Changeset 9146 for sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php

Timestamp:

09/23/2019 03:52:23 AM (5 years ago)

Author:

dd32

Message:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

File:

• sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php (modified) (6 diffs)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php

@@ -13 +13 @@
 
     $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array( 'body' => $verify ) );
-
     if ( is_wp_error( $resp ) || 200 != wp_remote_retrieve_response_code( $resp ) ) {
         return false;
@@ -24 +23 @@
 
 /**
- * Handles registrations and redirects thereafter
- */
-function wporg_login_create_user( $user_login, $user_email, $user_mailinglist = false ) {
-    global $wpdb;
+ * Handles creating a "Pending" registration that will later be converted to an actual user  account.
+ */
+function wporg_login_create_pending_user( $user_login, $user_email, $user_mailinglist = false  ) {
+    global $wpdb, $wp_hasher;
 
     // Allow for w.org plugins to block registrations based on spam checks, etc.
@@ -37 +36 @@
     }
 
-    $user_id = wpmu_create_user( wp_slash( $user_login ), wp_generate_password(), wp_slash( $user_email ) );
-    if ( ! $user_id ) {
+    $activation_key = wp_generate_password( 24, false, false );
+    $profile_key    = wp_generate_password( 24, false, false );
+
+    $hashed_activation_key = time() . ':' . wp_hash_password( $activation_key );
+    $hashed_profile_key    = time() . ':' . wp_hash_password( $profile_key );
+
+    $pending_user = array(
+        'user_login' => $user_login,
+        'user_email' => $user_email,
+        'user_registered' => gmdate('Y-m-d  H:i:s'),
+        'user_activation_key' => $hashed_activation_key,
+        'user_profile_key' => $hashed_profile_key,
+        'meta' => array(
+            'user_mailinglist' => $user_mailinglist,
+            'registration_ip'  => $_SERVER['REMOTE_ADDR'], // Spam & fraud control. Will be discarded after the account is created.
+        ),
+        'scores' => array()
+    );
+
+    $inserted = wporg_update_pending_user( $pending_user );
+    if ( ! $inserted ) {
         wp_die( __( 'Error! Something went wrong with your registration. Try again?', 'wporg' ) );
-    }
-
-    // Insert a hashed activation key
-    $activation_key = wp_generate_password( 24, false, false );
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-    $hashed_activation_key = time() . ':' . $wp_hasher->HashPassword( $activation_key );
-
-    $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed_activation_key ), array( 'ID' => $user_id ) );
-    clean_user_cache( $user_id );
-
-    if ( $user_mailinglist ) {
-        update_user_meta( $user_id, 'notify_list', 'true' );
     }
 
@@ -62 +65 @@
     $body .= sprintf( __( 'Your username is: %s', 'wporg' ), $user_login ) . "\n";
     $body .= __( 'You can create a password at the following URL:', 'wporg' ) . "\n";
-    $body .= home_url( "/register/confirm/{$user_login}/{$activation_key}/" );
+    $body .= home_url( "/register/create/{$user_login}/{$activation_key}/" );
     $body .= "\n\n";
     $body .= __( '-- The WordPress.org Team', 'wporg' );
@@ -75 +78 @@
     );
 
-    wp_set_current_user( $user_id );
-    $nonce = wp_create_nonce( 'login-register-profile-edit' );
-    wp_set_current_user( 0 );
-
-    wp_safe_redirect( '/register/profile/' . $user_login . '/' . $nonce );
+    $url = home_url( sprintf(
+        '/register/create-profile/%s/%s/',
+        $user_login,
+        $profile_key
+    ) );
+
+    wp_safe_redirect( $url );
     die();
 }
 
-function wporg_login_save_profile_fields() {
+/**
+ * Fetches a pending user record from the database by username or Email.
+ */
+function wporg_get_pending_user( $login_or_email ) {
+    global $wpdb;
+
+    $pending_user = $wpdb->get_row( $wpdb->prepare(
+        "SELECT * FROM `{$wpdb->base_prefix}user_pending_registrations` WHERE ( `user_login` = %s OR `user_email` = %s ) LIMIT 1",
+        $login_or_email,
+        $login_or_email
+    ), ARRAY_A );
+
+    if ( ! $pending_user ) {
+        return false;
+    }
+
+    $pending_user['meta']   = json_decode( $pending_user['meta'], true );
+    $pending_user['scores'] = json_decode( $pending_user['scores'], true );
+
+    return $pending_user;
+}
+
+/**
+ * Update the pending user record, similar to `wp_update_user()` but for the not-yet-created user record.
+ */
+function wporg_update_pending_user( $pending_user ) {
+    global $wpdb;
+    $pending_user['meta']   = json_encode( $pending_user['meta'] );
+    $pending_user['scores'] = json_encode( $pending_user['scores'] );
+
+    if ( empty( $pending_user['pending_id'] ) ) {
+        unset( $pending_user['pending_id'] );
+        return $wpdb->insert(
+            "{$wpdb->base_prefix}user_pending_registrations",
+            $pending_user
+        );
+    } else {
+        return $wpdb->update(
+            "{$wpdb->base_prefix}user_pending_registrations",
+            $pending_user,
+            array( 'pending_id' => $pending_user['pending_id'] )
+        );
+    }
+
+}
+
+/**
+ * Create a user record from a pending record. 
+ */
+function wporg_login_create_user_from_pending( $pending_user, $password = false ) {
+    global $wpdb;
+
+    // Insert user, no password tho.
+    $user_login = $pending_user['user_login'];
+    $user_email = $pending_user['user_email'];
+    $user_mailinglist = !empty( $pending_user['meta']['user_mailinglist'] ) && $pending_user['meta']['user_mailinglist'];
+
+    if ( ! $password ) {
+        $password = wp_generate_password();
+    }
+
+    $user_id = wpmu_create_user(
+        wp_slash( $user_login ),
+        $password,
+        wp_slash( $user_email )
+    );
+    if ( ! $user_id ) {
+        wp_die( __( 'Error! Something went wrong with your registration. Try again?', 'wporg' ) );
+    }
+
+    // Update the registration date to the earlier one.
+    wp_update_user( array(
+        'ID' => $user_id,
+        'user_registered' => $pending_user['user_registered']
+    ) );
+
+    // Update the pending record with the new details.
+    $pending_user['created'] = 1;
+    $pending_user['created_date'] = gmdate( 'Y-m-d H:i:s' );
+    $pending_user['meta']['confirmed_ip'] = $_SERVER['REMOTE_ADDR']; // Spam/Fraud purposes, will be deleted once not needed.
+    wporg_update_pending_user( $pending_user );
+
+    if ( $user_mailinglist ) {
+        update_user_meta( $user_id, 'notify_list', 'true' );
+    }
+
+    foreach ( array( 'url', 'from', 'occ', 'interests' ) as $field ) {
+        if ( !empty( $pending_user['meta'][ $field ] ) ) {
+            $value = $pending_user['meta'][ $field ];
+            if ( 'url' == $field ) {
+                wp_update_user( array( 'ID' => $user_id, 'user_url' => $value ) );
+            } else {
+                if ( $value ) {
+                    update_user_meta( $user_id, $field, $value );
+                } else {
+                    delete_user_meta( $user_id, $field );
+                }
+            }
+        }
+    }
+
+    return get_user_by( 'id', $user_id );
+}
+
+/**
+ * Save the user profile fields, potentially prior to user creation and prior to email confirmation.
+ */
+function wporg_login_save_profile_fields( $pending_user = false ) {
     if ( ! $_POST || empty( $_POST['user_fields'] ) ) {
-        return;
+        return false;
     }
     $fields = array( 'url', 'from', 'occ', 'interests' );
@@ -93 +205 @@
             $value = sanitize_text_field( wp_unslash( $_POST['user_fields'][ $field ] ) );
             if ( 'url' == $field ) {
-                wp_update_user( array(
-                    'ID' => get_current_user_id(),
-                    'user_url' => esc_url_raw( $value ),
-                ) );
+                if ( $pending_user ) {
+                    $pending_user['meta'][ $field ] = esc_url_raw( $value );
+                } else {
+                    wp_update_user( array(
+                        'ID' => get_current_user_id(),
+                        'user_url' => esc_url_raw( $value ),
+                    ) );
+                }
             } else {
-                update_user_meta( get_current_user_id(), $field, $value );
+                if ( $pending_user ) {
+                    $pending_user['meta'][ $field ] = $value;
+                } else {
+                    if ( $value ) {
+                        update_user_meta( get_current_user_id(), $field, $value );
+                    } else {
+                        delete_user_meta( get_current_user_id(), $field );
+                    }
+                }
             }
         }
     }
-}
+
+    if ( $pending_user ) {
+        wporg_update_pending_user( $pending_user );
+    }
+
+    return true;
+}