On the profile edit screen in ``wp-admin, the username was previously displayed using an input field with the `disabled` attribute. This field was skipped by screen readers, which leads to a loss of information for visually impaired users. This changeset switches it to a `readonly` attribute, which is exactly the purpose of this field.
Props roytanck, audrasjb, rajinsharwar, joedolson.
Fixes#60774.
Built from https://develop.svn.wordpress.org/trunk@58280
git-svn-id: http://core.svn.wordpress.org/trunk@57740 1a063a9b-81f0-0310-95a4-ce76da25c4cd
The way `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET` values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input.
This change removes the few places where `wp_reset_vars()` is used in the admin to explicitly use `$_REQUEST` and sanitize any input.
Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen.
Fixes#38073.
Built from https://develop.svn.wordpress.org/trunk@58069
git-svn-id: http://core.svn.wordpress.org/trunk@57534 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In a handful of admin notices, a `tabindex` attribute is set so that JS can move focus to the notice `div`. Rather than adding `tabindex` to globally accepted attributes for `wp_kses_post()`, move the assignment of `tabindex` into the JS handlers that display those notices. The attribute is only relevant if JS is running, so there is no reason to add it in the original HTML notice.
Follow up to [56408], [56409], [56410], [56518], [56570], [56571], [56572], [56573], [56576], [56589], [56590], [56597], [56599], [56600], [56601].
Props costdev, joedolson.
See #57791.
Built from https://develop.svn.wordpress.org/trunk@56602
git-svn-id: http://core.svn.wordpress.org/trunk@56114 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add additional usage of `wp_admin_notice()` in `wp-admin/` on `.error` and miscellaneous usages previously overlooked.
Follow up to [56408], [56409], [56410], [56518], [56570], [56571], [56572], [56573], [56576], [56589], [56590], [56597], [56599].
Props costdev, joedolson.
See #57791.
Built from https://develop.svn.wordpress.org/trunk@56600
git-svn-id: http://core.svn.wordpress.org/trunk@56112 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This also introduces `wp_is_password_reset_allowed_for_user()` which returns `false` when password reset is not allowed for a specific user. This can be
filtered by developers using the existing `allow_password_reset` hook.
Props ocean90, cshark, robinwpdeveloper, tahmina1du, kraftbj.
Fixes#58194.
Built from https://develop.svn.wordpress.org/trunk@56150
git-svn-id: http://core.svn.wordpress.org/trunk@55662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a show/hide toggle for new passwords in initial user creation and database access during install and setup process using the same model as on user profiles. Add a new password toggle script. Change setup config table to two columns, matching the install table layout.
Props xmarcos, matt, markjaquith, nazgul, akbigdog, intoxination, rob1n, MichaelH, empireoflight, rmccue, markoheijnen, r0uter, amansurov, bi0xid, DrewAPicture, Narthur, wpnook, markparnell, costdev, clorith, ryokuhi, sabernhardt, bgoewert, ironprogrammer, adeltahri, joedolson, mukesh27, audrasjb, sergeybiryukov.
Fixes#3534.
Built from https://develop.svn.wordpress.org/trunk@56008
git-svn-id: http://core.svn.wordpress.org/trunk@55520 1a063a9b-81f0-0310-95a4-ce76da25c4cd
`str_contains()` was introduced in PHP 8.0 to perform a case-sensitive check indicating if the string to search in (haystack) contains the given substring (needle).
WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
This commit replaces `false !== strpos( ... )` with `str_contains()` in core files, making the code more readable and consistent, as well as better aligned with modern development practices.
Follow-up to [52039], [52040], [52326], [55703], [55710], [55987].
Props Soean, spacedmonkey, costdev, dingo_d, azaozz, mikeschroder, flixos90, peterwilsoncc, SergeyBiryukov.
Fixes#58206.
Built from https://develop.svn.wordpress.org/trunk@55988
git-svn-id: http://core.svn.wordpress.org/trunk@55500 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This hidden field added in [24552] to fix an issue with Chrome that was ignoring `autocomplete="off"` in `<input>`, by using a hidden, non-named, non-empty
input right before the password field. However this input was only hidden via CSS and didn't have any label, which is considered as an accessibility issue.
This changeset replaces `class="hidden"` with `type="hidden"` to properly indicate to user agents that it is an hidden field.
Follow-up to [24552].
Props smit08, audrasjb, sabernhardt, ryokuhi, tushar284, ashikurwp, siddhantwadhwani, pavanpatil1.
Fixes#56776.
--Cette ligne, et les suivantes
ci-dessous, seront ignorées--
M trunk/src/wp-admin/user-edit.php
M trunk/src/wp-admin/user-new.php
Built from https://develop.svn.wordpress.org/trunk@55892
git-svn-id: http://core.svn.wordpress.org/trunk@55404 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This fixes a few WPCS warnings along the lines of:
* Array double arrow not aligned correctly
* Equals sign not aligned with surrounding statements
* Usage of ELSE IF is discouraged; use ELSEIF instead
Follow-up to [55099], [55192], [55194], [55271].
Props davidbaumwald, jrf, SergeyBiryukov.
Fixes#57994.
Built from https://develop.svn.wordpress.org/trunk@55606
git-svn-id: http://core.svn.wordpress.org/trunk@55118 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to provide better context for translators and make it easier to determine that some strings contain hidden accessibility text and are not displayed in the UI.
Props kebbet, mercime, pavelevap, ocean90, swissspidy, Chouby, jipmoors, afercia, desrosj, costdev, audrasjb, SergeyBiryukov.
Fixes#29748.
Built from https://develop.svn.wordpress.org/trunk@55276
git-svn-id: http://core.svn.wordpress.org/trunk@54809 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Up until now, new translations could only be installed via Settings -> General.
When editing the user profile, one could only select locales that were already installed.
This change allows also installing new translations if the editing user has the necessary capabilities.
Props barryceelen, johnbillion, ocean90, swissspidy.
Fixes#38664.
Built from https://develop.svn.wordpress.org/trunk@55099
git-svn-id: http://core.svn.wordpress.org/trunk@54632 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds `spellcheck="false"` attribute to various password fields.
The spellcheck global attribute defines whether the element may be checked for spelling errors. The `false` value indicates that the element should not be checked for spelling errors, which is relevant for a password field.
Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set `spellcheck` attribute to `false` for elements that can contain sensitive information. Which is the case for password fields.
Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes#56763.
Built from https://develop.svn.wordpress.org/trunk@55094
git-svn-id: http://core.svn.wordpress.org/trunk@54627 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changeset adds an anchor in Comments keyboard shortcut documentation links to direct the user to a more specific section of the HelpHub documentation. It also removes `target="_blank" from a link, since preventing data loss when clicking any on User Edit and Comment Edit screens is already handled by another existing ticket (#40493).
Props NekoJonez, SergeyBiryukov, sabernhardt, dennisatyoast, robinwpdeveloper.
Fixes#56920.
Built from https://develop.svn.wordpress.org/trunk@55042
git-svn-id: http://core.svn.wordpress.org/trunk@54575 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This aims to improve performance by calling `sanitize_url()` directly, instead of the `esc_url_raw()` wrapper. As of WordPress 6.1, `sanitize_url()` is the recommended function for sanitizing a URL for database or redirect usage.
Follow-up to [11383], [13096], [51597], [53452].
Props benjgrolleau, peterwilsoncc, SergeyBiryukov.
Fixes#55852.
Built from https://develop.svn.wordpress.org/trunk@53455
git-svn-id: http://core.svn.wordpress.org/trunk@53044 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This changes updates many strings to remove self-references to an undefined "we" collective across the WordPress Administration.
The goal of this change is to better match the guidelines and recommendations set forth in the make/core handbook, specifically:
> the word "we" should be avoided (…) unless its made very clear which group is speaking.
Props johnbillion, shital-patel, audrasjb, marybaum, SergeyBiryukov, peterwilsoncc, johnjamesjacoby, kebbet, costdev, chaion07, davidbaumwald.
Fixes#46057.
Built from https://develop.svn.wordpress.org/trunk@53131
git-svn-id: http://core.svn.wordpress.org/trunk@52720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Previously, the helper text of the application password section was misleading for a Super Admin because an application password for a Super Admin grants access to all sites on the network, not just ones that they are a member of. This changeset provides a slightly different message for Super admin role.
Props johnbillion, rsiddharth, audrasjb.
Fixes#53234
Built from https://develop.svn.wordpress.org/trunk@53101
git-svn-id: http://core.svn.wordpress.org/trunk@52690 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change improves the formatting of `/wp-admin/user-edit.php` to avoid PHPCS failures when adding new code, which previously required new code to be indented multiple times, breaking alignment of the HTML parts. This change avoids disabling/enabling PHPCS for failing sniffs.
Props costdev, johnregan3, peterwilsoncc.
Fixes#54673.
Built from https://develop.svn.wordpress.org/trunk@52820
git-svn-id: http://core.svn.wordpress.org/trunk@52409 1a063a9b-81f0-0310-95a4-ce76da25c4cd
When `add_filter( 'wp_is_application_passwords_available', '__return_false' )` exists, HTTPS requirement message is shown even if HTTPS is enabled on the site. This happens because `wp_is_application_passwords_available_for_user()` first invokes `wp_is_application_passwords_available()` which is filterable. The situation could happen if the `'wp_is_application_passwords_available_for_user'` filter returns `false`.
To fix this, the check for HTTPS (or if in a 'local' environment) is moved to a new function called `wp_is_application_passwords_supported()`. Then the return from this function is used as an OR condition for the Application Passwords section and for displaying the HTTPS required message.
Tests are included for both `wp_is_application_passwords_supported()` and `wp_is_application_passwords_available()`.
Follow-up to [51980], [51988].
Props davidbinda, SergeyBiryukov, ocean90, felipeelia, costdev, hellofromTonya.
Fixes#53658.
Built from https://develop.svn.wordpress.org/trunk@52398
git-svn-id: http://core.svn.wordpress.org/trunk@51990 1a063a9b-81f0-0310-95a4-ce76da25c4cd
* Add missing translators comment.
* Add missing space, correct indentation.
* Put opening and closing PHP tag on a line by itself.
* Remove unnecessary escaping for consistency with other strings.
Follow-up to [51980].
See #53658.
Built from https://develop.svn.wordpress.org/trunk@51988
git-svn-id: http://core.svn.wordpress.org/trunk@51577 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This change intends to avoid confusion around the requirements of the Application Passwords feature, specific to it requiring HTTPS and the `WP_ENVIRONMENT_TYPE` constant.
It does this by conditionally hiding the traditional UI and showing some insightful explanations instead, including a translatable link to the `WP_ENVIRONMENT_TYPE` documentation on the "Editing wp-config.php" support page.
Props ashfame, audrasjb, iluy, johnbillion.
Fixes #53658.
Built from https://develop.svn.wordpress.org/trunk@51980
git-svn-id: http://core.svn.wordpress.org/trunk@51569 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [49294, 49752], the `placeholder` attribute changed to `"WordPress App on My Phone"`. This change causes confusion as the field can be used in a variety of ways and is not limited to a phone.
Given a label exists for each field and clearly identifies its purpose, this commit removes the `placeholder` attribute from the `input` field.
Follow-up to [49109], [49294], [49752].
Props seedsca, audrasjb, joedolson, rehanali.
Fixes#54047.
Built from https://develop.svn.wordpress.org/trunk@51878
git-svn-id: http://core.svn.wordpress.org/trunk@51471 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Fix the enter key in profile form fields moving focus to the application password input instead of submitting the profile update for. Replace the submit button type used for application passwords with `button type="button"` and ensure that the enter key's native behavior isn't overwritten.
props audrasjb, alexstine, promz, sabernhardt.
Fixes#52849.
Built from https://develop.svn.wordpress.org/trunk@51086
git-svn-id: http://core.svn.wordpress.org/trunk@50695 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Add a feature so Admins can send users a 'password reset' email. This doesn't change the password or force a password change. It only emails the user the password reset link.
The feature appears in several places:
* A "Send Reset Link" button on user profile screen.
* A "Send password reset" option in the user list bulk action dropdown.
* A "Send password reset" quick action when hovering over a username in the user list.
Props Ipstenu, DrewAPicture, eventualo, wonderboymusic, knutsp, ericlewis, afercia, JoshuaWold, johnbillion, paaljoachim, hedgefield.
Fixes#34281.
Built from https://develop.svn.wordpress.org/trunk@50129
git-svn-id: http://core.svn.wordpress.org/trunk@49808 1a063a9b-81f0-0310-95a4-ce76da25c4cd
In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.
This commit extracts the Basic Auth check into a reusable function, `wp_is_site_protected_by_basic_auth()`, which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.
In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a `WWW-Authenticate` header to make this detection more robust out of the box.
Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes#52066.
Built from https://develop.svn.wordpress.org/trunk@50006
git-svn-id: http://core.svn.wordpress.org/trunk@49707 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request.
Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.
Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.
Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Fixes#51939.
Built from https://develop.svn.wordpress.org/trunk@49752
git-svn-id: http://core.svn.wordpress.org/trunk@49475 1a063a9b-81f0-0310-95a4-ce76da25c4cd