
Changeset 11301


Timestamp:
11/01/2021 05:23:30 AM (4 years ago)
Author:
dd32
Message:

Support Forums: Don't allow users to attempt to change their email address to a domain that we don't allow to be used.

This prevents users from ending up in a never-ending loop of being unable to change their email address.

File:
1 edited

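--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-users.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-users.php
@@ -30,4 +30,7 @@
         add_filter( 'query_vars',                      array( $this, 'add_query_vars' ) );
         add_action( 'bbp_add_rewrite_rules',           array( $this, 'add_rewrite_rules' ) );
+
+        // Don't allow attempting to set an email to one that is banned-from-use on WordPress.org.
+        add_action( 'bbp_post_request',                array( $this, 'check_email_safe_for_use' ), 0 ); // bbPress is at 1
 
         // Parse user's topic and review queries.
@@ -294,4 +297,36 @@
         add_rewrite_rule( $user_topics_replied_to_rule . $paged_rule, 'index.php?' . $user_id . '=$matches[1]&wporg_single_user_topics_replied_to=1&' . $paged_id . '=$matches[2]', $priority );
         add_rewrite_rule( $user_topics_replied_to_rule . $feed_rule,  'index.php?' . $user_id . '=$matches[1]&wporg_single_user_topics_replied_to=1&' . $feed_id  . '=$matches[2]', $priority );
+    }
+
+    /**
+     * Verify that the a new email is valid for use.
+     *
+     * @param string $action The current action.
+     */
+    function check_email_safe_for_use( $action = '' ) {
+        $user_id    = bbp_get_displayed_user_id();
+        $user_email = bbp_get_displayed_user_field( 'user_email', 'raw' );
+
+        if (
+            // Only on the front-end user edit form, and make sure the request is valid.
+            'bbp-update-user' !== $action ||
+            is_admin() ||
+            empty( $_POST['email'] ) ||
+            ! current_user_can( 'edit_user', $user_id ) ||
+            ! bbp_verify_nonce_request( 'update-user_' . $user_id )
+        ) {
+            return;
+        }
+
+        if (
+            $user_email !== $_POST['email'] &&
+            is_email( $_POST['email'] ) &&
+            is_email_address_unsafe( $_POST['email'] )
+        ) {
+            bbp_add_error( 'bbp_user_email_invalid', __( '<strong>Error</strong>: That email address cannot be used.', 'support-forums' ), array( 'form-field' => 'email' ) );
+
+            // Override the post variable to ensure that bbPress & core doesn't use it.
+            $_POST['email'] = $_REQUEST['email'] = $user_email;
+        }
     }
 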
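Review bot: `check_email_safe_for_use()` hands `$_POST['email']` straight to `is_email()` and `is_email_address_unsafe()` without confirming it is a string: `empty()` only rejects empty values, so an array-valued `email` field would reach those helpers, and because WordPress slash-escapes `$_POST`, the strict `$user_email !== $_POST['email']` comparison may also misfire for an address containing characters that get slashed. I would read the value once, `$new_email = is_string( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';`, add `'' === $new_email` to the early-return condition, and use `$new_email` in the second `if` instead of re-reading the superglobal. The docblock also reads "Verify that the a new email" — drop the stray "the".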