2007-05-25 09:16:21 +02:00
< ? php
2008-10-02 03:03:26 +02:00
/**
* WordPress user administration API .
*
* @ package WordPress
* @ subpackage Administration
*/
/**
* Creates a new user from the " Users " form using $_POST information .
*
2009-01-06 23:00:05 +01:00
* It seems that the first half is for backwards compatibility , but only
2009-12-08 20:59:34 +01:00
* has the ability to alter the user ' s role . WordPress core seems to
2009-01-06 23:00:05 +01:00
* use this function only in the second way , running edit_user () with
* no id so as to create a new user .
2008-10-02 03:03:26 +02:00
*
2009-01-06 23:00:05 +01:00
* @ since 2.0
2008-10-02 03:03:26 +02:00
*
* @ param int $user_id Optional . User ID .
* @ return null | WP_Error | int Null when adding user , WP_Error or User ID integer when no parameters .
*/
2007-05-25 09:16:21 +02:00
function add_user () {
if ( func_num_args () ) { // The hackiest hack that ever did hack
2010-06-24 17:01:29 +02:00
global $wp_roles ;
2007-05-25 09:16:21 +02:00
$user_id = ( int ) func_get_arg ( 0 );
if ( isset ( $_POST [ 'role' ] ) ) {
2009-09-14 15:57:48 +02:00
$new_role = sanitize_text_field ( $_POST [ 'role' ] );
2009-01-06 23:00:05 +01:00
// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
2010-06-24 17:01:29 +02:00
if ( $user_id != get_current_user_id () || $wp_roles -> role_objects [ $new_role ] -> has_cap ( 'edit_users' ) ) {
2009-01-06 23:00:05 +01:00
// If the new role isn't editable by the logged-in user die with error
$editable_roles = get_editable_roles ();
2010-04-03 10:08:12 +02:00
if ( empty ( $editable_roles [ $new_role ] ) )
2009-01-06 23:00:05 +01:00
wp_die ( __ ( 'You can’t give users that role.' ));
2009-03-18 03:43:45 +01:00
2007-05-25 09:16:21 +02:00
$user = new WP_User ( $user_id );
2009-09-14 15:57:48 +02:00
$user -> set_role ( $new_role );
2007-05-25 09:16:21 +02:00
}
}
} else {
add_action ( 'user_register' , 'add_user' ); // See above
return edit_user ();
}
}
2008-10-02 03:03:26 +02:00
/**
2009-01-06 23:00:05 +01:00
* Edit user settings based on contents of $_POST
2008-10-02 03:03:26 +02:00
*
2009-01-06 23:00:05 +01:00
* Used on user - edit . php and profile . php to manage and process user options , passwords etc .
2008-10-02 03:03:26 +02:00
*
2009-01-06 23:00:05 +01:00
* @ since 2.0
2008-10-02 03:03:26 +02:00
*
* @ param int $user_id Optional . User ID .
2009-01-06 23:00:05 +01:00
* @ return int user id of the updated user
2008-10-02 03:03:26 +02:00
*/
2007-05-25 09:16:21 +02:00
function edit_user ( $user_id = 0 ) {
2010-06-24 17:01:29 +02:00
global $wp_roles , $wpdb ;
2010-11-15 07:38:10 +01:00
$user = new WP_User ( $user_id );
if ( $user_id ) {
2007-05-25 09:16:21 +02:00
$update = true ;
$user -> ID = ( int ) $user_id ;
$userdata = get_userdata ( $user_id );
$user -> user_login = $wpdb -> escape ( $userdata -> user_login );
} else {
$update = false ;
}
2009-09-14 15:57:48 +02:00
if ( ! $update && isset ( $_POST [ 'user_login' ] ) )
2009-09-18 22:47:24 +02:00
$user -> user_login = sanitize_user ( $_POST [ 'user_login' ], true );
2007-05-25 09:16:21 +02:00
$pass1 = $pass2 = '' ;
if ( isset ( $_POST [ 'pass1' ] ))
$pass1 = $_POST [ 'pass1' ];
if ( isset ( $_POST [ 'pass2' ] ))
$pass2 = $_POST [ 'pass2' ];
2007-09-04 01:32:58 +02:00
if ( isset ( $_POST [ 'role' ] ) && current_user_can ( 'edit_users' ) ) {
2009-09-14 15:57:48 +02:00
$new_role = sanitize_text_field ( $_POST [ 'role' ] );
2010-02-27 19:07:25 +01:00
$potential_role = isset ( $wp_roles -> role_objects [ $new_role ]) ? $wp_roles -> role_objects [ $new_role ] : false ;
2009-01-06 23:00:05 +01:00
// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
2010-04-02 06:30:00 +02:00
// Multisite super admins can freely edit their blog roles -- they possess all caps.
2010-06-24 17:01:29 +02:00
if ( ( is_multisite () && current_user_can ( 'manage_sites' ) ) || $user_id != get_current_user_id () || ( $potential_role && $potential_role -> has_cap ( 'edit_users' ) ) )
2009-09-14 15:57:48 +02:00
$user -> role = $new_role ;
2009-01-06 23:00:05 +01:00
// If the new role isn't editable by the logged-in user die with error
$editable_roles = get_editable_roles ();
2010-04-03 10:08:12 +02:00
if ( ! empty ( $new_role ) && empty ( $editable_roles [ $new_role ] ) )
2009-01-06 23:00:05 +01:00
wp_die ( __ ( 'You can’t give users that role.' ));
2007-05-25 09:16:21 +02:00
}
if ( isset ( $_POST [ 'email' ] ))
2009-09-14 15:57:48 +02:00
$user -> user_email = sanitize_text_field ( $_POST [ 'email' ] );
2007-05-25 09:16:21 +02:00
if ( isset ( $_POST [ 'url' ] ) ) {
2009-05-14 00:41:05 +02:00
if ( empty ( $_POST [ 'url' ] ) || $_POST [ 'url' ] == 'http://' ) {
$user -> user_url = '' ;
} else {
2010-02-13 11:35:10 +01:00
$user -> user_url = esc_url_raw ( $_POST [ 'url' ] );
2009-05-14 00:41:05 +02:00
$user -> user_url = preg_match ( '/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is' , $user -> user_url ) ? $user -> user_url : 'http://' . $user -> user_url ;
}
2007-05-25 09:16:21 +02:00
}
2009-09-14 15:57:48 +02:00
if ( isset ( $_POST [ 'first_name' ] ) )
$user -> first_name = sanitize_text_field ( $_POST [ 'first_name' ] );
if ( isset ( $_POST [ 'last_name' ] ) )
$user -> last_name = sanitize_text_field ( $_POST [ 'last_name' ] );
if ( isset ( $_POST [ 'nickname' ] ) )
$user -> nickname = sanitize_text_field ( $_POST [ 'nickname' ] );
if ( isset ( $_POST [ 'display_name' ] ) )
$user -> display_name = sanitize_text_field ( $_POST [ 'display_name' ] );
if ( isset ( $_POST [ 'description' ] ) )
2007-05-25 09:16:21 +02:00
$user -> description = trim ( $_POST [ 'description' ] );
2009-09-14 15:57:48 +02:00
2010-10-21 17:42:06 +02:00
foreach ( _wp_get_user_contactmethods ( $user ) as $method => $name ) {
2009-08-06 23:59:52 +02:00
if ( isset ( $_POST [ $method ] ))
2009-09-14 15:57:48 +02:00
$user -> $method = sanitize_text_field ( $_POST [ $method ] );
}
if ( $update ) {
$user -> rich_editing = isset ( $_POST [ 'rich_editing' ] ) && 'false' == $_POST [ 'rich_editing' ] ? 'false' : 'true' ;
$user -> admin_color = isset ( $_POST [ 'admin_color' ] ) ? sanitize_text_field ( $_POST [ 'admin_color' ] ) : 'fresh' ;
2009-08-06 23:59:52 +02:00
}
2007-05-25 09:16:21 +02:00
2009-09-14 15:57:48 +02:00
$user -> comment_shortcuts = isset ( $_POST [ 'comment_shortcuts' ] ) && 'true' == $_POST [ 'comment_shortcuts' ] ? 'true' : '' ;
2008-12-09 19:03:31 +01:00
2008-08-21 19:40:38 +02:00
$user -> use_ssl = 0 ;
if ( ! empty ( $_POST [ 'use_ssl' ]) )
$user -> use_ssl = 1 ;
2007-05-25 09:16:21 +02:00
$errors = new WP_Error ();
/* checking that username has been typed */
if ( $user -> user_login == '' )
$errors -> add ( 'user_login' , __ ( '<strong>ERROR</strong>: Please enter a username.' ));
/* checking the password has been typed twice */
do_action_ref_array ( 'check_passwords' , array ( $user -> user_login , & $pass1 , & $pass2 ));
2007-11-01 07:23:16 +01:00
if ( $update ) {
if ( empty ( $pass1 ) && ! empty ( $pass2 ) )
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: You entered your new password only once.' ), array ( 'form-field' => 'pass1' ) );
elseif ( ! empty ( $pass1 ) && empty ( $pass2 ) )
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: You entered your new password only once.' ), array ( 'form-field' => 'pass2' ) );
2007-05-25 09:16:21 +02:00
} else {
2007-11-01 07:23:16 +01:00
if ( empty ( $pass1 ) )
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: Please enter your password.' ), array ( 'form-field' => 'pass1' ) );
elseif ( empty ( $pass2 ) )
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: Please enter your password twice.' ), array ( 'form-field' => 'pass2' ) );
2007-05-25 09:16:21 +02:00
}
/* Check for "\" in password */
2009-05-12 07:21:32 +02:00
if ( false !== strpos ( stripslashes ( $pass1 ), " \\ " ) )
2007-11-01 07:23:16 +01:00
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array ( 'form-field' => 'pass1' ) );
2007-05-25 09:16:21 +02:00
/* checking the password has been typed twice the same */
if ( $pass1 != $pass2 )
2007-11-01 07:23:16 +01:00
$errors -> add ( 'pass' , __ ( '<strong>ERROR</strong>: Please enter the same password in the two password fields.' ), array ( 'form-field' => 'pass1' ) );
2007-05-25 09:16:21 +02:00
2009-09-14 15:57:48 +02:00
if ( ! empty ( $pass1 ) )
2007-05-25 09:16:21 +02:00
$user -> user_pass = $pass1 ;
2010-05-04 01:46:42 +02:00
if ( ! $update && isset ( $_POST [ 'user_login' ] ) && ! validate_username ( $_POST [ 'user_login' ] ) )
$errors -> add ( 'user_login' , __ ( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
2007-05-25 09:16:21 +02:00
2009-09-14 15:57:48 +02:00
if ( ! $update && username_exists ( $user -> user_login ) )
2007-10-04 21:38:35 +02:00
$errors -> add ( 'user_login' , __ ( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
2007-05-25 09:16:21 +02:00
/* checking e-mail address */
2009-09-14 15:57:48 +02:00
if ( empty ( $user -> user_email ) ) {
2009-04-17 20:43:40 +02:00
$errors -> add ( 'empty_email' , __ ( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array ( 'form-field' => 'email' ) );
2009-09-14 15:57:48 +02:00
} elseif ( ! is_email ( $user -> user_email ) ) {
2009-05-05 06:28:05 +02:00
$errors -> add ( 'invalid_email' , __ ( '<strong>ERROR</strong>: The e-mail address isn’t correct.' ), array ( 'form-field' => 'email' ) );
2010-10-13 22:26:43 +02:00
} elseif ( ( $owner_id = email_exists ( $user -> user_email ) ) && ( ! $update || ( $owner_id != $user -> ID ) ) ) {
2009-04-17 20:43:40 +02:00
$errors -> add ( 'email_exists' , __ ( '<strong>ERROR</strong>: This email is already registered, please choose another one.' ), array ( 'form-field' => 'email' ) );
}
2007-05-25 09:16:21 +02:00
2009-09-14 15:57:48 +02:00
// Allow plugins to return their own errors.
2009-05-25 01:47:49 +02:00
do_action_ref_array ( 'user_profile_update_errors' , array ( & $errors , $update , & $user ) );
2007-05-25 09:16:21 +02:00
if ( $errors -> get_error_codes () )
return $errors ;
if ( $update ) {
2009-09-14 15:57:48 +02:00
$user_id = wp_update_user ( get_object_vars ( $user ) );
2007-05-25 09:16:21 +02:00
} else {
2009-09-14 15:57:48 +02:00
$user_id = wp_insert_user ( get_object_vars ( $user ) );
2009-05-14 00:35:17 +02:00
wp_new_user_notification ( $user_id , isset ( $_POST [ 'send_password' ]) ? $pass1 : '' );
2007-05-25 09:16:21 +02:00
}
return $user_id ;
}
2009-01-06 23:00:05 +01:00
/**
2009-03-18 03:43:45 +01:00
* Fetch a filtered list of user roles that the current user is
* allowed to edit .
2009-01-06 23:00:05 +01:00
*
2009-03-18 03:43:45 +01:00
* Simple function who ' s main purpose is to allow filtering of the
2009-01-06 23:00:05 +01:00
* list of roles in the $wp_roles object so that plugins can remove
* innappropriate ones depending on the situation or user making edits .
* Specifically because without filtering anyone with the edit_users
* capability can edit others to be administrators , even if they are
* only editors or authors . This filter allows admins to delegate
2009-03-18 03:43:45 +01:00
* user management .
2009-01-06 23:00:05 +01:00
*
* @ since 2.8
*
* @ return unknown
*/
function get_editable_roles () {
global $wp_roles ;
$all_roles = $wp_roles -> roles ;
2009-03-18 03:43:45 +01:00
$editable_roles = apply_filters ( 'editable_roles' , $all_roles );
2009-01-06 23:00:05 +01:00
return $editable_roles ;
}
2008-10-02 03:03:26 +02:00
/**
* Retrieve user data and filter it .
*
* @ since unknown
*
* @ param int $user_id User ID .
* @ return object WP_User object with user data .
*/
2007-05-25 09:16:21 +02:00
function get_user_to_edit ( $user_id ) {
$user = new WP_User ( $user_id );
2009-08-06 23:59:52 +02:00
2010-10-21 17:42:06 +02:00
$user_contactmethods = _wp_get_user_contactmethods ( $user );
2009-08-06 23:59:52 +02:00
foreach ( $user_contactmethods as $method => $name ) {
2009-09-14 15:57:48 +02:00
if ( empty ( $user -> { $method } ) )
$user -> { $method } = '' ;
2009-08-06 23:59:52 +02:00
}
2009-09-14 15:57:48 +02:00
if ( empty ( $user -> description ) )
$user -> description = '' ;
$user = sanitize_user_object ( $user , 'edit' );
2007-05-25 09:16:21 +02:00
return $user ;
}
2008-10-02 03:03:26 +02:00
/**
* Retrieve the user ' s drafts .
*
* @ since unknown
*
* @ param int $user_id User ID .
* @ return array
*/
2007-05-25 09:16:21 +02:00
function get_users_drafts ( $user_id ) {
global $wpdb ;
2008-04-14 18:13:25 +02:00
$query = $wpdb -> prepare ( " SELECT ID, post_title FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'draft' AND post_author = %d ORDER BY post_modified DESC " , $user_id );
2007-05-25 09:16:21 +02:00
$query = apply_filters ( 'get_users_drafts' , $query );
return $wpdb -> get_results ( $query );
}
2008-10-02 03:03:26 +02:00
/**
* Remove user and optionally reassign posts and links to another user .
*
* If the $reassign parameter is not assigned to an User ID , then all posts will
* be deleted of that user . The action 'delete_user' that is passed the User ID
* being deleted will be run after the posts are either reassigned or deleted .
* The user meta will also be deleted that are for that User ID .
*
* @ since unknown
*
* @ param int $id User ID .
* @ param int $reassign Optional . Reassign posts and links to new User ID .
* @ return bool True when finished .
*/
2010-01-19 20:23:11 +01:00
function wp_delete_user ( $id , $reassign = 'novalue' ) {
2007-05-25 09:16:21 +02:00
global $wpdb ;
$id = ( int ) $id ;
2009-04-17 04:13:00 +02:00
2009-04-08 21:01:10 +02:00
// allow for transaction statement
do_action ( 'delete_user' , $id );
2007-05-25 09:16:21 +02:00
2010-01-19 20:23:11 +01:00
if ( 'novalue' === $reassign || null === $reassign ) {
2008-04-14 18:13:25 +02:00
$post_ids = $wpdb -> get_col ( $wpdb -> prepare ( " SELECT ID FROM $wpdb->posts WHERE post_author = %d " , $id ) );
2007-05-25 09:16:21 +02:00
2010-01-19 20:23:11 +01:00
if ( $post_ids ) {
foreach ( $post_ids as $post_id )
2007-05-25 09:16:21 +02:00
wp_delete_post ( $post_id );
}
// Clean links
2009-04-17 04:13:00 +02:00
$link_ids = $wpdb -> get_col ( $wpdb -> prepare ( " SELECT link_id FROM $wpdb->links WHERE link_owner = %d " , $id ) );
if ( $link_ids ) {
foreach ( $link_ids as $link_id )
wp_delete_link ( $link_id );
}
2007-05-25 09:16:21 +02:00
} else {
$reassign = ( int ) $reassign ;
2010-01-07 21:13:54 +01:00
$wpdb -> update ( $wpdb -> posts , array ( 'post_author' => $reassign ), array ( 'post_author' => $id ) );
$wpdb -> update ( $wpdb -> links , array ( 'link_owner' => $reassign ), array ( 'link_owner' => $id ) );
2007-05-25 09:16:21 +02:00
}
2010-05-04 01:04:42 +02:00
clean_user_cache ( $id );
2007-05-25 09:16:21 +02:00
// FINALLY, delete user
2010-01-15 01:21:13 +01:00
if ( ! is_multisite () ) {
$wpdb -> query ( $wpdb -> prepare ( " DELETE FROM $wpdb->usermeta WHERE user_id = %d " , $id ) );
$wpdb -> query ( $wpdb -> prepare ( " DELETE FROM $wpdb->users WHERE ID = %d " , $id ) );
} else {
$level_key = $wpdb -> get_blog_prefix () . 'capabilities' ; // wpmu site admins don't have user_levels
$wpdb -> query ( " DELETE FROM $wpdb->usermeta WHERE user_id = $id AND meta_key = ' { $level_key } ' " );
}
2007-05-25 09:16:21 +02:00
2009-04-08 21:01:10 +02:00
// allow for commit transaction
do_action ( 'deleted_user' , $id );
2007-05-25 09:16:21 +02:00
return true ;
}
2008-10-02 03:03:26 +02:00
/**
* Remove all capabilities from user .
*
* @ since unknown
*
* @ param int $id User ID .
*/
2007-05-25 09:16:21 +02:00
function wp_revoke_user ( $id ) {
$id = ( int ) $id ;
$user = new WP_User ( $id );
$user -> remove_all_caps ();
}
2009-05-03 19:06:29 +02:00
add_action ( 'admin_init' , 'default_password_nag_handler' );
2009-05-06 18:19:40 +02:00
function default_password_nag_handler ( $errors = false ) {
global $user_ID ;
2010-02-06 07:20:38 +01:00
if ( ! get_user_option ( 'default_password_nag' ) ) //Short circuit it.
2009-05-06 18:19:40 +02:00
return ;
//get_user_setting = JS saved UI setting. else no-js-falback code.
2009-05-25 01:47:49 +02:00
if ( 'hide' == get_user_setting ( 'default_password_nag' ) || isset ( $_GET [ 'default_password_nag' ]) && '0' == $_GET [ 'default_password_nag' ] ) {
2009-05-03 19:06:29 +02:00
delete_user_setting ( 'default_password_nag' );
2010-02-06 07:20:38 +01:00
update_user_option ( $user_ID , 'default_password_nag' , false , true );
2009-05-03 19:06:29 +02:00
}
}
2009-05-06 18:19:40 +02:00
add_action ( 'profile_update' , 'default_password_nag_edit_user' , 10 , 2 );
function default_password_nag_edit_user ( $user_ID , $old_data ) {
2010-05-13 23:08:01 +02:00
if ( ! get_user_option ( 'default_password_nag' , $user_ID ) ) //Short circuit it.
2009-05-06 18:19:40 +02:00
return ;
$new_data = get_userdata ( $user_ID );
if ( $new_data -> user_pass != $old_data -> user_pass ) { //Remove the nag if the password has been changed.
2010-05-13 23:08:01 +02:00
delete_user_setting ( 'default_password_nag' , $user_ID );
2010-02-06 07:20:38 +01:00
update_user_option ( $user_ID , 'default_password_nag' , false , true );
2009-05-06 18:19:40 +02:00
}
}
2009-05-03 19:06:29 +02:00
add_action ( 'admin_notices' , 'default_password_nag' );
function default_password_nag () {
2010-09-13 18:49:04 +02:00
global $pagenow ;
if ( 'profile.php' == $pagenow || ! get_user_option ( 'default_password_nag' ) ) //Short circuit it.
2009-05-03 19:06:29 +02:00
return ;
2010-04-20 19:15:07 +02:00
echo '<div class="error default-password-nag">' ;
echo '<p>' ;
echo '<strong>' . __ ( 'Notice:' ) . '</strong> ' ;
2010-10-07 10:04:15 +02:00
_e ( 'You’re using the auto-generated password for your account. Would you like to change it to something easier to remember?' );
2010-04-27 23:57:18 +02:00
echo '</p><p>' ;
printf ( '<a href="%s">' . __ ( 'Yes, take me to my profile page' ) . '</a> | ' , admin_url ( 'profile.php' ) . '#password' );
printf ( '<a href="%s" id="default-password-nag-no">' . __ ( 'No thanks, do not remind me again' ) . '</a>' , '?default_password_nag=0' );
2009-05-03 19:06:29 +02:00
echo '</p></div>' ;
}
2009-05-14 00:41:05 +02:00
?>