enmi-conf.org: comparison wp/wp-includes/user.php

equal deleted inserted replaced

-:7b1b88e27a20
+:48c4eec2b7e6
 * with wp_signon(), wp_set_current_user() should be called explicitly.
 *
 * @since 2.5.0
 *
 * @global string $auth_secure_cookie
-*
+* @global wpdb   $wpdb               WordPress database abstraction object.
-* @param array       $credentials   Optional. User info in order to sign on.
+*
+* @param array       $credentials {
+*     Optional. User info in order to sign on.
+*
+*     @type string $user_login    Username.
+*     @type string $user_password User password.
+*     @type bool   $remember      Whether to 'remember' the user. Increases the time
+*                                 that the cookie will be kept. Default false.
+* }
 * @param string|bool $secure_cookie Optional. Whether to use secure cookie.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
 function wp_signon( $credentials = array(), $secure_cookie = '' ) {
+	global $auth_secure_cookie, $wpdb;
 	if ( empty( $credentials ) ) {
-		$credentials = array(); // Back-compat for plugins passing an empty string.
+		$credentials = array(
+			'user_login'    => '',
+			'user_password' => '',
+			'remember'      => false,
+		);
 		if ( ! empty( $_POST['log'] ) ) {
 			$credentials['user_login'] = wp_unslash( $_POST['log'] );
 		}
 		if ( ! empty( $_POST['pwd'] ) ) {
 	 *                                 that the cookie will be kept. Default false.
 	 * }
 	 */
 	$secure_cookie = apply_filters( 'secure_signon_cookie', $secure_cookie, $credentials );
-	global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie().
+	// XXX ugly hack to pass this to wp_authenticate_cookie().
 	$auth_secure_cookie = $secure_cookie;
 	add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );
 	$user = wp_authenticate( $credentials['user_login'], $credentials['user_password'] );
 	if ( is_wp_error( $user ) ) {
 		return $user;
 	}
 	wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
+	// Clear `user_activation_key` after a successful login.
+	if ( ! empty( $user->user_activation_key ) ) {
+		$wpdb->update(
+			$wpdb->users,
+			array(
+				'user_activation_key' => '',
+			),
+			array( 'ID' => $user->ID )
+		);
+		$user->user_activation_key = '';
+	}
 	/**
 	 * Fires after the user has successfully logged in.
 	 *
 	 * @since 1.5.0
 	 *
 	 * @param string  $user_login Username.
 	 * @param WP_User $user       WP_User object of the logged-in user.
 	 */
 	do_action( 'wp_login', $user->user_login, $user );
 	return $user;
 }
 /**
 * Authenticates a user, confirming the username and password are valid.
 		}
 		$error = new WP_Error();
 		if ( empty( $username ) ) {
-			$error->add( 'empty_username', __( '<strong>Error</strong>: The username field is empty.' ) );
+			$error->add( 'empty_username', __( '<strong>Error:</strong> The username field is empty.' ) );
 		}
 		if ( empty( $password ) ) {
-			$error->add( 'empty_password', __( '<strong>Error</strong>: The password field is empty.' ) );
+			$error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) );
 		}
 		return $error;
 	}
 	if ( ! $user ) {
 		return new WP_Error(
 			'invalid_username',
 			sprintf(
 				/* translators: %s: User name. */
-				__( '<strong>Error</strong>: The username <strong>%s</strong> is not registered on this site. If you are unsure of your username, try your email address instead.' ),
+				__( '<strong>Error:</strong> The username <strong>%s</strong> is not registered on this site. If you are unsure of your username, try your email address instead.' ),
 				$username
 			)
 		);
 	}
 	if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
 		return new WP_Error(
 			'incorrect_password',
 			sprintf(
 				/* translators: %s: User name. */
-				__( '<strong>Error</strong>: The password you entered for the username %s is incorrect.' ),
+				__( '<strong>Error:</strong> The password you entered for the username %s is incorrect.' ),
 				'<strong>' . $username . '</strong>'
 			) .
 			' <a href="' . wp_lostpassword_url() . '">' .
 			__( 'Lost your password?' ) .
 			'</a>'
 		$error = new WP_Error();
 		if ( empty( $email ) ) {
 			// Uses 'empty_username' for back-compat with wp_signon().
-			$error->add( 'empty_username', __( '<strong>Error</strong>: The email field is empty.' ) );
+			$error->add( 'empty_username', __( '<strong>Error:</strong> The email field is empty.' ) );
 		}
 		if ( empty( $password ) ) {
-			$error->add( 'empty_password', __( '<strong>Error</strong>: The password field is empty.' ) );
+			$error->add( 'empty_password', __( '<strong>Error:</strong> The password field is empty.' ) );
 		}
 		return $error;
 	}
 	if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
 		return new WP_Error(
 			'incorrect_password',
 			sprintf(
 				/* translators: %s: Email address. */
-				__( '<strong>Error</strong>: The password you entered for the email address %s is incorrect.' ),
+				__( '<strong>Error:</strong> The password you entered for the email address %s is incorrect.' ),
 				'<strong>' . $email . '</strong>'
 			) .
 			' <a href="' . wp_lostpassword_url() . '">' .
 			__( 'Lost your password?' ) .
 			'</a>'
 * @param string                $username Username. If not empty, cancels the cookie authentication.
 * @param string                $password Password. If not empty, cancels the cookie authentication.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
 function wp_authenticate_cookie( $user, $username, $password ) {
+	global $auth_secure_cookie;
 	if ( $user instanceof WP_User ) {
 		return $user;
 	}
 	if ( empty( $username ) && empty( $password ) ) {
 		$user_id = wp_validate_auth_cookie();
 		if ( $user_id ) {
 			return new WP_User( $user_id );
 		}
-		global $auth_secure_cookie;
 		if ( $auth_secure_cookie ) {
 			$auth_cookie = SECURE_AUTH_COOKIE;
 		} else {
 			$auth_cookie = AUTH_COOKIE;
 	if ( ! WP_Application_Passwords::is_in_use() ) {
 		return $input_user;
 	}
+	// The 'REST_REQUEST' check here may happen too early for the constant to be available.
 	$is_api_request = ( ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) );
 	/**
 	 * Filters whether this is an API request that Application Passwords can be used on.
 	 *
 	// If the login name is invalid, short circuit.
 	if ( ! $user ) {
 		if ( is_email( $username ) ) {
 			$error = new WP_Error(
 				'invalid_email',
-				__( '<strong>Error</strong>: Unknown email address. Check again or try your username.' )
+				__( '<strong>Error:</strong> Unknown email address. Check again or try your username.' )
 			);
 		} else {
 			$error = new WP_Error(
 				'invalid_username',
-				__( '<strong>Error</strong>: Unknown username. Check again or try your email address.' )
+				__( '<strong>Error:</strong> Unknown username. Check again or try your email address.' )
 			);
 		}
 	} elseif ( ! wp_is_application_passwords_available() ) {
 		$error = new WP_Error(
 			'application_passwords_disabled',
 		 * @param WP_User $user    User to check against.
 		 */
 		$spammed = apply_filters( 'check_is_user_spammed', is_user_spammy( $user ), $user );
 		if ( $spammed ) {
-			return new WP_Error( 'spammer_account', __( '<strong>Error</strong>: Your account has been marked as a spammer.' ) );
+			return new WP_Error( 'spammer_account', __( '<strong>Error:</strong> Your account has been marked as a spammer.' ) );
 		}
 	}
 	return $user;
 }
 /**
 * Updates user option with global blog capability.
 *
 * User options are just like user metadata except that they have support for
-* global blog options. If the 'global' parameter is false, which it is by default
+* global blog options. If the 'is_global' parameter is false, which it is by default,
 * it will prepend the WordPress table prefix to the option name.
 *
 * Deletes the user option if $newvalue is empty.
 *
 * @since 2.0.0
 * @global wpdb $wpdb WordPress database abstraction object.
 *
 * @param int    $user_id     User ID.
 * @param string $option_name User option name.
 * @param mixed  $newvalue    User option value.
-* @param bool   $global      Optional. Whether option name is global or blog specific.
+* @param bool   $is_global   Optional. Whether option name is global or blog specific.
 *                            Default false (blog specific).
 * @return int|bool User meta ID if the option didn't exist, true on successful update,
 *                  false on failure.
 */
-function update_user_option( $user_id, $option_name, $newvalue, $global = false ) {
+function update_user_option( $user_id, $option_name, $newvalue, $is_global = false ) {
 	global $wpdb;
-	if ( ! $global ) {
+	if ( ! $is_global ) {
 		$option_name = $wpdb->get_blog_prefix() . $option_name;
 	}
 	return update_user_meta( $user_id, $option_name, $newvalue );
 }
 /**
 * Deletes user option with global blog capability.
 *
 * User options are just like user metadata except that they have support for
-* global blog options. If the 'global' parameter is false, which it is by default
+* global blog options. If the 'is_global' parameter is false, which it is by default,
 * it will prepend the WordPress table prefix to the option name.
 *
 * @since 3.0.0
 *
 * @global wpdb $wpdb WordPress database abstraction object.
 *
 * @param int    $user_id     User ID
 * @param string $option_name User option name.
-* @param bool   $global      Optional. Whether option name is global or blog specific.
+* @param bool   $is_global   Optional. Whether option name is global or blog specific.
 *                            Default false (blog specific).
 * @return bool True on success, false on failure.
 */
-function delete_user_option( $user_id, $option_name, $global = false ) {
+function delete_user_option( $user_id, $option_name, $is_global = false ) {
 	global $wpdb;
-	if ( ! $global ) {
+	if ( ! $is_global ) {
 		$option_name = $wpdb->get_blog_prefix() . $option_name;
 	}
 	return delete_user_meta( $user_id, $option_name );
 }
 /**
 * Retrieves list of users matching criteria.
 		'html'          => true,
 		'exclude'       => '',
 		'include'       => '',
 	);
-	$args = wp_parse_args( $args, $defaults );
+	$parsed_args = wp_parse_args( $args, $defaults );
 	$return = '';
-	$query_args           = wp_array_slice_assoc( $args, array( 'orderby', 'order', 'number', 'exclude', 'include' ) );
+	$query_args           = wp_array_slice_assoc( $parsed_args, array( 'orderby', 'order', 'number', 'exclude', 'include' ) );
 	$query_args['fields'] = 'ids';
-	$users                = get_users( $query_args );
+	/**
+	 * Filters the query arguments for the list of all users of the site.
+	 *
+	 * @since 6.1.0
+	 *
+	 * @param array $query_args  The query arguments for get_users().
+	 * @param array $parsed_args The arguments passed to wp_list_users() combined with the defaults.
+	 */
+	$query_args = apply_filters( 'wp_list_users_args', $query_args, $parsed_args );
+	$users = get_users( $query_args );
 	foreach ( $users as $user_id ) {
 		$user = get_userdata( $user_id );
-		if ( $args['exclude_admin'] && 'admin' === $user->display_name ) {
+		if ( $parsed_args['exclude_admin'] && 'admin' === $user->display_name ) {
 			continue;
 		}
-		if ( $args['show_fullname'] && '' !== $user->first_name && '' !== $user->last_name ) {
+		if ( $parsed_args['show_fullname'] && '' !== $user->first_name && '' !== $user->last_name ) {
-			$name = "$user->first_name $user->last_name";
+			$name = sprintf(
+				/* translators: 1: User's first name, 2: Last name. */
+				_x( '%1$s %2$s', 'Display name based on first name and last name' ),
+				$user->first_name,
+				$user->last_name
+			);
 		} else {
 			$name = $user->display_name;
 		}
-		if ( ! $args['html'] ) {
+		if ( ! $parsed_args['html'] ) {
 			$return .= $name . ', ';
 			continue; // No need to go further to process HTML.
 		}
-		if ( 'list' === $args['style'] ) {
+		if ( 'list' === $parsed_args['style'] ) {
 			$return .= '<li>';
 		}
 		$row = $name;
-		if ( ! empty( $args['feed_image'] ) || ! empty( $args['feed'] ) ) {
+		if ( ! empty( $parsed_args['feed_image'] ) || ! empty( $parsed_args['feed'] ) ) {
 			$row .= ' ';
-			if ( empty( $args['feed_image'] ) ) {
+			if ( empty( $parsed_args['feed_image'] ) ) {
 				$row .= '(';
 			}
-			$row .= '<a href="' . get_author_feed_link( $user->ID, $args['feed_type'] ) . '"';
+			$row .= '<a href="' . get_author_feed_link( $user->ID, $parsed_args['feed_type'] ) . '"';
 			$alt = '';
-			if ( ! empty( $args['feed'] ) ) {
+			if ( ! empty( $parsed_args['feed'] ) ) {
-				$alt  = ' alt="' . esc_attr( $args['feed'] ) . '"';
+				$alt  = ' alt="' . esc_attr( $parsed_args['feed'] ) . '"';
-				$name = $args['feed'];
+				$name = $parsed_args['feed'];
 			}
 			$row .= '>';
-			if ( ! empty( $args['feed_image'] ) ) {
+			if ( ! empty( $parsed_args['feed_image'] ) ) {
-				$row .= '<img src="' . esc_url( $args['feed_image'] ) . '" style="border: none;"' . $alt . ' />';
+				$row .= '<img src="' . esc_url( $parsed_args['feed_image'] ) . '" style="border: none;"' . $alt . ' />';
 			} else {
 				$row .= $name;
 			}
 			$row .= '</a>';
-			if ( empty( $args['feed_image'] ) ) {
+			if ( empty( $parsed_args['feed_image'] ) ) {
 				$row .= ')';
 			}
 		}
 		$return .= $row;
-		$return .= ( 'list' === $args['style'] ) ? '</li>' : ', ';
+		$return .= ( 'list' === $parsed_args['style'] ) ? '</li>' : ', ';
 	}
 	$return = rtrim( $return, ', ' );
-	if ( ! $args['echo'] ) {
+	if ( ! $parsed_args['echo'] ) {
 		return $return;
 	}
 	echo $return;
 }
 		return array();
 	}
 	if ( ! is_multisite() ) {
 		$site_id                        = get_current_blog_id();
-		$sites                          = array( $site_id => new stdClass );
+		$sites                          = array( $site_id => new stdClass() );
 		$sites[ $site_id ]->userblog_id = $site_id;
 		$sites[ $site_id ]->blogname    = get_option( 'blogname' );
 		$sites[ $site_id ]->domain      = '';
 		$sites[ $site_id ]->path        = '';
 		$sites[ $site_id ]->site_id     = 1;
 	}
 	$keys = array_keys( $keys );
 	foreach ( $keys as $key ) {
-		if ( 'capabilities' !== substr( $key, -12 ) ) {
+		if ( ! str_ends_with( $key, 'capabilities' ) ) {
 			continue;
 		}
-		if ( $wpdb->base_prefix && 0 !== strpos( $key, $wpdb->base_prefix ) ) {
+		if ( $wpdb->base_prefix && ! str_starts_with( $key, $wpdb->base_prefix ) ) {
 			continue;
 		}
 		$site_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key );
 		if ( ! is_numeric( $site_id ) ) {
 			continue;
 	$sites = array();
 	if ( ! empty( $site_ids ) ) {
 		$args = array(
-			'number'                 => '',
+			'number'   => '',
-			'site__in'               => $site_ids,
+			'site__in' => $site_ids,
-			'update_site_meta_cache' => false,
 		);
 		if ( ! $all ) {
 			$args['archived'] = 0;
 			$args['spam']     = 0;
 			$args['deleted']  = 0;
 	if ( empty( $user_id ) ) {
 		$user_id = get_current_user_id();
 	}
-	// Technically not needed, but does save calls to get_site() and get_user_meta()
+	/*
-	// in the event that the function is called when a user isn't logged in.
+	 * Technically not needed, but does save calls to get_site() and get_user_meta()
+	 * in the event that the function is called when a user isn't logged in.
+	 */
 	if ( empty( $user_id ) ) {
 		return false;
 	} else {
 		$user = get_userdata( $user_id );
 		if ( ! $user instanceof WP_User ) {
 	// No underscore before capabilities in $base_capabilities_key.
 	$base_capabilities_key = $wpdb->base_prefix . 'capabilities';
 	$site_capabilities_key = $wpdb->base_prefix . $blog_id . '_capabilities';
-	if ( isset( $keys[ $base_capabilities_key ] ) && 1 == $blog_id ) {
+	if ( isset( $keys[ $base_capabilities_key ] ) && 1 === $blog_id ) {
 		return true;
 	}
 	if ( isset( $keys[ $site_capabilities_key ] ) ) {
 		return true;
 	 *
 	 * Return a non-null value to cause count_users() to return early.
 	 *
 	 * @since 5.1.0
 	 *
-	 * @param null|string $result   The value to return instead. Default null to continue with the query.
+	 * @param null|array $result   The value to return instead. Default null to continue with the query.
-	 * @param string      $strategy Optional. The computational strategy to use when counting the users.
+	 * @param string     $strategy Optional. The computational strategy to use when counting the users.
-	 *                              Accepts either 'time' or 'memory'. Default 'time'.
+	 *                             Accepts either 'time' or 'memory'. Default 'time'.
-	 * @param int|null    $site_id  Optional. The site ID to count users for. Defaults to the current site.
+	 * @param int        $site_id  The site ID to count users for.
 	 */
 	$pre = apply_filters( 'pre_count_users', null, $strategy, $site_id );
 	if ( null !== $pre ) {
 		return $pre;
 	$blog_prefix = $wpdb->get_blog_prefix( $site_id );
 	$result      = array();
 	if ( 'time' === $strategy ) {
-		if ( is_multisite() && get_current_blog_id() != $site_id ) {
+		if ( is_multisite() && get_current_blog_id() !== $site_id ) {
 			switch_to_blog( $site_id );
 			$avail_roles = wp_roles()->get_names();
 			restore_current_blog();
 		} else {
 			$avail_roles = wp_roles()->get_names();
 			$b_roles = maybe_unserialize( $caps_meta );
 			if ( ! is_array( $b_roles ) ) {
 				continue;
 			}
 			if ( empty( $b_roles ) ) {
-				$avail_roles['none']++;
+				++$avail_roles['none'];
 			}
 			foreach ( $b_roles as $b_role => $val ) {
 				if ( isset( $avail_roles[ $b_role ] ) ) {
-					$avail_roles[ $b_role ]++;
+					++$avail_roles[ $b_role ];
 				} else {
 					$avail_roles[ $b_role ] = 1;
 				}
 			}
 		}
 *
 * The available arguments are as follows:
 *
 * @since 2.3.0
 * @since 4.5.0 Added the 'display_name_with_login' value for 'show'.
-* @since 4.7.0 Added the `$role`, `$role__in`, and `$role__not_in` parameters.
+* @since 4.7.0 Added the 'role', 'role__in', and 'role__not_in' parameters.
+* @since 5.9.0 Added the 'capability', 'capability__in', and 'capability__not_in' parameters.
+*              Deprecated the 'who' parameter.
 *
 * @param array|string $args {
 *     Optional. Array or string of arguments to generate a drop-down of users.
 *     See WP_User_Query::prepare_query() for additional available arguments.
 *
-*     @type string       $show_option_all         Text to show as the drop-down default (all).
+*     @type string          $show_option_all         Text to show as the drop-down default (all).
-*                                                 Default empty.
+*                                                    Default empty.
-*     @type string       $show_option_none        Text to show as the drop-down default when no
+*     @type string          $show_option_none        Text to show as the drop-down default when no
-*                                                 users were found. Default empty.
+*                                                    users were found. Default empty.
-*     @type int|string   $option_none_value       Value to use for $show_option_non when no users
+*     @type int|string      $option_none_value       Value to use for `$show_option_none` when no users
-*                                                 were found. Default -1.
+*                                                    were found. Default -1.
-*     @type string       $hide_if_only_one_author Whether to skip generating the drop-down
+*     @type string          $hide_if_only_one_author Whether to skip generating the drop-down
-*                                                 if only one user was found. Default empty.
+*                                                    if only one user was found. Default empty.
-*     @type string       $orderby                 Field to order found users by. Accepts user fields.
+*     @type string          $orderby                 Field to order found users by. Accepts user fields.
-*                                                 Default 'display_name'.
+*                                                    Default 'display_name'.
-*     @type string       $order                   Whether to order users in ascending or descending
+*     @type string          $order                   Whether to order users in ascending or descending
-*                                                 order. Accepts 'ASC' (ascending) or 'DESC' (descending).
+*                                                    order. Accepts 'ASC' (ascending) or 'DESC' (descending).
-*                                                 Default 'ASC'.
+*                                                    Default 'ASC'.
-*     @type int[]|string $include                 Array or comma-separated list of user IDs to include.
+*     @type int[]|string    $include                 Array or comma-separated list of user IDs to include.
-*                                                 Default empty.
+*                                                    Default empty.
-*     @type int[]|string $exclude                 Array or comma-separated list of user IDs to exclude.
+*     @type int[]|string    $exclude                 Array or comma-separated list of user IDs to exclude.
-*                                                 Default empty.
+*                                                    Default empty.
-*     @type bool|int     $multi                   Whether to skip the ID attribute on the 'select' element.
+*     @type bool|int        $multi                   Whether to skip the ID attribute on the 'select' element.
-*                                                 Accepts 1|true or 0|false. Default 0|false.
+*                                                    Accepts 1|true or 0|false. Default 0|false.
-*     @type string       $show                    User data to display. If the selected item is empty
+*     @type string          $show                    User data to display. If the selected item is empty
-*                                                 then the 'user_login' will be displayed in parentheses.
+*                                                    then the 'user_login' will be displayed in parentheses.
-*                                                 Accepts any user field, or 'display_name_with_login' to show
+*                                                    Accepts any user field, or 'display_name_with_login' to show
-*                                                 the display name with user_login in parentheses.
+*                                                    the display name with user_login in parentheses.
-*                                                 Default 'display_name'.
+*                                                    Default 'display_name'.
-*     @type int|bool     $echo                    Whether to echo or return the drop-down. Accepts 1|true (echo)
+*     @type int|bool        $echo                    Whether to echo or return the drop-down. Accepts 1|true (echo)
-*                                                 or 0|false (return). Default 1|true.
+*                                                    or 0|false (return). Default 1|true.
-*     @type int          $selected                Which user ID should be selected. Default 0.
+*     @type int             $selected                Which user ID should be selected. Default 0.
-*     @type bool         $include_selected        Whether to always include the selected user ID in the drop-
+*     @type bool            $include_selected        Whether to always include the selected user ID in the drop-
-*                                                 down. Default false.
+*                                                    down. Default false.
-*     @type string       $name                    Name attribute of select element. Default 'user'.
+*     @type string          $name                    Name attribute of select element. Default 'user'.
-*     @type string       $id                      ID attribute of the select element. Default is the value of $name.
+*     @type string          $id                      ID attribute of the select element. Default is the value of `$name`.
-*     @type string       $class                   Class attribute of the select element. Default empty.
+*     @type string          $class                   Class attribute of the select element. Default empty.
-*     @type int          $blog_id                 ID of blog (Multisite only). Default is ID of the current blog.
+*     @type int             $blog_id                 ID of blog (Multisite only). Default is ID of the current blog.
-*     @type string       $who                     Which type of users to query. Accepts only an empty string or
+*     @type string          $who                     Deprecated, use `$capability` instead.
-*                                                 'authors'. Default empty.
+*                                                    Which type of users to query. Accepts only an empty string or
-*     @type string|array $role                    An array or a comma-separated list of role names that users must
+*                                                    'authors'. Default empty (all users).
-*                                                 match to be included in results. Note that this is an inclusive
+*     @type string|string[] $role                    An array or a comma-separated list of role names that users
-*                                                 list: users must match *each* role. Default empty.
+*                                                    must match to be included in results. Note that this is
-*     @type string[]     $role__in                An array of role names. Matched users must have at least one of
+*                                                    an inclusive list: users must match *each* role. Default empty.
-*                                                 these roles. Default empty array.
+*     @type string[]        $role__in                An array of role names. Matched users must have at least one
-*     @type string[]     $role__not_in            An array of role names to exclude. Users matching one or more of
+*                                                    of these roles. Default empty array.
-*                                                 these roles will not be included in results. Default empty array.
+*     @type string[]        $role__not_in            An array of role names to exclude. Users matching one or more
+*                                                    of these roles will not be included in results. Default empty array.
+*     @type string|string[] $capability              An array or a comma-separated list of capability names that users
+*                                                    must match to be included in results. Note that this is
+*                                                    an inclusive list: users must match *each* capability.
+*                                                    Does NOT work for capabilities not in the database or filtered
+*                                                    via {@see 'map_meta_cap'}. Default empty.
+*     @type string[]        $capability__in          An array of capability names. Matched users must have at least one
+*                                                    of these capabilities.
+*                                                    Does NOT work for capabilities not in the database or filtered
+*                                                    via {@see 'map_meta_cap'}. Default empty array.
+*     @type string[]        $capability__not_in      An array of capability names to exclude. Users matching one or more
+*                                                    of these capabilities will not be included in results.
+*                                                    Does NOT work for capabilities not in the database or filtered
+*                                                    via {@see 'map_meta_cap'}. Default empty array.
 * }
 * @return string HTML dropdown list of users.
 */
 function wp_dropdown_users( $args = '' ) {
 	$defaults = array(
 	if ( ! is_string( $value ) && ! is_numeric( $value ) ) {
 		return $value;
 	}
-	$prefixed = false !== strpos( $field, 'user_' );
+	$prefixed = str_contains( $field, 'user_' );
 	if ( 'edit' === $context ) {
 		if ( $prefixed ) {
 			/** This filter is documented in wp-includes/post.php */
 		$user = $user->data;
 	}
 	wp_cache_add( $user->ID, $user, 'users' );
 	wp_cache_add( $user->user_login, $user->ID, 'userlogins' );
-	wp_cache_add( $user->user_email, $user->ID, 'useremail' );
 	wp_cache_add( $user->user_nicename, $user->ID, 'userslugs' );
+	if ( ! empty( $user->user_email ) ) {
+		wp_cache_add( $user->user_email, $user->ID, 'useremail' );
+	}
 }
 /**
 * Cleans all user caches.
 *
 * @since 3.0.0
 * @since 4.4.0 'clean_user_cache' action was added.
-* @since 5.8.0 Refreshes the global user instance if cleaning the user cache for the current user.
+* @since 6.2.0 User metadata caches are now cleared.
-*
-* @global WP_User $current_user The current user object which holds the user data.
 *
 * @param WP_User|int $user User object or ID to be cleaned from the cache
 */
 function clean_user_cache( $user ) {
-	global $current_user;
 	if ( is_numeric( $user ) ) {
 		$user = new WP_User( $user );
 	}
 	if ( ! $user->exists() ) {
 		return;
 	}
 	wp_cache_delete( $user->ID, 'users' );
 	wp_cache_delete( $user->user_login, 'userlogins' );
-	wp_cache_delete( $user->user_email, 'useremail' );
 	wp_cache_delete( $user->user_nicename, 'userslugs' );
+	if ( ! empty( $user->user_email ) ) {
+		wp_cache_delete( $user->user_email, 'useremail' );
+	}
+	wp_cache_delete( $user->ID, 'user_meta' );
+	wp_cache_set_users_last_changed();
 	/**
 	 * Fires immediately after the given user's cache is cleaned.
 	 *
 	 * @since 4.4.0
 	 *
 	 * @param int     $user_id User ID.
 	 * @param WP_User $user    User object.
 	 */
 	do_action( 'clean_user_cache', $user->ID, $user );
-	// Refresh the global user instance if the cleaning current user.
-	if ( get_current_user_id() === (int) $user->ID ) {
-		$user_id      = (int) $user->ID;
-		$current_user = null;
-		wp_set_current_user( $user_id, '' );
-	}
 }
 /**
 * Determines whether the given username exists.
 *
 * @param string $username Username.
 * @return bool Whether username given is valid.
 */
 function validate_username( $username ) {
 	$sanitized = sanitize_user( $username, true );
-	$valid     = ( $sanitized == $username && ! empty( $sanitized ) );
+	$valid     = ( $sanitized === $username && ! empty( $sanitized ) );
 	/**
 	 * Filters whether the provided username is valid.
 	 *
 	 * @since 2.0.1
 *
 * @param array|object|WP_User $userdata {
 *     An array, object, or WP_User object of user data arguments.
 *
 *     @type int    $ID                   User ID. If supplied, the user will be updated.
-*     @type string $user_pass            The plain-text user password.
+*     @type string $user_pass            The plain-text user password for new users.
+*                                        Hashed password for existing users.
 *     @type string $user_login           The user's login username.
 *     @type string $user_nicename        The URL-friendly user name.
 *     @type string $user_url             The user URL.
 *     @type string $user_email           The user email address.
 *     @type string $display_name         The user's display name.
 		if ( ! $old_user_data ) {
 			return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
 		}
+		// Slash current user email to compare it later with slashed new user email.
+		$old_user_data->user_email = wp_slash( $old_user_data->user_email );
 		// Hashed in wp_update_user(), plaintext if called directly.
 		$user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass;
 	} else {
 		$update = false;
 		// Hash the password.
 		while ( $user_nicename_check ) {
 			// user_nicename allows 50 chars. Subtract one for a hyphen, plus the length of the suffix.
 			$base_length         = 49 - mb_strlen( $suffix );
 			$alt_user_nicename   = mb_substr( $user_nicename, 0, $base_length ) . "-$suffix";
 			$user_nicename_check = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_nicename = %s AND user_login != %s LIMIT 1", $alt_user_nicename, $user_login ) );
-			$suffix++;
+			++$suffix;
 		}
 		$user_nicename = $alt_user_nicename;
 	}
 	$raw_user_email = empty( $userdata['user_email'] ) ? '' : $userdata['user_email'];
 	if ( empty( $userdata['display_name'] ) ) {
 		if ( $update ) {
 			$display_name = $user_login;
 		} elseif ( $meta['first_name'] && $meta['last_name'] ) {
-			/* translators: 1: User's first name, 2: Last name. */
+			$display_name = sprintf(
-			$display_name = sprintf( _x( '%1$s %2$s', 'Display name based on first name and last name' ), $meta['first_name'], $meta['last_name'] );
+				/* translators: 1: User's first name, 2: Last name. */
+				_x( '%1$s %2$s', 'Display name based on first name and last name' ),
+				$meta['first_name'],
+				$meta['last_name']
+			);
 		} elseif ( $meta['first_name'] ) {
 			$display_name = $meta['first_name'];
 		} elseif ( $meta['last_name'] ) {
 			$display_name = $meta['last_name'];
 		} else {
 	 */
 	$custom_meta = apply_filters( 'insert_custom_user_meta', $custom_meta, $user, $update, $userdata );
 	$meta = array_merge( $meta, $custom_meta );
-	// Update user meta.
+	if ( $update ) {
-	foreach ( $meta as $key => $value ) {
+		// Update user meta.
-		update_user_meta( $user_id, $key, $value );
+		foreach ( $meta as $key => $value ) {
+			update_user_meta( $user_id, $key, $value );
+		}
+	} else {
+		// Add user meta.
+		foreach ( $meta as $key => $value ) {
+			add_user_meta( $user_id, $key, $value );
+		}
 	}
 	foreach ( wp_get_user_contact_methods( $user ) as $key => $value ) {
 		if ( isset( $userdata[ $key ] ) ) {
 			update_user_meta( $user_id, $key, $userdata[ $key ] );
 		 * @param WP_User $old_user_data Object containing user's data prior to update.
 		 * @param array   $userdata      The raw array of data passed to wp_insert_user().
 		 */
 		do_action( 'profile_update', $user_id, $old_user_data, $userdata );
-		if ( isset( $userdata['spam'] ) && $userdata['spam'] != $old_user_data->spam ) {
+		if ( isset( $userdata['spam'] ) && $userdata['spam'] !== $old_user_data->spam ) {
-			if ( 1 == $userdata['spam'] ) {
+			if ( '1' === $userdata['spam'] ) {
 				/**
 				 * Fires after the user is marked as a SPAM user.
 				 *
 				 * @since 3.0.0
 				 *
 		$userdata = get_object_vars( $userdata );
 	} elseif ( $userdata instanceof WP_User ) {
 		$userdata = $userdata->to_array();
 	}
+	$userdata_raw = $userdata;
 	$user_id = isset( $userdata['ID'] ) ? (int) $userdata['ID'] : 0;
 	if ( ! $user_id ) {
 		return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
 	}
 	$blog_name = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES );
 	$switched_locale = false;
 	if ( ! empty( $send_password_change_email ) || ! empty( $send_email_change_email ) ) {
-		$switched_locale = switch_to_locale( get_user_locale( $user_id ) );
+		$switched_locale = switch_to_user_locale( $user_id );
 	}
 	if ( ! empty( $send_password_change_email ) ) {
 		/* translators: Do not translate USERNAME, ADMIN_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
 		$pass_change_text = __(
 		restore_previous_locale();
 	}
 	// Update the cookies if the password changed.
 	$current_user = wp_get_current_user();
-	if ( $current_user->ID == $user_id ) {
+	if ( $current_user->ID === $user_id ) {
 		if ( isset( $plaintext_pass ) ) {
 			wp_clear_auth_cookie();
-			// Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
+			/*
-			// If it's greater than this, then we know the user checked 'Remember Me' when they logged in.
+			 * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
+			 * If it's greater than this, then we know the user checked 'Remember Me' when they logged in.
+			 */
 			$logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' );
 			/** This filter is documented in wp-includes/pluggable.php */
 			$default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false );
-			$remember            = false;
+			$remember = false;
 			if ( false !== $logged_in_cookie && ( $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
 				$remember = true;
 			}
 			wp_set_auth_cookie( $user_id, $remember );
 		}
 	}
+	/**
+	 * Fires after the user has been updated and emails have been sent.
+	 *
+	 * @since 6.3.0
+	 *
+	 * @param int   $user_id      The ID of the user that was just updated.
+	 * @param array $userdata     The array of user data that was updated.
+	 * @param array $userdata_raw The unedited array of user data that was updated.
+	 */
+	do_action( 'wp_update_user', $user_id, $userdata, $userdata_raw );
 	return $user_id;
 }
 /**
 /**
 * Creates, stores, then returns a password reset key for user.
 *
 * @since 4.4.0
 *
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework.
+* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
 function get_password_reset_key( $user ) {
 	global $wp_hasher;
 	if ( ! ( $user instanceof WP_User ) ) {
-		return new WP_Error( 'invalidcombo', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
+		return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
 	}
 	/**
 	 * Fires before a new password is retrieved.
 	 *
 	 *
 	 * @param string $user_login The user login name.
 	 */
 	do_action( 'retrieve_password', $user->user_login );
-	$allow = true;
+	$password_reset_allowed = wp_is_password_reset_allowed_for_user( $user );
-	if ( is_multisite() && is_user_spammy( $user ) ) {
+	if ( ! $password_reset_allowed ) {
-		$allow = false;
-	}
-	/**
-	 * Filters whether to allow a password to be reset.
-	 *
-	 * @since 2.7.0
-	 *
-	 * @param bool $allow   Whether to allow the password to be reset. Default true.
-	 * @param int  $user_id The ID of the user attempting to reset a password.
-	 */
-	$allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
-	if ( ! $allow ) {
 		return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
-	} elseif ( is_wp_error( $allow ) ) {
+	} elseif ( is_wp_error( $password_reset_allowed ) ) {
-		return $allow;
+		return $password_reset_allowed;
 	}
 	// Generate something random for a password reset key.
 	$key = wp_generate_password( 20, false );
 * hashing process. This field is now hashed; old values are no longer accepted
 * but have a different WP_Error code so good user feedback can be provided.
 *
 * @since 3.1.0
 *
-* @global wpdb         $wpdb      WordPress database object for queries.
 * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param string $key       Hash to validate sending user's password.
 * @param string $login     The user login.
 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
 */
 function check_password_reset_key( $key, $login ) {
-	global $wpdb, $wp_hasher;
+	global $wp_hasher;
 	$key = preg_replace( '/[^a-z0-9]/i', '', $key );
 	if ( empty( $key ) || ! is_string( $key ) ) {
 		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
 	 *
 	 * @param int $expiration The expiration time in seconds.
 	 */
 	$expiration_duration = apply_filters( 'password_reset_expiration', DAY_IN_SECONDS );
-	if ( false !== strpos( $user->user_activation_key, ':' ) ) {
+	if ( str_contains( $user->user_activation_key, ':' ) ) {
 		list( $pass_request_time, $pass_key ) = explode( ':', $user->user_activation_key, 2 );
 		$expiration_time                      = $pass_request_time + $expiration_duration;
 	} else {
 		$pass_key        = $user->user_activation_key;
 		$expiration_time = false;
 * Handles sending a password retrieval email to a user.
 *
 * @since 2.5.0
 * @since 5.7.0 Added `$user_login` parameter.
 *
-* @global wpdb         $wpdb       WordPress database abstraction object.
+* @global wpdb         $wpdb      WordPress database abstraction object.
-* @global PasswordHash $wp_hasher  Portable PHP password hashing framework.
+* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param string $user_login Optional. Username to send a password retrieval email for.
 *                           Defaults to `$_POST['user_login']` if not set.
 * @return true|WP_Error True when finished, WP_Error object on error.
 */
 	// Use the passed $user_login if available, otherwise use $_POST['user_login'].
 	if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
 		$user_login = $_POST['user_login'];
 	}
+	$user_login = trim( wp_unslash( $user_login ) );
 	if ( empty( $user_login ) ) {
-		$errors->add( 'empty_username', __( '<strong>Error</strong>: Please enter a username or email address.' ) );
+		$errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username or email address.' ) );
 	} elseif ( strpos( $user_login, '@' ) ) {
-		$user_data = get_user_by( 'email', trim( wp_unslash( $user_login ) ) );
+		$user_data = get_user_by( 'email', $user_login );
 		if ( empty( $user_data ) ) {
-			$errors->add( 'invalid_email', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
+			$user_data = get_user_by( 'login', $user_login );
+		}
+		if ( empty( $user_data ) ) {
+			$errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
 		}
 	} else {
-		$user_data = get_user_by( 'login', trim( wp_unslash( $user_login ) ) );
+		$user_data = get_user_by( 'login', $user_login );
 	}
 	/**
 	 * Filters the user data during a password reset request.
 	 *
 	if ( $errors->has_errors() ) {
 		return $errors;
 	}
 	if ( ! $user_data ) {
-		$errors->add( 'invalidcombo', __( '<strong>Error</strong>: There is no account with that username or email address.' ) );
+		$errors->add( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
 		return $errors;
 	}
 	/**
 	 * Filters whether to send the retrieve password email.
 	}
 	// Localize password reset message content for user.
 	$locale = get_user_locale( $user_data );
-	$switched_locale = switch_to_locale( $locale );
+	$switched_locale = switch_to_user_locale( $user_data->ID );
 	if ( is_multisite() ) {
 		$site_name = get_network()->site_name;
 	} else {
 		/*
 	 *     @type string $to      The intended recipient - user email address.
 	 *     @type string $subject The subject of the email.
 	 *     @type string $message The body of the email.
 	 *     @type string $headers The headers of the email.
 	 * }
-	 * @type string  $key        The activation key.
+	 * @param string  $key        The activation key.
-	 * @type string  $user_login The username for the user.
+	 * @param string  $user_login The username for the user.
-	 * @type WP_User $user_data  WP_User object.
+	 * @param WP_User $user_data  WP_User object.
 	 */
 	$notification_email = apply_filters( 'retrieve_password_notification_email', $defaults, $key, $user_login, $user_data );
 	if ( $switched_locale ) {
 		restore_previous_locale();
 	if ( ! wp_mail( $to, $subject, $message, $headers ) ) {
 		$errors->add(
 			'retrieve_password_email_failure',
 			sprintf(
 				/* translators: %s: Documentation URL. */
-				__( '<strong>Error</strong>: The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
+				__( '<strong>Error:</strong> The email could not be sent. Your site may not be correctly configured to send emails. <a href="%s">Get support for resetting your password</a>.' ),
-				esc_url( __( 'https://wordpress.org/support/article/resetting-your-password/' ) )
+				esc_url( __( 'https://wordpress.org/documentation/article/reset-your-password/' ) )
 			)
 		);
 		return $errors;
 	}
 	 */
 	$user_email = apply_filters( 'user_registration_email', $user_email );
 	// Check the username.
 	if ( '' === $sanitized_user_login ) {
-		$errors->add( 'empty_username', __( '<strong>Error</strong>: Please enter a username.' ) );
+		$errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username.' ) );
 	} elseif ( ! validate_username( $user_login ) ) {
-		$errors->add( 'invalid_username', __( '<strong>Error</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
+		$errors->add( 'invalid_username', __( '<strong>Error:</strong> This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
 		$sanitized_user_login = '';
 	} elseif ( username_exists( $sanitized_user_login ) ) {
-		$errors->add( 'username_exists', __( '<strong>Error</strong>: This username is already registered. Please choose another one.' ) );
+		$errors->add( 'username_exists', __( '<strong>Error:</strong> This username is already registered. Please choose another one.' ) );
 	} else {
 		/** This filter is documented in wp-includes/user.php */
 		$illegal_user_logins = (array) apply_filters( 'illegal_user_logins', array() );
 		if ( in_array( strtolower( $sanitized_user_login ), array_map( 'strtolower', $illegal_user_logins ), true ) ) {
-			$errors->add( 'invalid_username', __( '<strong>Error</strong>: Sorry, that username is not allowed.' ) );
+			$errors->add( 'invalid_username', __( '<strong>Error:</strong> Sorry, that username is not allowed.' ) );
 		}
 	}
 	// Check the email address.
 	if ( '' === $user_email ) {
-		$errors->add( 'empty_email', __( '<strong>Error</strong>: Please type your email address.' ) );
+		$errors->add( 'empty_email', __( '<strong>Error:</strong> Please type your email address.' ) );
 	} elseif ( ! is_email( $user_email ) ) {
-		$errors->add( 'invalid_email', __( '<strong>Error</strong>: The email address is not correct.' ) );
+		$errors->add( 'invalid_email', __( '<strong>Error:</strong> The email address is not correct.' ) );
 		$user_email = '';
 	} elseif ( email_exists( $user_email ) ) {
 		$errors->add(
 			'email_exists',
 			sprintf(
 	if ( ! $user_id || is_wp_error( $user_id ) ) {
 		$errors->add(
 			'registerfail',
 			sprintf(
 				/* translators: %s: Admin email address. */
-				__( '<strong>Error</strong>: Could not register you&hellip; please contact the <a href="mailto:%s">site admin</a>!' ),
+				__( '<strong>Error:</strong> Could not register you&hellip; please contact the <a href="mailto:%s">site admin</a>!' ),
 				get_option( 'admin_email' )
 			)
 		);
 		return $errors;
 	}
 * Gets the user IDs of all users with no role on this site.
 *
 * @since 4.4.0
 * @since 4.9.0 The `$site_id` parameter was added to support multisite.
 *
+* @global wpdb $wpdb WordPress database abstraction object.
+*
 * @param int|null $site_id Optional. The site ID to get users with no role for. Defaults to the current site.
 * @return string[] Array of user IDs as strings.
 */
 function wp_get_users_with_no_role( $site_id = null ) {
 	global $wpdb;
 		$site_id = get_current_blog_id();
 	}
 	$prefix = $wpdb->get_blog_prefix( $site_id );
-	if ( is_multisite() && get_current_blog_id() != $site_id ) {
+	if ( is_multisite() && get_current_blog_id() !== $site_id ) {
 		switch_to_blog( $site_id );
 		$role_names = wp_roles()->get_names();
 		restore_current_blog();
 	} else {
 		$role_names = wp_roles()->get_names();
 	$regex = implode( '|', array_keys( $role_names ) );
 	$regex = preg_replace( '/[^a-zA-Z_\|-]/', '', $regex );
 	$users = $wpdb->get_col(
 		$wpdb->prepare(
-			"
+			"SELECT user_id
-		SELECT user_id
+			FROM $wpdb->usermeta
-		FROM $wpdb->usermeta
+			WHERE meta_key = '{$prefix}capabilities'
-		WHERE meta_key = '{$prefix}capabilities'
+			AND meta_value NOT REGEXP %s",
-		AND meta_value NOT REGEXP %s
-	",
 			$regex
 		)
 	);
 	return $users;
 	$current_user = wp_get_current_user();
 	if ( ! is_object( $errors ) ) {
 		$errors = new WP_Error();
 	}
-	if ( $current_user->ID != $_POST['user_id'] ) {
+	if ( $current_user->ID !== (int) $_POST['user_id'] ) {
 		return false;
 	}
-	if ( $current_user->user_email != $_POST['email'] ) {
+	if ( $current_user->user_email !== $_POST['email'] ) {
 		if ( ! is_email( $_POST['email'] ) ) {
 			$errors->add(
 				'user_email',
-				__( '<strong>Error</strong>: The email address is not correct.' ),
+				__( '<strong>Error:</strong> The email address is not correct.' ),
 				array(
 					'form-field' => 'email',
 				)
 			);
 		}
 		if ( email_exists( $_POST['email'] ) ) {
 			$errors->add(
 				'user_email',
-				__( '<strong>Error</strong>: The email address is already used.' ),
+				__( '<strong>Error:</strong> The email address is already used.' ),
 				array(
 					'form-field' => 'email',
 				)
 			);
 			delete_user_meta( $current_user->ID, '_new_email' );
 		 * }
 		 */
 		$content = apply_filters( 'new_user_email_content', $email_text, $new_user_email );
 		$content = str_replace( '###USERNAME###', $current_user->user_login, $content );
-		$content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
+		$content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
 		$content = str_replace( '###EMAIL###', $_POST['email'], $content );
 		$content = str_replace( '###SITENAME###', $sitename, $content );
 		$content = str_replace( '###SITEURL###', home_url(), $content );
 		/* translators: New email address notification email subject. %s: Site title. */
 	global $pagenow;
 	if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) ) {
 		$email = get_user_meta( get_current_user_id(), '_new_email', true );
 		if ( $email ) {
-			/* translators: %s: New email address. */
+			$message = sprintf(
-			echo '<div class="notice notice-info"><p>' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '<code>' . esc_html( $email['newemail'] ) . '</code>' ) . '</p></div>';
+				/* translators: %s: New email address. */
+				__( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ),
+				'<code>' . esc_html( $email['newemail'] ) . '</code>'
+			);
+			wp_admin_notice( $message, array( 'type' => 'info' ) );
 		}
 	}
 }
 /**
 * Gets all personal data request types.
 *
 * @since 4.9.6
 * @access private
 *
-* @return array List of core privacy action types.
+* @return string[] List of core privacy action types.
 */
 function _wp_privacy_action_request_types() {
 	return array(
 		'export_personal_data',
 		'remove_personal_data',
 /**
 * Registers the personal data exporter for users.
 *
 * @since 4.9.6
 *
-* @param array $exporters  An array of personal data exporters.
+* @param array[] $exporters An array of personal data exporters.
-* @return array An array of personal data exporters.
+* @return array[] An array of personal data exporters.
 */
 function wp_register_user_personal_data_exporter( $exporters ) {
 	$exporters['wordpress-user'] = array(
 		'exporter_friendly_name' => __( 'WordPress User' ),
 		'callback'               => 'wp_user_personal_data_exporter',
 * @since 4.9.6
 * @since 5.4.0 Added 'Community Events Location' group to the export data.
 * @since 5.4.0 Added 'Session Tokens' group to the export data.
 *
 * @param string $email_address  The user's email address.
-* @return array An array of personal data.
+* @return array {
+*     An array of personal data.
+*
+*     @type array[] $data An array of personal data arrays.
+*     @type bool    $done Whether the exporter is finished.
+* }
 */
 function wp_user_personal_data_exporter( $email_address ) {
 	$email_address = trim( $email_address );
 	$data_to_export = array();
 	if ( is_array( $_extra_data ) && ! empty( $_extra_data ) ) {
 		// Remove items that use reserved names.
 		$extra_data = array_filter(
 			$_extra_data,
-			static function( $item ) use ( $reserved_names ) {
+			static function ( $item ) use ( $reserved_names ) {
 				return ! in_array( $item['name'], $reserved_names, true );
 			}
 		);
 		if ( count( $extra_data ) !== count( $_extra_data ) ) {
 * @param int $request_id The ID of the request.
 */
 function _wp_privacy_send_request_confirmation_notification( $request_id ) {
 	$request = wp_get_user_request( $request_id );
-	if ( ! is_a( $request, 'WP_User_Request' ) || 'request-confirmed' !== $request->status ) {
+	if ( ! ( $request instanceof WP_User_Request ) || 'request-confirmed' !== $request->status ) {
 		return;
 	}
 	$already_notified = (bool) get_post_meta( $request_id, '_wp_admin_notified', true );
 	$content = apply_filters( 'user_request_confirmed_email_content', $content, $email_data );
 	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###USER_EMAIL###', $email_data['user_email'], $content );
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
-	$content = str_replace( '###MANAGE_URL###', esc_url_raw( $email_data['manage_url'] ), $content );
+	$content = str_replace( '###MANAGE_URL###', sanitize_url( $email_data['manage_url'] ), $content );
-	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+	$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 	$headers = '';
 	/**
 	 * Filters the headers of the user request confirmation email.
 * @param int $request_id The privacy request post ID associated with this request.
 */
 function _wp_privacy_send_erasure_fulfillment_notification( $request_id ) {
 	$request = wp_get_user_request( $request_id );
-	if ( ! is_a( $request, 'WP_User_Request' ) || 'request-completed' !== $request->status ) {
+	if ( ! ( $request instanceof WP_User_Request ) || 'request-completed' !== $request->status ) {
 		return;
 	}
 	$already_notified = (bool) get_post_meta( $request_id, '_wp_user_notified', true );
 		return;
 	}
 	// Localize message content for user; fallback to site default for visitors.
 	if ( ! empty( $request->user_id ) ) {
-		$locale = get_user_locale( $request->user_id );
+		$switched_locale = switch_to_user_locale( $request->user_id );
 	} else {
-		$locale = get_locale();
+		$switched_locale = switch_to_locale( get_locale() );
 	}
-	$switched_locale = switch_to_locale( $locale );
 	/**
 	 * Filters the recipient of the data erasure fulfillment notification.
 	 *
 	 * @since 4.9.6
 	 */
 	$content = apply_filters( 'user_erasure_fulfillment_email_content', $content, $email_data );
 	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
 	$content = str_replace( '###PRIVACY_POLICY_URL###', $email_data['privacy_policy_url'], $content );
-	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+	$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 	$headers = '';
 	/**
 	 * Filters the headers of the data erasure fulfillment notification.
 		return new WP_Error( 'invalid_request', __( 'Invalid personal data request.' ) );
 	}
 	// Localize message content for user; fallback to site default for visitors.
 	if ( ! empty( $request->user_id ) ) {
-		$locale = get_user_locale( $request->user_id );
+		$switched_locale = switch_to_user_locale( $request->user_id );
 	} else {
-		$locale = get_locale();
+		$switched_locale = switch_to_locale( get_locale() );
 	}
-	$switched_locale = switch_to_locale( $locale );
 	$email_data = array(
 		'request'     => $request,
 		'email'       => $request->email,
 		'description' => wp_user_request_action_description( $request->action_name ),
 	 * }
 	 */
 	$content = apply_filters( 'user_request_action_email_content', $content, $email_data );
 	$content = str_replace( '###DESCRIPTION###', $email_data['description'], $content );
-	$content = str_replace( '###CONFIRM_URL###', esc_url_raw( $email_data['confirm_url'] ), $content );
+	$content = str_replace( '###CONFIRM_URL###', sanitize_url( $email_data['confirm_url'] ), $content );
 	$content = str_replace( '###EMAIL###', $email_data['email'], $content );
 	$content = str_replace( '###SITENAME###', $email_data['sitename'], $content );
-	$content = str_replace( '###SITEURL###', esc_url_raw( $email_data['siteurl'] ), $content );
+	$content = str_replace( '###SITEURL###', sanitize_url( $email_data['siteurl'] ), $content );
 	$headers = '';
 	/**
 	 * Filters the headers of the email sent when an account action is attempted.
 /**
 * Returns a confirmation key for a user action and stores the hashed version for future comparison.
 *
 * @since 4.9.6
 *
+* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+*
 * @param int $request_id Request ID.
 * @return string Confirmation key.
 */
 function wp_generate_user_request_key( $request_id ) {
 	global $wp_hasher;
 /**
 * Validates a user request by comparing the key with the request's key.
 *
 * @since 4.9.6
 *
+* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+*
 * @param string $request_id ID of the request being confirmed.
 * @param string $key        Provided key to validate.
 * @return true|WP_Error True on success, WP_Error on failure.
 */
 function wp_validate_user_request_key( $request_id, $key ) {
 	 * @param bool    $available True if available, false otherwise.
 	 * @param WP_User $user      The user to check.
 	 */
 	return apply_filters( 'wp_is_application_passwords_available_for_user', true, $user );
 }
+/**
+* Registers the user meta property for persisted preferences.
+*
+* This property is used to store user preferences across page reloads and is
+* currently used by the block editor for preferences like 'fullscreenMode' and
+* 'fixedToolbar'.
+*
+* @since 6.1.0
+* @access private
+*
+* @global wpdb $wpdb WordPress database abstraction object.
+*/
+function wp_register_persisted_preferences_meta() {
+	/*
+	 * Create a meta key that incorporates the blog prefix so that each site
+	 * on a multisite can have distinct user preferences.
+	 */
+	global $wpdb;
+	$meta_key = $wpdb->get_blog_prefix() . 'persisted_preferences';
+	register_meta(
+		'user',
+		$meta_key,
+		array(
+			'type'         => 'object',
+			'single'       => true,
+			'show_in_rest' => array(
+				'name'   => 'persisted_preferences',
+				'type'   => 'object',
+				'schema' => array(
+					'type'                 => 'object',
+					'context'              => array( 'edit' ),
+					'properties'           => array(
+						'_modified' => array(
+							'description' => __( 'The date and time the preferences were updated.' ),
+							'type'        => 'string',
+							'format'      => 'date-time',
+							'readonly'    => false,
+						),
+					),
+					'additionalProperties' => true,
+				),
+			),
+		)
+	);
+}
+/**
+* Sets the last changed time for the 'users' cache group.
+*
+* @since 6.3.0
+*/
+function wp_cache_set_users_last_changed() {
+	wp_cache_set_last_changed( 'users' );
+}
+/**
+* Checks if password reset is allowed for a specific user.
+*
+* @since 6.3.0
+*
+* @param int|WP_User $user The user to check.
+* @return bool|WP_Error True if allowed, false or WP_Error otherwise.
+*/
+function wp_is_password_reset_allowed_for_user( $user ) {
+	if ( ! is_object( $user ) ) {
+		$user = get_userdata( $user );
+	}
+	if ( ! $user || ! $user->exists() ) {
+		return false;
+	}
+	$allow = true;
+	if ( is_multisite() && is_user_spammy( $user ) ) {
+		$allow = false;
+	}
+	/**
+	 * Filters whether to allow a password to be reset.
+	 *
+	 * @since 2.7.0
+	 *
+	 * @param bool $allow   Whether to allow the password to be reset. Default true.
+	 * @param int  $user_id The ID of the user attempting to reset a password.
+	 */
+	return apply_filters( 'allow_password_reset', $allow, $user->ID );
+}

changeset 21	48c4eec2b7e6
parent 19	3d72ae0968f4
child 22	8c2e4d02f4ef