Changeset 10578
- Timestamp:
- 01/14/2021 05:44:38 AM (4 years ago)
- File:
-
- 1 edited
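--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-hooks.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-hooks.php
@@ -128,4 +128,7 @@
 // Add a no-reply-to-email suggestion to topic subscription emails
 add_filter( 'bbp_subscription_mail_message', array( $this, 'bbp_subscription_mail_message'), 5, 3 );
+
+// Break users sessions / passwords when they get blocked.
+add_action( 'bbp_set_user_role', array( $this, 'user_blocked_password_handler' ), 10, 3 );
 }
 
@@ -1279,3 +1282,59 @@
 return $message;
 }
+
+/**
+* Catch a user being blocked / unblocked and set their password appropriately.
+*/
+public function user_blocked_password_handler( $new_role, $user_id, \WP_User $user ) {
+global $wpdb;
+
+// ~~~ is a reset password on WordPress.org. Let's ignore those.
+if ( '~~~' === $user->user_pass ) {
+return;
+}
+
+// bbPress 1.x used `{$user_pass}---{$secret}` while we're using the reverse here.
+// This is to ensure that anything that uses the password hash as part of a cookie no longer validates.
+$blocked_prefix = 'BLOCKED' . substr( wp_hash( 'bb_break_password' ), 0, 13 ) . '---';
+$blocked_role = bbp_get_blocked_role();
+$password_broken = ( 0 === strpos( $user->user_pass, $blocked_prefix ) );
+
+if ( $blocked_role === $new_role && ! $password_broken ) {
+// User has been blocked, break their password and sessions.
+// WordPress doesn't have a way to edit a user password without re-hashing it.
+$wpdb->update(
+$wpdb->users,
+array(
+'user_pass' => $blocked_prefix . $user->user_pass,
+),
+array(
+'ID' => $user->ID
+)
+);
+
+clean_user_cache( $user );
+
+// Destroy all of their WordPress sessions.
+$manager = \WP_Session_Tokens::get_instance( $user->ID );
+$manager->destroy_all();
+
+} else if (
+$password_broken &&
+! $user->has_role( $blocked_role )
+) {
+// User was blocked (broken password) but no longer is.
+// WordPress doesn't have a way to edit a user password without re-hashing it.
+$wpdb->update(
+$wpdb->users,
+array(
+'user_pass' => substr( $user->user_pass, strlen( $blocked_prefix ) ),
+),
+array(
+'ID' => $user->ID
+)
+);
+
+clean_user_cache( $user );
+}
+}
 }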
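Review bot: In the unblock branch of `user_blocked_password_handler()`, the test `! $user->has_role( $blocked_role )` probably never evaluates to false: core `WP_User` has no `has_role()` method that I know of, and its `__call()` fallback returns false for unknown methods, so unless something outside this hunk provides one, the branch fires whenever the password is already broken. In that case a `bbp_set_user_role` call that assigns the blocked role again to an already-blocked user would strip the prefix and restore a working password hash. Comparing against the incoming role, as the block branch already does, avoids this: `} else if ( $password_broken && $blocked_role !== $new_role ) {`. Separately, the early return for `'~~~'` also skips `destroy_all()`, so a user blocked while holding a reset password keeps any existing session tokens. Neither `$wpdb->update()` result is checked, so a failed write would leave the account state unchanged without any signal.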