Changeset 9146 for sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-profile.php

Timestamp:

09/23/2019 03:52:23 AM (6 years ago)

Author:

dd32

Message:

Login: Store user registrations in a custom table until they confirm their email address (at which time, we create the actual wp_users records).

This is to combat the significant number of unconfirmed accounts that are created, by separating them it's easier to purge them periodically, but also easier to add extra anti-spam checks as needed.

See #4739.

File:

• sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-profile.php (copied) (copied from sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/register-profile.php) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/pending-profile.php

@@ -1 +1 @@
 <?php
 /**
- * The post-register profile-fields Template
+ * The post-pending-email-confirm profile-fields Template
  *
  * @package wporg-login
  */
 
-$profile_user = isset( WP_WPOrg_SSO::$matched_route_params['profile_user'] ) ? WP_WPOrg_SSO::$matched_route_params['profile_user'] : false;
-$profile_nonce  = isset( WP_WPOrg_SSO::$matched_route_params['profile_nonce'] ) ? WP_WPOrg_SSO::$matched_route_params['profile_nonce'] : false;
+$profile_user = WP_WPOrg_SSO::$matched_route_params['profile_user'] ?? false;
+$profile_key  = WP_WPOrg_SSO::$matched_route_params['profile_key']  ?? false;
+
+$pending_user = wporg_get_pending_user( $profile_user );
 
 $can_access = false;
-if (
-    $profile_user && $profile_nonce &&
-    ( $user = get_user_by( 'login', $profile_user ) ) &&
-    $user->exists()
-) {
-    wp_set_current_user( $user->ID );
-    $can_access = wp_verify_nonce( $profile_nonce, 'login-register-profile-edit' );
+if ( $pending_user && $pending_user['user_profile_key'] ) {
+    $expiration_duration = DAY_IN_SECONDS; // The profile-edit screen is short lived.
+
+    list( $user_request_time, $hashed_profile_key ) = explode( ':', $pending_user['user_profile_key'], 2 );
+    $expiration_time                                = $user_request_time + $expiration_duration;
+
+    $hash_is_correct = wp_check_password( $profile_key, $hashed_profile_key );
+
+    if ( $hash_is_correct && time() < $expiration_time ) {
+        $can_access = true;
+    }
 }
 
-if ( ! $can_access ) {
-    wp_set_current_user( 0 );
+if ( $can_access && $pending_user['created']  ) {
+    wp_safe_redirect( 'https://wordpress.org/support/' );
+    die();
+} elseif ( ! $can_access ) {
     wp_safe_redirect( '/' );
     die();
 }
 
-wporg_login_save_profile_fields();
-
+if ( wporg_login_save_profile_fields( $pending_user ) ) {
+    // re-fetch the user, it's probably changed.
+    $pending_user = wporg_get_pending_user( $profile_user );
+}
 wp_enqueue_script( 'wporg-registration' );
 
@@ -47 +57 @@
 <form name="registerform" id="registerform" action="" method="post">
 
-    <?php include __DIR__ . '/partials/register-profilefields.php'; ?>
+    <?php
+        $fields = &$pending_user['meta'];
+        include __DIR__ . '/partials/register-profilefields.php';
+    ?>
 
     <p class="login-submit">