X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/98a4d31e52bd56c908617df281730bd4ba58d110..58f607a1de715c9bca69340a4d6fb9e1b9c2bed2:/wp-admin/includes/user.php diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php index 8c6bf2b7..b31c38bd 100644 --- a/wp-admin/includes/user.php +++ b/wp-admin/includes/user.php @@ -10,7 +10,7 @@ * Creates a new user from the "Users" form using $_POST information. * * It seems that the first half is for backwards compatibility, but only - * has the ability to alter the user's role. Wordpress core seems to + * has the ability to alter the user's role. WordPress core seems to * use this function only in the second way, running edit_user() with * no id so as to create a new user. * @@ -21,19 +21,20 @@ */ function add_user() { if ( func_num_args() ) { // The hackiest hack that ever did hack - global $current_user, $wp_roles; + global $wp_roles; $user_id = (int) func_get_arg( 0 ); if ( isset( $_POST['role'] ) ) { + $new_role = sanitize_text_field( $_POST['role'] ); // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. - if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) { + if ( $user_id != get_current_user_id() || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' ) ) { // If the new role isn't editable by the logged-in user die with error $editable_roles = get_editable_roles(); - if (!$editable_roles[$_POST['role']]) + if ( empty( $editable_roles[$new_role] ) ) wp_die(__('You can’t give users that role.')); $user = new WP_User( $user_id ); - $user->set_role( $_POST['role'] ); + $user->set_role( $new_role ); } } } else { @@ -53,7 +54,7 @@ function add_user() { * @return int user id of the updated user */ function edit_user( $user_id = 0 ) { - global $current_user, $wp_roles, $wpdb; + global $wp_roles, $wpdb; if ( $user_id != 0 ) { $update = true; $user->ID = (int) $user_id; @@ -64,8 +65,8 @@ function edit_user( $user_id = 0 ) { $user = ''; } - if ( isset( $_POST['user_login'] )) - $user->user_login = esc_html( trim( $_POST['user_login'] )); + if ( !$update && isset( $_POST['user_login'] ) ) + $user->user_login = sanitize_user($_POST['user_login'], true); $pass1 = $pass2 = ''; if ( isset( $_POST['pass1'] )) @@ -74,63 +75,57 @@ function edit_user( $user_id = 0 ) { $pass2 = $_POST['pass2']; if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { - + $new_role = sanitize_text_field( $_POST['role'] ); + $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false; // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. - if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' )) - $user->role = $_POST['role']; + // Multisite super admins can freely edit their blog roles -- they possess all caps. + if ( ( is_multisite() && current_user_can( 'manage_sites' ) ) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap( 'edit_users' ) ) ) + $user->role = $new_role; // If the new role isn't editable by the logged-in user die with error $editable_roles = get_editable_roles(); - if (!$editable_roles[$_POST['role']]) + if ( ! empty( $new_role ) && empty( $editable_roles[$new_role] ) ) wp_die(__('You can’t give users that role.')); } if ( isset( $_POST['email'] )) - $user->user_email = esc_html( trim( $_POST['email'] )); + $user->user_email = sanitize_text_field( $_POST['email'] ); if ( isset( $_POST['url'] ) ) { if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { $user->user_url = ''; } else { - $user->user_url = esc_url( trim( $_POST['url'] )); + $user->user_url = esc_url_raw( $_POST['url'] ); $user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url; } } - if ( isset( $_POST['first_name'] )) - $user->first_name = esc_html( trim( $_POST['first_name'] )); - if ( isset( $_POST['last_name'] )) - $user->last_name = esc_html( trim( $_POST['last_name'] )); - if ( isset( $_POST['nickname'] )) - $user->nickname = esc_html( trim( $_POST['nickname'] )); - if ( isset( $_POST['display_name'] )) - $user->display_name = esc_html( trim( $_POST['display_name'] )); - if ( isset( $_POST['description'] )) + if ( isset( $_POST['first_name'] ) ) + $user->first_name = sanitize_text_field( $_POST['first_name'] ); + if ( isset( $_POST['last_name'] ) ) + $user->last_name = sanitize_text_field( $_POST['last_name'] ); + if ( isset( $_POST['nickname'] ) ) + $user->nickname = sanitize_text_field( $_POST['nickname'] ); + if ( isset( $_POST['display_name'] ) ) + $user->display_name = sanitize_text_field( $_POST['display_name'] ); + + if ( isset( $_POST['description'] ) ) $user->description = trim( $_POST['description'] ); - if ( isset( $_POST['jabber'] )) - $user->jabber = esc_html( trim( $_POST['jabber'] )); - if ( isset( $_POST['aim'] )) - $user->aim = esc_html( trim( $_POST['aim'] )); - if ( isset( $_POST['yim'] )) - $user->yim = esc_html( trim( $_POST['yim'] )); - if ( !$update ) - $user->rich_editing = 'true'; // Default to true for new users. - else if ( isset( $_POST['rich_editing'] ) ) - $user->rich_editing = $_POST['rich_editing']; - else - $user->rich_editing = 'true'; - $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] )? $_POST['comment_shortcuts'] : ''; + foreach ( _wp_get_user_contactmethods() as $method => $name ) { + if ( isset( $_POST[$method] )) + $user->$method = sanitize_text_field( $_POST[$method] ); + } + + if ( $update ) { + $user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true'; + $user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh'; + } + + $user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : ''; $user->use_ssl = 0; if ( !empty($_POST['use_ssl']) ) $user->use_ssl = 1; - if ( !$update ) - $user->admin_color = 'fresh'; // Default to fresh for new users. - else if ( isset( $_POST['admin_color'] ) ) - $user->admin_color = $_POST['admin_color']; - else - $user->admin_color = 'fresh'; - $errors = new WP_Error(); /* checking that username has been typed */ @@ -160,34 +155,34 @@ function edit_user( $user_id = 0 ) { if ( $pass1 != $pass2 ) $errors->add( 'pass', __( 'ERROR: Please enter the same password in the two password fields.' ), array( 'form-field' => 'pass1' ) ); - if (!empty ( $pass1 )) + if ( !empty( $pass1 ) ) $user->user_pass = $pass1; - if ( !$update && !validate_username( $user->user_login ) ) - $errors->add( 'user_login', __( 'ERROR: This username is invalid. Please enter a valid username.' )); + if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) ) + $errors->add( 'user_login', __( 'ERROR: This username is invalid because it uses illegal characters. Please enter a valid username.' )); - if (!$update && username_exists( $user->user_login )) + if ( !$update && username_exists( $user->user_login ) ) $errors->add( 'user_login', __( 'ERROR: This username is already registered. Please choose another one.' )); /* checking e-mail address */ - if ( empty ( $user->user_email ) ) { + if ( empty( $user->user_email ) ) { $errors->add( 'empty_email', __( 'ERROR: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) ); - } elseif (!is_email( $user->user_email ) ) { + } elseif ( !is_email( $user->user_email ) ) { $errors->add( 'invalid_email', __( 'ERROR: The e-mail address isn’t correct.' ), array( 'form-field' => 'email' ) ); } elseif ( ( $owner_id = email_exists($user->user_email) ) && $owner_id != $user->ID ) { $errors->add( 'email_exists', __('ERROR: This email is already registered, please choose another one.'), array( 'form-field' => 'email' ) ); } - // Allow plugins to return there own errors. + // Allow plugins to return their own errors. do_action_ref_array('user_profile_update_errors', array ( &$errors, $update, &$user ) ); if ( $errors->get_error_codes() ) return $errors; if ( $update ) { - $user_id = wp_update_user( get_object_vars( $user )); + $user_id = wp_update_user( get_object_vars( $user ) ); } else { - $user_id = wp_insert_user( get_object_vars( $user )); + $user_id = wp_insert_user( get_object_vars( $user ) ); wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' ); } return $user_id; @@ -204,7 +199,11 @@ function edit_user( $user_id = 0 ) { */ function get_author_user_ids() { global $wpdb; - $level_key = $wpdb->prefix . 'user_level'; + if ( !is_multisite() ) + $level_key = $wpdb->get_blog_prefix() . 'user_level'; + else + $level_key = $wpdb->get_blog_prefix() . 'capabilities'; // wpmu site admins don't have user_levels + return $wpdb->get_col( $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s AND meta_value != '0'", $level_key) ); } @@ -223,7 +222,7 @@ function get_editable_authors( $user_id ) { $editable = get_editable_user_ids( $user_id ); - if( !$editable ) { + if ( !$editable ) { return false; } else { $editable = join(',', $editable); @@ -248,15 +247,19 @@ function get_editable_user_ids( $user_id, $exclude_zeros = true, $post_type = 'p global $wpdb; $user = new WP_User( $user_id ); + $post_type_obj = get_post_type_object($post_type); - if ( ! $user->has_cap("edit_others_{$post_type}s") ) { - if ( $user->has_cap("edit_{$post_type}s") || $exclude_zeros == false ) + if ( ! $user->has_cap($post_type_obj->cap->edit_others_posts) ) { + if ( $user->has_cap($post_type_obj->cap->edit_posts) || ! $exclude_zeros ) return array($user->id); else return array(); } - $level_key = $wpdb->prefix . 'user_level'; + if ( !is_multisite() ) + $level_key = $wpdb->get_blog_prefix() . 'user_level'; + else + $level_key = $wpdb->get_blog_prefix() . 'capabilities'; // wpmu site admins don't have user_levels $query = $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s", $level_key); if ( $exclude_zeros ) @@ -301,7 +304,11 @@ function get_editable_roles() { */ function get_nonauthor_user_ids() { global $wpdb; - $level_key = $wpdb->prefix . 'user_level'; + + if ( !is_multisite() ) + $level_key = $wpdb->get_blog_prefix() . 'user_level'; + else + $level_key = $wpdb->get_blog_prefix() . 'capabilities'; // wpmu site admins don't have user_levels return $wpdb->get_col( $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s AND meta_value = '0'", $level_key) ); } @@ -327,7 +334,7 @@ function get_others_unpublished_posts($user_id, $type='any') { $dir = ( 'pending' == $type ) ? 'ASC' : 'DESC'; - if( !$editable ) { + if ( !$editable ) { $other_unpubs = ''; } else { $editable = join(',', $editable); @@ -371,17 +378,17 @@ function get_others_pending($user_id) { */ function get_user_to_edit( $user_id ) { $user = new WP_User( $user_id ); - $user->user_login = esc_attr($user->user_login); - $user->user_email = esc_attr($user->user_email); - $user->user_url = esc_url($user->user_url); - $user->first_name = esc_attr($user->first_name); - $user->last_name = esc_attr($user->last_name); - $user->display_name = esc_attr($user->display_name); - $user->nickname = esc_attr($user->nickname); - $user->aim = isset( $user->aim ) && !empty( $user->aim ) ? esc_attr($user->aim) : ''; - $user->yim = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : ''; - $user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : ''; - $user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : ''; + + $user_contactmethods = _wp_get_user_contactmethods(); + foreach ($user_contactmethods as $method => $name) { + if ( empty( $user->{$method} ) ) + $user->{$method} = ''; + } + + if ( empty($user->description) ) + $user->description = ''; + + $user = sanitize_user_object($user, 'edit'); return $user; } @@ -415,20 +422,19 @@ function get_users_drafts( $user_id ) { * @param int $reassign Optional. Reassign posts and links to new User ID. * @return bool True when finished. */ -function wp_delete_user($id, $reassign = 'novalue') { +function wp_delete_user( $id, $reassign = 'novalue' ) { global $wpdb; $id = (int) $id; - $user = new WP_User($id); // allow for transaction statement do_action('delete_user', $id); - if ($reassign == 'novalue') { + if ( 'novalue' === $reassign || null === $reassign ) { $post_ids = $wpdb->get_col( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_author = %d", $id) ); - if ($post_ids) { - foreach ($post_ids as $post_id) + if ( $post_ids ) { + foreach ( $post_ids as $post_id ) wp_delete_post($post_id); } @@ -439,22 +445,22 @@ function wp_delete_user($id, $reassign = 'novalue') { foreach ( $link_ids as $link_id ) wp_delete_link($link_id); } - } else { $reassign = (int) $reassign; - $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) ); - $wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d", $reassign, $id) ); + $wpdb->update( $wpdb->posts, array('post_author' => $reassign), array('post_author' => $id) ); + $wpdb->update( $wpdb->links, array('link_owner' => $reassign), array('link_owner' => $id) ); } - // FINALLY, delete user - - $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) ); - $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) ); + clean_user_cache($id); - wp_cache_delete($id, 'users'); - wp_cache_delete($user->user_login, 'userlogins'); - wp_cache_delete($user->user_email, 'useremail'); - wp_cache_delete($user->user_nicename, 'userslugs'); + // FINALLY, delete user + if ( !is_multisite() ) { + $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) ); + $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) ); + } else { + $level_key = $wpdb->get_blog_prefix() . 'capabilities'; // wpmu site admins don't have user_levels + $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id = $id AND meta_key = '{$level_key}'"); + } // allow for commit transaction do_action('deleted_user', $id); @@ -481,7 +487,6 @@ if ( !class_exists('WP_User_Search') ) : * WordPress User Search class. * * @since unknown - * @author Mark Jaquith */ class WP_User_Search { @@ -562,27 +567,36 @@ class WP_User_Search { * * @since unknown * @access private - * @var unknown_type + * @var string */ var $query_limit; /** * {@internal Missing Description}} * - * @since unknown + * @since 3.0.0 * @access private - * @var unknown_type + * @var string */ - var $query_sort; + var $query_orderby; /** * {@internal Missing Description}} * - * @since unknown + * @since 3.0.0 * @access private - * @var unknown_type + * @var string + */ + var $query_from; + + /** + * {@internal Missing Description}} + * + * @since 3.0.0 + * @access private + * @var string */ - var $query_from_where; + var $query_where; /** * {@internal Missing Description}} @@ -653,8 +667,10 @@ class WP_User_Search { function prepare_query() { global $wpdb; $this->first_user = ($this->page - 1) * $this->users_per_page; + $this->query_limit = $wpdb->prepare(" LIMIT %d, %d", $this->first_user, $this->users_per_page); - $this->query_sort = ' ORDER BY user_login'; + $this->query_orderby = ' ORDER BY user_login'; + $search_sql = ''; if ( $this->search_term ) { $searches = array(); @@ -665,13 +681,19 @@ class WP_User_Search { $search_sql .= ')'; } - $this->query_from_where = "FROM $wpdb->users"; - if ( $this->role ) - $this->query_from_where .= $wpdb->prepare(" INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id WHERE $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%'); - else - $this->query_from_where .= " WHERE 1=1"; - $this->query_from_where .= " $search_sql"; + $this->query_from = " FROM $wpdb->users"; + $this->query_where = " WHERE 1=1 $search_sql"; + if ( $this->role ) { + $this->query_from .= " INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id"; + $this->query_where .= $wpdb->prepare(" AND $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%'); + } elseif ( is_multisite() ) { + $level_key = $wpdb->prefix . 'capabilities'; // wpmu site admins don't have user_levels + $this->query_from .= ", $wpdb->usermeta"; + $this->query_where .= " AND $wpdb->users.ID = $wpdb->usermeta.user_id AND meta_key = '{$level_key}'"; + } + + do_action_ref_array( 'pre_user_search', array( &$this ) ); } /** @@ -684,10 +706,11 @@ class WP_User_Search { */ function query() { global $wpdb; - $this->results = $wpdb->get_col('SELECT ID ' . $this->query_from_where . $this->query_sort . $this->query_limit); + + $this->results = $wpdb->get_col("SELECT DISTINCT($wpdb->users.ID)" . $this->query_from . $this->query_where . $this->query_orderby . $this->query_limit); if ( $this->results ) - $this->total_users_for_query = $wpdb->get_var('SELECT COUNT(ID) ' . $this->query_from_where); // no limit + $this->total_users_for_query = $wpdb->get_var("SELECT COUNT(DISTINCT($wpdb->users.ID))" . $this->query_from . $this->query_where); // no limit else $this->search_errors = new WP_Error('no_matching_users_found', __('No matching users were found!')); } @@ -799,39 +822,41 @@ endif; add_action('admin_init', 'default_password_nag_handler'); function default_password_nag_handler($errors = false) { global $user_ID; - if ( ! get_usermeta($user_ID, 'default_password_nag') ) //Short circuit it. + if ( ! get_user_option('default_password_nag') ) //Short circuit it. return; //get_user_setting = JS saved UI setting. else no-js-falback code. if ( 'hide' == get_user_setting('default_password_nag') || isset($_GET['default_password_nag']) && '0' == $_GET['default_password_nag'] ) { delete_user_setting('default_password_nag'); - update_usermeta($user_ID, 'default_password_nag', false); + update_user_option($user_ID, 'default_password_nag', false, true); } } add_action('profile_update', 'default_password_nag_edit_user', 10, 2); function default_password_nag_edit_user($user_ID, $old_data) { - global $user_ID; - if ( ! get_usermeta($user_ID, 'default_password_nag') ) //Short circuit it. + if ( ! get_user_option('default_password_nag', $user_ID) ) //Short circuit it. return; $new_data = get_userdata($user_ID); if ( $new_data->user_pass != $old_data->user_pass ) { //Remove the nag if the password has been changed. - delete_user_setting('default_password_nag'); - update_usermeta($user_ID, 'default_password_nag', false); + delete_user_setting('default_password_nag', $user_ID); + update_user_option($user_ID, 'default_password_nag', false, true); } } add_action('admin_notices', 'default_password_nag'); function default_password_nag() { - global $user_ID; - if ( ! get_usermeta($user_ID, 'default_password_nag') ) + if ( ! get_user_option('default_password_nag') ) //Short circuit it. return; - echo '

'; - printf(__("Notice: you're using the auto-generated password for your account. Would you like to change it to something you'll remember easier?
- Yes, Take me to my profile page | No Thanks, Do not remind me again."), admin_url('profile.php') . '#password', '?default_password_nag=0'); + echo '

'; + echo '

'; + echo '' . __('Notice:') . ' '; + _e('You’re using the auto-generated password for your account. Would you like to change it to something you’ll remember easier?'); + echo '

'; + printf( '' . __('Yes, take me to my profile page') . ' | ', admin_url('profile.php') . '#password' ); + printf( '' . __('No thanks, do not remind me again') . '', '?default_password_nag=0' ); echo '

'; }