


Timestamp:
03/08/2022 05:32:02 AM (2 years ago)
Author:
johnjamesjacoby
Message:

Converter: improvements to bbp_user_maybe_convert_pass():

  • Unslash 'log' posted value
  • Trim 'pwd' posted value
  • Bail early if either are empty
  • Use get_user_by() and get_user_meta() instead of direct MySQL query
  • Bail if user/meta are not found
  • Bail if converter not string or not found

This change ensures that users who sign in via either their username or email are converted. Before this change, signing in via email would not trigger a conversion.

In trunk, for 2.7.0.

See #3419.

File:
1 edited

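--- a/trunk/src/includes/users/functions.php
+++ b/trunk/src/includes/users/functions.php
@@ -955,22 +955,41 @@
  *
  * @since 2.1.0 bbPress (r3813)
+ * @since 2.6.10 bbPress (r7244) Switched from direct query to get_user_by()
  */
 function bbp_user_maybe_convert_pass() {
 
-    // Sanitize username
-    $username = ! empty( $_POST['log'] )
-        ? sanitize_user( $_POST['log'] )
+    // Sanitize login
+    $login = ! empty( $_POST['log'] )
+        ? sanitize_user( wp_unslash( $_POST['log'] ) )
         : '';
 
-    // Bail if no username
-    if ( empty( $username ) ) {
-        return;
-    }
-
-    // Bail if no user password to convert
-    $bbp_db = bbp_db();
-    $query  = $bbp_db->prepare( "SELECT * FROM {$bbp_db->users} INNER JOIN {$bbp_db->usermeta} ON user_id = ID WHERE meta_key = %s AND user_login = %s LIMIT 1", '_bbp_class', $username );
-    $row    = $bbp_db->get_row( $query );
-    if ( empty( $row ) || is_wp_error( $row ) ) {
+    // Sanitize password
+    $pass = ! empty( $_POST['pwd'] )
+        ? trim( $_POST['pwd'] )
+        : '';
+
+    // Bail if no username or password
+    if ( empty( $login ) || empty( $pass ) ) {
+        return;
+    }
+
+    // Get user by login...
+    $user = get_user_by( 'login', $login );
+
+    // ...or get user by email
+    if ( empty( $user ) && strpos( $login, '@' ) ) {
+        $user = get_user_by( 'email', $login );
+    }
+
+    // Bail if no user
+    if ( empty( $user ) ) {
+        return;
+    }
+
+    // Get converter class from usermeta
+    $class = get_user_meta( $user->ID, '_bbp_class', true );
+
+    // Bail if no converter class in meta
+    if ( empty( $class ) || ! is_string( $class ) ) {
         return;
     }
@@ -979,10 +998,15 @@
     bbp_setup_converter();
 
-    // Try to convert the old password for this user
-    $converter = bbp_new_converter( $row->meta_value );
-
-    // Try to call the conversion method
+    // Try to instantiate the converter class
+    $converter = bbp_new_converter( $class );
+
+    // Bail if no converter
+    if ( empty( $converter ) ) {
+        return;
+    }
+
+    // Try to call the password conversion callback method
     if ( ( $converter instanceof BBP_Converter_Base ) && method_exists( $converter, 'callback_pass' ) ) {
-        $converter->callback_pass( $username, $_POST['pwd'] );
-    }
-}
+        $converter->callback_pass( $login, $pass );
+    }
+}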
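Review bot: `$converter->callback_pass( $login, $pass );` on the last line still hands the converter the raw login, which after this change may be an email address; if `callback_pass` resolves the user by `user_login` on its side (its body is outside this section, so this is inferred), an email sign-in is found here but missed inside the callback, which is exactly the case the commit sets out to fix. Since `$user` is already resolved a few lines above, passing the canonical login removes that dependency: `$converter->callback_pass( $user->user_login, $pass );`. The email fallback `strpos( $login, '@' )` also tests the value after `sanitize_user()`, whereas core's email authentication path checks `is_email()` on the unsanitized input, so an address that `sanitize_user()` alters would not match the stored email; `is_email( $login )` would at least make the intent explicit. Finally, `empty( $pass )` also rejects the literal password `0`; that mirrors core's own checks, but a one-line comment such as `// Note: empty() also rejects a literal "0" password, matching core` would save the next reader a detour.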