Changeset 9146 for sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php

Timestamp:

09/23/2019 03:52:23 AM (6 years ago)

Author:

dd32

Message:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

File:

• sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php (copied) (copied from sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register-confirm.php) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-create.php

@@ -1 +1 @@
 <?php
 /**
- * The post-register profile-fields Template
+ * The post-email-confirm Template
  *
  * @package wporg-login
  */
 
-    //      'register-confirm' => '/register/confirm/(?P<confirm_user>[^/]+)/(?P<confirm_key>[^/]+)',
+$activation_user = WP_WPOrg_SSO::$matched_route_params['confirm_user'] ?? false;
+$activation_key  = WP_WPOrg_SSO::$matched_route_params['confirm_key']  ?? false;
 
-$confirm_user = isset( WP_WPOrg_SSO::$matched_route_params['confirm_user'] ) ? WP_WPOrg_SSO::$matched_route_params['confirm_user'] : false;
-$confirm_key  = isset( WP_WPOrg_SSO::$matched_route_params['confirm_key'] ) ? WP_WPOrg_SSO::$matched_route_params['confirm_key'] : false;
+$pending_user = wporg_get_pending_user( $activation_user );
+if ( ! $pending_user ) {
+    // TODO: add a handler for "Link is expired". The pending user record has been purged.
+    // See Line 33 below for the second case where this is needed.
+}
 
-$can_access = true;
-if (
-    $confirm_user && $confirm_key &&
-    ( $user = get_user_by( 'login', $confirm_user ) ) &&
-    $user->exists()
-) {
-    wp_set_current_user( $user->ID );
+$can_access = false;
+if ( $pending_user && $pending_user['user_activation_key'] && ! $pending_user['created'] ) {
+    $expiration_duration = WEEK_IN_SECONDS; // Time that the user has to confirm the account.
 
-    $user_activation_key = $user->user_activation_key;
-    if ( ! $user_activation_key ) {
-        // The activation key may not be in the cached user object, so we'll fetch it manually.
-        $user_activation_key = $wpdb->get_var( $wpdb->prepare( "SELECT user_activation_key FROM {$wpdb->users} WHERE ID = %d", $user->ID ) );
+    list( $user_request_time, $hashed_activation_key ) = explode( ':', $pending_user['user_activation_key'], 2 );
+    $expiration_time                                   = $user_request_time + $expiration_duration;
+
+    $hash_is_correct = wp_check_password( $activation_key, $hashed_activation_key );
+
+    if ( $hash_is_correct && time() < $expiration_time ) {
+        $can_access = true;
+    } elseif ( $hash_is_correct ) {
+        // TODO: Add a handler for "Link is expired".
+        // For now, ignore the expiry date on the email links.
+        // This URL is invalidated once the user is created anyway.
+        $can_access = true; 
     }
-
-    list( $reset_time, $hashed_activation_key ) = explode( ':', $user_activation_key, 2 );
-
-    if ( empty( $wp_hasher ) ) {
-        require_once ABSPATH . WPINC . '/class-phpass.php';
-        $wp_hasher = new PasswordHash( 8, true );
-    }
-    $can_access = $wp_hasher->CheckPassword( $confirm_key, $hashed_activation_key );
-
-    // Keys are only valid for 7 days (or until used)
-    $can_access = $can_access && ( $reset_time + ( 7*DAY_IN_SECONDS ) > time() );
+} elseif ( $pending_user && $pending_user['created'] ) {
+    wp_safe_redirect( 'https://wordpress.org/support/' );
+    die();
 }
 
 if ( ! $can_access ) {
-    wp_set_current_user( 0 );
     wp_safe_redirect( "/" );
     die();
-} elseif ( !empty( $_POST['user_pass'] ) ) {
+}
+
+if ( isset( $_POST['user_pass'] ) ) {
     $user_pass = wp_unslash( $_POST['user_pass'] );
+
+    if ( $pending_user && ! $pending_user['created'] ) {
+        $user = wporg_login_create_user_from_pending( $pending_user, $user_pass );
+        if ( $user ) {
+            wp_set_current_user( $user->ID );
+            wp_set_auth_cookie( $user->ID, true );
+        }
+    }
 
     wporg_login_save_profile_fields();
 
-    add_filter( 'send_password_change_email', '__return_false' );
-    if ( wp_update_user( wp_slash( array(
-        'ID' => $user->ID,
-        'user_pass' => $user_pass,
-    ) ) ) ) {
-        $wpdb->update( $wpdb->users, array( 'user_activation_key' => '' ), array( 'ID' => $user->ID ) );
-        wp_set_auth_cookie( $user->ID, true );
-        wp_safe_redirect( 'https://wordpress.org/support/' );
-        die();
-    }
+    wp_safe_redirect( 'https://wordpress.org/support/' );
+    die();
 }
 
@@ -86 +87 @@
 <!--    <p class="description indicator-hint"><?php _e( 'Hint: The password should be at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! " ? $ % ^ &amp; ).', 'wporg' ); ?></p> -->
 
-    <?php include __DIR__ . '/partials/register-profilefields.php'; ?>
+    <?php
+        $fields = &$pending_user['meta'];
+        include __DIR__ . '/partials/register-profilefields.php';
+    ?>
 
     <p class="login-submit">