diff -r 34716fd837a4 -r be944660c56a wp/wp-admin/includes/user.php --- a/wp/wp-admin/includes/user.php Tue Dec 15 15:52:01 2020 +0100 +++ b/wp/wp-admin/includes/user.php Wed Sep 21 18:19:35 2022 +0200 @@ -47,10 +47,10 @@ $pass1 = ''; $pass2 = ''; if ( isset( $_POST['pass1'] ) ) { - $pass1 = $_POST['pass1']; + $pass1 = trim( $_POST['pass1'] ); } if ( isset( $_POST['pass2'] ) ) { - $pass2 = $_POST['pass2']; + $pass2 = trim( $_POST['pass2'] ); } if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) { @@ -280,7 +280,7 @@ * @since 2.0.5 * * @param int $user_id User ID. - * @return WP_User|bool WP_User object on success, false on failure. + * @return WP_User|false WP_User object on success, false on failure. */ function get_user_to_edit( $user_id ) { $user = get_userdata( $user_id ); @@ -482,15 +482,15 @@ || isset( $_GET['default_password_nag'] ) && '0' == $_GET['default_password_nag'] ) { delete_user_setting( 'default_password_nag' ); - update_user_option( $user_ID, 'default_password_nag', false, true ); + update_user_meta( $user_ID, 'default_password_nag', false ); } } /** * @since 2.8.0 * - * @param int $user_ID - * @param object $old_data + * @param int $user_ID + * @param WP_User $old_data */ function default_password_nag_edit_user( $user_ID, $old_data ) { // Short-circuit it. @@ -503,7 +503,7 @@ // Remove the nag if the password has been changed. if ( $new_data->user_pass != $old_data->user_pass ) { delete_user_setting( 'default_password_nag' ); - update_user_option( $user_ID, 'default_password_nag', false, true ); + update_user_meta( $user_ID, 'default_password_nag', false ); } } 
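Review bot: In the `@@ -47,10 +47,10 @@` hunk, `trim( $_POST['pass1'] )` and `trim( $_POST['pass2'] )` run without checking that the posted value is a string. A request that sends `pass1[]=x` makes the value an array, which the old plain assignment tolerated but `trim()` rejects with a warning or, on PHP 8, a TypeError. A guard such as `$pass1 = is_string( $_POST['pass1'] ) ? trim( $_POST['pass1'] ) : '';` (and the same for `pass2`) keeps the handler from failing on malformed input. Trimming also changes which passwords can be stored, so the login path has to trim the same way, and that code is not visible here. The enclosing function starts and ends outside the hunk.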
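Review bot: In the `@@ -503,7 +503,7 @@` hunk, the rewritten `update_user_meta( $user_ID, 'default_password_nag', false )` is still gated by the loose comparison `$new_data->user_pass != $old_data->user_pass`. Under `!=`, two different strings that both look numeric to PHP (for example hex digests of the form `0e…`) compare equal, so the nag would stay set after a real password change; whether stored hashes can take that form is not visible here. `if ( $new_data->user_pass !== $old_data->user_pass ) {` removes the ambiguity. The `'0' == $_GET['default_password_nag']` test guarding the same call in the `@@ -482,15 +482,15 @@` hunk could be made strict in the same way. Both functions extend beyond their hunks.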
@@ -594,3 +594,69 @@
 wp_specialchars_decode( translate_user_role( $role['name'] ) )
 );
 }
+
+/**
+ * Checks if the Authorize Application Password request is valid.
+ *
+ * @since 5.6.0
+ *
+ * @param array $request {
+ * The array of request data. All arguments are optional and may be empty.
+ *
+ * @type string $app_name The suggested name of the application.
+ * @type string $app_id A uuid provided by the application to uniquely identify it.
+ * @type string $success_url The url the user will be redirected to after approving the application.
+ * @type string $reject_url The url the user will be redirected to after rejecting the application.
+ * }
+ * @param WP_User $user The user authorizing the application.
+ * @return true|WP_Error True if the request is valid, a WP_Error object contains errors if not.
+ */
+function wp_is_authorize_application_password_request_valid( $request, $user ) {
+ $error = new WP_Error();
+
+ if ( ! empty( $request['success_url'] ) ) {
+ $scheme = wp_parse_url( $request['success_url'], PHP_URL_SCHEME );
+
+ if ( 'http' === $scheme ) {
+ $error->add(
+ 'invalid_redirect_scheme',
+ __( 'The success url must be served over a secure connection.' )
+ );
+ }
+ }
+
+ if ( ! empty( $request['reject_url'] ) ) {
+ $scheme = wp_parse_url( $request['reject_url'], PHP_URL_SCHEME );
+
+ if ( 'http' === $scheme ) {
+ $error->add(
+ 'invalid_redirect_scheme',
+ __( 'The rejection url must be served over a secure connection.' )
+ );
+ }
+ }
+
+ if ( ! empty( $request['app_id'] ) && ! wp_is_uuid( $request['app_id'] ) ) {
+ $error->add(
+ 'invalid_app_id',
+ __( 'The app id must be a uuid.' )
+ );
+ }
+
+ /**
+ * Fires before application password errors are returned.
+ *
+ * @since 5.6.0
+ *
+ * @param WP_Error $error The error object.
+ * @param array $request The array of request data.
+ * @param WP_User $user The user authorizing the application.
+ */
+ do_action( 'wp_authorize_application_password_request_errors', $error, $request, $user );
+
+ if ( $error->has_errors() ) {
+ return $error;
+ }
+
+ return true;
+}
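Review bot: The redirect checks in `wp_is_authorize_application_password_request_valid()` reject only the exact lowercase string `'http'`, so a `success_url` or `reject_url` written as `HTTP://…` appears to pass, since `wp_parse_url()` returns the scheme as typed. A URL that fails to parse, or has no scheme at all, also passes, because `$scheme` is then `false` or `null`. Tightening both branches to `if ( ! is_string( $scheme ) || 'http' === strtolower( $scheme ) ) {` closes those gaps while still allowing `https` and application-specific schemes. Because this is a deny-list, script-capable schemes are not rejected here either. If the success URL later receives the new credential, as the docblock's redirect description suggests it may, the code that emits the redirect needs its own scheme validation and escaping, and that code is not visible in this hunk.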