This changeset ensures the `user_activation_key` is flushed after successful login, so reset password links can not be used anymore after the user successfully log into their dashboard.
Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya.
Fixes#58901.
See #32429
Built from https://develop.svn.wordpress.org/trunk@58333
git-svn-id: http://core.svn.wordpress.org/trunk@57789 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Any usage of `'who' => 'authors'` should be updated to use capability queries instead.
Includes documenting the capability query parameters in `wp_dropdown_users()`.
Follow-up to [51943].
Props kkmuffme, swissspidy, SergeyBiryukov.
See #61243.
Built from https://develop.svn.wordpress.org/trunk@58172
git-svn-id: http://core.svn.wordpress.org/trunk@57635 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset introduces two functions:
* `wp_is_serving_rest_request()` returns a boolean for whether WordPress is serving an actual REST API request.
* `wp_is_rest_endpoint()` returns a boolean for whether a WordPress REST API endpoint is currently being used. While this is always the case if `wp_is_serving_rest_request()` returns `true`, the function additionally covers the scenario of internal REST API requests, i.e. where WordPress calls a REST API endpoint within the same request.
Both functions should only be used after the `parse_request` action.
All relevant manual checks have been adjusted to use one of the new functions, depending on the use-case. They were all using the same constant check so far, while in fact some of them were intending to check for an actual REST API request while others were intending to check for REST endpoint usage.
A new filter `wp_is_rest_endpoint` can be used to alter the return value of the `wp_is_rest_endpoint()` function.
Props lots.0.logs, TimothyBlynJacobs, flixos90, joehoyle, peterwilsoncc, swissspidy, SergeyBiryukov, pento, mikejolley, iandunn, hellofromTonya, Cybr, petitphp.
Fixes#42061.
Built from https://develop.svn.wordpress.org/trunk@57312
git-svn-id: http://core.svn.wordpress.org/trunk@56818 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This is a micro-optimization that removes a few unnecessary function calls.
Follow-up to [31188], [34369], [38986], [41159], [43211], [43230], [44606], [45757].
Props ayeshrajans, jrf, rajinsharwar, costdev, mukesh27, SergeyBiryukov.
Fixes#58943.
Built from https://develop.svn.wordpress.org/trunk@56352
git-svn-id: http://core.svn.wordpress.org/trunk@55864 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This also introduces `wp_is_password_reset_allowed_for_user()` which returns `false` when password reset is not allowed for a specific user. This can be
filtered by developers using the existing `allow_password_reset` hook.
Props ocean90, cshark, robinwpdeveloper, tahmina1du, kraftbj.
Fixes#58194.
Built from https://develop.svn.wordpress.org/trunk@56150
git-svn-id: http://core.svn.wordpress.org/trunk@55662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` and `str_ends_with()` were introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins or ends with the given substring (needle).
WordPress core includes a polyfill for these functions on PHP < 8.0 as of WordPress 5.9.
This commit uses `str_starts_with()` and `str_ends_with()` in core files where appropriate:
* `$needle === substr( $string, 0, $length )`, where `$length` is the length of `$needle`, is replaced with `str_starts_with( $haystack, $needle )`.
* `$needle === substr( $string, $offset )`, where `$offset` is negative and the absolute value of `$offset` is the length of `$needle`, is replaced with `str_ends_with( $haystack, $needle )`.
This aims to make the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987], [55988].
Props Soean, spacedmonkey, Clorith, ocean90, azaozz, sabernhardt, SergeyBiryukov.
Fixes#58220.
Built from https://develop.svn.wordpress.org/trunk@55990
git-svn-id: http://core.svn.wordpress.org/trunk@55502 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [36566] a framework to lazily load metadata was introduced. This supported term and comment meta by default. In this commit, extends support for site ( blog ) meta. Site meta is not heavily used by core and is used by developers to extend multisite. In this change, `_prime_site_caches` and `WP_Site_Query` now call the new function `wp_lazyload_site_meta`. The function `wp_lazyload_site_meta` accepts an array of ids and adds them to the queue of metadata to be lazily loaded. The function `get_blogs_of_user` was updated to now lazily load site meta.
Follow on from [55671].
Props spacedmonkey, johnjamesjacoby, peterwilsoncc, mukesh27.
Fixes#58185.
Built from https://develop.svn.wordpress.org/trunk@55747
git-svn-id: http://core.svn.wordpress.org/trunk@55259 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_starts_with()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) begins with the given substring (needle).
WordPress core includes a polyfill for `str_starts_with()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `0 === strpos( ... )` with `str_starts_with()` in core files, making the code more readable and consistent, as well as improving performance.
While `strpos()` is slightly faster than the polyfill on PHP < 8.0, `str_starts_with()` is noticeably faster on PHP 8.0+, as it is optimized to avoid unnecessarily searching along the whole haystack if it does not find the needle.
Follow-up to [52039], [52040], [52326].
Props spacedmonkey, costdev, sabernhardt, mukesh27, desrosj, jorbin, TobiasBg, ayeshrajans, lgadzhev, SergeyBiryukov.
Fixes#58012.
Built from https://develop.svn.wordpress.org/trunk@55703
git-svn-id: http://core.svn.wordpress.org/trunk@55215 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a helper function called `wp_cache_set_last_changed` to set the last changed value for cache groups. This function has a new action called `wp_cache_set_last_changed`, allowing for developers to cache invalidate when last changed value is changed.
Props tillkruess, spacedmonkey, peterwilsoncc, mukesh27, johnjamesjacoby.
Fixes#57905.
Built from https://develop.svn.wordpress.org/trunk@55702
git-svn-id: http://core.svn.wordpress.org/trunk@55214 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Cache the results of database queries within `WP_User_Query` class. Only cache queries that are requesting 3 or less fields so that caches are not storing full user objects. Cache results are stored in a new global cache group named `users-queries`. Add a new parameter to `WP_User_Query` called `cache_results` to allow developers to opt out of a receiving cached results. `cache_results` parameter defaults to true. Also add a new helper function called `wp_cache_set_users_last_changed`, similar to `wp_cache_set_posts_last_changed` that incroments last changed value in cache group `users`. Ensure that `wp_cache_set_users_last_changed` is called whenever user / user meta is modified for proper cache invalidation.
Props johnjamesjacoby, spacedmonkey, westi, dd32, strategio, srikanthmeenakshi, OllieJones, khoipro, rjasdfiii, flixos90, mukesh27, peterwilsoncc.
Fixes#40613.
Built from https://develop.svn.wordpress.org/trunk@55657
git-svn-id: http://core.svn.wordpress.org/trunk@55169 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This reverts the changes implemented in [55358] and [55360].
Changeset [55358] was committed to prevent login name collision when one user registers with the email address `user@example.com` and a second user tries to register with the username `user@example.com`. However, it also introduced a potential backward compatibility issues for plugins that use `wp_update_user()`. When updating an existing user, it throws an `existing_user_email_as_login` error if the email address is also used for the user login, due to the code introduced in [55358].
This changeset removes the new scenario added in [55358] and [55360], restoring the `wp_insert_user()` function back to its previous state.
Props polevaultweb, audrasjb, costdev, peterwilsoncc, hellofromTonya, SergeyBiryukov, azaozz.
See #57967, #57394.
Built from https://develop.svn.wordpress.org/trunk@55584
git-svn-id: http://core.svn.wordpress.org/trunk@55096 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a regression introduced in [41163], where the link in change confirmation emails for users with no roles in a multisite install was incorrect, causing them to be unable to change their email address. This changeset replaces `admin_url()` with `self_admin_url()` to restore the previous fix.
Follow-up to [38876], [40632], [41165], [41163].
Props roytanck, SergeyBiryukov, johnbillion, afrin29.
Fixes#57164.
Built from https://develop.svn.wordpress.org/trunk@55396
git-svn-id: http://core.svn.wordpress.org/trunk@54929 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The `$credentials['user_login']` and `$credentials['user_password']` parameters are passed by reference to the `wp_authenticate` action, and are at that point [https://www.php.net/manual/en/language.references.pass.php#124383 created as null] if they don't exist in the array.
This commit sets those values to an empty string, resolving two PHP 8.1 deprecation notices:
* One from `preg_replace()` in `wp_strip_all_tags()` via `sanitize_user()` in `wp_authenticate()`:
{{{
Deprecated: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
}}}
* One from `trim()` in `wp_authenticate()` itself:
{{{
Deprecated: trim(): Passing null to parameter #1 ($string) of type string is deprecated
}}}
Includes documenting the `$credentials` parameter using hash notation.
Follow-up to [6643], [37697].
Props lenasterg, TobiasBg, ocean90, afragen, lkraav, SergeyBiryukov.
Fixes#56850.
Built from https://develop.svn.wordpress.org/trunk@55301
git-svn-id: http://core.svn.wordpress.org/trunk@54834 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This new function makes it easier to switch to a specific user’s locale by reducing duplicate code and storing the user’s ID as additional context for plugins to consume. Existing usage of `switch_to_locale()` in core has been replaced with `switch_to_user_locale()` where appropriate.
Also, this change ensures `WP_Locale_Switcher` properly filters `determine_locale` so that anyyone using the `determine_locale()` function will get the correct locale information when switching is in effect.
Props costdev.
Fixes#57123.
See #26511.
Built from https://develop.svn.wordpress.org/trunk@55161
git-svn-id: http://core.svn.wordpress.org/trunk@54694 1a063a9b-81f0-0310-95a4-ce76da25c4cd
While using reserved PHP keywords as parameter name labels is allowed, in the context of function calls using named parameters in PHP 8.0+, this will easily lead to confusion. To avoid that, it is recommended not to use reserved keywords as function parameter names.
This commit renames the `$global` parameter to `$is_global` in:
* `update_user_option()`
* `delete_user_option()`
Follow-up to [52946], [52996], [52997], [52998], [53003], [53014], [53029], [53039], [53116], [53117], [53137], [53174], [53184], [53185], [53192], [53193], [53198], [53203], [53207], [53215], [53216], [53220], [53230], [53232], [53236], [53239], [53240], [53242], [53243], [53245], [53246], [53257], [53269], [53270], [53271], [53272], [53273], [53274], [53275], [53276], [53277], [53281], [53283], [53284], [53285], [53287], [53364], [53365], [54927], [54929], [54930], [54931], [54932], [54933], [54938], [54943], [54944], [54945], [54946], [54947], [54948], [54950], [54951], [54952], [54956], [54959], [54960], [54961], [54962], [54964], [54965], [54969], [54970], [54971], [54972], [54996], [55000], [55011], [55013], [55014].
Props jrf, aristath, poena, justinahinon, SergeyBiryukov.
See #56788.
Built from https://develop.svn.wordpress.org/trunk@55015
git-svn-id: http://core.svn.wordpress.org/trunk@54548 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Unlike other clean cache functions like `clean_post_cache`, `clean_user_cache` did not also clear user meta caches. This is inconsistent and can result in some strange side effects. Update the `clean_user_cache` function to also clear user meta caches when called.
Props dd32, spacedmonkey, peterwilsoncc.
Fixes#54316.
Built from https://develop.svn.wordpress.org/trunk@54940
git-svn-id: http://core.svn.wordpress.org/trunk@54492 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This ensures that sending a password reset link works as expected if the user's login and email were initially the same, but the email address was subsequently updated and no longer matches the login, which is still set to the old address.
Follow-up to [6643], [18513], [19056], [37474], [50129], [50140].
Props donmhico, pbearne, azouamauriac, boblindner, daxelrod, audrasjb, SergeyBiryukov.
Fixes#53634.
Built from https://develop.svn.wordpress.org/trunk@54477
git-svn-id: http://core.svn.wordpress.org/trunk@54036 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The user meta `context` property in `wp_register_persisted_preferences_meta()` was incorrectly configured. It should be part of the `schema` array, not the `show_in_rest` array.
Follow-up to [54182].
Props talldanwp, dd32.
Fixes#56665. See #56467.
Built from https://develop.svn.wordpress.org/trunk@54329
git-svn-id: http://core.svn.wordpress.org/trunk@53888 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit adds three filters to customize the `wp_list_authors()` and `wp_list_users()` output:
* `wp_list_authors_args`: Filters the query arguments for the list of all authors of the site.
* `pre_wp_list_authors_post_counts_query`: Filters whether to short-circuit performing the query for author post counts. This may be useful to account for custom post types or post statuses.
* `wp_list_users_args`: Filters the query arguments for the list of all users of the site.
Follow-up to [979], [3848], [5135], [5727], [31653], [52064], [53486], [53501].
Props kevinB, wonderboymusic, DrewAPicture, Mte90, audrasjb, rafiahmedd, costdev, nacin, afercia, chetan200891, hellofromTonya, TimothyBlynJacobs, chaion07, SergeyBiryukov.
Fixes#17025.
Built from https://develop.svn.wordpress.org/trunk@54262
git-svn-id: http://core.svn.wordpress.org/trunk@53821 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Adds a new feature to persist editor UI preferences between page loads and browsers.
* Adds a new preferences persistence API.
* Saves editor preferences in user meta instead of in browser's local storage.
Why?
Due to the transient nature of browser storage, this persistence is not as sticky as it is expected to be, including: switching browsers (unique storage between browsers), or using private browsing tabs (storage cleared between sessions), or the same user across a network of sites (storage unique by domain).
This is a backport from Gutenberg.[https://github.com/WordPress/gutenberg/pull/39795 See WordPress/gutenberg PR 39795].
Props talldanwp, youknowriad, noisysocks, mamaduka, costdev, ironprogrammer, hellofromTonya.
See #56467.
Built from https://develop.svn.wordpress.org/trunk@54182
git-svn-id: http://core.svn.wordpress.org/trunk@53741 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Some plugins may call the `wp_cache_*()` functions with an empty string, `false`, or `null` as cache key, usually as a result of not checking the return value of another function that's used as the key.
Previously, this was silently failing, leading to odd behavior at best and often breakage due to key collisions.
A valid cache key must be either an integer number or a non-empty string.
This commit introduces a quick type check on the given cache keys and adds a `_doing_it_wrong()` message that should help plugin developers to notice these issues quicker.
Includes:
* A check in `update_user_caches()` and `clean_user_cache()` to make sure user email is not empty before being cached or removed from cache, as it is technically possible to create a user with empty email via `wp_insert_user()`.
* Some minor cleanup in unit tests where the email was passed to `wp_insert_user()` incorrectly or was unintentionally reset.
Props tillkruess, malthert, dd32, spacedmonkey, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#56198.
Built from https://develop.svn.wordpress.org/trunk@53818
git-svn-id: http://core.svn.wordpress.org/trunk@53377 1a063a9b-81f0-0310-95a4-ce76da25c4cd
That allows locales to switch the order of the first name and last name, should they prefer to do so.
The string was previously used in `wp_insert_user()` and is now reused in other places for consistency:
* `WP_MS_Users_List_Table::column_name()`
* `WP_Users_List_Table::column_name()`
* `wp_list_authors()`
* `wp_list_users()`
Note: This also removes the `wp_list_author_full_name` filter, introduced for the same purpose in `wp_list_authors()`, as redundant for now.
Follow-up to [53486].
See #17025.
Built from https://develop.svn.wordpress.org/trunk@53501
git-svn-id: http://core.svn.wordpress.org/trunk@53090 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
For consistency with some similar filters like `send_password_change_email` or `send_email_change_email`, and for more flexibility, pass `$user_login` and `$user_data` parameters directly to the new `send_retrieve_password_email` and `retrieve_password_notification_email` filters.
Follow-up to [52604], [52605], [52606], [52607].
Props SergeyBiryukov, costdev, peterwilsoncc.
Fixes#54690.
Built from https://develop.svn.wordpress.org/trunk@53178
git-svn-id: http://core.svn.wordpress.org/trunk@52767 1a063a9b-81f0-0310-95a4-ce76da25c4cd