diff --git a/src/wp-includes/user-functions.php b/src/wp-includes/user-functions.php index 9e95bee6c7..3ec4cd856f 100644 --- a/src/wp-includes/user-functions.php +++ b/src/wp-includes/user-functions.php @@ -1869,6 +1869,83 @@ function wp_get_password_hint() { return apply_filters( 'password_hint', $hint ); } +/** + * Creates, stores, then returns a password reset key for user. + * + * @since 4.4.0 + * + * @global wpdb $wpdb WordPress database abstraction object. + * @global PasswordHash $wp_hasher Portable PHP password hashing framework. + * + * @param WP_User $user User to retrieve password reset key for. + * + * @return string|WP_Error Password reset key on success. WP_Error on error. + */ +function get_password_reset_key( $user ) { + global $wpdb, $wp_hasher; + + /** + * Fires before a new password is retrieved. + * + * @since 1.5.0 + * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead. + * + * @param string $user_login The user login name. + */ + do_action( 'retreive_password', $user->user_login ); + + /** + * Fires before a new password is retrieved. + * + * @since 1.5.1 + * + * @param string $user_login The user login name. + */ + do_action( 'retrieve_password', $user->user_login ); + + /** + * Filter whether to allow a password to be reset. + * + * @since 2.7.0 + * + * @param bool true Whether to allow the password to be reset. Default true. + * @param int $user_data->ID The ID of the user attempting to reset a password. + */ + $allow = apply_filters( 'allow_password_reset', true, $user->ID ); + + if ( ! $allow ) { + return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) ); + } elseif ( is_wp_error( $allow ) ) { + return $allow; + } + + // Generate something random for a password reset key. + $key = wp_generate_password( 20, false ); + + /** + * Fires when a password reset key is generated. + * + * @since 2.5.0 + * + * @param string $user_login The username for the user. + * @param string $key The generated password reset key. + */ + do_action( 'retrieve_password_key', $user->user_login, $key ); + + // Now insert the key, hashed, into the DB. + if ( empty( $wp_hasher ) ) { + require_once ABSPATH . WPINC . '/class-phpass.php'; + $wp_hasher = new PasswordHash( 8, true ); + } + $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); + $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) ); + if ( false === $key_saved ) { + return WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) ); + } + + return $key; +} + /** * Retrieves a user row based on password reset key and login * diff --git a/src/wp-login.php b/src/wp-login.php index 83eefe7239..42db80b191 100644 --- a/src/wp-login.php +++ b/src/wp-login.php @@ -313,63 +313,12 @@ function retrieve_password() { // Redefining user_login ensures we return the right case in the email. $user_login = $user_data->user_login; $user_email = $user_data->user_email; + $key = get_password_reset_key( $user_data ); - /** - * Fires before a new password is retrieved. - * - * @since 1.5.0 - * @deprecated 1.5.1 Misspelled. Use 'retrieve_password' hook instead. - * - * @param string $user_login The user login name. - */ - do_action( 'retreive_password', $user_login ); - - /** - * Fires before a new password is retrieved. - * - * @since 1.5.1 - * - * @param string $user_login The user login name. - */ - do_action( 'retrieve_password', $user_login ); - - /** - * Filter whether to allow a password to be reset. - * - * @since 2.7.0 - * - * @param bool true Whether to allow the password to be reset. Default true. - * @param int $user_data->ID The ID of the user attempting to reset a password. - */ - $allow = apply_filters( 'allow_password_reset', true, $user_data->ID ); - - if ( ! $allow ) { - return new WP_Error( 'no_password_reset', __('Password reset is not allowed for this user') ); - } elseif ( is_wp_error( $allow ) ) { - return $allow; + if ( is_wp_error( $key ) ) { + return $key; } - // Generate something random for a password reset key. - $key = wp_generate_password( 20, false ); - - /** - * Fires when a password reset key is generated. - * - * @since 2.5.0 - * - * @param string $user_login The username for the user. - * @param string $key The generated password reset key. - */ - do_action( 'retrieve_password_key', $user_login, $key ); - - // Now insert the key, hashed, into the DB. - if ( empty( $wp_hasher ) ) { - require_once ABSPATH . WPINC . '/class-phpass.php'; - $wp_hasher = new PasswordHash( 8, true ); - } - $hashed = time() . ':' . $wp_hasher->HashPassword( $key ); - $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) ); - $message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n"; $message .= network_home_url( '/' ) . "\r\n\r\n"; $message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";