @since 5.7.0 Added the `$status` parameter. 4643 * 4644 * @param string $email_address User email address. This can be the address of a registered 4645 * or non-registered user. 4646 * @param string $action_name Name of the action that is being confirmed. Required. 4647 * @param array $request_data Misc data you want to send with the verification request and pass 4648 * to the actions once the request is confirmed. 4649 * @param string $status Optional request status (pending or confirmed). Default 'pending'. 4650 * @return int|WP_Error Returns the request ID if successful, or a WP_Error object on failure. 4651 */ 4652 function wp_create_user_request( $email_address = '', $action_name = '', $request_data = array(), $status = 'pending' ) { 4653 $email_address = sanitize_email( $email_address ); 4654 $action_name = sanitize_key( $action_name ); 4655 4656 if ( ! is_email( $email_address ) ) { 4657 return new WP_Error( 'invalid_email', __( 'Invalid email address.' ) ); 4658 } 4659 4660 if ( ! in_array( $action_name, _wp_privacy_action_request_types(), true ) ) { 4661 return new WP_Error( 'invalid_action', __( 'Invalid action name.' ) ); 4662 } 4663 4664 if ( ! in_array( $status, array( 'pending', 'confirmed' ), true ) ) { 4665 return new WP_Error( 'invalid_status', __( 'Invalid request status.' ) ); 4666 } 4667 4668 $user = get_user_by( 'email', $email_address ); 4669 $user_id = $user && ! is_wp_error( $user ) ? $user->ID : 0; 4670 4671 // Check for duplicates. 4672 $requests_query = new WP_Query( 4673 array( 4674 'post_type' => 'user_request', 4675 'post_name__in' => array( $action_name ), // Action name stored in post_name column. 4676 'title' => $email_address, // Email address stored in post_title column. 4677 'post_status' => array( 4678 'request-pending', 4679 'request-confirmed', 4680 ), 4681 'fields' => 'ids', 4682 ) 4683 ); 4684 4685 if ( $requests_query->found_posts ) { 4686 return new WP_Error( 'duplicate_request', __( 'An incomplete personal data request for this email address already exists.' ) ); 4687 } 4688 4689 $request_id = wp_insert_post( 4690 array( 4691 'post_author' => $user_id, 4692 'post_name' => $action_name, 4693 'post_title' => $email_address, 4694 'post_content' => wp_json_encode( $request_data ), 4695 'post_status' => 'request-' . $status, 4696 'post_type' => 'user_request', 4697 'post_date' => current_time( 'mysql', false ), 4698 'post_date_gmt' => current_time( 'mysql', true ), 4699 ), 4700 true 4701 ); 4702 4703 return $request_id; 4704 } 4705 4706 /** 4707 * Gets action description from the name and return a string. 4708 * 4709 * @since 4.9.6 4710 * 4711 * @param string $action_name Action name of the request. 4712 * @return string Human readable action name. 4713 */ 4714 function wp_user_request_action_description( $action_name ) { 4715 switch ( $action_name ) { 4716 case 'export_personal_data': 4717 $description = __( 'Export Personal Data' ); 4718 break; 4719 case 'remove_personal_data': 4720 $description = __( 'Erase Personal Data' ); 4721 break; 4722 default: 4723 /* translators: %s: Action name. */ 4724 $description = sprintf( __( 'Confirm the "%s" action' ), $action_name ); 4725 break; 4726 } 4727 4728 /** 4729 * Filters the user action description. 4730 * 4731 * @since 4.9.6 4732 * 4733 * @param string $description The default description. 4734 * @param string $action_name The name of the request. 4735 */ 4736 return apply_filters( 'user_request_action_description', $description, $action_name ); 4737 } 4738 4739 /** 4740 * Send a confirmation request email to confirm an action. 4741 * 4742 * If the request is not already pending, it will be updated. 4743 * 4744 * @since 4.9.6 4745 * 4746 * @param string $request_id ID of the request created via wp_create_user_request(). 4747 * @return true|WP_Error True on success, `WP_Error` on failure. 4748 */ 4749 function wp_send_user_request( $request_id ) { 4750 $request_id = absint( $request_id ); 4751 $request = wp_get_user_request( $request_id ); 4752 4753 if ( ! $request ) { 4754 return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) ); 4755 } 4756 4757 // Localize message content for user; fallback to site default for visitors. 4758 if ( ! empty( $request->user_id ) ) { 4759 $switched_locale = switch_to_user_locale( $request->user_id ); 4760 } else { 4761 $switched_locale = switch_to_locale( get_locale() ); 4762 } 4763 4764 $email_data = array( 4765 'request' => $request, 4766 'email' => $request->email, 4767 'description' => wp_user_request_action_description( $request->action_name ), 4768 'confirm_url' => add_query_arg( 4769 array( 4770 'action' => 'confirmaction', 4771 'request_id' => $request_id, 4772 'confirm_key' => wp_generate_user_request_key( $request_id ), 4773 ), 4774 wp_login_url() 4775 ), 4776 'sitename' => wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ), 4777 'siteurl' => home_url(), 4778 ); 4779 4780 /* translators: Confirm privacy data request notification email subject. 1: Site title, 2: Name of the action. */ 4781 $subject = sprintf( __( '[%1$s] Confirm Action: %2$s' ), $email_data['sitename'], $email_data['description'] ); 4782 4783 /** 4784 * Filters the subject of the email sent when an account action is attempted. 4785 * 4786 * @since 4.9.6 4787 * 4788 * @param string $subject The email subject. 4789 * @param string $sitename The name of the site. 4790 * @param array $email_data { 4791 * Data relating to the account action email. 4792 * 4793 * @type WP_User_Request $request User request object. 4794 * @type string $email The email address this is being sent to. 4795 * @type string $description Description of the action being performed so the user knows what the email is for. 4796 * @type string $confirm_url The link to click on to confirm the account action. 4797 * @type string $sitename The site name sending the mail. 4798 * @type string $siteurl The site URL sending the mail. 4799 * } 4800 */ 4801 $subject = apply_filters( 'user_request_action_email_subject', $subject, $email_data['sitename'], $email_data ); 4802 4803 /* translators: Do not translate DESCRIPTION, CONFIRM_URL, SITENAME, SITEURL: those are placeholders. */ 4804 $content = __( 4805 'Howdy, 4806 4807 A request has been made to perform the following action on your account: 4808 4809 ###DESCRIPTION### 4810 4811 To confirm this, please click on the following link: 4812 ###CONFIRM_URL### 4813 4814 You can safely ignore and delete this email if you do not want to 4815 take this action. 4816 4817 Regards, 4818 All at ###SITENAME### 4819 ###SITEURL###' 4820 ); 4821 4822 /** 4823 * Filters the text of the email sent when an account action is attempted. 4824 * 4825 * The following strings have a special meaning and will get replaced dynamically: 4826 * 4827 * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for. 4828 * ###CONFIRM_URL### The link to click on to confirm the account action. 4829 * ###SITENAME### The name of the site. 4830 * ###SITEURL### The URL to the site. 4831 * 4832 * @since 4.9.6 4833 * 4834 * @param string $content Text in the email. 4835 * @param array $email_data { 4836 * Data relating to the account action email. 4837 * 4838 * @type WP_User_Request $request User request object. 4839 * @type string $email The email address this is being sent to. 4840 * @type string $description Description of the action being performed so the user knows what the email is for. 4841 * @type string $confirm_url The link to click on to confirm the account action. 4842 * @type string $sitename The site name sending the mail. 4843 * @type string $siteurl The site URL sending the mail. 4844 * } 4845 */ 4846 $content = apply_filters( 'user_request_action_email_content', $content, $email_data ); 4847 4848 $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content ); 4849 $content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content ); 4850 $content = str_replace( '###EMAIL###', $email_data['email'], $content ); 4851 $content = str_replace( '###SITENAME###', $email_data['sitename'], $content ); 4852 $content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content ); 4853 4854 $headers = ''; 4855 4856 /** 4857 * Filters the headers of the email sent when an account action is attempted. 4858 * 4859 * @since 5.4.0 4860 * 4861 * @param string|array $headers The email headers. 4862 * @param string $subject The email subject. 4863 * @param string $content The email content. 4864 * @param int $request_id The request ID. 4865 * @param array $email_data { 4866 * Data relating to the account action email. 4867 * 4868 * @type WP_User_Request $request User request object. 4869 * @type string $email The email address this is being sent to. 4870 * @type string $description Description of the action being performed so the user knows what the email is for. 4871 * @type string $confirm_url The link to click on to confirm the account action. 4872 * @type string $sitename The site name sending the mail. 4873 * @type string $siteurl The site URL sending the mail. 4874 * } 4875 */ 4876 $headers = apply_filters( 'user_request_action_email_headers', $headers, $subject, $content, $request_id, $email_data ); 4877 4878 $email_sent = wp_mail( $email_data['email'], $subject, $content, $headers ); 4879 4880 if ( $switched_locale ) { 4881 restore_previous_locale(); 4882 } 4883 4884 if ( ! $email_sent ) { 4885 return new WP_Error( 'privacy_email_error', __( 'Unable to send personal data export confirmation email.' ) ); 4886 } 4887 4888 return true; 4889 } 4890 4891 /** 4892 * Returns a confirmation key for a user action and stores the hashed version for future comparison. 4893 * 4894 * @since 4.9.6 4895 * 4896 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 4897 * 4898 * @param int $request_id Request ID. 4899 * @return string Confirmation key. 4900 */ 4901 function wp_generate_user_request_key( $request_id ) { 4902 global $wp_hasher; 4903 4904 // Generate something random for a confirmation key. 4905 $key = wp_generate_password( 20, false ); 4906 4907 // Return the key, hashed. 4908 if ( empty( $wp_hasher ) ) { 4909 require_once ABSPATH . WPINC . '/class-phpass.php'; 4910 $wp_hasher = new PasswordHash( 8, true ); 4911 } 4912 4913 wp_update_post( 4914 array( 4915 'ID' => $request_id, 4916 'post_status' => 'request-pending', 4917 'post_password' => $wp_hasher->HashPassword( $key ), 4918 ) 4919 ); 4920 4921 return $key; 4922 } 4923 4924 /** 4925 * Validates a user request by comparing the key with the request's key. 4926 * 4927 * @since 4.9.6 4928 * 4929 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance. 4930 * 4931 * @param string $request_id ID of the request being confirmed. 4932 * @param string $key Provided key to validate. 4933 * @return true|WP_Error True on success, WP_Error on failure. 4934 */ 4935 function wp_validate_user_request_key( $request_id, $key ) { 4936 global $wp_hasher; 4937 4938 $request_id = absint( $request_id ); 4939 $request = wp_get_user_request( $request_id ); 4940 $saved_key = $request->confirm_key; 4941 $key_request_time = $request->modified_timestamp; 4942 4943 if ( ! $request || ! $saved_key || ! $key_request_time ) { 4944 return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) ); 4945 } 4946 4947 if ( ! in_array( $request->status, array( 'request-pending', 'request-failed' ), true ) ) { 4948 return new WP_Error( 'expired_request', __( 'This personal data request has expired.' ) ); 4949 } 4950 4951 if ( empty( $key ) ) { 4952 return new WP_Error( 'missing_key', __( 'The confirmation key is missing from this personal data request.' ) ); 4953 } 4954 4955 if ( empty( $wp_hasher ) ) { 4956 require_once ABSPATH . WPINC . '/class-phpass.php'; 4957 $wp_hasher = new PasswordHash( 8, true ); 4958 } 4959 4960 /** 4961 * Filters the expiration time of confirm keys. 4962 * 4963 * @since 4.9.6 4964 * 4965 * @param int $expiration The expiration time in seconds. 4966 */ 4967 $expiration_duration = (int) apply_filters( 'user_request_key_expiration', DAY_IN_SECONDS ); 4968 $expiration_time = $key_request_time + $expiration_duration; 4969 4970 if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) { 4971 return new WP_Error( 'invalid_key', __( 'The confirmation key is invalid for this personal data request.' ) ); 4972 } 4973 4974 if ( ! $expiration_time || time() > $expiration_time ) { 4975 return new WP_Error( 'expired_key', __( 'The confirmation key has expired for this personal data request.' ) ); 4976 } 4977 4978 return true; 4979 } 4980 4981 /** 4982 * Returns the user request object for the specified request ID. 4983 * 4984 * @since 4.9.6 4985 * 4986 * @param int $request_id The ID of the user request. 4987 * @return WP_User_Request|false 4988 */ 4989 function wp_get_user_request( $request_id ) { 4990 $request_id = absint( $request_id ); 4991 $post = get_post( $request_id ); 4992 4993 if ( ! $post || 'user_request' !== $post->post_type ) { 4994 return false; 4995 } 4996 4997 return new WP_User_Request( $post ); 4998 } 4999 5000 /** 5001 * Checks if Application Passwords is supported. 5002 * 5003 * Application Passwords is supported only by sites using SSL or local environments 5004 * but may be made available using the {@see 'wp_is_application_passwords_available'} filter. 5005 * 5006 * @since 5.9.0 5007 * 5008 * @return bool 5009 */ 5010 function wp_is_application_passwords_supported() { 5011 return is_ssl() || 'local' === wp_get_environment_type(); 5012 } 5013 5014 /** 5015 * Checks if Application Passwords is globally available. 5016 * 5017 * By default, Application Passwords is available to all sites using SSL or to local environments. 5018 * Use the {@see 'wp_is_application_passwords_available'} filter to adjust its availability. 5019 * 5020 * @since 5.6.0 5021 * 5022 * @return bool 5023 */ 5024 function wp_is_application_passwords_available() { 5025 /** 5026 * Filters whether Application Passwords is available. 5027 * 5028 * @since 5.6.0 5029 * 5030 * @param bool $available True if available, false otherwise. 5031 */ 5032 return apply_filters( 'wp_is_application_passwords_available', wp_is_application_passwords_supported() ); 5033 } 5034 5035 /** 5036 * Checks if Application Passwords is available for a specific user. 5037 * 5038 * By default all users can use Application Passwords. Use {@see 'wp_is_application_passwords_available_for_user'} 5039 * to restrict availability to certain users. 5040 * 5041 * @since 5.6.0 5042 * 5043 * @param int|WP_User $user The user to check. 5044 * @return bool 5045 */ 5046 function wp_is_application_passwords_available_for_user( $user ) { 5047 if ( ! wp_is_application_passwords_available() ) { 5048 return false; 5049 } 5050 5051 if ( ! is_object( $user ) ) { 5052 $user = get_userdata( $user ); 5053 } 5054 5055 if ( ! $user || ! $user->exists() ) { 5056 return false; 5057 } 5058 5059 /** 5060 * Filters whether Application Passwords is available for a specific user. 5061 * 5062 * @since 5.6.0 5063 * 5064 * @param bool $available True if available, false otherwise. 5065 * @param WP_User $user The user to check. 5066 */ 5067 return apply_filters( 'wp_is_application_passwords_available_for_user', true, $user ); 5068 } 5069 5070 /** 5071 * Registers the user meta property for persisted preferences. 5072 * 5073 * This property is used to store user preferences across page reloads and is 5074 * currently used by the block editor for preferences like 'fullscreenMode' and 5075 * 'fixedToolbar'. 5076 * 5077 * @since 6.1.0 5078 * @access private 5079 * 5080 * @global wpdb $wpdb WordPress database abstraction object. 5081 */ 5082 function wp_register_persisted_preferences_meta() { 5083 /* 5084 * Create a meta key that incorporates the blog prefix so that each site 5085 * on a multisite can have distinct user preferences. 5086 */ 5087 global $wpdb; 5088 $meta_key = $wpdb->get_blog_prefix() . 'persisted_preferences'; 5089 5090 register_meta( 5091 'user', 5092 $meta_key, 5093 array( 5094 'type' => 'object', 5095 'single' => true, 5096 'show_in_rest' => array( 5097 'name' => 'persisted_preferences', 5098 'type' => 'object', 5099 'schema' => array( 5100 'type' => 'object', 5101 'context' => array( 'edit' ), 5102 'properties' => array( 5103 '_modified' => array( 5104 'description' => __( 'The date and time the preferences were updated.' ), 5105 'type' => 'string', 5106 'format' => 'date-time', 5107 'readonly' => false, 5108 ), 5109 ), 5110 'additionalProperties' => true, 5111 ), 5112 ), 5113 ) 5114 ); 5115 } 5116 5117 /** 5118 * Sets the last changed time for the 'users' cache group. 5119 * 5120 * @since 6.3.0 5121 */ 5122 function wp_cache_set_users_last_changed() { 5123 wp_cache_set_last_changed( 'users' ); 5124 } 5125 5126 /** 5127 * Checks if password reset is allowed for a specific user. 5128 * 5129 * @since 6.3.0 5130 * 5131 * @param int|WP_User $user The user to check. 5132 * @return bool|WP_Error True if allowed, false or WP_Error otherwise. 5133 */ 5134 function wp_is_password_reset_allowed_for_user( $user ) { 5135 if ( ! is_object( $user ) ) { 5136 $user = get_userdata( $user ); 5137 } 5138 5139 if ( ! $user || ! $user->exists() ) { 5140 return false; 5141 } 5142 $allow = true; 5143 if ( is_multisite() && is_user_spammy( $user ) ) { 5144 $allow = false; 5145 } 5146 5147 /** 5148 * Filters whether to allow a password to be reset. 5149 * 5150 * @since 2.7.0 5151 * 5152 * @param bool $allow Whether to allow the password to be reset. Default true. 5153 * @param int $user_id The ID of the user attempting to reset a password. 5154 */ 5155 return apply_filters( 'allow_password_reset', $allow, $user->ID ); 5156 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated : Tue Jan 21 08:20:01 2025 | Cross-referenced by PHPXref |