Commit Graph

430 Commits

Author SHA1 Message Date
Jeremy Felt
a0f643da35 Admin: Allow for the consistent filtering of auth_redirect_scheme
Merge of [37651] to the 4.4 branch.

See #37047.

Built from https://develop.svn.wordpress.org/branches/4.4@37758


git-svn-id: http://core.svn.wordpress.org/branches/4.4@37723 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-06-21 14:11:28 +00:00
Sergey Biryukov
71788d7c89 Mail: Correct compact() usage in wp_mail().
Merges [36688] to the 4.4 branch.

Props Ankit K Gupta, maweder.
Fixes #35781.
Built from https://develop.svn.wordpress.org/branches/4.4@37081


git-svn-id: http://core.svn.wordpress.org/branches/4.4@37048 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-03-25 17:07:27 +00:00
Dominik Schilling
16414c4f90 Better validation of the URL used in HTTP redirects.
Merges [36444] to the 4.4 branch.
Built from https://develop.svn.wordpress.org/branches/4.4@36447


git-svn-id: http://core.svn.wordpress.org/branches/4.4@36414 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-02 16:59:28 +00:00
Dominik Schilling
0632e4ab84 Passwords: Support the pre-4.3 behavior of wp_new_user_notification().
Hello, it's me again. A pluggable function named `wp_new_user_notification()`. A few months ago, after [33023], I have lost my second parameter `$plaintext_pass`. But thanks to [33620] I got a new one.
Bad idea - It hasn't had the same behavior as my previous parameter.
To solve that the second parameter got deprecated and reintroduced as the third parameter in [34116]. I was happy again, for a short time.
You remember my lost friend `$plaintext_pass`? No? Well, if its value was empty no notification was sent to the user. This behavior was still lost. And that's what this change is about: Don't notify a user if a plugin uses `wp_new_user_notification( $user_id )`.

You're asking if I'm happy now? Dunno, but maybe you have learned something about pluggable functions, have you?

Props danielbachhuber.
Fixes #34377.
Built from https://develop.svn.wordpress.org/trunk@35735


git-svn-id: http://core.svn.wordpress.org/trunk@35699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-11-24 23:07:26 +00:00
Scott Taylor
34a9b6e428 Mail: in wp_notify_postauthor() and wp_notify_moderator(), ensure that special chars aren't HTML-encoded in the email message body.
Props solarissmoke, leemon.
Fixes #12584.

Built from https://develop.svn.wordpress.org/trunk@35415


git-svn-id: http://core.svn.wordpress.org/trunk@35379 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-28 18:03:24 +00:00
Dion Hulse
53afc72ab7 Update to Random_Compat 1.0.9.
This update includes fixes for Windows support & libSodium support, and removes the `Throwable` Polyfill due to PHP7 incompatibilities. 

Fixes #28633

Built from https://develop.svn.wordpress.org/trunk@35365


git-svn-id: http://core.svn.wordpress.org/trunk@35330 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-23 04:22:26 +00:00
Drew Jaynes
f954194a1c Comments: Introduce two new filters, notify_moderator and notify_post_author, both of which make it possible to selectively override site notification email settings for new comments.
The `notify_moderator` filter makes it possible to override the value for the `moderation_notify` option, which controls whether to send new comment emails to "site moderators", that is to say, the owner of the admin email for the site and the post author if they have the ability to modify the comment.

The `notify_post_author` filter likewise makes it possible to override the value for the `comments_notify` option, which controls whether to send new comment emails to the post author. If the post author is the comment author, default behavior is not to send the notification. Note: enabling or disabling notifications via this hook could also affect other recipients added via the 'comment_notification_recipients' filter in `wp_notify_postauthor()`, if hooked.

Passing a falsey value to either of the new filters will prevent notifications from being sent, regardless of their corresponding option values.

Adds tests.

Props coffee2code, adamsilverstein, DrewAPicture.
Fixes #761.

Built from https://develop.svn.wordpress.org/trunk@35339


git-svn-id: http://core.svn.wordpress.org/trunk@35305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-21 18:35:31 +00:00
Drew Jaynes
217b661703 Docs: Add missing descriptions for the $wpdb global in DocBlocks all the places.
See #32246.

Built from https://develop.svn.wordpress.org/trunk@35170


git-svn-id: http://core.svn.wordpress.org/trunk@35136 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-14 23:44:25 +00:00
Sergey Biryukov
b40e362711 Fix typo in get_avatar() and get_avatar_data() docs.
Props johnjamesjacoby.
Fixes #34232.
Built from https://develop.svn.wordpress.org/trunk@34988


git-svn-id: http://core.svn.wordpress.org/trunk@34953 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 15:52:24 +00:00
Sergey Biryukov
072cdf116a Fix typo in wp_rand() docs.
See #28633.
Built from https://develop.svn.wordpress.org/trunk@34986


git-svn-id: http://core.svn.wordpress.org/trunk@34951 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 05:20:23 +00:00
Dion Hulse
4852cbf14b Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.
`random_compat` offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing `wp_rand()` functionality as a fallback for when no proper CSPRNG exists on the system.

Take Two, this was previously committed in [34922] but had an issue on PHP 5.2 which sarciszewski has now resolved.

Props sarciszewski
See #28633

Built from https://develop.svn.wordpress.org/trunk@34981


git-svn-id: http://core.svn.wordpress.org/trunk@34946 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-09 04:28:24 +00:00
Boone Gorges
48493cdf3a Allow a null id to do a name lookup in wp_set_current_user().
Previously, the `name` fallback was failing in the case where the current user
was 0, due to a loose comparison between 0 (the current user) and `null` (the
value that is used to trigger the `name` fallback).

Props bobbingwide.
Fixes #20845.
Built from https://develop.svn.wordpress.org/trunk@34947


git-svn-id: http://core.svn.wordpress.org/trunk@34912 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-08 17:29:24 +00:00
Dion Hulse
bb8ba86ed1 Revert [34922] pending PHP 5.2 compatibility.
See #28633

Built from https://develop.svn.wordpress.org/trunk@34924


git-svn-id: http://core.svn.wordpress.org/trunk@34889 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-08 00:17:24 +00:00
Dion Hulse
0e322469a6 Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.
`random_compat` offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing `wp_rand()` functionality as a fallback for when no proper CSPRNG exists on the system.

Props sarciszewski
See #28633

Built from https://develop.svn.wordpress.org/trunk@34922


git-svn-id: http://core.svn.wordpress.org/trunk@34887 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-08 00:02:24 +00:00
Jeremy Felt
9926983b66 Revert [34778], continue using _site_option() for the current network.
The `_network_option()` parameter order will be changing to accept `$network_id` first. The `_site_option()` functions will remain in use throughout core as our way of retrieving a network option for the current network.

See #28290.

Built from https://develop.svn.wordpress.org/trunk@34912


git-svn-id: http://core.svn.wordpress.org/trunk@34877 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-07 17:11:25 +00:00
Jeremy Felt
54512d64cb MS: Use *_network_option() functions throughout core.
Replaces all uses of `*_site_option()` with the corresponding "network" function.

This excludes one usage in `wp-admin/admin-footer.php` that needs more investigation.

Props spacedmonkey.
See #28290.

Built from https://develop.svn.wordpress.org/trunk@34778


git-svn-id: http://core.svn.wordpress.org/trunk@34743 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-10-02 19:08:26 +00:00
Scott Taylor
84da11d918 Pass false as the 2nd argument to class_exists() to disable autoloading and to not cause problems for those who define __autoload().
Fixes #20523.

Built from https://develop.svn.wordpress.org/trunk@34348


git-svn-id: http://core.svn.wordpress.org/trunk@34312 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-20 03:52:25 +00:00
Scott Taylor
956f076095 After [34160], also upgrade objects passed to get_avatar().
See #32619.


Built from https://develop.svn.wordpress.org/trunk@34244


git-svn-id: http://core.svn.wordpress.org/trunk@34208 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-16 17:34:24 +00:00
Sergey Biryukov
15b69a0862 Docs: Fix some syntactical issues with the DocBlock for wp_mail_failed action, introduced in [34221].
Fixes #18926.
Built from https://develop.svn.wordpress.org/trunk@34239


git-svn-id: http://core.svn.wordpress.org/trunk@34203 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-16 15:13:26 +00:00
Aaron Jorbin
1bd52ae1aa Fire Action when mail exception is thrown.
new action is wp_mail_failed which contains a WP_Error object with the phpmailerException code, message and an array with the mail information. Plugins can hook in and log when mails fail to send due to a phpmailer issue.

Props soulseekah
Fixes #18926


Built from https://develop.svn.wordpress.org/trunk@34221


git-svn-id: http://core.svn.wordpress.org/trunk@34185 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-15 23:51:23 +00:00
Scott Taylor
b1bc8a6522 More comment functions can accept a full object instead of comment_ID to reduce cache/db lookups.
See ##33638.


Built from https://develop.svn.wordpress.org/trunk@34129


git-svn-id: http://core.svn.wordpress.org/trunk@34097 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 21:40:24 +00:00
Boone Gorges
ef474c6970 Accept 'ID' as a valid $field in get_user_by().
We already accept 'id'. `ID` more closely matches the database and
`WP_User` schemas.

Props Shelob9.
Fixes #33869.
Built from https://develop.svn.wordpress.org/trunk@34125


git-svn-id: http://core.svn.wordpress.org/trunk@34093 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 18:58:26 +00:00
Dominik Schilling
4af3a3374e Passwords: Deprecate second parameter of wp_new_user_notification().
The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.

Adds unit tests.

Props kraftbj, adamsilverstein, welcher, ocean90.
Fixes #33654.

(Don't ask for new pluggables kthxbye)
Built from https://develop.svn.wordpress.org/trunk@34116


git-svn-id: http://core.svn.wordpress.org/trunk@34084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 12:43:26 +00:00
Boone Gorges
b62bcef1b1 Send password-change email notifications via hook.
`wp_password_change_notification()` is now called at the 'after_password_reset'
action, rather than being invoked directly from the `reset_password()` function.

In order to make it possible to call `wp_password_change_notification()` as a
`do_action()` callback, the function signature has to be changed so that the
`$user` parameter is expected to be a value rather than a reference. Since
PHP 5.0, objects are passed by reference, so `&$user` was unnecessary anyway.

Props dshanske, thomaswm.
See #33587.
Built from https://develop.svn.wordpress.org/trunk@34107


git-svn-id: http://core.svn.wordpress.org/trunk@34075 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-14 02:45:25 +00:00
Dominik Schilling
a03488dbf6 Users: Import the global var $wp_hasher in wp_new_user_notification().
Adds `@global` entries to the DocBlock.

Fixes #33826.
Built from https://develop.svn.wordpress.org/trunk@34052


git-svn-id: http://core.svn.wordpress.org/trunk@34020 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 19:10:26 +00:00
Scott Taylor
db4f22bfb5 After [33961], pass $comment to get_comment_link() where possible to avoid extra cache/db lookups.
See #33638.

Built from https://develop.svn.wordpress.org/trunk@34042


git-svn-id: http://core.svn.wordpress.org/trunk@34010 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 06:21:25 +00:00
Scott Taylor
4465a83b95 After [34015], handle orphaned comments in the Dashboard comments widget. Pass full $comment versus just passing the comment ID when possible.
See #33710.

Built from https://develop.svn.wordpress.org/trunk@34038


git-svn-id: http://core.svn.wordpress.org/trunk@34006 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 05:56:24 +00:00
Scott Taylor
e73ee5ac98 Introduce WP_Comment class to model/strongly-type rows from the comments database table. Inclusion of this class is a pre-req for some more general comment cleanup and sanity.
* Takes inspiration from `WP_Post` and adds sanity to comment caching. 
* Clarifies when the current global value for `$comment` is returned. The current implementation in `get_comment()` introduces side effects and an occasion stale global value for `$comment` when comment caches are cleaned.
* Strongly-types `@param` docs
* This class is marked `final` for now

Props wonderboymusic, nacin.

See #32619.

Built from https://develop.svn.wordpress.org/trunk@33891


git-svn-id: http://core.svn.wordpress.org/trunk@33860 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-03 18:17:24 +00:00
Drew Jaynes
cf7694717b Docs: Clarify the DocBlock summary for wp_create_nonce() to mention that nonce-creation is also now dependent on user tokens, as of [29221].
Also adds a changelog entry for when user tokens were introduced into the nonce-creation process.

Props ericlewis
Fixes #33636.

Built from https://develop.svn.wordpress.org/trunk@33827


git-svn-id: http://core.svn.wordpress.org/trunk@33795 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-31 20:50:20 +00:00
Helen Hou-Sandí
1f500055a6 Drop the hyphen from e-mail and standardize on email.
The AP Stylebook changed this in 2011, and we're woefully inconsistent, so let's go with the standard.

props morganestes, voldemortensen, niallkennedy (for patching on the previous AP style).
fixes #26156.

Built from https://develop.svn.wordpress.org/trunk@33774


git-svn-id: http://core.svn.wordpress.org/trunk@33742 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-28 03:17:21 +00:00
Sergey Biryukov
1f4ae40c03 Add 'wp_verify_nonce_failed' action that fires when nonce verification fails.
props johnbillion, garza, Shelob9.
fixes #24030.
Built from https://develop.svn.wordpress.org/trunk@33744


git-svn-id: http://core.svn.wordpress.org/trunk@33712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-26 00:06:21 +00:00
Sergey Biryukov
b34af5586a Fire the check_ajax_referer action on failure as well as success.
See [33017] for `check_admin_referer`.

props egill.
fixes #33342.
Built from https://develop.svn.wordpress.org/trunk@33743


git-svn-id: http://core.svn.wordpress.org/trunk@33711 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 23:25:21 +00:00
Scott Taylor
ef87172270 foreach is a statement, not a function.
See #33491.

Built from https://develop.svn.wordpress.org/trunk@33734


git-svn-id: http://core.svn.wordpress.org/trunk@33702 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-25 20:28:22 +00:00
Scott Taylor
5510b519f5 In wp_sanitize_redirect(), don't eat @ characters. According to RFC 3986, "@" is a perfectly valid character in a URL path or query string.
Adds unit test.

Props markjaquith.
Fixes #18818.

Built from https://develop.svn.wordpress.org/trunk@33707


git-svn-id: http://core.svn.wordpress.org/trunk@33674 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-22 17:05:24 +00:00
Drew Jaynes
bec5bcf717 Docs: Mark the $notify parameter in the DocBlock for wp_new_user_notification() as optional, and provide additional context on the difference between the accepted values.
See [33620] and [33023] for background.

See #32246.

Built from https://develop.svn.wordpress.org/trunk@33664


git-svn-id: http://core.svn.wordpress.org/trunk@33631 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-20 18:26:26 +00:00
Konstantin Obenland
e6bc6242ad Passwords: Restore second parameter for wp_new_user_notification().
After [33023] users would always be notified, this restores previous behavior.

Props markjaquith, ocean90.
Fixes #33358.


Built from https://develop.svn.wordpress.org/trunk@33620


git-svn-id: http://core.svn.wordpress.org/trunk@33587 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-08-17 14:25:27 +00:00
Konstantin Obenland
7e3f0cf45e Passwords: New UI for install screen.
Also synchronises the use of `pw_weak` as an input name and removes trailing
periods from checkbox labels.

Props MikeHansenMe, adamsilverstein, obenland.
See #32589.


Built from https://develop.svn.wordpress.org/trunk@33246


git-svn-id: http://core.svn.wordpress.org/trunk@33218 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 22:22:24 +00:00
Drew Jaynes
92d342f0d2 Fix the parameter description syntax in the hook docs for the wp_safe_redirect_fallback filter, added in 4.3.
See #32891.

Built from https://develop.svn.wordpress.org/trunk@33233


git-svn-id: http://core.svn.wordpress.org/trunk@33205 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-13 21:46:25 +00:00
Mark Jaquith
423a1a7ca4 New password change/set UI.
* Generate the password for the user
* More tightly integrate password strength meter
* Warn on weak passwords

see #32589

props MikeHansenMe, adamsilverstein, binarykitten
Built from https://develop.svn.wordpress.org/trunk@33023


git-svn-id: http://core.svn.wordpress.org/trunk@32994 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-01 14:48:24 +00:00
Helen Hou-Sandí
275bff1895 Fire the check_admin_referer action on failure as well as success.
This enables things like logging nonce failures in the admin.

props markjaquith.
fixes #32207.

Built from https://develop.svn.wordpress.org/trunk@33017


git-svn-id: http://core.svn.wordpress.org/trunk@32988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-07-01 03:37:23 +00:00
Sergey Biryukov
74c7f59bb2 Revert [32702]. The URL may not have an s parameter as there are filters in place so that a plugin can return a URL with a completely different structure.
see #32572.
Built from https://develop.svn.wordpress.org/trunk@32969


git-svn-id: http://core.svn.wordpress.org/trunk@32940 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-27 08:35:24 +00:00
Scott Taylor
f23199caaa Remove the whois.arin.net link from wp_notify_postauthor() and wp_notify_moderator().
Also, remove from `edit-form-comment.php` and add a new filter: `edit_comment_misc_actions`. 

Props ozh, joedolson, rachelbaker.
Fixes #15281.

Built from https://develop.svn.wordpress.org/trunk@32929


git-svn-id: http://core.svn.wordpress.org/trunk@32900 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-24 20:56:27 +00:00
Scott Taylor
5c6b63d3a6 if is a statment, not a function.
See #32444.

Built from https://develop.svn.wordpress.org/trunk@32800


git-svn-id: http://core.svn.wordpress.org/trunk@32771 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-16 20:01:25 +00:00
Dion Hulse
2b2368d68f Add a filter to wp_safe_redirect() for the fallback URL.
Props anubisthejackle. Fixes #22612

Built from https://develop.svn.wordpress.org/trunk@32793


git-svn-id: http://core.svn.wordpress.org/trunk@32764 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-16 05:26:26 +00:00
Scott Taylor
f888767c73 $status shouldn't be loosely compared to true in wp_xmlrpc_server::wp_deleteComment().
`$initial` shouldn't be loosely compared to `true` in `get_calendar()`.
`current_user_can()` shouldn't be loosely compared to `false` in `kses_init()`
`$get_all` shouldn't be loosely compared to `true` in `get_blog_details()`.
`is_array()` and `in_array()` shouldn't be loosely compared in `wpmu_validate_user_signup()`.
`$result` should by strictly compared in `check_ajax_referer()`.
`wp_verify_nonce()` should by strictly compared in `_show_post_preview()`.
`is_user_logged_in()` should not be loosly compared against `false` in `wp-signup.php`.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32733


git-svn-id: http://core.svn.wordpress.org/trunk@32704 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-12 17:48:26 +00:00
Sergey Biryukov
c9dd28908a In get_avatar(), avoid a second get_avatar_data() call to get the 2x URL.
props ravinderk.
fixes #32572.
Built from https://develop.svn.wordpress.org/trunk@32702


git-svn-id: http://core.svn.wordpress.org/trunk@32672 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-07 14:58:26 +00:00
Boone Gorges
f88996bed7 In wp_notify_moderator(), don't throw notice when comment belongs to a post with no author.
Props Oxymoron.
Fixes #32566.
Built from https://develop.svn.wordpress.org/trunk@32692


git-svn-id: http://core.svn.wordpress.org/trunk@32662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-06-04 17:29:25 +00:00
Scott Taylor
26554549c7 Add missing doc blocks for pluggable.php.
Correct some `@return` values.
`is_user_logged_in()` can simply return the `->exists()` call instead of if/else'ing true/false.

See #32444.

Built from https://develop.svn.wordpress.org/trunk@32614


git-svn-id: http://core.svn.wordpress.org/trunk@32584 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-27 15:32:26 +00:00
John Blackbourn
bb02256966 Introduce a $token argument to wp_set_auth_cookie() so session tokens can be reused by custom authentication implementations.
Props rmccue

Fixes 30247

Built from https://develop.svn.wordpress.org/trunk@32465


git-svn-id: http://core.svn.wordpress.org/trunk@32435 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-09 00:28:27 +00:00
Gary Pendergast
7ca423d449 The UTF-8 regex can occasionally fail on very low memory machines. Reduce the amount of memory it uses.
See #32204.


Built from https://develop.svn.wordpress.org/trunk@32375


git-svn-id: http://core.svn.wordpress.org/trunk@32345 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-05-06 06:58:24 +00:00