+/**
+ * WordPress User Page
+ *
+ * Handles authentication, registering, resetting passwords, forgot password,
+ * and other user handling.
+ *
+ * @package WordPress
+ */
+
+/** Make sure that the WordPress bootstrap has run before continuing. */
+require( dirname(__FILE__) . '/wp-load.php' );
+
+// Redirect to https login if forced to use SSL
+if ( force_ssl_admin() && !is_ssl() ) {
+ if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
+ wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']));
+ exit();
+ } else {
+ wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
+ exit();
+ }
+}
+
+/**
+ * Outputs the header for the login page.
+ *
+ * @uses do_action() Calls the 'login_head' for outputting HTML in the Log In
+ * header.
+ * @uses apply_filters() Calls 'login_headerurl' for the top login link.
+ * @uses apply_filters() Calls 'login_headertitle' for the top login title.
+ * @uses apply_filters() Calls 'login_message' on the message to display in the
+ * header.
+ * @uses $error The error global, which is checked for displaying errors.
+ *
+ * @param string $title Optional. WordPress Log In Page title to display in
+ * <title/> element.
+ * @param string $message Optional. Message to display in header.
+ * @param WP_Error $wp_error Optional. WordPress Error Object
+ */
+function login_header($title = 'Log In', $message = '', $wp_error = '') {
+ global $error, $is_iphone;
+
+ // Don't index any of these forms
+ add_filter( 'pre_option_blog_public', create_function( '$a', 'return 0;' ) );
+ add_action( 'login_head', 'noindex' );
+
+ if ( empty($wp_error) )
+ $wp_error = new WP_Error();
+ ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
+<head>
+ <title><?php bloginfo('name'); ?> › <?php echo $title; ?></title>
+ <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
+ <?php
+ wp_admin_css( 'login', true );
+ wp_admin_css( 'colors-fresh', true );
+
+ if ( $is_iphone ) {
+ ?>
+ <meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" />
+ <style type="text/css" media="screen">
+ form { margin-left: 0px; }
+ #login { margin-top: 20px; }
+ </style>
+ <?php
+ }
+
+ do_action('login_head'); ?>
+</head>
+<body class="login">
+
+<div id="login"><h1><a href="<?php echo apply_filters('login_headerurl', 'http://wordpress.org/'); ?>" title="<?php echo apply_filters('login_headertitle', __('Powered by WordPress')); ?>"><?php bloginfo('name'); ?></a></h1>
+<?php
+ $message = apply_filters('login_message', $message);
+ if ( !empty( $message ) ) echo $message . "\n";
+
+ // Incase a plugin uses $error rather than the $errors object
+ if ( !empty( $error ) ) {
+ $wp_error->add('error', $error);
+ unset($error);
+ }
+
+ if ( $wp_error->get_error_code() ) {
+ $errors = '';
+ $messages = '';
+ foreach ( $wp_error->get_error_codes() as $code ) {
+ $severity = $wp_error->get_error_data($code);
+ foreach ( $wp_error->get_error_messages($code) as $error ) {
+ if ( 'message' == $severity )
+ $messages .= ' ' . $error . "<br />\n";
+ else
+ $errors .= ' ' . $error . "<br />\n";
+ }
+ }
+ if ( !empty($errors) )
+ echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
+ if ( !empty($messages) )
+ echo '<p class="message">' . apply_filters('login_messages', $messages) . "</p>\n";
+ }
+} // End of login_header()
+
+/**
+ * Handles sending password retrieval email to user.
+ *
+ * @uses $wpdb WordPress Database object
+ *
+ * @return bool|WP_Error True: when finish. WP_Error on error
+ */
+function retrieve_password() {
+ global $wpdb;
+
+ $errors = new WP_Error();
+
+ if ( empty( $_POST['user_login'] ) && empty( $_POST['user_email'] ) )
+ $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.'));
+
+ if ( strpos($_POST['user_login'], '@') ) {
+ $user_data = get_user_by_email(trim($_POST['user_login']));
+ if ( empty($user_data) )
+ $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
+ } else {
+ $login = trim($_POST['user_login']);
+ $user_data = get_userdatabylogin($login);
+ }
+
+ do_action('lostpassword_post');
+
+ if ( $errors->get_error_code() )
+ return $errors;
+
+ if ( !$user_data ) {
+ $errors->add('invalidcombo', __('<strong>ERROR</strong>: Invalid username or e-mail.'));
+ return $errors;
+ }
+
+ // redefining user_login ensures we return the right case in the email
+ $user_login = $user_data->user_login;
+ $user_email = $user_data->user_email;
+
+ do_action('retreive_password', $user_login); // Misspelled and deprecated
+ do_action('retrieve_password', $user_login);
+
+ $allow = apply_filters('allow_password_reset', true, $user_data->ID);
+
+ if ( ! $allow )
+ return new WP_Error('no_password_reset', __('Password reset is not allowed for this user'));
+ else if ( is_wp_error($allow) )
+ return $allow;
+
+ $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login));
+ if ( empty($key) ) {
+ // Generate something random for a key...
+ $key = wp_generate_password(20, false);
+ do_action('retrieve_password_key', $user_login, $key);
+ // Now insert the new md5 key into the db
+ $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
+ }
+ $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
+ $message .= get_option('siteurl') . "\r\n\r\n";
+ $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
+ $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n";
+ $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n";
+
+ $title = sprintf(__('[%s] Password Reset'), get_option('blogname'));
+
+ $title = apply_filters('retrieve_password_title', $title);
+ $message = apply_filters('retrieve_password_message', $message, $key);
+
+ if ( $message && !wp_mail($user_email, $title, $message) )
+ die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>');
+
+ return true;
+}
+
+/**
+ * Handles resetting the user's password.
+ *
+ * @uses $wpdb WordPress Database object
+ *
+ * @param string $key Hash to validate sending user's password
+ * @return bool|WP_Error
+ */
+function reset_password($key) {
+ global $wpdb;
+
+ $key = preg_replace('/[^a-z0-9]/i', '', $key);
+
+ if ( empty( $key ) )
+ return new WP_Error('invalid_key', __('Invalid key'));
+
+ $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
+ if ( empty( $user ) )
+ return new WP_Error('invalid_key', __('Invalid key'));
+
+ // Generate something random for a password...
+ $new_pass = wp_generate_password();
+
+ do_action('password_reset', $user, $new_pass);
+
+ wp_set_password($new_pass, $user->ID);
+ update_usermeta($user->ID, 'default_password_nag', true); //Set up the Password change nag.
+ $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
+ $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
+ $message .= site_url('wp-login.php', 'login') . "\r\n";
+
+ $title = sprintf(__('[%s] Your new password'), get_option('blogname'));
+
+ $title = apply_filters('password_reset_title', $title);
+ $message = apply_filters('password_reset_message', $message, $new_pass);