<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[43069] branches/4.9/src/wp-login.php: Add a method to confirm user requests by email.</title>
</head>
<body>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/43069">43069</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/43069","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>SergeyBiryukov</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2018-05-01 23:33:17 +0000 (Tue, 01 May 2018)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Add a method to confirm user requests by email. First run.
Props mikejolley.
Merges <a href="https://core.trac.wordpress.org/changeset/42791">[42791]</a> to the 4.9 branch.
See <a href="https://core.trac.wordpress.org/ticket/43443">#43443</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches49srcwpincludesuserphp">branches/4.9/src/wp-includes/user.php</a></li>
<li><a href="#branches49srcwploginphp">branches/4.9/src/wp-login.php</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branches49">branches/4.9/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/4.9
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/4.9 2018-05-01 22:30:29 UTC (rev 43068)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/4.9 2018-05-01 23:33:17 UTC (rev 43069)
</ins><a id="branches49"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/4.9</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/3.1:18031
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/3.3:20543
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/3.4:21757
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:18512,42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42251,42256-42261,42350,42358,42362,42364-42368,42374,42388,42390,42401,42417,42421,42423-42425,42430,42433,42437,42441,42443,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42648,42652-42653,42665,42687,42711,42713,42719,42722,42739-42740,42744,42758,42792,42801,42817-42818,42830,42837,42839,42841,42844,42851-42852,42860,42864,42881,42892-42894,42930,42998,43001,43004,43007,43025,43027,43030,43032,43034,43036,43039
,43056,43062-43063,43065
</del><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:18512,42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42251,42256-42261,42350,42358,42362,42364-42368,42374,42388,42390,42401,42417,42421,42423-42425,42430,42433,42437,42441,42443,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42648,42652-42653,42665,42687,42711,42713,42719,42722,42739-42740,42744,42758,42791-42792,42801,42817-42818,42830,42837,42839,42841,42844,42851-42852,42860,42864,42881,42892-42894,42930,42998,43001,43004,43007,43025,43027,43030,43032,43034,43036
,43039,43056,43062-43063,43065
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches49srcwpincludesuserphp"></a>
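--- a/branches/4.9/src/wp-includes/user.php
+++ b/branches/4.9/src/wp-includes/user.php
@@ -2731,3 +2731,258 @@
 echo '<div class="notice notice-info"><p>' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '<code>' . esc_html( $email['newemail'] ) . '</code>' ) . '</p></div>';
 }
 }
+
+/**
+ * Send a confirmation request email to confirm an action.
+ *
+ * @since 5.0.0
+ *
+ * @param string $action_name Name of the action that is being confirmed.
+ * @param string $action_description User facing description of the action they will be confirming.
+ * @param string $email User email address. This can be the address of a registered or non-registered user. Defaults to logged in user email address.
+ *
+ * @return WP_ERROR|bool Will return true/false based on the success of sending the email, or a WP_Error object.
+ */
+function send_confirm_account_action_email( $action_name, $action_description = '', $email = '' ) {
+ $action_name = sanitize_key( $action_name );
+ $action_description = wp_kses_post( $action_description );
+
+ if ( empty( $action_name ) ) {
+ return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
+ }
+
+ if ( empty( $email ) ) {
+ $user = wp_get_current_user();
+ $email = $user->ID ? $user->user_email : '';
+ } else {
+ $user = false;
+ }
+
+ $email = sanitize_email( $email );
+
+ if ( ! is_email( $email ) ) {
+ return new WP_Error( 'invalid_email', __( 'Invalid email address' ) );
+ }
+
+ if ( ! $user ) {
+ $user = get_user_by( 'email', $email );
+ }
+
+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = $user && ! is_wp_error( $user );
+ $uid = $is_registered_user ? $user->ID : hash( 'sha256', $email );
+ $confirm_key = get_confirm_account_action_key( $action_name, $email );
+
+ if ( is_wp_error( $confirm_key ) ) {
+ return $confirm_key;
+ }
+
+ // Prepare the email content.
+ if ( ! $action_description ) {
+ $action_description = $action_name;
+ }
+
+ /* translators: Do not translate DESCRIPTION, CONFIRM_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
+ $email_text = __(
+ 'Howdy,
+
+An account linked to your email address has requested to perform
+the following action:
+
+ ###DESCRIPTION###
+
+To confirm this action, please click on the following link:
+###CONFIRM_URL###
+
+You can safely ignore and delete this email if you do not want to
+take this action.
+
+This email has been sent to ###EMAIL###.
+
+Regards,
+All at ###SITENAME###
+###SITEURL###'
+ );
+
+ $email_data = array(
+ 'action_name' => $action_name,
+ 'email' => $email,
+ 'description' => $action_description,
+ 'confirm_url' => add_query_arg( array(
+ 'action' => 'emailconfirm',
+ 'confirm_action' => $action_name,
+ 'uid' => $uid,
+ 'confirm_key' => $confirm_key,
+ ), site_url( 'wp-login.php' ) ),
+ 'sitename' => is_multisite() ? get_site_option( 'site_name' ) : get_option( 'blogname' ),
+ 'siteurl' => network_home_url(),
+ );
+
+ /**
+ * Filters the text of the email sent when an account action is attempted.
+ *
+ * The following strings have a special meaning and will get replaced dynamically:
+ * ###USERNAME### The user's username, if the user has an account. Prefixed with single space. Otherwise left blank.
+ * ###DESCRIPTION### Description of the action being performed so the user knows what the email is for.
+ * ###CONFIRM_URL### The link to click on to confirm the account action.
+ * ###EMAIL### The email we are sending to.
+ * ###SITENAME### The name of the site.
+ * ###SITEURL### The URL to the site.
+ *
+ * @param string $email_text Text in the email.
+ * @param array $email_data {
+ * Data relating to the account action email.
+ *
+ * @type string $action_name Name of the action being performed.
+ * @type string $email The email address this is being sent to.
+ * @type string $description Description of the action being performed so the user knows what the email is for.
+ * @type string $confirm_url The link to click on to confirm the account action.
+ * @type string $sitename The site name sending the mail.
+ * @type string $siteurl The site URL sending the mail.
+ * }
+ */
+ $content = apply_filters( 'confirm_account_action_email_content', $email_text, $email_data );
+
+ $content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
+ $content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
+ $content = str_replace( '###EMAIL###', $email_data['email'], $content );
+ $content = str_replace( '###SITENAME###', wp_specialchars_decode( $email_data['sitename'], ENT_QUOTES ), $content );
+ $content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+
+ /* translators: %s Site name. */
+ return wp_mail( $email_data['email'], sprintf( __( '[%s] Confirm Account Action' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
+}
+
+/**
+ * Creates, stores, then returns a confirmation key for an account action.
+ *
+ * @since 5.0.0
+ *
+ * @param string $action_name Name of the action this key is being generated for.
+ * @param string $email User email address. This can be the address of a registered or non-registered user.
+ *
+ * @return string|WP_Error Confirmation key on success. WP_Error on error.
+ */
+function get_confirm_account_action_key( $action_name, $email ) {
+ global $wp_hasher;
+
+ if ( ! is_email( $email ) ) {
+ return new WP_Error( 'invalid_email', __( 'Invalid email address' ) );
+ }
+
+ if ( empty( $action_name ) ) {
+ return new WP_Error( 'invalid_action', __( 'Invalid action' ) );
+ }
+
+ $user = get_user_by( 'email', $email );
+
+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = $user && ! is_wp_error( $user );
+
+ // Generate something random for a confirmation key.
+ $key = wp_generate_password( 20, false );
+
+ // Now insert the key, hashed, into the DB.
+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
+
+ $hashed_key = $wp_hasher->HashPassword( $key );
+
+ if ( $is_registered_user ) {
+ $key_saved = (bool) update_user_meta( $user->ID, '_account_action_' . $action_name, implode( ':', array( time(), $hashed_key ) ) );
+ } else {
+ $key_saved = (bool) update_site_option( '_account_action_' . hash( 'sha256', $email ) . '_' . $action_name, implode( ':', array( time(), $hashed_key, $email ) ) );
+ }
+
+ if ( false === $key_saved ) {
+ return new WP_Error( 'no_confirm_account_action_key_update', __( 'Could not save confirm account action key to database.' ) );
+ }
+
+ return $key;
+}
+
+/**
+ * Checks if a key is valid and handles the action based on this.
+ *
+ * @since 5.0.0
+ *
+ * @param string $action_name Name of the action this key is being generated for.
+ * @param string $key Key to confirm.
+ * @param string $uid Email hash or user ID.
+ *
+ * @return array|WP_Error WP_Error on failure, action name and user email address on success.
+ */
+function check_confirm_account_action_key( $action_name, $key, $uid ) {
+ global $wp_hasher;
+
+ if ( ! empty( $action_name ) && ! empty( $key ) && ! empty( $uid ) ) {
+ $user = false;
+
+ if ( is_numeric( $uid ) ) {
+ $user = get_user_by( 'id', absint( $uid ) );
+ }
+
+ // We could be dealing with a registered user account, or a visitor.
+ $is_registered_user = $user && ! is_wp_error( $user );
+ $key_request_time = '';
+ $saved_key = '';
+ $email = '';
+
+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
+
+ // Get the saved key from the database.
+ if ( $is_registered_user ) {
+ $confirm_action_data = get_user_meta( $user->ID, '_account_action_' . $action_name, true );
+ $email = $user->user_email;
+
+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key ) = explode( ':', $confirm_action_data, 2 );
+ }
+ } else {
+ $confirm_action_data = get_site_option( '_account_action_' . $uid . '_' . $action_name, '' );
+
+ if ( false !== strpos( $confirm_action_data, ':' ) ) {
+ list( $key_request_time, $saved_key, $email ) = explode( ':', $confirm_action_data, 3 );
+ }
+ }
+
+ if ( ! $saved_key ) {
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
+
+ /**
+ * Filters the expiration time of confirm keys.
+ *
+ * @param int $expiration The expiration time in seconds.
+ */
+ $expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS );
+ $expiration_time = $key_request_time + $expiration_duration;
+
+ if ( $wp_hasher->CheckPassword( $key, $saved_key ) ) {
+ if ( $expiration_time && time() < $expiration_time ) {
+ $return = array(
+ 'action' => $action_name,
+ 'email' => $email,
+ );
+ } else {
+ $return = new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
+ }
+
+ // Clean up stored keys.
+ if ( $is_registered_user ) {
+ delete_user_meta( $user->ID, '_account_action_' . $action_name );
+ } else {
+ delete_site_option( '_account_action_' . $uid . '_' . $action_name );
+ }
+
+ return $return;
+ }
+ }
+
+ return new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+}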
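Review bot: In `check_confirm_account_action_key()` the stored entry is deleted only inside the `CheckPassword()` success branch, so a request that is never confirmed, or is looked up with a wrong key after it has expired, stays in the database. For unregistered addresses that entry is a site option whose value carries the plaintext address (`implode( ':', array( time(), $hashed_key, $email ) )` in `get_confirm_account_action_key()`), and nothing visible in this commit purges it. Evaluating expiry independently of the key match, as sketched below, lets any lookup clear an expired entry; entries that are never looked up would still need a scheduled cleanup. Separately, the `confirm_account_action_email_content` docblock lists `###USERNAME###`, but no `str_replace()` call substitutes it, so a filtered template that uses it would go out with the literal token.

```php
// … unchanged: argument checks, user lookup, reading $key_request_time / $saved_key / $email …
		$expiration_duration = apply_filters( 'account_action_expiration', DAY_IN_SECONDS );
		$expiration_time     = $key_request_time + $expiration_duration;
		$is_expired          = ! $expiration_time || time() >= $expiration_time;
		$key_matches         = $wp_hasher->CheckPassword( $key, $saved_key );

		// Drop the stored entry once it has been used or has expired,
		// whether or not the presented key matched.
		if ( $key_matches || $is_expired ) {
			if ( $is_registered_user ) {
				delete_user_meta( $user->ID, '_account_action_' . $action_name );
			} else {
				delete_site_option( '_account_action_' . $uid . '_' . $action_name );
			}
		}

		if ( $key_matches ) {
			if ( $is_expired ) {
				return new WP_Error( 'expired_key', __( 'The confirmation email has expired.' ) );
			}

			return array(
				'action' => $action_name,
				'email'  => $email,
			);
		}
// … unchanged: closing of the outer if and the final invalid_key return …
```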
<a id="branches49srcwploginphp"></a>
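--- a/branches/4.9/src/wp-login.php
+++ b/branches/4.9/src/wp-login.php
@@ -413,7 +413,7 @@
 $action = 'resetpass';
 
 // validate action so as to default to the login screen
-if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
+if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login', 'emailconfirm' ), true ) && false === has_filter( 'login_form_' . $action ) )
 $action = 'login';
 
 nocache_headers();
@@ -838,6 +838,52 @@
 
 break;
 
+case 'emailconfirm' :
+ if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
+ $action_name = sanitize_key( wp_unslash( $_GET['confirm_action'] ) );
+ $key = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );
+ $uid = sanitize_text_field( wp_unslash( $_GET['uid'] ) );
+ $result = check_confirm_account_action_key( $action_name, $key, $uid );
+ } else {
+ $result = new WP_Error( 'invalid_key', __( 'Invalid key' ) );
+ }
+
+ if ( is_wp_error( $result ) ) {
+ /**
+ * Fires an action hook when the account action was not confirmed.
+ *
+ * After running this action hook the page will die.
+ *
+ * @param WP_Error $result Error object.
+ */
+ do_action( 'account_action_failed', $result );
+
+ wp_die( $result );
+ }
+
+ /**
+ * Fires an action hook when the account action has been confirmed by the user.
+ *
+ * Using this you can assume the user has agreed to perform the action by
+ * clicking on the link in the confirmation email.
+ *
+ * After firing this action hook the page will redirect to wp-login a callback
+ * redirects or exits first.
+ *
+ * @param array $result {
+ * Data about the action which was confirmed.
+ *
+ * @type string $action Name of the action that was confirmed.
+ * @type string $email Email of the user who confirmed the action.
+ * }
+ */
+ do_action( 'account_action_confirmed', $result );
+
+ $message = '<p class="message">' . __( 'Action has been confirmed.' ) . '</p>';
+ login_header( '', $message );
+ login_footer();
+ exit;
+
 case 'login' :
 default:
 $secure_cookie = '';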
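Review bot: The `emailconfirm` case verifies and consumes the one-time key and fires `account_action_confirmed` on a plain GET, so any automated fetch of the emailed URL (a mail gateway's link scanner, a client-side link preview) confirms the action without the recipient doing anything. The docblock's statement that a callback "can assume the user has agreed to perform the action by clicking on the link" is therefore stronger than what the request proves. Rendering a confirm button on GET and calling `check_confirm_account_action_key()` only on the resulting POST keeps the key unspent until a person submits; a sketch follows. The same docblock's sentence "the page will redirect to wp-login a callback redirects or exits first" is missing a word (presumably "unless"), and the code below it renders a message rather than redirecting.

```php
case 'emailconfirm' :
	if ( isset( $_GET['confirm_action'], $_GET['confirm_key'], $_GET['uid'] ) ) {
		// … unchanged: sanitizing into $action_name, $key, $uid …

		if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
			// A GET only renders the button; the key is checked and consumed on submit.
			$confirm_url = add_query_arg( array(
				'action'         => 'emailconfirm',
				'confirm_action' => $action_name,
				'uid'            => rawurlencode( $uid ),
				'confirm_key'    => rawurlencode( $key ),
			), site_url( 'wp-login.php', 'login_post' ) );

			login_header( __( 'Confirm Action' ) );
			printf(
				'<form method="post" action="%s"><p class="submit"><input type="submit" class="button button-primary button-large" value="%s" /></p></form>',
				esc_url( $confirm_url ),
				esc_attr__( 'Confirm' )
			);
			login_footer();
			exit;
		}

		$result = check_confirm_account_action_key( $action_name, $key, $uid );
	} else {
	// … unchanged: invalid_key error, failure/confirmed hooks, confirmation message …
```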
</div>
</body>
</html>