diff --git a/includes/core/class-form.php b/includes/core/class-form.php
index 76ce15f8..5ae5f373 100644
--- a/includes/core/class-form.php
+++ b/includes/core/class-form.php
@@ -55,6 +55,15 @@ if ( ! class_exists( 'um\core\Form' ) ) {
*/
public $all_fields = array();
+ /**
+ * Whitelisted usermeta that can be stored when UM Form is submitted.
+ *
+ * @since 2.6.7
+ *
+ * @var array
+ */
+ private $usermeta_whitelist = array();
+
/**
* Form constructor.
*/
@@ -401,7 +410,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
} else {
$http_post = 'POST';
}
-
+ // Handles Register, Profile and Login forms.
if ( $http_post && ! is_admin() && isset( $_POST['form_id'] ) && is_numeric( $_POST['form_id'] ) ) {
$this->form_id = absint( $_POST['form_id'] );
@@ -414,185 +423,268 @@ if ( ! class_exists( 'um\core\Form' ) ) {
return;
}
- $this->form_data = UM()->query()->post_data( $this->form_id );
+ // Verified that form_id is right and UM form is published. Then get form data.
+
+ $this->form_data = UM()->query()->post_data( $this->form_id );
+
+ // Checking the form custom fields. Form without custom fields is invalid.
+ if ( ! array_key_exists( 'mode', $this->form_data ) ) {
+ return;
+ }
+
+ // Checking the form custom fields. Form without custom fields is invalid.
+ if ( ! array_key_exists( 'custom_fields', $this->form_data ) ) {
+ return;
+ }
+
+ $custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
+ if ( ! is_array( $custom_fields ) || empty( $custom_fields ) ) {
+ return;
+ }
+
+ $field_types_without_metakey = UM()->builtin()->get_fields_without_metakey();
+ foreach ( $custom_fields as $cf_k => $cf_data ) {
+ if ( ! array_key_exists( 'type', $cf_data ) || in_array( $cf_data['type'], $field_types_without_metakey, true ) ) {
+ unset( $custom_fields[ $cf_k ] );
+ }
+ if ( ! array_key_exists( 'metakey', $cf_data ) || empty( $cf_data['metakey'] ) ) {
+ unset( $custom_fields[ $cf_k ] );
+ }
+ }
+ $cf_metakeys = array_column( $custom_fields, 'metakey' );
+ $all_cf_metakeys = $cf_metakeys;
+
+ // The '_um_last_login' cannot be updated through UM form.
+ $cf_metakeys = array_values( array_diff( $cf_metakeys, array( 'role_select', 'role_radio', 'role', '_um_last_login' ) ) );
+ if ( 'register' === $this->form_data['mode'] ) {
+ $cf_metakeys[] = 'submitted';
+ }
/**
- * UM hook
+ * Fires before UM login, registration or profile form submission.
*
- * @type action
- * @title um_before_submit_form_post
- * @description Before submit form
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_before_submit_form_post', 'function_name', 10, 1 );
- * @example
- * form() class instance. Since 2.6.7
+ *
+ * @example Make any custom action before UM login, registration or profile form submission.
+ * function my_custom_before_submit_form_post( $um_form_obj ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_before_submit_form_post', 'my_custom_before_submit_form_post' );
*/
- do_action( 'um_before_submit_form_post' );
+ do_action( 'um_before_submit_form_post', $this );
/* save entire form as global */
/**
- * UM hook
+ * Filters $_POST submitted data by the UM login, registration or profile form.
*
- * @type filter
- * @title um_submit_post_form
- * @description Change submitted data on form submit
- * @input_vars
- * [{"var":"$data","type":"array","desc":"Submitted data"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage
- *
- * @example
- * Extends $_POST data.
+ * function my_submit_post_form( $_post ) {
+ * $_post['some_key'] = 'some value';
+ * return $_post;
* }
- * ?>
+ * add_filter( 'um_submit_post_form', 'my_submit_post_form' );
*/
$this->post_form = apply_filters( 'um_submit_post_form', wp_unslash( $_POST ) );
+ // Validate form submission by honeypot.
if ( isset( $this->post_form[ UM()->honeypot ] ) && '' !== $this->post_form[ UM()->honeypot ] ) {
+ // High level escape if hacking.
wp_die( esc_html__( 'Hello, spam bot!', 'ultimate-member' ) );
}
- $this->post_form = $this->beautify( $this->post_form );
- $this->post_form = $this->sanitize( $this->post_form );
- $this->post_form['submitted'] = $this->post_form;
-
- $this->post_form = array_merge( $this->form_data, $this->post_form );
+ $this->post_form = $this->beautify( $this->post_form );
+ // Validate and filter 'role' submitted data to avoid handling roles with admin privileges.
// Remove role from post_form at first if role ! empty and there aren't custom fields with role name
- if ( ! empty( $_POST['role'] ) ) {
- if ( ! isset( $this->form_data['custom_fields'] ) || ! strstr( $this->form_data['custom_fields'], 'role_' ) ) {
+ $maybe_set_default_role = true;
+ if ( array_key_exists( 'role', $this->post_form ) ) {
+ if ( 'login' === $this->form_data['mode'] ) {
unset( $this->post_form['role'] );
- unset( $this->post_form['submitted']['role'] );
- }
- }
-
- // Secure sanitize of the submitted data
- if ( ! empty( $this->post_form ) ) {
- $this->post_form = $this->clean_submitted_data( $this->post_form );
- }
- if ( ! empty( $this->post_form['submitted'] ) ) {
- $this->post_form['submitted'] = $this->clean_submitted_data( $this->post_form['submitted'] );
- }
-
- // set default role from settings on registration form
- if ( isset( $this->post_form['mode'] ) && 'register' === $this->post_form['mode'] ) {
- $role = $this->assigned_role( $this->form_id );
- $this->post_form['role'] = $role;
- }
-
- if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role
-
- if ( ! empty( $_POST['role'] ) ) {
- $custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] );
-
- if ( ! empty( $custom_field_roles ) ) {
- if ( is_array( $_POST['role'] ) ) {
- $role = current( $_POST['role'] );
- $role = sanitize_key( $role );
- } else {
- $role = sanitize_key( $_POST['role'] );
- }
-
- global $wp_roles;
- $exclude_roles = array_diff( array_keys( $wp_roles->roles ), UM()->roles()->get_editable_user_roles() );
-
- if ( ! empty( $role ) &&
- ( ! in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles, true ) ) ) {
- wp_die( esc_html__( 'This is not possible for security reasons.', 'ultimate-member' ) );
- }
-
- $this->post_form['role'] = $role;
- $this->post_form['submitted']['role'] = $role;
- } else {
+ } else {
+ $form_has_role_field = count( array_intersect( $all_cf_metakeys, array( 'role_select', 'role_radio' ) ) ) > 0;
+ if ( ! $form_has_role_field ) {
unset( $this->post_form['role'] );
- unset( $this->post_form['submitted']['role'] );
+ } else {
+ $custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] );
+ if ( ! empty( $custom_field_roles ) ) {
+ if ( is_array( $this->post_form['role'] ) ) {
+ $role = current( $this->post_form['role'] );
+ $role = sanitize_key( $role );
+ } else {
+ $role = sanitize_key( $this->post_form['role'] );
+ }
+
+ global $wp_roles;
+ $exclude_roles = array_diff( array_keys( $wp_roles->roles ), UM()->roles()->get_editable_user_roles() );
+
+ if ( ! empty( $role ) &&
+ ( ! in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles, true ) ) ) {
+ // High level escape if hacking.
+ wp_die( esc_html__( 'This is not possible for security reasons.', 'ultimate-member' ) );
+ }
- // set default role for registration form if custom field hasn't proper value
- if ( isset( $this->post_form['mode'] ) && 'register' === $this->post_form['mode'] ) {
- $role = $this->assigned_role( $this->form_id );
$this->post_form['role'] = $role;
+ $maybe_set_default_role = false;
}
}
}
}
- /**
- * UM hook
- *
- * @type filter
- * @title um_submit_form_data
- * @description Change submitted data on form submit
- * @input_vars
- * [{"var":"$data","type":"array","desc":"Submitted data"},
- * {"var":"$mode","type":"string","desc":"Form mode"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage
- *
- * @example
- *
- */
- $this->post_form = apply_filters( 'um_submit_form_data', $this->post_form, $this->post_form['mode'] );
+ $this->post_form = $this->sanitize( $this->post_form );
+ $this->post_form['submitted'] = $this->post_form;
+ // Set default role from settings on registration form. It has been made after defined 'submitted' because predefined role isn't a submitted field.
+ if ( $maybe_set_default_role && 'register' === $this->form_data['mode'] ) {
+ $role = $this->assigned_role( $this->form_id );
+ $this->post_form['role'] = $role;
+ }
+
+ // @todo REMOVE THAT !!! AND SEPARATE FORM DATA AND SUBMISSION DATA. MAY AFFECT TO EXTENSIONS
+ $this->post_form = array_merge( $this->form_data, $this->post_form );
+
+ // Remove role from post_form at first if role ! empty and there aren't custom fields with role name
+// if ( ! empty( $this->post_form['role'] ) ) {
+// if ( ! strstr( $this->form_data['custom_fields'], 'role_' ) ) {
+// unset( $this->post_form['role'] );
+// //unset( $this->post_form['submitted']['role'] );
+// }
+// }
+
+ // Secure sanitize of the submitted data
+// if ( ! empty( $this->post_form ) ) {
+// $this->post_form = $this->clean_submitted_data( $this->post_form );
+// }
+// if ( ! empty( $this->post_form['submitted'] ) ) {
+// $this->post_form['submitted'] = $this->clean_submitted_data( $this->post_form['submitted'] );
+// }
+
+
+
+// if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) { // Secure selected role
+// if ( ! empty( $_POST['role'] ) ) {
+// $custom_field_roles = $this->custom_field_roles( $this->form_data['custom_fields'] );
+//
+// if ( ! empty( $custom_field_roles ) ) {
+// if ( is_array( $_POST['role'] ) ) {
+// $role = current( $_POST['role'] );
+// $role = sanitize_key( $role );
+// } else {
+// $role = sanitize_key( $_POST['role'] );
+// }
+//
+// global $wp_roles;
+// $exclude_roles = array_diff( array_keys( $wp_roles->roles ), UM()->roles()->get_editable_user_roles() );
+//
+// if ( ! empty( $role ) &&
+// ( ! in_array( $role, $custom_field_roles, true ) || in_array( $role, $exclude_roles, true ) ) ) {
+// wp_die( esc_html__( 'This is not possible for security reasons.', 'ultimate-member' ) );
+// }
+//
+// $this->post_form['role'] = $role;
+// $this->post_form['submitted']['role'] = $role;
+// } else {
+// unset( $this->post_form['role'] );
+// unset( $this->post_form['submitted']['role'] );
+//
+// // set default role for registration form if custom field hasn't proper value
+// if ( 'register' === $this->form_data['mode'] ) {
+// $role = $this->assigned_role( $this->form_id );
+// $this->post_form['role'] = $role;
+// }
+// }
+// }
+// }
+
+ /**
+ * Filters $_POST submitted data by the UM login, registration or profile form.
+ * It's un-slashed by `wp_unslash()`, beautified and sanitized. `role` attribute is filtered by possible role.
+ * `submitted` key is added by code and contains summary of submission.
+ *
+ * Internal Ultimate Member callbacks (Priority -> Callback name -> Excerpt):
+ * 9 - `um_submit_form_data_trim_fields()` maybe over-functionality and can be removed.
+ * 10 - `um_submit_form_data_role_fields()` important for conditional logic based on role fields in form.
+ *
+ * @param {array} $_post Submitted data.
+ * @param {string} $mode Form mode. login||register||profile
+ * @param {array} $all_cf_metakeys Form's metakeys. Since 2.6.7.
+ *
+ * @return {array} Submitted data.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_data
+ *
+ * @example Extends UM form submitted data.
+ * function my_submit_form_data( $_post, $mode, $all_cf_metakeys ) {
+ * $_post['some_key'] = 'some value';
+ * return $_post;
+ * }
+ * add_filter( 'um_submit_form_data', 'my_submit_form_data', 10, 3 );
+ */
+ $this->post_form = apply_filters( 'um_submit_form_data', $this->post_form, $this->form_data['mode'], $all_cf_metakeys );
/* Continue based on form mode - pre-validation */
-
/**
- * UM hook
+ * Fires for validation UM login, registration or profile form submission.
*
- * @type action
- * @title um_submit_form_errors_hook
- * @description Action on submit form
- * @input_vars
- * [{"var":"$post","type":"int","desc":"Post data"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * 10 - `um_submit_form_errors_hook()` All form validation handlers.
+ * 20 - `um_recaptcha_validate()` reCAPTCHA form validation handlers. um-recaptcha extension.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook
+ *
+ * @param {array} $post $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any common validation action here.
+ * function my_custom_before_submit_form_post( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook', 'my_custom_submit_form_errors_hook', 10, 2 );
*/
- do_action( 'um_submit_form_errors_hook', $this->post_form );
+ do_action( 'um_submit_form_errors_hook', $this->post_form, $this->form_data );
+ if ( 'login' !== $this->form_data['mode'] ) {
+ var_dump( $this->post_form );
+ var_dump( $this->form_data );
+ var_dump( '------------------------------------------------------------' );
+ var_dump( $all_cf_metakeys );
+ var_dump( $cf_metakeys );
+ exit;
+ }
+ /* Continue based on form mode - store data. */
/**
- * UM hook
+ * Fires for make main actions on UM login, registration or profile form submission.
*
- * @type action
- * @title um_submit_form_{$mode}
- * @description Action on submit form
- * @input_vars
- * [{"var":"$post","type":"int","desc":"Post data"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_{$mode}', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * ### um_submit_form_login:
+ * * 1 - `UM()->login()->verify_nonce()` Verify nonce.
+ * * 10 - `um_submit_form_login()` Login form main handler.
+ * ### um_submit_form_register:
+ * ### um_submit_form_profile:
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook
+ *
+ * @param {array} $post $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any custom action.
+ * function my_custom_before_submit_form_post( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook', 'my_custom_submit_form_errors_hook', 10, 2 );
*/
- do_action( "um_submit_form_{$this->post_form['mode']}", $this->post_form );
+ do_action( "um_submit_form_{$this->post_form['mode']}", $this->post_form, $this->form_data );
}
}
@@ -716,7 +808,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
)
),
' /'
- );
+ );
}
}
}
diff --git a/includes/core/class-login.php b/includes/core/class-login.php
index b825c759..115afbee 100644
--- a/includes/core/class-login.php
+++ b/includes/core/class-login.php
@@ -1,13 +1,12 @@
- * @example
- *
+ * @param {bool} $allow_nonce Is allowed verify nonce on login. By default, allowed = `true`.
+ * @param {array} $form_data Form's metakeys. Since 2.6.7.
+ *
+ * @return {bool} Is allowed verify.
+ *
+ * @since 2.0
+ * @hook um_login_allow_nonce_verification
+ *
+ * @example Disable verifying nonce on the login page.
+ * add_filter( 'um_login_allow_nonce_verification', '__return_false' );
*/
- $allow_nonce_verification = apply_filters( 'um_login_allow_nonce_verification', true );
-
- if ( ! $allow_nonce_verification ) {
- return $args;
+ $allow_nonce_verification = apply_filters( 'um_login_allow_nonce_verification', true, $form_data );
+ if ( ! $allow_nonce_verification ) {
+ return;
}
- if ( ! wp_verify_nonce( $args['_wpnonce'], 'um_login_form' ) || empty( $args['_wpnonce'] ) || ! isset( $args['_wpnonce'] ) ) {
- $url = apply_filters( 'um_login_invalid_nonce_redirect_url', add_query_arg( [ 'err' => 'invalid_nonce' ] ) );
- exit( wp_redirect( $url ) );
+ if ( empty( $args['_wpnonce'] ) || ! wp_verify_nonce( $args['_wpnonce'], 'um_login_form' ) ) {
+ $url = apply_filters( 'um_login_invalid_nonce_redirect_url', add_query_arg( array( 'err' => 'invalid_nonce' ) ) );
+ wp_safe_redirect( $url );
+ exit;
}
-
- return $args;
}
-
}
-
-}
\ No newline at end of file
+}
diff --git a/includes/core/um-actions-form.php b/includes/core/um-actions-form.php
index 25c2a3e2..54e180ba 100644
--- a/includes/core/um-actions-form.php
+++ b/includes/core/um-actions-form.php
@@ -1,12 +1,14 @@
-options()->get( 'blocked_emails' );
if ( ! $emails ) {
return;
@@ -15,41 +17,39 @@ function um_submit_form_errors_hook__blockedemails( $args ) {
$emails = strtolower( $emails );
$emails = array_map( 'rtrim', explode( "\n", $emails ) );
- if ( isset( $args['user_email'] ) && is_email( $args['user_email'] ) ) {
- if ( in_array( strtolower( $args['user_email'] ), $emails ) ) {
+ if ( isset( $submitted_data['user_email'] ) && is_email( $submitted_data['user_email'] ) ) {
+ if ( in_array( strtolower( $submitted_data['user_email'] ), $emails ) ) {
exit( wp_redirect( esc_url( add_query_arg( 'err', 'blocked_email' ) ) ) );
}
- $domain = explode( '@', $args['user_email'] );
- $check_domain = str_replace( $domain[0], '*', $args['user_email'] );
+ $domain = explode( '@', $submitted_data['user_email'] );
+ $check_domain = str_replace( $domain[0], '*', $submitted_data['user_email'] );
if ( in_array( strtolower( $check_domain ), $emails ) ) {
exit( wp_redirect( esc_url( add_query_arg( 'err', 'blocked_domain' ) ) ) );
}
}
- if ( isset( $args['username'] ) && is_email( $args['username'] ) ) {
- if ( in_array( strtolower( $args['username'] ), $emails ) ) {
+ if ( isset( $submitted_data['username'] ) && is_email( $submitted_data['username'] ) ) {
+ if ( in_array( strtolower( $submitted_data['username'] ), $emails ) ) {
exit( wp_redirect( esc_url( add_query_arg( 'err', 'blocked_email' ) ) ) );
}
- $domain = explode( '@', $args['username'] );
- $check_domain = str_replace( $domain[0], '*', $args['username'] );
+ $domain = explode( '@', $submitted_data['username'] );
+ $check_domain = str_replace( $domain[0], '*', $submitted_data['username'] );
if ( in_array( strtolower( $check_domain ), $emails ) ) {
exit( wp_redirect( esc_url( add_query_arg( 'err', 'blocked_domain' ) ) ) );
}
}
}
-add_action( 'um_submit_form_errors_hook__blockedemails', 'um_submit_form_errors_hook__blockedemails', 10 );
+add_action( 'um_submit_form_errors_hook__blockedemails', 'um_submit_form_errors_hook__blockedemails' );
/**
- * Error handling: blocked IPs
- *
- * @param $args
+ * Error handling: blocked IPs.
*/
-function um_submit_form_errors_hook__blockedips( $args ) {
+function um_submit_form_errors_hook__blockedips() {
$ips = UM()->options()->get( 'blocked_ips' );
if ( ! $ips ) {
return;
@@ -65,7 +65,7 @@ function um_submit_form_errors_hook__blockedips( $args ) {
}
}
}
-add_action( 'um_submit_form_errors_hook__blockedips', 'um_submit_form_errors_hook__blockedips', 10 );
+add_action( 'um_submit_form_errors_hook__blockedips', 'um_submit_form_errors_hook__blockedips' );
/**
@@ -79,8 +79,6 @@ function um_submit_form_errors_hook__blockedwords( $args ) {
return;
}
- $form_id = $args['form_id'];
- $mode = $args['mode'];
$fields = unserialize( $args['custom_fields'] );
$words = strtolower( $words );
@@ -99,155 +97,137 @@ add_action( 'um_submit_form_errors_hook__blockedwords', 'um_submit_form_errors_h
/**
- * Error handling
+ * UM login|register|profile form error handling.
*
- * @param $args
+ * @param array $submitted_data
+ * @param array $form_data
*/
-function um_submit_form_errors_hook( $args ) {
- $mode = $args['mode'];
+function um_submit_form_errors_hook( $submitted_data, $form_data ) {
+ $mode = $form_data['mode'];
/**
- * UM hook
+ * Fires for validation blocked IPs when UM login, registration or profile form has been submitted.
*
- * @type action
- * @title um_submit_form_errors_hook__blockedips
- * @description Submit form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook__blockedips', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * 10 - `um_submit_form_errors_hook__blockedips()` Native validation handlers.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook__blockedips
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any common validation action here.
+ * function my_submit_form_errors_hook__blockedips( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook__blockedips', 'my_submit_form_errors_hook__blockedips', 10, 2 );
*/
- do_action( 'um_submit_form_errors_hook__blockedips', $args );
-
-
+ do_action( 'um_submit_form_errors_hook__blockedips', $submitted_data, $form_data );
/**
- * UM hook
+ * Fires for validation blocked email addresses when UM login, registration or profile form has been submitted.
*
- * @type action
- * @title um_submit_form_errors_hook__blockedemails
- * @description Submit form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook__blockedemails', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * 10 - `um_submit_form_errors_hook__blockedemails()` Native validation handlers.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook__blockedemails
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any common validation action here.
+ * function my_submit_form_errors_hook__blockedemails( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook__blockedemails', 'my_submit_form_errors_hook__blockedemails', 10, 2 );
*/
- do_action( 'um_submit_form_errors_hook__blockedemails', $args );
-
- if ( $mode == 'register' ) {
-
+ do_action( 'um_submit_form_errors_hook__blockedemails', $submitted_data, $form_data );
+ if ( 'login' === $mode ) {
/**
- * UM hook
+ * Fires for login form validation when it has been submitted.
*
- * @type action
- * @title um_submit_form_errors_hook__registration
- * @description Submit registration form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook__registration', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * 10 - `um_submit_form_errors_hook_login()` Native login validation handlers.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook_login
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any common validation action here.
+ * function my_submit_form_errors_hook_login( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook_login', 'my_submit_form_errors_hook_login', 10, 2 );
*/
- do_action( 'um_submit_form_errors_hook__registration', $args );
-
- } elseif ( $mode == 'profile' ) {
-
-
+ do_action( 'um_submit_form_errors_hook_login', $submitted_data, $form_data );
/**
- * UM hook
+ * Fires for login form validation when it has been submitted.
*
- * @type action
- * @title um_submit_form_errors_hook__registration
- * @description Submit registration form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook__registration', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * 9999 - `um_submit_form_errors_hook_logincheck()` Native login validation handlers.
+ *
+ * @since 1.3.x
+ * @hook um_submit_form_errors_hook_logincheck
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any common validation action here.
+ * function my_submit_form_errors_hook_logincheck( $post, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_submit_form_errors_hook_logincheck', 'my_submit_form_errors_hook_logincheck', 10, 2 );
*/
- do_action( 'um_submit_form_errors_hook__profile', $args );
-
- } elseif ( $mode == 'login' ) {
-
-
- /**
- * UM hook
- *
- * @type action
- * @title um_submit_form_errors_hook_login
- * @description Submit login form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook_login', 'function_name', 10, 1 );
- * @example
- *
- */
- do_action( 'um_submit_form_errors_hook_login', $args );
-
-
- /**
- * UM hook
- *
- * @type action
- * @title um_submit_form_errors_hook_logincheck
- * @description Submit login form validation
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form Arguments"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_submit_form_errors_hook_logincheck', 'function_name', 10, 1 );
- * @example
- *
- */
- do_action( 'um_submit_form_errors_hook_logincheck', $args );
-
- }
-
-
- if ( $mode != 'login' ) {
-
+ do_action( 'um_submit_form_errors_hook_logincheck', $submitted_data, $form_data );
+ // ------ Reviewed. --------- //
+ } else {
+ if ( 'register' === $mode ) {
+ /**
+ * UM hook
+ *
+ * @type action
+ * @title um_submit_form_errors_hook__registration
+ * @description Submit registration form validation
+ * @input_vars
+ * [{"var":"$args","type":"array","desc":"Form Arguments"}]
+ * @change_log
+ * ["Since: 2.0"]
+ * @usage add_action( 'um_submit_form_errors_hook__registration', 'function_name', 10, 1 );
+ * @example
+ *
+ */
+ do_action( 'um_submit_form_errors_hook__registration', $submitted_data, $form_data );
+ } elseif ( 'profile' === $mode ) {
+ /**
+ * UM hook
+ *
+ * @type action
+ * @title um_submit_form_errors_hook__registration
+ * @description Submit registration form validation
+ * @input_vars
+ * [{"var":"$args","type":"array","desc":"Form Arguments"}]
+ * @change_log
+ * ["Since: 2.0"]
+ * @usage add_action( 'um_submit_form_errors_hook__registration', 'function_name', 10, 1 );
+ * @example
+ *
+ */
+ do_action( 'um_submit_form_errors_hook__profile', $submitted_data, $form_data );
+ }
/**
* UM hook
@@ -268,9 +248,7 @@ function um_submit_form_errors_hook( $args ) {
* }
* ?>
*/
- do_action( 'um_submit_form_errors_hook__blockedwords', $args );
-
-
+ do_action( 'um_submit_form_errors_hook__blockedwords', $submitted_data, $form_data );
/**
* UM hook
*
@@ -290,12 +268,10 @@ function um_submit_form_errors_hook( $args ) {
* }
* ?>
*/
- do_action( 'um_submit_form_errors_hook_', $args );
-
+ do_action( 'um_submit_form_errors_hook_', $submitted_data, $form_data );
}
-
}
-add_action( 'um_submit_form_errors_hook', 'um_submit_form_errors_hook', 10 );
+add_action( 'um_submit_form_errors_hook', 'um_submit_form_errors_hook', 10, 2 );
/**
diff --git a/includes/core/um-actions-login.php b/includes/core/um-actions-login.php
index dbf019ea..de777c93 100644
--- a/includes/core/um-actions-login.php
+++ b/includes/core/um-actions-login.php
@@ -4,57 +4,51 @@ if ( ! defined( 'ABSPATH' ) ) {
}
/**
- * Error procesing hook for login
+ * Error processing hook for login.
*
- * @param $args
+ * @param $submitted_data
*/
-function um_submit_form_errors_hook_login( $args ) {
- $is_email = false;
+function um_submit_form_errors_hook_login( $submitted_data ) {
+ $user_password = $submitted_data['user_password'];
- $form_id = $args['form_id'];
- $mode = $args['mode'];
- $user_password = $args['user_password'];
-
- if ( isset( $args['username'] ) && $args['username'] == '' ) {
+ if ( isset( $submitted_data['username'] ) && $submitted_data['username'] == '' ) {
UM()->form()->add_error( 'username', __( 'Please enter your username or email', 'ultimate-member' ) );
}
- if ( isset( $args['user_login'] ) && $args['user_login'] == '' ) {
+ if ( isset( $submitted_data['user_login'] ) && $submitted_data['user_login'] == '' ) {
UM()->form()->add_error( 'user_login', __( 'Please enter your username', 'ultimate-member' ) );
}
- if ( isset( $args['user_email'] ) && $args['user_email'] == '' ) {
+ if ( isset( $submitted_data['user_email'] ) && $submitted_data['user_email'] == '' ) {
UM()->form()->add_error( 'user_email', __( 'Please enter your email', 'ultimate-member' ) );
}
- if ( isset( $args['username'] ) ) {
- $authenticate = $args['username'];
+ if ( isset( $submitted_data['username'] ) ) {
+ $authenticate = $submitted_data['username'];
$field = 'username';
- if ( is_email( $args['username'] ) ) {
- $is_email = true;
- $data = get_user_by('email', $args['username'] );
+ if ( is_email( $submitted_data['username'] ) ) {
+ $data = get_user_by('email', $submitted_data['username'] );
$user_name = isset( $data->user_login ) ? $data->user_login : null;
} else {
- $user_name = $args['username'];
+ $user_name = $submitted_data['username'];
}
- } elseif ( isset( $args['user_email'] ) ) {
- $authenticate = $args['user_email'];
+ } elseif ( isset( $submitted_data['user_email'] ) ) {
+ $authenticate = $submitted_data['user_email'];
$field = 'user_email';
- $is_email = true;
- $data = get_user_by('email', $args['user_email'] );
+ $data = get_user_by('email', $submitted_data['user_email'] );
$user_name = isset( $data->user_login ) ? $data->user_login : null;
} else {
$field = 'user_login';
- $user_name = $args['user_login'];
- $authenticate = $args['user_login'];
+ $user_name = $submitted_data['user_login'];
+ $authenticate = $submitted_data['user_login'];
}
- if ( $args['user_password'] == '' ) {
+ if ( $submitted_data['user_password'] == '' ) {
UM()->form()->add_error( 'user_password', __( 'Please enter your password', 'ultimate-member' ) );
}
$user = get_user_by( 'login', $user_name );
- if ( $user && wp_check_password( $args['user_password'], $user->data->user_pass, $user->ID ) ) {
+ if ( $user && wp_check_password( $submitted_data['user_password'], $user->data->user_pass, $user->ID ) ) {
UM()->login()->auth_id = username_exists( $user_name );
} else {
UM()->form()->add_error( 'user_password', __( 'Password is incorrect. Please try again.', 'ultimate-member' ) );
@@ -67,7 +61,7 @@ function um_submit_form_errors_hook_login( $args ) {
// see WP function wp_authenticate()
$ignore_codes = array( 'empty_username', 'empty_password' );
- $user = apply_filters( 'authenticate', null, $authenticate, $args['user_password'] );
+ $user = apply_filters( 'authenticate', null, $authenticate, $submitted_data['user_password'] );
if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes ) ) {
if ( ! empty( $third_party_codes ) && in_array( $user->get_error_code(), $third_party_codes ) ) {
UM()->form()->add_error( $user->get_error_code(), $user->get_error_message() );
@@ -76,7 +70,7 @@ function um_submit_form_errors_hook_login( $args ) {
}
}
- $user = apply_filters( 'wp_authenticate_user', $user, $args['user_password'] );
+ $user = apply_filters( 'wp_authenticate_user', $user, $submitted_data['user_password'] );
if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes ) ) {
if ( ! empty( $third_party_codes ) && in_array( $user->get_error_code(), $third_party_codes ) ) {
UM()->form()->add_error( $user->get_error_code(), $user->get_error_message() );
@@ -90,7 +84,7 @@ function um_submit_form_errors_hook_login( $args ) {
do_action( 'wp_login_failed', $user_name, UM()->form()->get_wp_error() );
}
}
-add_action( 'um_submit_form_errors_hook_login', 'um_submit_form_errors_hook_login', 10 );
+add_action( 'um_submit_form_errors_hook_login', 'um_submit_form_errors_hook_login' );
/**
@@ -123,13 +117,13 @@ function um_display_login_errors( $args ) {
}
add_action( 'um_before_login_fields', 'um_display_login_errors' );
-
/**
- * Login checks thru the frontend login
+ * Login checks through the frontend login
*
- * @param $args
+ * @param array $submitted_data
+ * @param array $form_data
*/
-function um_submit_form_errors_hook_logincheck( $args ) {
+function um_submit_form_errors_hook_logincheck( $submitted_data, $form_data ) {
// Logout if logged in
if ( is_user_logged_in() ) {
wp_logout();
@@ -140,25 +134,23 @@ function um_submit_form_errors_hook_logincheck( $args ) {
$status = um_user( 'account_status' ); // account status
switch ( $status ) {
-
- // If user can't login to site...
+ // If user can't log in to site...
case 'inactive':
case 'awaiting_admin_review':
case 'awaiting_email_confirmation':
case 'rejected':
- um_reset_user();
- exit( wp_redirect( add_query_arg( 'err', esc_attr( $status ), UM()->permalinks()->get_current_url() ) ) );
- break;
-
+ um_reset_user();
+ wp_safe_redirect( add_query_arg( 'err', esc_attr( $status ), UM()->permalinks()->get_current_url() ) );
+ exit;
}
- if ( isset( $args['form_id'] ) && $args['form_id'] == UM()->shortcodes()->core_login_form() && UM()->form()->errors && ! isset( $_POST[ UM()->honeypot ] ) ) {
- exit( wp_redirect( um_get_core_page( 'login' ) ) );
+ if ( isset( $form_data['form_id'] ) && absint( $form_data['form_id'] ) === absint( UM()->shortcodes()->core_login_form() ) && UM()->form()->errors && ! isset( $_POST[ UM()->honeypot ] ) ) {
+ wp_safe_redirect( um_get_core_page( 'login' ) );
+ exit;
}
}
-add_action( 'um_submit_form_errors_hook_logincheck', 'um_submit_form_errors_hook_logincheck', 9999 );
-
+add_action( 'um_submit_form_errors_hook_logincheck', 'um_submit_form_errors_hook_logincheck', 9999, 2 );
/**
* Store last login timestamp
@@ -192,13 +184,13 @@ function um_store_lastlogin_timestamp_( $login ) {
add_action( 'wp_login', 'um_store_lastlogin_timestamp_' );
/**
- * Login user process
+ * Login user process.
*
- * @param array $args
+ * @param array $submitted_data
*/
-function um_user_login( $args ) {
+function um_user_login( $submitted_data ) {
// phpcs:disable WordPress.Security.NonceVerification -- already verified here
- $rememberme = ( isset( $_REQUEST['rememberme'], $args['rememberme'] ) && 1 === (int) $args['rememberme'] ) ? 1 : 0;
+ $rememberme = ( isset( $_REQUEST['rememberme'], $submitted_data['rememberme'] ) && 1 === (int) $submitted_data['rememberme'] ) ? 1 : 0;
// @todo check using the 'deny_admin_frontend_login' option
if ( false !== strrpos( um_user( 'wp_roles' ), 'administrator' ) && ( ! isset( $_GET['provider'] ) && UM()->options()->get( 'deny_admin_frontend_login' ) ) ) {
@@ -224,8 +216,8 @@ function um_user_login( $args ) {
do_action( 'um_on_login_before_redirect', um_user( 'ID' ) );
// Priority redirect from $_GET attribute.
- if ( ! empty( $args['redirect_to'] ) ) {
- wp_safe_redirect( $args['redirect_to'] );
+ if ( ! empty( $submitted_data['redirect_to'] ) ) {
+ wp_safe_redirect( $submitted_data['redirect_to'] );
exit;
}
@@ -277,56 +269,52 @@ add_action( 'um_user_login', 'um_user_login' );
/**
* Form processing
*
- * @param $args
+ * @param array $submitted_data
+ * @param array $form_data
*/
-function um_submit_form_login( $args ) {
-
+function um_submit_form_login( $submitted_data, $form_data ) {
if ( ! isset( UM()->form()->errors ) ) {
/**
- * UM hook
+ * Fires after successful submit login form.
*
- * @type action
- * @title um_user_login
- * @description Hook that runs after successful submit login form
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form data"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_user_login', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * * 10 - `um_user_login()` Login form main handler.
+ *
+ * @since 1.3.x
+ * @hook um_user_login
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any custom login action if submission is valid.
+ * function my_user_login( $submitted_data, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_user_login', 'my_user_login', 10, 2 );
*/
- do_action( 'um_user_login', $args );
+ do_action( 'um_user_login', $submitted_data, $form_data );
}
-
/**
- * UM hook
+ * Fires after submit login form.
*
- * @type action
- * @title um_user_login_extra_hook
- * @description Hook that runs after successful submit login form
- * @input_vars
- * [{"var":"$args","type":"array","desc":"Form data"}]
- * @change_log
- * ["Since: 2.0"]
- * @usage add_action( 'um_user_login_extra_hook', 'function_name', 10, 1 );
- * @example
- * Callback name -> Excerpt):
+ * * 10 - um-messaging.
+ *
+ * @since 1.3.x
+ * @hook um_user_login_extra_hook
+ *
+ * @param {array} $submitted_data $_POST Submission array.
+ * @param {array} $form_data UM form data. Since 2.6.7
+ *
+ * @example Make any custom login action.
+ * function my_user_login_extra( $submitted_data, $form_data ) {
* // your code here
* }
- * ?>
+ * add_action( 'um_user_login_extra_hook', 'my_user_login_extra', 10, 2 );
*/
- do_action( 'um_user_login_extra_hook', $args );
+ do_action( 'um_user_login_extra_hook', $submitted_data, $form_data );
}
-add_action( 'um_submit_form_login', 'um_submit_form_login', 10 );
-
+add_action( 'um_submit_form_login', 'um_submit_form_login', 10, 2 );
/**
* Show the submit button
diff --git a/includes/core/um-filters-fields.php b/includes/core/um-filters-fields.php
index 2bf8bb6d..12101d31 100644
--- a/includes/core/um-filters-fields.php
+++ b/includes/core/um-filters-fields.php
@@ -898,12 +898,13 @@ add_filter( 'um_profile_field_filter_hook__', 'um_profile_field_filter_xss_valid
/**
* Trim All form POST submitted data
*
+ * @todo Maybe deprecate because data is sanitized in earlier code and trim included to `sanitize_text_field()`. Need testing and confirmation.
+ *
* @param $post_form
- * @param $mode
*
* @return mixed
*/
-function um_submit_form_data_trim_fields( $post_form, $mode ) {
+function um_submit_form_data_trim_fields( $post_form ) {
foreach ( $post_form as $key => $field ) {
if ( is_string( $field ) ) {
$post_form[ $key ] = trim( $field );
@@ -912,30 +913,44 @@ function um_submit_form_data_trim_fields( $post_form, $mode ) {
return $post_form;
}
-add_filter( 'um_submit_form_data', 'um_submit_form_data_trim_fields', 9, 2 );
+add_filter( 'um_submit_form_data', 'um_submit_form_data_trim_fields', 9, 1 );
/**
- * add role_select and role_radio to the $post_form
- * It is necessary for that if on these fields the conditional logic
- * @param $post_form array
- * @param $mode
+ * Add `role_select` and `role_radio` to the $post_form
+ * It is necessary for that if on these fields the conditional logic.
*
- * @return $post_form
- * @uses hook filters: um_submit_form_data
+ * @param array $post_form
+ * @param string $mode
+ * @param array $all_cf_metakeys
+ *
+ * @return array
*/
-function um_submit_form_data_role_fields( $post_form, $mode ) {
- $custom_fields = unserialize( $post_form['custom_fields'] );
- if ( ! empty( $post_form['role'] ) && array_key_exists( 'role_select', $custom_fields ) ) {
- $post_form['role_select'] = $post_form['role'];
+function um_submit_form_data_role_fields( $post_form, $mode, $all_cf_metakeys ) {
+ if ( 'login' === $mode ) {
+ return $post_form;
}
- if (! empty( $post_form['role'] ) && array_key_exists( 'role_radio', $custom_fields ) ) {
- $post_form['role_radio'] = $post_form['role'];
+
+ if ( ! array_key_exists( 'role', $post_form ) ) {
+ return $post_form;
+ }
+
+ $role_fields = array( 'role_select', 'role_radio' );
+
+ $form_has_role_field = count( array_intersect( $all_cf_metakeys, $role_fields ) ) > 0;
+ if ( ! $form_has_role_field ) {
+ return $post_form;
+ }
+
+ foreach ( $role_fields as $role_field ) {
+ if ( in_array( $role_field, $all_cf_metakeys, true ) ) {
+ $post_form[ $role_field ] = $post_form['role'];
+ }
}
return $post_form;
}
-add_filter( 'um_submit_form_data', 'um_submit_form_data_role_fields', 10, 2 );
+add_filter( 'um_submit_form_data', 'um_submit_form_data_role_fields', 10, 3 );
/**
diff --git a/includes/core/um-filters-login.php b/includes/core/um-filters-login.php
index 185ad9b8..18af141c 100644
--- a/includes/core/um-filters-login.php
+++ b/includes/core/um-filters-login.php
@@ -43,8 +43,10 @@ add_filter( 'login_message', 'um_custom_wp_err_messages' );
*/
function um_wp_form_errors_hook_ip_test( $user, $username, $password ) {
if ( ! empty( $username ) ) {
- do_action( 'um_submit_form_errors_hook__blockedips', array() );
- do_action( 'um_submit_form_errors_hook__blockedemails', array( 'username' => $username ) );
+ /** This action is documented in includes/core/um-actions-form.php */
+ do_action( 'um_submit_form_errors_hook__blockedips', array(), null );
+ /** This action is documented in includes/core/um-actions-form.php */
+ do_action( 'um_submit_form_errors_hook__blockedemails', array( 'username' => $username ), null );
}
return $user;
@@ -53,7 +55,7 @@ add_filter( 'authenticate', 'um_wp_form_errors_hook_ip_test', 10, 3 );
/**
- * Login checks thru the wordpress admin login
+ * Login checks through the WordPress admin login.
*
* @param $user
* @param $username
@@ -93,8 +95,8 @@ add_filter( 'authenticate', 'um_wp_form_errors_hook_logincheck', 50, 3 );
/**
* Change lost password url in UM Login form
- * @param string $lostpassword_url
- * @return string
+ * @param string $lostpassword_url
+ * @return string
*/
function um_lostpassword_url( $lostpassword_url ) {