X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/4f9d63e13cd8c6e275797c75b401b074b82937bc..8d3bb1a5dcfdea9857d3c88c3751f09593e34dc8:/wp-login.php diff --git a/wp-login.php b/wp-login.php index c97edd93..01c754f0 100644 --- a/wp-login.php +++ b/wp-login.php @@ -12,86 +12,172 @@ require( dirname(__FILE__) . '/wp-load.php' ); // Redirect to https login if forced to use SSL -if ( force_ssl_admin() && !is_ssl() ) { +if ( force_ssl_admin() && ! is_ssl() ) { if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) { - wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI'])); + wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) ); exit(); } else { - wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); + wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); exit(); } } /** - * Outputs the header for the login page. + * Output the login page header. * - * @uses do_action() Calls the 'login_head' for outputting HTML in the Log In - * header. - * @uses apply_filters() Calls 'login_headerurl' for the top login link. - * @uses apply_filters() Calls 'login_headertitle' for the top login title. - * @uses apply_filters() Calls 'login_message' on the message to display in the - * header. - * @uses $error The error global, which is checked for displaying errors. - * - * @param string $title Optional. WordPress Log In Page title to display in - * element. - * @param string $message Optional. Message to display in header. - * @param WP_Error $wp_error Optional. WordPress Error Object + * @param string $title Optional. WordPress login Page title to display in the `<title>` element. + * Default 'Log In'. + * @param string $message Optional. Message to display in header. Default empty. + * @param WP_Error $wp_error Optional. The error to pass. Default empty. */ -function login_header($title = 'Log In', $message = '', $wp_error = '') { - global $error, $is_iphone, $interim_login, $current_site; +function login_header( $title = 'Log In', $message = '', $wp_error = '' ) { + global $error, $interim_login, $action; // Don't index any of these forms - add_filter( 'pre_option_blog_public', '__return_zero' ); - add_action( 'login_head', 'noindex' ); + add_action( 'login_head', 'wp_no_robots' ); + + if ( wp_is_mobile() ) + add_action( 'login_head', 'wp_login_viewport_meta' ); if ( empty($wp_error) ) $wp_error = new WP_Error(); // Shake it! $shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' ); + /** + * Filters the error codes array for shaking the login form. + * + * @since 3.0.0 + * + * @param array $shake_error_codes Error codes that shake the login form. + */ $shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes ); if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) ) add_action( 'login_head', 'wp_shake_js', 12 ); - ?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>> -<head> - <title><?php bloginfo('name'); ?> › <?php echo $title; ?> + $separator = is_rtl() ? ' › ' : ' ‹ '; + + ?> + + + > + + - - - - - - + get_error_code() ) { + ?> + + - - - -

- -

-site_name; + } else { + $login_header_url = __( 'https://wordpress.org/' ); + $login_header_title = __( 'Powered by WordPress' ); + } - $message = apply_filters('login_message', $message); - if ( !empty( $message ) ) echo $message . "\n"; + /** + * Filters link URL of the header logo above login form. + * + * @since 2.1.0 + * + * @param string $login_header_url Login header logo URL. + */ + $login_header_url = apply_filters( 'login_headerurl', $login_header_url ); + + /** + * Filters the title attribute of the header logo above login form. + * + * @since 2.1.0 + * + * @param string $login_header_title Login header logo title attribute. + */ + $login_header_title = apply_filters( 'login_headertitle', $login_header_title ); + + $classes = array( 'login-action-' . $action, 'wp-core-ui' ); + if ( wp_is_mobile() ) + $classes[] = 'mobile'; + if ( is_rtl() ) + $classes[] = 'rtl'; + if ( $interim_login ) { + $classes[] = 'interim-login'; + ?> + + + + + +
+

+ add('error', $error); unset($error); @@ -101,23 +187,80 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') { $errors = ''; $messages = ''; foreach ( $wp_error->get_error_codes() as $code ) { - $severity = $wp_error->get_error_data($code); - foreach ( $wp_error->get_error_messages($code) as $error ) { + $severity = $wp_error->get_error_data( $code ); + foreach ( $wp_error->get_error_messages( $code ) as $error_message ) { if ( 'message' == $severity ) - $messages .= ' ' . $error . "
\n"; + $messages .= ' ' . $error_message . "
\n"; else - $errors .= ' ' . $error . "
\n"; + $errors .= ' ' . $error_message . "
\n"; } } - if ( !empty($errors) ) - echo '
' . apply_filters('login_errors', $errors) . "
\n"; - if ( !empty($messages) ) - echo '

' . apply_filters('login_messages', $messages) . "

\n"; + if ( ! empty( $errors ) ) { + /** + * Filters the error messages displayed above the login form. + * + * @since 2.1.0 + * + * @param string $errors Login error message. + */ + echo '
' . apply_filters( 'login_errors', $errors ) . "
\n"; + } + if ( ! empty( $messages ) ) { + /** + * Filters instructional messages displayed above the login form. + * + * @since 2.5.0 + * + * @param string $messages Login messages. + */ + echo '

' . apply_filters( 'login_messages', $messages ) . "

\n"; + } } } // End of login_header() + +/** + * Outputs the footer for the login page. + * + * @param string $input_id Which input to auto-focus + */ +function login_footer($input_id = '') { + global $interim_login; + + // Don't allow interim logins to navigate away from the page. + if ( ! $interim_login ): ?> +

+ + +
+ + + + + + +
+ + + - - get_error_code() === 'expired_key' ) + wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=expiredkey' ) ); + else + wp_redirect( site_url( 'wp-login.php?action=lostpassword&error=invalidkey' ) ); + exit; + } + + $errors = new WP_Error(); + + if ( isset($_POST['pass1']) && $_POST['pass1'] != $_POST['pass2'] ) + $errors->add( 'password_reset_mismatch', __( 'The passwords do not match.' ) ); + + /** + * Fires before the password reset procedure is validated. + * + * @since 3.5.0 + * + * @param object $errors WP Error object. + * @param WP_User|WP_Error $user WP_User object if the login and reset key match. WP_Error object otherwise. + */ + do_action( 'validate_password_reset', $errors, $user ); + + if ( ( ! $errors->get_error_code() ) && isset( $_POST['pass1'] ) && !empty( $_POST['pass1'] ) ) { + reset_password($user, $_POST['pass1']); + setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true ); + login_header( __( 'Password Reset' ), '

' . __( 'Your password has been reset.' ) . ' ' . __( 'Log in' ) . '

' ); + login_footer(); + exit; + } + + wp_enqueue_script('utils'); + wp_enqueue_script('user-profile'); + + login_header(__('Reset Password'), '

' . __('Enter your new password below.') . '

', $errors ); + +?> +
+ + +
+

+ +

+ +
+ + + +
+
+
+ +

+
+ +

+ +

+
+ + + +

+
+ + +' . __('Register For This Site') . '

', $errors); ?> - -
+

- +

- +

- -

+ +


-

+

-
- -

- - - - ID) ) { $secure_cookie = true; force_ssl_admin(true); @@ -525,29 +793,59 @@ default: $reauth = empty($_REQUEST['reauth']) ? false : true; - // If the user was redirected to a secure login form from a non-secure admin page, and secure login is required but secure admin is not, then don't use a secure - // cookie and redirect back to the referring non-secure admin page. This allows logins to always be POSTed over SSL while allowing the user to choose visiting - // the admin via http or https. - if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) ) - $secure_cookie = false; + $user = wp_signon( array(), $secure_cookie ); - $user = wp_signon('', $secure_cookie); + if ( empty( $_COOKIE[ LOGGED_IN_COOKIE ] ) ) { + if ( headers_sent() ) { + $user = new WP_Error( 'test_cookie', sprintf( __( 'ERROR: Cookies are blocked due to unexpected output. For help, please see this documentation or try the support forums.' ), + __( 'https://codex.wordpress.org/Cookies' ), __( 'https://wordpress.org/support/' ) ) ); + } elseif ( isset( $_POST['testcookie'] ) && empty( $_COOKIE[ TEST_COOKIE ] ) ) { + // If cookies are disabled we can't log in even with a valid user+pass + $user = new WP_Error( 'test_cookie', sprintf( __( 'ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.' ), + __( 'https://codex.wordpress.org/Cookies' ) ) ); + } + } - $redirect_to = apply_filters('login_redirect', $redirect_to, isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '', $user); + $requested_redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; + /** + * Filters the login redirect URL. + * + * @since 3.0.0 + * + * @param string $redirect_to The redirect destination URL. + * @param string $requested_redirect_to The requested redirect destination URL passed as a parameter. + * @param WP_User|WP_Error $user WP_User object if login was successful, WP_Error object otherwise. + */ + $redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user ); if ( !is_wp_error($user) && !$reauth ) { if ( $interim_login ) { $message = '

' . __('You have logged in successfully.') . '

'; + $interim_login = 'success'; login_header( '', $message ); ?> - -

-

-
+ + + + + + has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) - $redirect_to = admin_url('profile.php'); + + if ( ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) { + // If the user doesn't belong to a blog, send them to user admin. If the user can't edit posts, send them to their profile. + if ( is_multisite() && !get_active_blog_for_user($user->ID) && !is_super_admin( $user->ID ) ) + $redirect_to = user_admin_url(); + elseif ( is_multisite() && !$user->has_cap('read') ) + $redirect_to = get_dashboard_url( $user->ID ); + elseif ( !$user->has_cap('edit_posts') ) + $redirect_to = $user->has_cap( 'read' ) ? admin_url( 'profile.php' ) : home_url(); + + wp_redirect( $redirect_to ); + exit(); + } wp_safe_redirect($redirect_to); exit(); } @@ -557,23 +855,34 @@ default: if ( !empty($_GET['loggedout']) || $reauth ) $errors = new WP_Error(); - // If cookies are disabled we can't log in even with a valid user+pass - if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) ) - $errors->add('test_cookie', __("ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.")); - - // Some parts of this script use the main login form to display a message - if ( isset($_GET['loggedout']) && TRUE == $_GET['loggedout'] ) - $errors->add('loggedout', __('You are now logged out.'), 'message'); - elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) - $errors->add('registerdisabled', __('User registration is currently not allowed.')); - elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) - $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message'); - elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) - $errors->add('newpass', __('Check your e-mail for your new password.'), 'message'); - elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) - $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message'); - elseif ( $interim_login ) - $errors->add('expired', __('Your session has expired. Please log-in again.'), 'message'); + if ( $interim_login ) { + if ( ! $errors->get_error_code() ) + $errors->add( 'expired', __( 'Your session has expired. Please log in to continue where you left off.' ), 'message' ); + } else { + // Some parts of this script use the main login form to display a message + if ( isset($_GET['loggedout']) && true == $_GET['loggedout'] ) + $errors->add('loggedout', __('You are now logged out.'), 'message'); + elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) + $errors->add('registerdisabled', __('User registration is currently not allowed.')); + elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) + $errors->add('confirm', __('Check your email for the confirmation link.'), 'message'); + elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) + $errors->add('newpass', __('Check your email for your new password.'), 'message'); + elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) + $errors->add('registered', __('Registration complete. Please check your email.'), 'message'); + elseif ( strpos( $redirect_to, 'about.php?updated' ) ) + $errors->add('updated', __( 'You have successfully updated WordPress! Please log back in to see what’s new.' ), 'message' ); + } + + /** + * Filters the login page errors. + * + * @since 3.6.0 + * + * @param object $errors WP Error object. + * @param string $redirect_to Redirect destination URL. + */ + $errors = apply_filters( 'wp_login_errors', $errors, $redirect_to ); // Clear any stale cookies. if ( $reauth ) @@ -582,58 +891,79 @@ default: login_header(__('Log In'), '', $errors); if ( isset($_POST['log']) ) - $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; + $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(wp_unslash($_POST['log'])) : ''; $rememberme = ! empty( $_POST['rememberme'] ); + + if ( ! empty( $errors->errors ) ) { + $aria_describedby_error = ' aria-describedby="login_error"'; + } else { + $aria_describedby_error = ''; + } ?> -
+

- +

- +

- -

+ +

- + + + +

- + - -

- - - - -