 
 
 
 
 


  1. <?php
  2. /**
  3. * WordPress user administration API.
  4. *
  5. * @package WordPress
  6. * @subpackage Administration
  7. */
  8. /**
  9. * Creates a new user from the "Users" form using $_POST information.
  10. *
  11. * @since 2.0.0
  12. *
  13. * @return int|WP_Error WP_Error or User ID.
  14. */
  15. function add_user() {
  16. return edit_user();
  17. }
/**
 * Edit user settings based on contents of $_POST
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 *
 * Reads the raw form fields from $_POST, builds a stdClass holding only the
 * submitted fields, collects validation failures into a WP_Error, and only
 * then hands the object to wp_update_user() / wp_insert_user(). Request-level
 * authorisation (nonce, 'edit_user' capability for the target) is NOT done
 * here — NOTE(review): the admin screens that call this presumably run
 * check_admin_referer() first; confirm before reusing it from another entry point.
 *
 * Security-relevant behaviour visible in this function:
 *  - user_login is only accepted from the form when creating a user, never on update.
 *  - A role is only applied when the current user has 'edit_users', may not move
 *    the current user out of 'edit_users', and must appear in get_editable_roles()
 *    (otherwise the request is terminated with wp_die()). An empty role is accepted
 *    and passed through as-is.
 *  - The only server-side password checks are: non-empty on create, no backslash,
 *    and pass1 == pass2. No minimum length or strength is enforced here.
 *  - description is only trim()'d here; any HTML filtering happens downstream
 *    (presumably the 'pre_user_description' filter in the insert/update path — confirm).
 *
 * @since 2.0.0
 *
 * @param int $user_id Optional. User ID. 0 (the default) creates a new user.
 * @return int|WP_Error user id of the updated user, or a WP_Error carrying every
 *                      validation failure found.
 */
function edit_user( $user_id = 0 ) {
	$wp_roles = wp_roles();
	$user = new stdClass;
	if ( $user_id ) {
		$update = true;
		$user->ID = (int) $user_id;
		$userdata = get_userdata( $user_id );
		// NOTE(review): no guard for get_userdata() returning false on an unknown ID — the
		// next line would then read ->user_login off a non-object. Callers are expected
		// to pass an existing user; confirm, or return a WP_Error early.
		$user->user_login = wp_slash( $userdata->user_login );
	} else {
		$update = false;
	}
	// The login can only be chosen at creation time; the edit form can never change it.
	if ( !$update && isset( $_POST['user_login'] ) )
		$user->user_login = sanitize_user($_POST['user_login'], true);
	$pass1 = $pass2 = '';
	if ( isset( $_POST['pass1'] ) )
		$pass1 = $_POST['pass1'];
	if ( isset( $_POST['pass2'] ) )
		$pass2 = $_POST['pass2'];
	// Role changes need 'edit_users'; without it the submitted role is silently ignored.
	if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
		$new_role = sanitize_text_field( $_POST['role'] );
		$potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
		// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
		// Multisite super admins can freely edit their blog roles -- they possess all caps.
		if ( ( is_multisite() && current_user_can( 'manage_sites' ) ) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap( 'edit_users' ) ) )
			$user->role = $new_role;
		// If the new role isn't editable by the logged-in user die with error.
		// A role name that does not exist at all ends up here too, since it is not in the editable list.
		$editable_roles = get_editable_roles();
		if ( ! empty( $new_role ) && empty( $editable_roles[$new_role] ) )
			wp_die(__('You can&#8217;t give users that role.'));
	}
	if ( isset( $_POST['email'] ))
		$user->user_email = sanitize_text_field( wp_unslash( $_POST['email'] ) );
	if ( isset( $_POST['url'] ) ) {
		if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
			$user->user_url = '';
		} else {
			// esc_url_raw() first; whatever survives without one of the allowed scheme
			// prefixes gets 'http://' prepended so a bare host is stored as an absolute URL.
			$user->user_url = esc_url_raw( $_POST['url'] );
			$protocols = implode( '|', array_map( 'preg_quote', wp_allowed_protocols() ) );
			$user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
		}
	}
	if ( isset( $_POST['first_name'] ) )
		$user->first_name = sanitize_text_field( $_POST['first_name'] );
	if ( isset( $_POST['last_name'] ) )
		$user->last_name = sanitize_text_field( $_POST['last_name'] );
	if ( isset( $_POST['nickname'] ) )
		$user->nickname = sanitize_text_field( $_POST['nickname'] );
	if ( isset( $_POST['display_name'] ) )
		$user->display_name = sanitize_text_field( $_POST['display_name'] );
	// Only whitespace-trimmed here: HTML filtering of the bio is left to the insert/update path.
	if ( isset( $_POST['description'] ) )
		$user->description = trim( $_POST['description'] );
	// Contact methods are plugin-extensible; every submitted one is stored as plain text.
	foreach ( wp_get_user_contact_methods( $user ) as $method => $name ) {
		if ( isset( $_POST[$method] ))
			$user->$method = sanitize_text_field( $_POST[$method] );
	}
	if ( $update ) {
		// Display preferences are only processed for existing users.
		$user->rich_editing = isset( $_POST['rich_editing'] ) && 'false' == $_POST['rich_editing'] ? 'false' : 'true';
		$user->admin_color = isset( $_POST['admin_color'] ) ? sanitize_text_field( $_POST['admin_color'] ) : 'fresh';
		$user->show_admin_bar_front = isset( $_POST['admin_bar_front'] ) ? 'true' : 'false';
		$user->locale = '';
		if ( isset( $_POST['locale'] ) ) {
			// Allow-list the locale against installed languages; anything unknown
			// falls back to the site default ('').
			$locale = sanitize_text_field( $_POST['locale'] );
			if ( 'site-default' === $locale ) {
				$locale = '';
			} elseif ( '' === $locale ) {
				$locale = 'en_US';
			} elseif ( ! in_array( $locale, get_available_languages(), true ) ) {
				$locale = '';
			}
			$user->locale = $locale;
		}
	}
	$user->comment_shortcuts = isset( $_POST['comment_shortcuts'] ) && 'true' == $_POST['comment_shortcuts'] ? 'true' : '';
	// Any non-empty value counts as "on"; the checkbox rendered by use_ssl_preference() submits 1.
	$user->use_ssl = 0;
	if ( !empty($_POST['use_ssl']) )
		$user->use_ssl = 1;
	$errors = new WP_Error();
	/* checking that username has been typed */
	if ( $user->user_login == '' )
		$errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );
	/* checking that nickname has been typed */
	if ( $update && empty( $user->nickname ) ) {
		$errors->add( 'nickname', __( '<strong>ERROR</strong>: Please enter a nickname.' ) );
	}
	/**
	 * Fires before the password and confirm password fields are checked for congruity.
	 *
	 * Both passwords are passed by reference, so a hooked callback can rewrite
	 * (or blank) them before the checks below run.
	 *
	 * @since 1.5.1
	 *
	 * @param string $user_login The username.
	 * @param string &$pass1 The password, passed by reference.
	 * @param string &$pass2 The confirmed password, passed by reference.
	 */
	do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) );
	// Check for blank password when adding a user.
	if ( ! $update && empty( $pass1 ) ) {
		$errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter a password.' ), array( 'form-field' => 'pass1' ) );
	}
	// Check for "\" in password. $pass1 is the raw $_POST value (WordPress slashes
	// request data), hence the wp_unslash() before looking for a literal backslash.
	if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) ) {
		$errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
	}
	// Checking the password has been typed twice the same.
	if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {
		$errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in both password fields.' ), array( 'form-field' => 'pass1' ) );
	}
	// No length/strength check here. An empty pass1 on update leaves the password untouched.
	if ( !empty( $pass1 ) )
		$user->user_pass = $pass1;
	// validate_username() runs on the raw submission, username_exists() on the sanitized one.
	if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
		$errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
	if ( !$update && username_exists( $user->user_login ) )
		$errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
	/** This filter is documented in wp-includes/user.php */
	$illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
	// Case-insensitive match against the blocklist; applied on update as well as on create.
	if ( in_array( strtolower( $user->user_login ), array_map( 'strtolower', $illegal_logins ) ) ) {
		$errors->add( 'invalid_username', __( '<strong>ERROR</strong>: Sorry, that username is not allowed.' ) );
	}
	/* checking email address: required, well-formed, and not already owned by a different user */
	if ( empty( $user->user_email ) ) {
		$errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an email address.' ), array( 'form-field' => 'email' ) );
	} elseif ( !is_email( $user->user_email ) ) {
		$errors->add( 'invalid_email', __( '<strong>ERROR</strong>: The email address isn&#8217;t correct.' ), array( 'form-field' => 'email' ) );
	} elseif ( ( $owner_id = email_exists($user->user_email) ) && ( !$update || ( $owner_id != $user->ID ) ) ) {
		$errors->add( 'email_exists', __('<strong>ERROR</strong>: This email is already registered, please choose another one.'), array( 'form-field' => 'email' ) );
	}
	/**
	 * Fires before user profile update errors are returned.
	 *
	 * Last chance for plugins to add validation errors (or mutate $user)
	 * before anything is persisted.
	 *
	 * @since 2.8.0
	 *
	 * @param WP_Error &$errors WP_Error object, passed by reference.
	 * @param bool $update Whether this is a user update.
	 * @param stdClass &$user User object, passed by reference.
	 */
	do_action_ref_array( 'user_profile_update_errors', array( &$errors, $update, &$user ) );
	// Nothing is written if any check above (or a hooked plugin) recorded an error.
	if ( $errors->get_error_codes() )
		return $errors;
	if ( $update ) {
		$user_id = wp_update_user( $user );
	} else {
		$user_id = wp_insert_user( $user );
		// 'admin' or 'both' — see wp_send_new_user_notifications() for what each triggers.
		$notify = isset( $_POST['send_user_notification'] ) ? 'both' : 'admin';
		/**
		 * Fires after a new user has been created.
		 *
		 * @since 4.4.0
		 *
		 * @param int $user_id ID of the newly created user.
		 * @param string $notify Type of notification that should happen. See wp_send_new_user_notifications()
		 * for more information on possible values.
		 */
		do_action( 'edit_user_created_user', $user_id, $notify );
	}
	return $user_id;
}
  183. /**
  184. * Fetch a filtered list of user roles that the current user is
  185. * allowed to edit.
  186. *
  187. * Simple function who's main purpose is to allow filtering of the
  188. * list of roles in the $wp_roles object so that plugins can remove
  189. * inappropriate ones depending on the situation or user making edits.
  190. * Specifically because without filtering anyone with the edit_users
  191. * capability can edit others to be administrators, even if they are
  192. * only editors or authors. This filter allows admins to delegate
  193. * user management.
  194. *
  195. * @since 2.8.0
  196. *
  197. * @return array
  198. */
  199. function get_editable_roles() {
  200. $all_roles = wp_roles()->roles;
  201. /**
  202. * Filters the list of editable roles.
  203. *
  204. * @since 2.8.0
  205. *
  206. * @param array $all_roles List of roles.
  207. */
  208. $editable_roles = apply_filters( 'editable_roles', $all_roles );
  209. return $editable_roles;
  210. }
  211. /**
  212. * Retrieve user data and filter it.
  213. *
  214. * @since 2.0.5
  215. *
  216. * @param int $user_id User ID.
  217. * @return WP_User|bool WP_User object on success, false on failure.
  218. */
  219. function get_user_to_edit( $user_id ) {
  220. $user = get_userdata( $user_id );
  221. if ( $user )
  222. $user->filter = 'edit';
  223. return $user;
  224. }
  225. /**
  226. * Retrieve the user's drafts.
  227. *
  228. * @since 2.0.0
  229. *
  230. * @global wpdb $wpdb WordPress database abstraction object.
  231. *
  232. * @param int $user_id User ID.
  233. * @return array
  234. */
  235. function get_users_drafts( $user_id ) {
  236. global $wpdb;
  237. $query = $wpdb->prepare("SELECT ID, post_title FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'draft' AND post_author = %d ORDER BY post_modified DESC", $user_id);
  238. /**
  239. * Filters the user's drafts query string.
  240. *
  241. * @since 2.0.0
  242. *
  243. * @param string $query The user's drafts query string.
  244. */
  245. $query = apply_filters( 'get_users_drafts', $query );
  246. return $wpdb->get_results( $query );
  247. }
  248. /**
  249. * Remove user and optionally reassign posts and links to another user.
  250. *
  251. * If the $reassign parameter is not assigned to a User ID, then all posts will
  252. * be deleted of that user. The action {@see 'delete_user'} that is passed the User ID
  253. * being deleted will be run after the posts are either reassigned or deleted.
  254. * The user meta will also be deleted that are for that User ID.
  255. *
  256. * @since 2.0.0
  257. *
  258. * @global wpdb $wpdb WordPress database abstraction object.
  259. *
  260. * @param int $id User ID.
  261. * @param int $reassign Optional. Reassign posts and links to new User ID.
  262. * @return bool True when finished.
  263. */
  264. function wp_delete_user( $id, $reassign = null ) {
  265. global $wpdb;
  266. if ( ! is_numeric( $id ) ) {
  267. return false;
  268. }
  269. $id = (int) $id;
  270. $user = new WP_User( $id );
  271. if ( !$user->exists() )
  272. return false;
  273. // Normalize $reassign to null or a user ID. 'novalue' was an older default.
  274. if ( 'novalue' === $reassign ) {
  275. $reassign = null;
  276. } elseif ( null !== $reassign ) {
  277. $reassign = (int) $reassign;
  278. }
  279. /**
  280. * Fires immediately before a user is deleted from the database.
  281. *
  282. * @since 2.0.0
  283. *
  284. * @param int $id ID of the user to delete.
  285. * @param int|null $reassign ID of the user to reassign posts and links to.
  286. * Default null, for no reassignment.
  287. */
  288. do_action( 'delete_user', $id, $reassign );
  289. if ( null === $reassign ) {
  290. $post_types_to_delete = array();
  291. foreach ( get_post_types( array(), 'objects' ) as $post_type ) {
  292. if ( $post_type->delete_with_user ) {
  293. $post_types_to_delete[] = $post_type->name;
  294. } elseif ( null === $post_type->delete_with_user && post_type_supports( $post_type->name, 'author' ) ) {
  295. $post_types_to_delete[] = $post_type->name;
  296. }
  297. }
  298. /**
  299. * Filters the list of post types to delete with a user.
  300. *
  301. * @since 3.4.0
  302. *
  303. * @param array $post_types_to_delete Post types to delete.
  304. * @param int $id User ID.
  305. */
  306. $post_types_to_delete = apply_filters( 'post_types_to_delete_with_user', $post_types_to_delete, $id );
  307. $post_types_to_delete = implode( "', '", $post_types_to_delete );
  308. $post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_author = %d AND post_type IN ('$post_types_to_delete')", $id ) );
  309. if ( $post_ids ) {
  310. foreach ( $post_ids as $post_id )
  311. wp_delete_post( $post_id );
  312. }
  313. // Clean links
  314. $link_ids = $wpdb->get_col( $wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_owner = %d", $id) );
  315. if ( $link_ids ) {
  316. foreach ( $link_ids as $link_id )
  317. wp_delete_link($link_id);
  318. }
  319. } else {
  320. $post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_author = %d", $id ) );
  321. $wpdb->update( $wpdb->posts, array('post_author' => $reassign), array('post_author' => $id) );
  322. if ( ! empty( $post_ids ) ) {
  323. foreach ( $post_ids as $post_id )
  324. clean_post_cache( $post_id );
  325. }
  326. $link_ids = $wpdb->get_col( $wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_owner = %d", $id) );
  327. $wpdb->update( $wpdb->links, array('link_owner' => $reassign), array('link_owner' => $id) );
  328. if ( ! empty( $link_ids ) ) {
  329. foreach ( $link_ids as $link_id )
  330. clean_bookmark_cache( $link_id );
  331. }
  332. }
  333. // FINALLY, delete user
  334. if ( is_multisite() ) {
  335. remove_user_from_blog( $id, get_current_blog_id() );
  336. } else {
  337. $meta = $wpdb->get_col( $wpdb->prepare( "SELECT umeta_id FROM $wpdb->usermeta WHERE user_id = %d", $id ) );
  338. foreach ( $meta as $mid )
  339. delete_metadata_by_mid( 'user', $mid );
  340. $wpdb->delete( $wpdb->users, array( 'ID' => $id ) );
  341. }
  342. clean_user_cache( $user );
  343. /**
  344. * Fires immediately after a user is deleted from the database.
  345. *
  346. * @since 2.9.0
  347. *
  348. * @param int $id ID of the deleted user.
  349. * @param int|null $reassign ID of the user to reassign posts and links to.
  350. * Default null, for no reassignment.
  351. */
  352. do_action( 'deleted_user', $id, $reassign );
  353. return true;
  354. }
  355. /**
  356. * Remove all capabilities from user.
  357. *
  358. * @since 2.1.0
  359. *
  360. * @param int $id User ID.
  361. */
  362. function wp_revoke_user($id) {
  363. $id = (int) $id;
  364. $user = new WP_User($id);
  365. $user->remove_all_caps();
  366. }
  367. /**
  368. * @since 2.8.0
  369. *
  370. * @global int $user_ID
  371. *
  372. * @param false $errors Deprecated.
  373. */
  374. function default_password_nag_handler($errors = false) {
  375. global $user_ID;
  376. // Short-circuit it.
  377. if ( ! get_user_option('default_password_nag') )
  378. return;
  379. // get_user_setting = JS saved UI setting. else no-js-fallback code.
  380. if ( 'hide' == get_user_setting('default_password_nag') || isset($_GET['default_password_nag']) && '0' == $_GET['default_password_nag'] ) {
  381. delete_user_setting('default_password_nag');
  382. update_user_option($user_ID, 'default_password_nag', false, true);
  383. }
  384. }
  385. /**
  386. * @since 2.8.0
  387. *
  388. * @param int $user_ID
  389. * @param object $old_data
  390. */
  391. function default_password_nag_edit_user($user_ID, $old_data) {
  392. // Short-circuit it.
  393. if ( ! get_user_option('default_password_nag', $user_ID) )
  394. return;
  395. $new_data = get_userdata($user_ID);
  396. // Remove the nag if the password has been changed.
  397. if ( $new_data->user_pass != $old_data->user_pass ) {
  398. delete_user_setting('default_password_nag');
  399. update_user_option($user_ID, 'default_password_nag', false, true);
  400. }
  401. }
  402. /**
  403. * @since 2.8.0
  404. *
  405. * @global string $pagenow
  406. */
  407. function default_password_nag() {
  408. global $pagenow;
  409. // Short-circuit it.
  410. if ( 'profile.php' == $pagenow || ! get_user_option('default_password_nag') )
  411. return;
  412. echo '<div class="error default-password-nag">';
  413. echo '<p>';
  414. echo '<strong>' . __('Notice:') . '</strong> ';
  415. _e('You&rsquo;re using the auto-generated password for your account. Would you like to change it?');
  416. echo '</p><p>';
  417. printf( '<a href="%s">' . __('Yes, take me to my profile page') . '</a> | ', get_edit_profile_url() . '#password' );
  418. printf( '<a href="%s" id="default-password-nag-no">' . __('No thanks, do not remind me again') . '</a>', '?default_password_nag=0' );
  419. echo '</p></div>';
  420. }
/**
 * Prints the inline script used by the "Delete Users" confirmation form.
 *
 * The submit button starts disabled and is enabled the first time a
 * delete_option radio changes; focusing #reassign_user checks #delete_option1
 * (presumably the "reassign" choice) and fires that change. The script is
 * static — it embeds no request data or user-supplied values — so it has no
 * injection surface, but as an inline <script> it will be blocked by a
 * Content-Security-Policy that does not allow 'unsafe-inline'.
 *
 * @since 3.5.0
 * @access private
 */
function delete_users_add_js() { ?>
<script>
jQuery(document).ready( function($) {
	var submit = $('#submit').prop('disabled', true);
	$('input[name="delete_option"]').one('change', function() {
		submit.prop('disabled', false);
	});
	$('#reassign_user').focus( function() {
		$('#delete_option1').prop('checked', true).trigger('change');
	});
});
</script>
<?php
}
/**
 * Optional SSL preference that can be turned on by hooking to the 'personal_options' action.
 *
 * Renders one table row with the "use_ssl" checkbox, pre-checked when
 * $user->use_ssl is '1'. The submitted value is consumed by edit_user(),
 * which only tests $_POST['use_ssl'] for non-emptiness.
 *
 * See the {@see 'personal_options'} action.
 *
 * @since 2.7.0
 *
 * @param object $user User data object; only $user->use_ssl is read.
 */
function use_ssl_preference($user) {
?>
<tr class="user-use-ssl-wrap">
<th scope="row"><?php _e('Use https')?></th>
<td><label for="use_ssl"><input name="use_ssl" type="checkbox" id="use_ssl" value="1" <?php checked('1', $user->use_ssl); ?> /> <?php _e('Always use https when visiting the admin'); ?></label></td>
</tr>
<?php
}
  456. /**
  457. *
  458. * @param string $text
  459. * @return string
  460. */
  461. function admin_created_user_email( $text ) {
  462. $roles = get_editable_roles();
  463. $role = $roles[ $_REQUEST['role'] ];
  464. /* translators: 1: Site name, 2: site URL, 3: role */
  465. return sprintf( __( 'Hi,
  466. You\'ve been invited to join \'%1$s\' at
  467. %2$s with the role of %3$s.
  468. If you do not want to join this site please ignore
  469. this email. This invitation will expire in a few days.
  470. Please click the following link to activate your user account:
  471. %%s' ), get_bloginfo( 'name' ), home_url(), wp_specialchars_decode( translate_user_role( $role['name'] ) ) );
  472. }