diff --git a/src/wp-admin/includes/admin-filters.php b/src/wp-admin/includes/admin-filters.php index 141e8aa08e..24b42c16fe 100644 --- a/src/wp-admin/includes/admin-filters.php +++ b/src/wp-admin/includes/admin-filters.php @@ -99,9 +99,12 @@ add_action( 'install_themes_pre_theme-information', 'install_theme_information' add_action( 'admin_init', 'default_password_nag_handler' ); add_action( 'admin_notices', 'default_password_nag' ); +add_action( 'admin_notices', 'new_user_email_admin_notice' ); add_action( 'profile_update', 'default_password_nag_edit_user', 10, 2 ); +add_action( 'personal_options_update', 'send_confirmation_on_profile_email' ); + // Update hooks. add_action( 'load-plugins.php', 'wp_plugin_update_rows', 20 ); // After wp_update_plugins() is called. add_action( 'load-themes.php', 'wp_theme_update_rows', 20 ); // After wp_update_themes() is called. diff --git a/src/wp-admin/includes/ms-admin-filters.php b/src/wp-admin/includes/ms-admin-filters.php index fb4f678a3a..619ef0963b 100644 --- a/src/wp-admin/includes/ms-admin-filters.php +++ b/src/wp-admin/includes/ms-admin-filters.php @@ -11,15 +11,12 @@ add_filter( 'wp_handle_upload_prefilter', 'check_upload_size' ); // User Hooks -add_action( 'admin_notices', 'new_user_email_admin_notice' ); add_action( 'user_admin_notices', 'new_user_email_admin_notice' ); add_action( 'admin_page_access_denied', '_access_denied_splash', 99 ); add_action( 'add_option_new_admin_email', 'update_option_new_admin_email', 10, 2 ); -add_action( 'personal_options_update', 'send_confirmation_on_profile_email' ); - add_action( 'update_option_new_admin_email', 'update_option_new_admin_email', 10, 2 ); // Site Hooks. diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php index 866db3f698..6a1b397875 100644 --- a/src/wp-admin/includes/ms.php +++ b/src/wp-admin/includes/ms.php @@ -335,109 +335,6 @@ All at ###SITENAME### } } -/** - * Sends an email when an email address change is requested. - * - * @since 3.0.0 - * - * @global WP_Error $errors WP_Error object. - * @global wpdb $wpdb WordPress database object. - */ -function send_confirmation_on_profile_email() { - global $errors, $wpdb; - $current_user = wp_get_current_user(); - if ( ! is_object($errors) ) - $errors = new WP_Error(); - - if ( $current_user->ID != $_POST['user_id'] ) - return false; - - if ( $current_user->user_email != $_POST['email'] ) { - if ( !is_email( $_POST['email'] ) ) { - $errors->add( 'user_email', __( "ERROR: The email address isn’t correct." ), array( 'form-field' => 'email' ) ); - return; - } - - if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM {$wpdb->users} WHERE user_email=%s", $_POST['email'] ) ) ) { - $errors->add( 'user_email', __( "ERROR: The email address is already used." ), array( 'form-field' => 'email' ) ); - delete_user_meta( $current_user->ID, '_new_email' ); - return; - } - - $hash = md5( $_POST['email'] . time() . mt_rand() ); - $new_user_email = array( - 'hash' => $hash, - 'newemail' => $_POST['email'] - ); - update_user_meta( $current_user->ID, '_new_email', $new_user_email ); - - $switched_locale = switch_to_locale( get_user_locale() ); - - /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */ - $email_text = __( 'Howdy ###USERNAME###, - -You recently requested to have the email address on your account changed. - -If this is correct, please click on the following link to change it: -###ADMIN_URL### - -You can safely ignore and delete this email if you do not want to -take this action. - -This email has been sent to ###EMAIL### - -Regards, -All at ###SITENAME### -###SITEURL###' ); - - /** - * Filters the email text sent when a user changes emails. - * - * The following strings have a special meaning and will get replaced dynamically: - * ###USERNAME### The current user's username. - * ###ADMIN_URL### The link to click on to confirm the email change. - * ###EMAIL### The new email. - * ###SITENAME### The name of the site. - * ###SITEURL### The URL to the site. - * - * @since MU - * - * @param string $email_text Text in the email. - * @param string $new_user_email New user email that the current user has changed to. - */ - $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email ); - - $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); - $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); - $content = str_replace( '###EMAIL###', $_POST['email'], $content); - $content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content ); - $content = str_replace( '###SITEURL###', network_home_url(), $content ); - - wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content ); - $_POST['email'] = $current_user->user_email; - - if ( $switched_locale ) { - restore_previous_locale(); - } - } -} - -/** - * Adds an admin notice alerting the user to check for confirmation email - * after email address change. - * - * @since 3.0.0 - * - * @global string $pagenow - */ -function new_user_email_admin_notice() { - global $pagenow; - if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) && $email = get_user_meta( get_current_user_id(), '_new_email', true ) ) { - /* translators: %s: New email address */ - echo '

' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '' . esc_html( $email['newemail'] ) . '' ) . '

'; - } -} - /** * Check whether a site has used its allotted upload space. * diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php index 80cef618e5..e034163da4 100644 --- a/src/wp-admin/user-edit.php +++ b/src/wp-admin/user-edit.php @@ -88,13 +88,13 @@ if ( is_multisite() } // Execute confirmed email change. See send_confirmation_on_profile_email(). -if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) { +if ( IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) { $new_email = get_user_meta( $current_user->ID, '_new_email', true ); if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) { $user = new stdClass; $user->ID = $current_user->ID; $user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) ); - if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $current_user->user_login ) ) ) { + if ( is_multisite() && $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $current_user->user_login ) ) ) { $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $user->user_email, $current_user->user_login ) ); } wp_update_user( $user ); @@ -104,7 +104,7 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c } else { wp_redirect( add_query_arg( array( 'error' => 'new-email' ), self_admin_url( 'profile.php' ) ) ); } -} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) { +} elseif ( IS_PROFILE_PAGE && ! empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) { check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' ); delete_user_meta( $current_user->ID, '_new_email' ); wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) ); diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php index 41a83d2422..d27bbda392 100644 --- a/src/wp-includes/user.php +++ b/src/wp-includes/user.php @@ -2590,3 +2590,113 @@ function _wp_get_current_user() { return $current_user; } + +/** + * Sends an email when an email address change is requested. + * + * @since 3.0.0 + * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. + * + * @global WP_Error $errors WP_Error object. + * @global wpdb $wpdb WordPress database object. + */ +function send_confirmation_on_profile_email() { + global $errors, $wpdb; + + $current_user = wp_get_current_user(); + if ( ! is_object( $errors ) ) { + $errors = new WP_Error(); + } + + if ( $current_user->ID != $_POST['user_id'] ) { + return false; + } + + if ( $current_user->user_email != $_POST['email'] ) { + if ( ! is_email( $_POST['email'] ) ) { + $errors->add( 'user_email', __( "ERROR: The email address isn’t correct." ), array( + 'form-field' => 'email', + ) ); + + return; + } + + if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM {$wpdb->users} WHERE user_email=%s", $_POST['email'] ) ) ) { + $errors->add( 'user_email', __( "ERROR: The email address is already used." ), array( + 'form-field' => 'email', + ) ); + delete_user_meta( $current_user->ID, '_new_email' ); + + return; + } + + $hash = md5( $_POST['email'] . time() . mt_rand() ); + $new_user_email = array( + 'hash' => $hash, + 'newemail' => $_POST['email'], + ); + update_user_meta( $current_user->ID, '_new_email', $new_user_email ); + + /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */ + $email_text = __( 'Howdy ###USERNAME###, + +You recently requested to have the email address on your account changed. + +If this is correct, please click on the following link to change it: +###ADMIN_URL### + +You can safely ignore and delete this email if you do not want to +take this action. + +This email has been sent to ###EMAIL### + +Regards, +All at ###SITENAME### +###SITEURL###' ); + + /** + * Filters the email text sent when a user changes emails. + * + * The following strings have a special meaning and will get replaced dynamically: + * ###USERNAME### The current user's username. + * ###ADMIN_URL### The link to click on to confirm the email change. + * ###EMAIL### The new email. + * ###SITENAME### The name of the site. + * ###SITEURL### The URL to the site. + * + * @since MU + * @since 4.9.0 This filter is no longer Multisite specific. + * + * @param string $email_text Text in the email. + * @param string $new_user_email New user email that the current user has changed to. + */ + $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email ); + + $content = str_replace( '###USERNAME###', $current_user->user_login, $content ); + $content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content ); + $content = str_replace( '###EMAIL###', $_POST['email'], $content ); + $content = str_replace( '###SITENAME###', get_site_option( 'site_name' ), $content ); + $content = str_replace( '###SITEURL###', network_home_url(), $content ); + + wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content ); + + $_POST['email'] = $current_user->user_email; + } +} + +/** + * Adds an admin notice alerting the user to check for confirmation email + * after email address change. + * + * @since 3.0.0 + * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific. + * + * @global string $pagenow + */ +function new_user_email_admin_notice() { + global $pagenow; + if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) && $email = get_user_meta( get_current_user_id(), '_new_email', true ) ) { + /* translators: %s: New email address */ + echo '

' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '' . esc_html( $email['newemail'] ) . '' ) . '

'; + } +} diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php index b2b87d19d2..94a4bde5ce 100644 --- a/tests/phpunit/tests/user.php +++ b/tests/phpunit/tests/user.php @@ -1204,4 +1204,72 @@ class Tests_User extends WP_UnitTestCase { function action_check_passwords_blank_pw( $user_login, &$pass1 ) { $pass1 = ''; } + + /** + * @ticket 16470 + */ + function test_send_confirmation_on_profile_email() { + reset_phpmailer_instance(); + $was_confirmation_email_sent = false; + + $user = $this->factory()->user->create_and_get( array( + 'user_email' => 'before@example.com', + ) ); + + $_POST['email'] = 'after@example.com'; + $_POST['user_id'] = $user->ID; + + wp_set_current_user( $user->ID ); + + do_action( 'personal_options_update' ); + + if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) { + $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] ); + } + + // A confirmation email is sent. + $this->assertTrue( $was_confirmation_email_sent ); + + // The new email address gets put into user_meta. + $new_email_meta = get_user_meta( $user->ID, '_new_email', true ); + $this->assertEquals( 'after@example.com', $new_email_meta['newemail'] ); + + // The email address of the user doesn't change. $_POST['email'] should be the email address pre-update. + $this->assertEquals( $_POST['email'], $user->user_email ); + } + + /** + * @ticket 16470 + */ + function test_remove_send_confirmation_on_profile_email() { + remove_action( 'personal_options_update', 'send_confirmation_on_profile_email' ); + + reset_phpmailer_instance(); + $was_confirmation_email_sent = false; + + $user = $this->factory()->user->create_and_get( array( + 'user_email' => 'before@example.com', + ) ); + + $_POST['email'] = 'after@example.com'; + $_POST['user_id'] = $user->ID; + + wp_set_current_user( $user->ID ); + + do_action( 'personal_options_update' ); + + if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) { + $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] ); + } + + // No confirmation email is sent. + $this->assertFalse( $was_confirmation_email_sent ); + + // No usermeta is created. + $new_email_meta = get_user_meta( $user->ID, '_new_email', true ); + $this->assertEmpty( $new_email_meta ); + + // $_POST['email'] should be the email address posted from the form. + $this->assertEquals( $_POST['email'], 'after@example.com' ); + } }