bp_settings_action_general()

Handles the changing and saving of user email addresses and passwords.

Description

We do quite a bit of logic and error handling here to make sure that users do not accidentally lock themselves out of their accounts. We also try to provide as accurate of feedback as possible without exposing anyone else’s information to them.

Special considerations are made for super admins that are able to edit any users accounts already, without knowing their existing password.

Source

File: bp-settings/actions/general.php

function bp_settings_action_general() {
    if ( ! bp_is_post_request() ) {
        return;
    }
 
    // Bail if no submit action.
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
 
    // Bail if not in settings.
    if ( ! bp_is_settings_component() || ! bp_is_current_action( 'general' ) ) {
        return;
    }
 
    // 404 if there are any additional action variables attached
    if ( bp_action_variables() ) {
        bp_do_404();
        return;
    }
 
    // Define local defaults
    $bp            = buddypress(); // The instance
    $email_error   = false;        // invalid|blocked|taken|empty|nochange
    $pass_error    = false;        // invalid|mismatch|empty|nochange
    $pass_changed  = false;        // true if the user changes their password
    $email_changed = false;        // true if the user changes their email
    $feedback_type = 'error';      // success|error
    $feedback      = array();      // array of strings for feedback.
 
    // Nonce check.
    check_admin_referer('bp_settings_general');
 
    // Validate the user again for the current password when making a big change.
    if ( ( is_super_admin() ) || ( !empty( $_POST['pwd'] ) && wp_check_password( $_POST['pwd'], $bp->displayed_user->userdata->user_pass, bp_displayed_user_id() ) ) ) {
 
        $update_user = get_userdata( bp_displayed_user_id() );
 
        /* Email Change Attempt ******************************************/
 
        if ( !empty( $_POST['email'] ) ) {
 
            // What is missing from the profile page vs signup -
            // let's double check the goodies.
            $user_email     = sanitize_email( esc_html( trim( $_POST['email'] ) ) );
            $old_user_email = $bp->displayed_user->userdata->user_email;
 
            // User is changing email address.
            if ( $old_user_email != $user_email ) {
 
                // Run some tests on the email address.
                $email_checks = bp_core_validate_email_address( $user_email );
 
                if ( true !== $email_checks ) {
                    if ( isset( $email_checks['invalid'] ) ) {
                        $email_error = 'invalid';
                    }
 
                    if ( isset( $email_checks['domain_banned'] ) || isset( $email_checks['domain_not_allowed'] ) ) {
                        $email_error = 'blocked';
                    }
 
                    if ( isset( $email_checks['in_use'] ) ) {
                        $email_error = 'taken';
                    }
                }
 
                // Store a hash to enable email validation.
                if ( false === $email_error ) {
                    $hash = wp_generate_password( 32, false );
 
                    $pending_email = array(
                        'hash'     => $hash,
                        'newemail' => $user_email,
                    );
 
                    bp_update_user_meta( bp_displayed_user_id(), 'pending_email_change', $pending_email );
                    $verify_link = bp_displayed_user_domain() . bp_get_settings_slug() . '/?verify_email_change=' . $hash;
 
                    // Send the verification email.
                    $args = array(
                        'tokens' => array(
                            'displayname'    => bp_core_get_user_displayname( bp_displayed_user_id() ),
                            'old-user.email' => $old_user_email,
                            'user.email'     => $user_email,
                            'verify.url'     => esc_url( $verify_link ),
                        ),
                    );
                    bp_send_email( 'settings-verify-email-change', bp_displayed_user_id(), $args );
 
                    // We mark that the change has taken place so as to ensure a
                    // success message, even though verification is still required.
                    $_POST['email'] = $update_user->user_email;
                    $email_changed = true;
                }
 
            // No change.
            } else {
                $email_error = false;
            }
 
        // Email address cannot be empty.
        } else {
            $email_error = 'empty';
        }
 
        /* Password Change Attempt ***************************************/
 
        if ( !empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) {
 
            if ( ( $_POST['pass1'] == $_POST['pass2'] ) && !strpos( " " . wp_unslash( $_POST['pass1'] ), "\\" ) ) {
 
                // Password change attempt is successful.
                if ( ( ! empty( $_POST['pwd'] ) && $_POST['pwd'] != $_POST['pass1'] ) || is_super_admin() )  {
                    $update_user->user_pass = $_POST['pass1'];
                    $pass_changed = true;
 
                // The new password is the same as the current password.
                } else {
                    $pass_error = 'same';
                }
 
            // Password change attempt was unsuccessful.
            } else {
                $pass_error = 'mismatch';
            }
 
        // Both password fields were empty.
        } elseif ( empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) {
            $pass_error = false;
 
        // One of the password boxes was left empty.
        } elseif ( ( empty( $_POST['pass1'] ) && !empty( $_POST['pass2'] ) ) || ( !empty( $_POST['pass1'] ) && empty( $_POST['pass2'] ) ) ) {
            $pass_error = 'empty';
        }
 
        // The structure of the $update_user object changed in WP 3.3, but
        // wp_update_user() still expects the old format.
        if ( isset( $update_user->data ) && is_object( $update_user->data ) ) {
            $update_user = $update_user->data;
            $update_user = get_object_vars( $update_user );
 
            // Unset the password field to prevent it from emptying out the
            // user's user_pass field in the database.
            // @see wp_update_user().
            if ( false === $pass_changed ) {
                unset( $update_user['user_pass'] );
            }
        }
 
        // Clear cached data, so that the changed settings take effect
        // on the current page load.
        if ( ( false === $email_error ) && ( false === $pass_error ) && ( wp_update_user( $update_user ) ) ) {
            $bp->displayed_user->userdata = bp_core_get_core_userdata( bp_displayed_user_id() );
        }
 
    // Password Error.
    } else {
        $pass_error = 'invalid';
    }
 
    // Email feedback.
    switch ( $email_error ) {
        case 'invalid' :
            $feedback['email_invalid']  = __( 'That email address is invalid. Check the formatting and try again.', 'buddyboss' );
            break;
        case 'blocked' :
            $feedback['email_blocked']  = __( 'That email address is currently unavailable for use.', 'buddyboss' );
            break;
        case 'taken' :
            $feedback['email_taken']    = __( 'That email address is already taken.', 'buddyboss' );
            break;
        case 'empty' :
            $feedback['email_empty']    = __( 'Email address cannot be empty.', 'buddyboss' );
            break;
        case false :
            // No change.
            break;
    }
 
    // Password feedback.
    switch ( $pass_error ) {
        case 'invalid' :
            $feedback['pass_error']    = __( 'Your current password is invalid.', 'buddyboss' );
            break;
        case 'mismatch' :
            $feedback['pass_mismatch'] = __( 'The new password fields did not match.', 'buddyboss' );
            break;
        case 'empty' :
            $feedback['pass_empty']    = __( 'One of the password fields was empty.', 'buddyboss' );
            break;
        case 'same' :
            $feedback['pass_same']     = __( 'The new password must be different from the current password.', 'buddyboss' );
            break;
        case false :
            // No change.
            break;
    }
 
    // No errors so show a simple success message.
    if ( ( ( false === $email_error ) || ( false == $pass_error ) ) && ( ( true === $pass_changed ) || ( true === $email_changed ) ) ) {
        $feedback[]    = __( 'Your settings have been saved.', 'buddyboss' );
        $feedback_type = 'success';
 
    // Some kind of errors occurred.
    } elseif ( ( ( false === $email_error ) || ( false === $pass_error ) ) && ( ( false === $pass_changed ) || ( false === $email_changed ) ) ) {
        if ( bp_is_my_profile() ) {
            $feedback['nochange'] = __( 'No changes were made to your account.', 'buddyboss' );
        } else {
            $feedback['nochange'] = __( 'No changes were made to this account.', 'buddyboss' );
        }
    }
 
    // Set the feedback.
    bp_core_add_message( implode( "\n", $feedback ), $feedback_type );
 
    /**
     * Fires after the general settings have been saved, and before redirect.
     *
     * @since BuddyPress 1.5.0
     */
    do_action( 'bp_core_general_settings_after_save' );
 
    // Redirect to prevent issues with browser back button.
    bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() . '/general' ) );
}

Expand full source code Collapse full source code

Changelog

Changelog
Version	Description
BuddyPress 1.6.0	Introduced.

Uses

Uses
Uses	Description
bp-settings/bp-settings-template.php: bp_get_settings_slug()	Return the settings component slug.
bp-settings/actions/general.php: bp_core_general_settings_after_save	Fires after the general settings have been saved, and before redirect.
bp-loader.php: buddypress()	The main function responsible for returning the one true BuddyBoss Instance to functions everywhere.
bp-members/bp-members-functions.php: bp_core_validate_email_address()	Check that an email address is valid for use.
bp-members/bp-members-functions.php: bp_core_get_user_displayname()	Fetch the display name for a user.
bp-members/bp-members-functions.php: bp_core_get_core_userdata()	Fetch everything in the wp_users table for a user, without any usermeta.
bp-members/bp-members-template.php: bp_displayed_user_domain()	Generate the link for the displayed user’s profile.
bp-core/bp-core-template.php: bp_is_my_profile()	Is the current page part of the profile of the logged-in user?
bp-core/bp-core-template.php: bp_is_settings_component()	Check whether the current page is part of the Settings component.
bp-core/bp-core-template.php: bp_is_current_action()	Check to see whether the current page matches a given action.
bp-core/bp-core-template.php: bp_displayed_user_id()	Get the ID of the currently displayed user.
bp-core/bp-core-template.php: bp_action_variables()	Return the value of $bp->action_variables.
bp-core/bp-core-functions.php: bp_send_email()	Send email, similar to WordPress’ wp_mail().
bp-core/bp-core-functions.php: bp_is_post_request()	Return true\|false if this is a POST request.
bp-core/bp-core-functions.php: bp_do_404()	Trigger a 404.
bp-core/bp-core-functions.php: bp_update_user_meta()	Update a piece of usermeta.
bp-core/bp-core-functions.php: bp_core_add_message()	Add a feedback (error/success) message to the WP cookie so it can be displayed after the page reloads.
bp-core/bp-core-functions.php: bp_core_redirect()	Perform a status-safe wp_redirect() that is compatible with BP’s URI parser.

Show 13 more uses Hide more uses

Questions?

We're always happy to help with code or other questions you might have! Search our developer docs, contact support, or connect with our sales team.

Contents

Description

Source

Changelog

Related

Uses

Questions?