Commit Graph

332 Commits

Author SHA1 Message Date
Andrew Nacin
74488bdcb0 Spell out duplicate hook locations.
props DrewAPicture.
fixes #25658.

Built from https://develop.svn.wordpress.org/trunk@25868


git-svn-id: http://core.svn.wordpress.org/trunk@25780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-22 17:22:11 +00:00
Drew Jaynes
9ba8ffb5e3 Inline documentation for hooks in wp-login.php.
Props ShinichiN, kpdesign.
Fixes #25393.

Built from https://develop.svn.wordpress.org/trunk@25701


git-svn-id: http://core.svn.wordpress.org/trunk@25616 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-06 16:24:09 +00:00
Andrew Nacin
6113669e22 Hash password reset keys in the database.
All existing, unused password reset keys are now considered "expired" and the user will be told they should try again.

Introduces a password_reset_key_expired filter to allow plugins to introduce a grace period.

fixes #24783.

Built from https://develop.svn.wordpress.org/trunk@25696


git-svn-id: http://core.svn.wordpress.org/trunk@25611 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-06 11:29:11 +00:00
Helen Hou-Sandí
77a7702deb Simplify the login page viewport meta for mobile devices, so it's less restrictive on the user. Allows for developers to override if necessary via the login_head action. props azaozz. fixes #24777.
Built from https://develop.svn.wordpress.org/trunk@25619


git-svn-id: http://core.svn.wordpress.org/trunk@25536 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-25 15:20:09 +00:00
Andrew Nacin
70edef0df4 Introduce post_password_expires filter to control the expiration of the post password cookie.
props Viper007Bond for initial patch.
fixes #21466.

Built from https://develop.svn.wordpress.org/trunk@25450


git-svn-id: http://core.svn.wordpress.org/trunk@25371 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-16 17:40:10 +00:00
Sergey Biryukov
1d79b0bdf3 Move check_password_reset_key(), reset_password(), and register_new_user() from wp-login.php to wp-includes/user.php, to make them reusable. props beaulebens for initial patch. fixes #20279.
Built from https://develop.svn.wordpress.org/trunk@25231


git-svn-id: http://core.svn.wordpress.org/trunk@25201 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-04 08:59:09 +00:00
Sergey Biryukov
b1dc91c447 Clear 'default_password_nag' flag when resetting a user's password, since the new password is entered manually. props wikicms. fixes #25206.
Built from https://develop.svn.wordpress.org/trunk@25203


git-svn-id: http://core.svn.wordpress.org/trunk@25175 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-02 03:18:10 +00:00
Andrew Nacin
cf02025fe0 Check for a WP_Error return from wp_create_user() in register_new_user().
props coffee2code.
fixes #14290.

Built from https://develop.svn.wordpress.org/trunk@25174


git-svn-id: http://core.svn.wordpress.org/trunk@25148 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-29 22:16:09 +00:00
Andrew Ozz
29739b2508 In wp-login.php check if cookies are enabled before attempting to log the user in with wp_signon(), fixes #24961.
Built from https://develop.svn.wordpress.org/trunk@25045


git-svn-id: http://core.svn.wordpress.org/trunk@25032 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-17 01:01:09 +00:00
Andrew Nacin
d2224d687c Use commas, not semicolons, to separate meta viewport values. props bobbravo2. see #24777.
git-svn-id: http://core.svn.wordpress.org/trunk@24779 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-23 07:27:56 +00:00
Mark Jaquith
c8853cff92 Set autocomplete="off" on the password reset form itself, in addition to the individual inputs, to work around a Chrome bug.
fixes #24364. props azaozz.

git-svn-id: http://core.svn.wordpress.org/trunk@24553 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-03 21:29:53 +00:00
Andrew Nacin
95800ae4f2 Validate post password hash.
git-svn-id: http://core.svn.wordpress.org/trunk@24466 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-06-21 03:00:26 +00:00
Andrew Nacin
cfa947193f Revert [24291] pending further discussion and sleuthing. see #24364.
git-svn-id: http://core.svn.wordpress.org/trunk@24317 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-22 18:37:43 +00:00
Andrew Ozz
dbda48bd2a Fix Chrome disregarding autocomplete="off" for password fields. Add autocomplete="off" to forms where the users can choose new password. Fixes #24364.
git-svn-id: http://core.svn.wordpress.org/trunk@24291 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-18 22:56:21 +00:00
Andrew Ozz
19c3b4bfdc Logged out warnings:
- Don't use <base> tag to set target="_blank". It can break form submission. Instead, set target only on links with JS.
- Fix same domain comparison in wp_auth_check_html() when FORCE_SSL_LOGIN == true.
- Properly show/hide the "Close" button when the dialog is shown multiple times.
See #23295

git-svn-id: http://core.svn.wordpress.org/trunk@24208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-08 22:45:58 +00:00
Sergey Biryukov
57c10eadbb Use ellipsis instead of three dots. props tjsingleton, jordie23, wojtek.szkutnik, DrewAPicture, SergeyBiryukov. see #8714.
git-svn-id: http://core.svn.wordpress.org/trunk@24207 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-08 21:27:31 +00:00
Andrew Ozz
badaefce06 Logged out warnings:
- Don't remove login error messages coming from wp_signon().
- When the login form is shown in iframe, open all links in a new tab/window.
- Add filter for the login form error message.
See #23295

git-svn-id: http://core.svn.wordpress.org/trunk@24179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-05-06 21:35:50 +00:00
Andrew Nacin
a9712e0183 Add wp_registration_url() and register_url filter.
props scribu, JustinSainton, SergeyBiryukov.
fixes #17950.



git-svn-id: http://core.svn.wordpress.org/trunk@24053 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-04-22 20:21:22 +00:00
Andrew Ozz
04c5aefbea Logged out warnings: add fallback text dialog for:
- The login page has "X-Frame-Options: DENY" header.
- Cross-domain when displaying on the front-end on multisite with domain mapping.
- The site forces ssl login but not ssl admin.

Add onbeforeunload prompt to counter (frame-busting) JS redirects. Move the JS and CSS into separate files. See #23295.

git-svn-id: http://core.svn.wordpress.org/trunk@23805 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-27 08:43:11 +00:00
Andrew Ozz
5398ac438c Logged out warnings: clear previous errors when interim_login is set, see #23295
git-svn-id: http://core.svn.wordpress.org/trunk@23691 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-13 23:32:52 +00:00
Andrew Ozz
e9245269a7 Autosave to the browser's sessionStorage, compare this autosave to the post content on page load and let the user restore it when the data is not the same. First run, see #23220
git-svn-id: http://core.svn.wordpress.org/trunk@23683 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-13 10:08:16 +00:00
Mark Jaquith
3fcf3e1134 Unhyphenate "log-in". see #23295
git-svn-id: http://core.svn.wordpress.org/trunk@23625 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-06 20:06:19 +00:00
Ryan Boren
315bfb019a Use wp_unslash() instead of stripslashes() and stripslashes_deep(). Use wp_slash() instead of add_magic_quotes().
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23594 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-03 21:11:40 +00:00
Sergey Biryukov
ed830a979b Consistently apply 'register' filter. props wonderboymusic for initial patch. fixes #14406.
git-svn-id: http://core.svn.wordpress.org/trunk@23558 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:43:18 +00:00
Ryan Boren
43a7e695e9 Revert 23416, 23419, 23445 except for wp_reset_vars() changes. We are going a different direction with the slashing cleanup, so resetting to a clean slate. see #21767
git-svn-id: http://core.svn.wordpress.org/trunk@23554 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-03-01 16:28:40 +00:00
Andrew Ozz
0910d5755e Improved logged out warnings, first run, props mintindeed, see #23295
git-svn-id: http://core.svn.wordpress.org/trunk@23504 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-28 08:57:17 +00:00
Ryan Boren
cc5ed3a485 Change all core API to expect unslashed rather than slashed arguments.
The exceptions to this are update_post_meta() and add_post_meta() which are often used by plugins in POST handlers and will continue accepting slashed data for now.

Introduce wp_upate_post_meta() and wp_add_post_meta() as unslashed alternatives to update_post_meta() and add_post_meta(). These functions could become methods in WP_Post so don't use them too heavily yet.

Remove all escape() calls from wp_xmlrpc_server. Now that core expects unslashed data this is no longer needed.

Remove addslashes(), addslashes_gpc(), add_magic_quotes() calls on data being prepared for handoff to core functions that until now expected slashed data. Adding slashes in no longer necessary.

Introduce wp_unslash() and use to it remove slashes from GPCS data before using it in core API. Almost every instance of stripslashes() in core should now be wp_unslash(). In the future (a release or three) when GPCS is no longer slashed, wp_unslash() will stop stripping slashes and simply return what is passed. At this point wp_unslash() calls can be removed from core.

Introduce wp_slash() for slashing GPCS data. This will also turn into a noop once GPCS is no longer slashed. wp_slash() should almost never be used. It is mainly of use in unit tests.

Plugins should use wp_unslash() on data being passed to core API.

Plugins should no longer slash data being passed to core. So when you get_post() and then wp_insert_post() the post data from get_post() no longer needs addslashes(). Most plugins were not bothering with this. They will magically start doing the right thing. Unfortunately, those few souls who did it properly will now have to avoid calling addslashes() for 3.6 and newer.

Use wp_kses_post() and wp_kses_data(), which expect unslashed data, instead of wp_filter_post_kses() and wp_filter_kses(), which expect slashed data. Filters are no longer passed slashed data.

Remove many no longer necessary calls to $wpdb->escape() and esc_sql().

In wp_get_referer() and wp_get_original_referer(), return unslashed data.

Remove old stripslashes() calls from WP_Widget::update() handlers. These haven't been necessary since WP_Widget.

Switch several queries over to prepare().

Expect something to break.

Props alexkingorg
see #21767


git-svn-id: http://core.svn.wordpress.org/trunk@23416 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-02-14 22:51:06 +00:00
Sergey Biryukov
94e5df7d3e Simplify the logic for printing "Lost your password?" link. props ktdreyer. fixes #16498.
git-svn-id: http://core.svn.wordpress.org/trunk@23336 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-01-23 02:08:44 +00:00
Ryan Boren
d4abd95449 Scope button classes so they can be used on the frontend without interfering with theme styles.
Props helenyhou, koopersmith
fixes #22644


git-svn-id: http://core.svn.wordpress.org/trunk@22948 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-30 13:40:59 +00:00
Andrew Nacin
10b381a047 Revert type="email" on the registration form to avoid validation issues. see #22183.
git-svn-id: http://core.svn.wordpress.org/trunk@22413 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-11-07 07:47:52 +00:00
Andrew Ozz
8c4d96b05a Buttons: slightly bolder :focus styles, make the "Log In" button '.button-large', props lessbloat, see #21598
git-svn-id: http://core.svn.wordpress.org/trunk@22288 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-24 01:27:56 +00:00
Ryan Boren
51920e1858 Consolidate some strings. Props pavelevap, SergeyBiryukov. see #21728
git-svn-id: http://core.svn.wordpress.org/trunk@22124 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-10-05 19:04:34 +00:00
Andrew Nacin
71d750b450 Add a login_body_class filter to login_header(). fixes #21133.
git-svn-id: http://core.svn.wordpress.org/trunk@22000 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-25 09:13:06 +00:00
Andrew Nacin
557d9313a7 Introduce constants to allow for easier expression of time periods in seconds. Adds MINUTE_IN_SECONDS, HOUR_IN_SECONDS, DAY_IN_SECONDS, WEEK_IN_SECONDS, YEAR_IN_SECONDS. props nbachiyski, SergeyBiryukov. fixes #20987.
git-svn-id: http://core.svn.wordpress.org/trunk@21996 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-25 05:26:19 +00:00
Peter Westwood
e1b861e1cb Passwords: Make it possible for plugins to enforce extra password strength / validity rules during the reset process.
Adds a filter in the password reset process so that a plugin can enforce particular password rules on users to compliment the existing filtering in the Profile modification process.
Fixes #21778.


git-svn-id: http://core.svn.wordpress.org/trunk@21923 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-20 11:01:29 +00:00
Andrew Nacin
87c947a987 Use network_site_url() for wp-signup.php. props markjaquith. see #19796.
git-svn-id: http://core.svn.wordpress.org/trunk@21813 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-11 12:27:25 +00:00
Ryan Boren
c55cf716da Use set_url_scheme(). Props johnbillion, MarcusPope. see #19037 #20759
git-svn-id: http://core.svn.wordpress.org/trunk@21664 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-30 13:33:00 +00:00
Ryan Boren
8eb21fd381 Use admin_url() instead of get_edit_user_link() in wp-login.php since cookies are not yet set. Props SergeyBiryukov. fixes #14787
git-svn-id: http://core.svn.wordpress.org/trunk@21507 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-08-14 19:10:37 +00:00
ryan
7b49ad8493 Introduce get_edit_user_link(). Props scribu, georgestephanis, johnbillion. fixes #14787 see #20307
git-svn-id: http://core.svn.wordpress.org/trunk@21364 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-30 18:30:03 +00:00
azaozz
34535097b7 Remove nearly all tabindex attributes from the admin, leaving them only where absolutely necessary (for now that's only the toolbar).
Add tabindex="-1" for the menu images links to avoid double tab stops there when the menu is expanded.

Fix/add auto-focus on the first input fields on the Add/Edit Post, all taxonomy, all edit taxonomy, Log In and Edit Comment screens.

See #21340.

git-svn-id: http://core.svn.wordpress.org/trunk@21311 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-24 00:15:15 +00:00
nacin
489f6828d8 Only obey the RELOCATE move flag if it evaluates to true. props TomAuger, JustinSainton, fixes #20636.
git-svn-id: http://core.svn.wordpress.org/trunk@21251 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-07-09 19:32:09 +00:00
nacin
69112517ed Refresh nonces in the customizer. props koopersmith. see #20876.
git-svn-id: http://core.svn.wordpress.org/trunk@21135 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-26 18:48:18 +00:00
ryan
9115435213 Customizer: Gravefully handle cookie expipration. Prompt for log in in the preview. Props ocean90, koopersmith, nacin. fixes #20876
git-svn-id: http://core.svn.wordpress.org/trunk@21031 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-06-08 19:22:11 +00:00
nacin
9f97ddf45c When auth_redirect() detects a logged out user and the target
page was about.php?updated, then issue a message welcoming them.

This is to prevent it from being so jolting if you are taken to
the login screen after an update.

In WordPress 3.4, the changes to wp_salt() provide for extra
security, but will cause a log-out for any installs without 8
unique keys and salts in wp-config.php (with some exceptions).
Properly re-issuing cookies, even for the logged in user, is
not easily doable via admin/includes/update-core.php, as that
file is included long after the headers are sent.

see #19599.



git-svn-id: http://core.svn.wordpress.org/trunk@20887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-05-24 21:22:09 +00:00
azaozz
000b7a9313 Move mobile devices CSS from wp-login.php to wp-admin.css, props SergeyBiryukov, fixes #19673
git-svn-id: http://svn.automattic.com/wordpress/trunk@20430 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-11 01:45:01 +00:00
azaozz
1d12cd07b0 Introduce wp_is_mobile() and use it instead of $is_iphone global, see #20014
git-svn-id: http://svn.automattic.com/wordpress/trunk@20417 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-04-10 01:19:30 +00:00
ryan
0dfe24e69b Set post password cookies via an action in wp-login.php. Retire wp-pass.php (one less root file). Obey login ssl preferences for post password form submission. Props SergeyBiryukov. fixes #19798
git-svn-id: http://svn.automattic.com/wordpress/trunk@19925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-02-14 18:29:22 +00:00
nacin
e41d7ad161 Translate http://wordpress.org/ for the wp-login.php header image URL. Clean up. props zeo, fixes #19364.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19783 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-29 18:47:41 +00:00
ryan
e3b46b25d3 Lose EOF ?>. Clean up EOF newlines. fixes #12307
git-svn-id: http://svn.automattic.com/wordpress/trunk@19712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-08 17:01:11 +00:00
nacin
ed9d705b83 Use home URL, not siteurl, in the password reset email. fixes #19767.
git-svn-id: http://svn.automattic.com/wordpress/trunk@19705 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-07 18:54:08 +00:00