element. * @param string $message Optional. Message to display in header. * @param WP_Error $wp_error Optional. WordPress Error Object */ -function login_header($title = 'Login', $message = '', $wp_error = '') { - global $error; +function login_header($title = 'Log In', $message = '', $wp_error = '') { + global $error, $is_iphone; + + // Don't index any of these forms + add_filter( 'pre_option_blog_public', create_function( '$a', 'return 0;' ) ); + add_action( 'login_head', 'noindex' ); if ( empty($wp_error) ) $wp_error = new WP_Error(); @@ -53,13 +56,25 @@ function login_header($title = 'Login', $message = '', $wp_error = '') { <?php wp_admin_css( 'login', true ); wp_admin_css( 'colors-fresh', true ); + + if ( $is_iphone ) { + ?> + <meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /> + <style type="text/css" media="screen"> + form { margin-left: 0px; } + #login { margin-top: 20px; } + </style> + <?php + } + do_action('login_head'); ?> </head> <body class="login"> <div id="login"><h1><a href="<?php echo apply_filters('login_headerurl', 'http://wordpress.org/'); ?>" title="<?php echo apply_filters('login_headertitle', __('Powered by WordPress')); ?>"><?php bloginfo('name'); ?></a></h1> <?php - if ( !empty( $message ) ) echo apply_filters('login_message', $message) . "\n"; + $message = apply_filters('login_message', $message); + if ( !empty( $message ) ) echo $message . "\n"; // Incase a plugin uses $error rather than the $errors object if ( !empty( $error ) ) { @@ -87,9 +102,7 @@ function login_header($title = 'Login', $message = '', $wp_error = '') { } // End of login_header() /** - * retrieve_password() - Handles sending password retrieval email to user - * - * {@internal Missing Long Description}} + * Handles sending password retrieval email to user. * * @uses $wpdb WordPress Database object * @@ -103,7 +116,7 @@ function retrieve_password() { if ( empty( $_POST['user_login'] ) && empty( $_POST['user_email'] ) ) $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.')); - if ( strstr($_POST['user_login'], '@') ) { + if ( strpos($_POST['user_login'], '@') ) { $user_data = get_user_by_email(trim($_POST['user_login'])); if ( empty($user_data) ) $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.')); @@ -135,14 +148,14 @@ function retrieve_password() { return new WP_Error('no_password_reset', __('Password reset is not allowed for this user')); else if ( is_wp_error($allow) ) return $allow; - + $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login)); if ( empty($key) ) { // Generate something random for a key... $key = wp_generate_password(20, false); do_action('retrieve_password_key', $user_login, $key); // Now insert the new md5 key into the db - $wpdb->query($wpdb->prepare("UPDATE $wpdb->users SET user_activation_key = %s WHERE user_login = %s", $key, $user_login)); + $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login)); } $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n"; $message .= get_option('siteurl') . "\r\n\r\n"; @@ -150,16 +163,19 @@ function retrieve_password() { $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n"; $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n"; - if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) ) + $title = sprintf(__('[%s] Password Reset'), get_option('blogname')); + + $title = apply_filters('retrieve_password_title', $title); + $message = apply_filters('retrieve_password_message', $message, $key); + + if ( $message && !wp_mail($user_email, $title, $message) ) die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); return true; } /** - * reset_password() - Handles resetting the user's password - * - * {@internal Missing Long Description}} + * Handles resetting the user's password. * * @uses $wpdb WordPress Database object * @@ -178,32 +194,32 @@ function reset_password($key) { if ( empty( $user ) ) return new WP_Error('invalid_key', __('Invalid key')); - do_action('password_reset', $user); - // Generate something random for a password... $new_pass = wp_generate_password(); + + do_action('password_reset', $user, $new_pass); + wp_set_password($new_pass, $user->ID); + update_usermeta($user->ID, 'default_password_nag', true); //Set up the Password change nag. $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n"; $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n"; $message .= site_url('wp-login.php', 'login') . "\r\n"; - if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) ) - die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); + $title = sprintf(__('[%s] Your new password'), get_option('blogname')); - // send a copy of password change notification to the admin - // but check to see if it's the admin whose password we're changing, and skip this - if ( $user->user_email != get_option('admin_email') ) { - $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n"; - wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message); - } + $title = apply_filters('password_reset_title', $title); + $message = apply_filters('password_reset_message', $message, $new_pass); + + if ( $message && !wp_mail($user->user_email, $title, $message) ) + die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); + + wp_password_change_notification($user); return true; } /** - * register_new_user() - Handles registering a new user - * - * {@internal Missing Long Description}} + * Handles registering a new user. * * @param string $user_login User's username for logging in * @param string $user_email User's email address to send password and add @@ -256,12 +272,16 @@ function register_new_user($user_login, $user_email) { // Main // -$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ''; +$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login'; $errors = new WP_Error(); if ( isset($_GET['key']) ) $action = 'resetpass'; +// validate action so as to default to the login screen +if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) ) + $action = 'login'; + nocache_headers(); header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset')); @@ -280,11 +300,14 @@ setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN); if ( SITECOOKIEPATH != COOKIEPATH ) setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN); +// allow plugins to override the default actions, and to add extra actions if they want +do_action('login_form_' . $action); + $http_post = ('POST' == $_SERVER['REQUEST_METHOD']); switch ($action) { case 'logout' : - + check_admin_referer('log-out'); wp_logout(); $redirect_to = 'wp-login.php?loggedout=true'; @@ -306,19 +329,22 @@ case 'retrievepassword' : } } - if ( 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.')); + if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.')); do_action('lost_password'); login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors); + + $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; + ?> <form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url('wp-login.php?action=lostpassword', 'login_post') ?>" method="post"> <p> <label><?php _e('Username or E-mail:') ?><br /> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" tabindex="10" /></label> </p> <?php do_action('lostpassword_form'); ?> - <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Get New Password'); ?>" tabindex="100" /></p> + <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Get New Password'); ?>" tabindex="100" /></p> </form> <p id="nav"> @@ -332,7 +358,7 @@ case 'retrievepassword' : </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> try{document.getElementById('user_login').focus();}catch(e){} @@ -382,15 +408,16 @@ case 'register' : <form name="registerform" id="registerform" action="<?php echo site_url('wp-login.php?action=register', 'login_post') ?>" method="post"> <p> <label><?php _e('Username') ?><br /> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> </p> <p> <label><?php _e('E-mail') ?><br /> - <input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label> + <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label> </p> <?php do_action('register_form'); ?> <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p> - <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Register'); ?>" tabindex="100" /></p> + <br class="clear" /> + <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Register'); ?>" tabindex="100" /></p> </form> <p id="nav"> @@ -400,7 +427,7 @@ case 'register' : </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> try{document.getElementById('user_login').focus();}catch(e){} @@ -412,15 +439,30 @@ break; case 'login' : default: - if ( isset( $_REQUEST['redirect_to'] ) ) + $secure_cookie = ''; + + // If the user wants ssl but the session is not ssl, force a secure cookie. + if ( !empty($_POST['log']) && !force_ssl_admin() ) { + $user_name = sanitize_user($_POST['log']); + if ( $user = get_userdatabylogin($user_name) ) { + if ( get_user_option('use_ssl', $user->ID) ) { + $secure_cookie = true; + force_ssl_admin(true); + } + } + } + + if ( isset( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; - else + // Redirect to https if user wants ssl + if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') ) + $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to); + } else { $redirect_to = admin_url(); + } - if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) ) + if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) ) $secure_cookie = false; - else - $secure_cookie = ''; $user = wp_signon('', $secure_cookie); @@ -428,7 +470,7 @@ default: if ( !is_wp_error($user) ) { // If the user can't edit posts, send them to their profile. - if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) + if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) $redirect_to = admin_url('profile.php'); wp_safe_redirect($redirect_to); exit(); @@ -445,35 +487,36 @@ default: // Some parts of this script use the main login form to display a message if ( isset($_GET['loggedout']) && TRUE == $_GET['loggedout'] ) $errors->add('loggedout', __('You are now logged out.'), 'message'); - elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) $errors->add('registerdiabled', __('User registration is currently not allowed.')); + elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) $errors->add('registerdisabled', __('User registration is currently not allowed.')); elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message'); elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) $errors->add('newpass', __('Check your e-mail for your new password.'), 'message'); elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message'); - login_header(__('Login'), '', $errors); + login_header(__('Log In'), '', $errors); + + if ( isset($_POST['log']) ) + $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; ?> -<form name="loginform" id="loginform" action="<?php echo site_url('wp-login.php', 'login_post') ?>" method="post"> <?php if ( !isset($_GET['checkemail']) || !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?> +<form name="loginform" id="loginform" action="<?php echo site_url('wp-login.php', 'login_post') ?>" method="post"> <p> <label><?php _e('Username') ?><br /> - <input type="text" name="log" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> + <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" tabindex="10" /></label> </p> <p> <label><?php _e('Password') ?><br /> <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" tabindex="20" /></label> </p> <?php do_action('login_form'); ?> - <p class="forgetmenot"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php _e('Remember Me'); ?></label></p> + <p class="forgetmenot"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php esc_attr_e('Remember Me'); ?></label></p> <p class="submit"> - <input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Log In'); ?>" tabindex="100" /> - <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" /> + <input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Log In'); ?>" tabindex="100" /> + <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" /> <input type="hidden" name="testcookie" value="1" /> </p> -<?php else : ?> - <p> </p> -<?php endif; ?> </form> +<?php endif; ?> <p id="nav"> <?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?> @@ -487,10 +530,19 @@ default: </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> +<?php if ( $user_login ) { ?> +setTimeout( function(){ try{ +d = document.getElementById('user_pass'); +d.value = ''; +d.focus(); +} catch(e){} +}, 200); +<?php } else { ?> try{document.getElementById('user_login').focus();}catch(e){} +<?php } ?> </script> </body> </html> @@ -498,4 +550,4 @@ try{document.getElementById('user_login').focus();}catch(e){} break; } // end action switch -?> \ No newline at end of file +?>

X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/76aea3697c6043c1613370f172395b4f65ee71f0..refs/tags/wordpress-2.8-scripts:/wp-login.php diff --git a/wp-login.php b/wp-login.php index 265a223f..62898123 100644 --- a/wp-login.php +++ b/wp-login.php @@ -8,7 +8,7 @@ * @package WordPress */ -/** Make sure that the WordPress bootstrap has ran before continuing. */ +/** Make sure that the WordPress bootstrap has run before continuing. */ require( dirname(__FILE__) . '/wp-load.php' ); // Redirect to https login if forced to use SSL @@ -18,15 +18,14 @@ if ( force_ssl_admin() && !is_ssl() ) { exit(); } else { wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); - exit(); + exit(); } } /** - * login_header() - Outputs the header for the login page + * Outputs the header for the login page. * - * @package WordPress - * @uses do_action() Calls the 'login_head' for outputting HTML in the Login + * @uses do_action() Calls the 'login_head' for outputting HTML in the Log In * header. * @uses apply_filters() Calls 'login_headerurl' for the top login link. * @uses apply_filters() Calls 'login_headertitle' for the top login title. @@ -34,13 +33,17 @@ if ( force_ssl_admin() && !is_ssl() ) { * header. * @uses $error The error global, which is checked for displaying errors. * - * @param string $title Optional. WordPress Login Page title to display in + * @param string $title Optional. WordPress Log In Page title to display in * element. * @param string $message Optional. Message to display in header. * @param WP_Error $wp_error Optional. WordPress Error Object */ -function login_header($title = 'Login', $message = '', $wp_error = '') { - global $error; +function login_header($title = 'Log In', $message = '', $wp_error = '') { + global $error, $is_iphone; + + // Don't index any of these forms + add_filter( 'pre_option_blog_public', create_function( '$a', 'return 0;' ) ); + add_action( 'login_head', 'noindex' ); if ( empty($wp_error) ) $wp_error = new WP_Error(); @@ -53,13 +56,25 @@ function login_header($title = 'Login', $message = '', $wp_error = '') { <?php wp_admin_css( 'login', true ); wp_admin_css( 'colors-fresh', true ); + + if ( $is_iphone ) { + ?> + <meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /> + <style type="text/css" media="screen"> + form { margin-left: 0px; } + #login { margin-top: 20px; } + </style> + <?php + } + do_action('login_head'); ?> </head> <body class="login"> <div id="login"><h1><a href="<?php echo apply_filters('login_headerurl', 'http://wordpress.org/'); ?>" title="<?php echo apply_filters('login_headertitle', __('Powered by WordPress')); ?>"><?php bloginfo('name'); ?></a></h1> <?php - if ( !empty( $message ) ) echo apply_filters('login_message', $message) . "\n"; + $message = apply_filters('login_message', $message); + if ( !empty( $message ) ) echo $message . "\n"; // Incase a plugin uses $error rather than the $errors object if ( !empty( $error ) ) { @@ -87,9 +102,7 @@ function login_header($title = 'Login', $message = '', $wp_error = '') { } // End of login_header() /** - * retrieve_password() - Handles sending password retrieval email to user - * - * {@internal Missing Long Description}} + * Handles sending password retrieval email to user. * * @uses $wpdb WordPress Database object * @@ -103,7 +116,7 @@ function retrieve_password() { if ( empty( $_POST['user_login'] ) && empty( $_POST['user_email'] ) ) $errors->add('empty_username', __('<strong>ERROR</strong>: Enter a username or e-mail address.')); - if ( strstr($_POST['user_login'], '@') ) { + if ( strpos($_POST['user_login'], '@') ) { $user_data = get_user_by_email(trim($_POST['user_login'])); if ( empty($user_data) ) $errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.')); @@ -135,14 +148,14 @@ function retrieve_password() { return new WP_Error('no_password_reset', __('Password reset is not allowed for this user')); else if ( is_wp_error($allow) ) return $allow; - + $key = $wpdb->get_var($wpdb->prepare("SELECT user_activation_key FROM $wpdb->users WHERE user_login = %s", $user_login)); if ( empty($key) ) { // Generate something random for a key... $key = wp_generate_password(20, false); do_action('retrieve_password_key', $user_login, $key); // Now insert the new md5 key into the db - $wpdb->query($wpdb->prepare("UPDATE $wpdb->users SET user_activation_key = %s WHERE user_login = %s", $key, $user_login)); + $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login)); } $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n"; $message .= get_option('siteurl') . "\r\n\r\n"; @@ -150,16 +163,19 @@ function retrieve_password() { $message .= __('To reset your password visit the following address, otherwise just ignore this email and nothing will happen.') . "\r\n\r\n"; $message .= site_url("wp-login.php?action=rp&key=$key", 'login') . "\r\n"; - if ( !wp_mail($user_email, sprintf(__('[%s] Password Reset'), get_option('blogname')), $message) ) + $title = sprintf(__('[%s] Password Reset'), get_option('blogname')); + + $title = apply_filters('retrieve_password_title', $title); + $message = apply_filters('retrieve_password_message', $message, $key); + + if ( $message && !wp_mail($user_email, $title, $message) ) die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); return true; } /** - * reset_password() - Handles resetting the user's password - * - * {@internal Missing Long Description}} + * Handles resetting the user's password. * * @uses $wpdb WordPress Database object * @@ -178,32 +194,32 @@ function reset_password($key) { if ( empty( $user ) ) return new WP_Error('invalid_key', __('Invalid key')); - do_action('password_reset', $user); - // Generate something random for a password... $new_pass = wp_generate_password(); + + do_action('password_reset', $user, $new_pass); + wp_set_password($new_pass, $user->ID); + update_usermeta($user->ID, 'default_password_nag', true); //Set up the Password change nag. $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n"; $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n"; $message .= site_url('wp-login.php', 'login') . "\r\n"; - if ( !wp_mail($user->user_email, sprintf(__('[%s] Your new password'), get_option('blogname')), $message) ) - die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); + $title = sprintf(__('[%s] Your new password'), get_option('blogname')); - // send a copy of password change notification to the admin - // but check to see if it's the admin whose password we're changing, and skip this - if ( $user->user_email != get_option('admin_email') ) { - $message = sprintf(__('Password Lost and Changed for user: %s'), $user->user_login) . "\r\n"; - wp_mail(get_option('admin_email'), sprintf(__('[%s] Password Lost/Changed'), get_option('blogname')), $message); - } + $title = apply_filters('password_reset_title', $title); + $message = apply_filters('password_reset_message', $message, $new_pass); + + if ( $message && !wp_mail($user->user_email, $title, $message) ) + die('<p>' . __('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...') . '</p>'); + + wp_password_change_notification($user); return true; } /** - * register_new_user() - Handles registering a new user - * - * {@internal Missing Long Description}} + * Handles registering a new user. * * @param string $user_login User's username for logging in * @param string $user_email User's email address to send password and add @@ -256,12 +272,16 @@ function register_new_user($user_login, $user_email) { // Main // -$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ''; +$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login'; $errors = new WP_Error(); if ( isset($_GET['key']) ) $action = 'resetpass'; +// validate action so as to default to the login screen +if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) ) + $action = 'login'; + nocache_headers(); header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset')); @@ -280,11 +300,14 @@ setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN); if ( SITECOOKIEPATH != COOKIEPATH ) setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN); +// allow plugins to override the default actions, and to add extra actions if they want +do_action('login_form_' . $action); + $http_post = ('POST' == $_SERVER['REQUEST_METHOD']); switch ($action) { case 'logout' : - + check_admin_referer('log-out'); wp_logout(); $redirect_to = 'wp-login.php?loggedout=true'; @@ -306,19 +329,22 @@ case 'retrievepassword' : } } - if ( 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.')); + if ( isset($_GET['error']) && 'invalidkey' == $_GET['error'] ) $errors->add('invalidkey', __('Sorry, that key does not appear to be valid.')); do_action('lost_password'); login_header(__('Lost Password'), '<p class="message">' . __('Please enter your username or e-mail address. You will receive a new password via e-mail.') . '</p>', $errors); + + $user_login = isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''; + ?> <form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url('wp-login.php?action=lostpassword', 'login_post') ?>" method="post"> <p> <label><?php _e('Username or E-mail:') ?><br /> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" tabindex="10" /></label> </p> <?php do_action('lostpassword_form'); ?> - <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Get New Password'); ?>" tabindex="100" /></p> + <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Get New Password'); ?>" tabindex="100" /></p> </form> <p id="nav"> @@ -332,7 +358,7 @@ case 'retrievepassword' : </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> try{document.getElementById('user_login').focus();}catch(e){} @@ -382,15 +408,16 @@ case 'register' : <form name="registerform" id="registerform" action="<?php echo site_url('wp-login.php?action=register', 'login_post') ?>" method="post"> <p> <label><?php _e('Username') ?><br /> - <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> + <input type="text" name="user_login" id="user_login" class="input" value="<?php echo esc_attr(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> </p> <p> <label><?php _e('E-mail') ?><br /> - <input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label> + <input type="text" name="user_email" id="user_email" class="input" value="<?php echo esc_attr(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label> </p> <?php do_action('register_form'); ?> <p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p> - <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Register'); ?>" tabindex="100" /></p> + <br class="clear" /> + <p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Register'); ?>" tabindex="100" /></p> </form> <p id="nav"> @@ -400,7 +427,7 @@ case 'register' : </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> try{document.getElementById('user_login').focus();}catch(e){} @@ -412,15 +439,30 @@ break; case 'login' : default: - if ( isset( $_REQUEST['redirect_to'] ) ) + $secure_cookie = ''; + + // If the user wants ssl but the session is not ssl, force a secure cookie. + if ( !empty($_POST['log']) && !force_ssl_admin() ) { + $user_name = sanitize_user($_POST['log']); + if ( $user = get_userdatabylogin($user_name) ) { + if ( get_user_option('use_ssl', $user->ID) ) { + $secure_cookie = true; + force_ssl_admin(true); + } + } + } + + if ( isset( $_REQUEST['redirect_to'] ) ) { $redirect_to = $_REQUEST['redirect_to']; - else + // Redirect to https if user wants ssl + if ( $secure_cookie && false !== strpos($redirect_to, 'wp-admin') ) + $redirect_to = preg_replace('|^http://|', 'https://', $redirect_to); + } else { $redirect_to = admin_url(); + } - if ( is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) ) + if ( !$secure_cookie && is_ssl() && force_ssl_login() && !force_ssl_admin() && ( 0 !== strpos($redirect_to, 'https') ) && ( 0 === strpos($redirect_to, 'http') ) ) $secure_cookie = false; - else - $secure_cookie = ''; $user = wp_signon('', $secure_cookie); @@ -428,7 +470,7 @@ default: if ( !is_wp_error($user) ) { // If the user can't edit posts, send them to their profile. - if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) + if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' || $redirect_to == admin_url() ) ) $redirect_to = admin_url('profile.php'); wp_safe_redirect($redirect_to); exit(); @@ -445,35 +487,36 @@ default: // Some parts of this script use the main login form to display a message if ( isset($_GET['loggedout']) && TRUE == $_GET['loggedout'] ) $errors->add('loggedout', __('You are now logged out.'), 'message'); - elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) $errors->add('registerdiabled', __('User registration is currently not allowed.')); + elseif ( isset($_GET['registration']) && 'disabled' == $_GET['registration'] ) $errors->add('registerdisabled', __('User registration is currently not allowed.')); elseif ( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] ) $errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message'); elseif ( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] ) $errors->add('newpass', __('Check your e-mail for your new password.'), 'message'); elseif ( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] ) $errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message'); - login_header(__('Login'), '', $errors); + login_header(__('Log In'), '', $errors); + + if ( isset($_POST['log']) ) + $user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? esc_attr(stripslashes($_POST['log'])) : ''; ?> -<form name="loginform" id="loginform" action="<?php echo site_url('wp-login.php', 'login_post') ?>" method="post"> <?php if ( !isset($_GET['checkemail']) || !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?> +<form name="loginform" id="loginform" action="<?php echo site_url('wp-login.php', 'login_post') ?>" method="post"> <p> <label><?php _e('Username') ?><br /> - <input type="text" name="log" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label> + <input type="text" name="log" id="user_login" class="input" value="<?php echo esc_attr($user_login); ?>" size="20" tabindex="10" /></label> </p> <p> <label><?php _e('Password') ?><br /> <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" tabindex="20" /></label> </p> <?php do_action('login_form'); ?> - <p class="forgetmenot"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php _e('Remember Me'); ?></label></p> + <p class="forgetmenot"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php esc_attr_e('Remember Me'); ?></label></p> <p class="submit"> - <input type="submit" name="wp-submit" id="wp-submit" value="<?php _e('Log In'); ?>" tabindex="100" /> - <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" /> + <input type="submit" name="wp-submit" id="wp-submit" value="<?php esc_attr_e('Log In'); ?>" tabindex="100" /> + <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" /> <input type="hidden" name="testcookie" value="1" /> </p> -<?php else : ?> - <p> </p> -<?php endif; ?> </form> +<?php endif; ?> <p id="nav"> <?php if ( isset($_GET['checkemail']) && in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?> @@ -487,10 +530,19 @@ default: </div> -<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('« Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> +<p id="backtoblog"><a href="<?php bloginfo('url'); ?>/" title="<?php _e('Are you lost?') ?>"><?php printf(__('← Back to %s'), get_bloginfo('title', 'display' )); ?></a></p> <script type="text/javascript"> +<?php if ( $user_login ) { ?> +setTimeout( function(){ try{ +d = document.getElementById('user_pass'); +d.value = ''; +d.focus(); +} catch(e){} +}, 200); +<?php } else { ?> try{document.getElementById('user_login').focus();}catch(e){} +<?php } ?> </script> </body> </html> @@ -498,4 +550,4 @@ try{document.getElementById('user_login').focus();}catch(e){} break; } // end action switch -?> \ No newline at end of file +?>