<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[BuddyPress] [3524] trunk:
  Adds password verification before an email address or password change on the General Settings screen
 .</title>
</head>
<body>

<div id="msg">
<dl>
<dt>Revision</dt> <dd>3524</dd>
<dt>Author</dt> <dd>boonebgorges</dd>
<dt>Date</dt> <dd>2010-12-11 13:38:11 +0000 (Sat, 11 Dec 2010)</dd>
</dl>

<h3>Log Message</h3>
<pre>Adds password verification before an email address or password change on the General Settings screen. Fixes #2517. Props nuprn1 and r-a-y</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkbpcorebpcoresettingsphp">trunk/bp-core/bp-core-settings.php</a></li>
<li><a href="#trunkbpthemesbpdefaultmemberssinglepluginsphp">trunk/bp-themes/bp-default/members/single/plugins.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkbpcorebpcoresettingsphp"></a>
<div class="modfile"><h4>Modified: trunk/bp-core/bp-core-settings.php (3523 => 3524)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/bp-core/bp-core-settings.php        2010-12-07 22:53:45 UTC (rev 3523)
+++ trunk/bp-core/bp-core-settings.php        2010-12-11 13:38:11 UTC (rev 3524)
</span><span class="lines">@@ -31,10 +31,12 @@
</span><span class="cx"> /**** GENERAL SETTINGS ****/
</span><span class="cx"> 
</span><span class="cx"> function bp_core_screen_general_settings() {
</span><del>-        global $current_user, $bp_settings_updated, $pass_error;
</del><ins>+        global $current_user, $bp_settings_updated, $pass_error, $email_error, $pwd_error;
</ins><span class="cx"> 
</span><span class="cx">         $bp_settings_updated = false;
</span><span class="cx">         $pass_error = false;
</span><ins>+        $email_error = false;
+        $pwd_error = false;
</ins><span class="cx"> 
</span><span class="cx">         if ( isset($_POST['submit']) ) {
</span><span class="cx">                 check_admin_referer('bp_settings_general');
</span><span class="lines">@@ -42,24 +44,61 @@
</span><span class="cx">                 require_once( WPINC . '/registration.php' );
</span><span class="cx"> 
</span><span class="cx">                 // Form has been submitted and nonce checks out, lets do it.
</span><del>-
-                if ( $_POST['email'] != '' )
-                        $current_user-&gt;user_email = esc_html( trim( $_POST['email'] ) );
-
-                if ( $_POST['pass1'] != '' &amp;&amp; $_POST['pass2'] != '' ) {
-                        if ( $_POST['pass1'] == $_POST['pass2'] &amp;&amp; !strpos( &quot; &quot; . $_POST['pass1'], &quot;\\&quot; ) )
-                                $current_user-&gt;user_pass = $_POST['pass1'];
-                        else
-                                $pass_error = true;
-                } else if ( empty( $_POST['pass1'] ) &amp;&amp; !empty( $_POST['pass2'] ) || !empty( $_POST['pass1'] ) &amp;&amp; empty( $_POST['pass2'] ) ) {
-                        $pass_error = true;
-                } else {
-                        unset( $current_user-&gt;user_pass );
-                }
-
-                if ( !$pass_error &amp;&amp; wp_update_user( get_object_vars( $current_user ) ) )
-                        $bp_settings_updated = true;
-                        
</del><ins>+                
+                 // Validate the user again for the current password when making a big change
+                 if ( !empty( $_POST['pwd'] ) &amp;&amp; $_POST['pwd'] != '' &amp;&amp; wp_check_password($_POST['pwd'], $current_user-&gt;user_pass, $current_user-&gt;ID) ) {

+                         // Make sure changing an email address does not already exist
+                         if ( $_POST['email'] != '' ) {

+                                 // What is missing from the profile page vs signup - lets double check the goodies
+                                 $user_email = sanitize_email( wp_specialchars( trim( $_POST['email'] ) ) );

+                                 if ( !is_email( $user_email ) )
+                                         $email_error = true;

+                                 $limited_email_domains = get_site_option( 'limited_email_domains', 'buddypress' );

+                                 if ( is_array( $limited_email_domains ) &amp;&amp; empty( $limited_email_domains ) == false ) {
+                                         $emaildomain = substr( $user_email, 1 + strpos( $user_email, '@' ) );

+                                         if ( in_array( $emaildomain, (array)$limited_email_domains ) == false ) {
+                                                 $email_error = true;
+                                                 
+                                         }
+                                 }

+                                 if ( !$email_error &amp;&amp; $current_user-&gt;user_email != $user_email  ) {
+                                 
+                                         //we don't want email dups in the system
+                                         if ( email_exists( $user_email ) )
+                                                 $email_error = true;
+                                                 
+                                         if (!$email_error)
+                                                 $current_user-&gt;user_email = $user_email;
+                                 }
+                         }

+                         if ( $_POST['pass1'] != '' &amp;&amp; $_POST['pass2'] != '' ) {
+                         
+                                 if ( $_POST['pass1'] == $_POST['pass2'] &amp;&amp; !strpos( &quot; &quot; . $_POST['pass1'], &quot;\\&quot; ) )
+                                         $current_user-&gt;user_pass = $_POST['pass1'];
+                                 else
+                                         $pass_error = true;
+  
+                         } else if ( empty( $_POST['pass1'] ) &amp;&amp; !empty( $_POST['pass2'] ) || !empty( $_POST['pass1'] ) &amp;&amp; empty( $_POST['pass2'] ) ) {
+                                  $pass_error = true;
+                         } else {
+                                 unset( $current_user-&gt;user_pass );
+                         }

+                         if ( !$email_error &amp;&amp; !$pass_error &amp;&amp; wp_update_user( get_object_vars( $current_user ) ) )
+                                 $bp_settings_updated = true;
+                         
+                  } else {
+                         $pwd_error = true;
+                  }
+                  
</ins><span class="cx">                 do_action( 'bp_core_general_settings_after_save' );
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -74,7 +113,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> function bp_core_screen_general_settings_content() {
</span><del>-        global $bp, $current_user, $bp_settings_updated, $pass_error; ?&gt;
</del><ins>+        global $bp, $current_user, $bp_settings_updated, $pass_error, $pwd_error, $email_error; ?&gt;
</ins><span class="cx"> 
</span><span class="cx">         &lt;?php if ( $bp_settings_updated &amp;&amp; !$pass_error ) { ?&gt;
</span><span class="cx">                 &lt;div id=&quot;message&quot; class=&quot;updated fade&quot;&gt;
</span><span class="lines">@@ -87,8 +126,26 @@
</span><span class="cx">                         &lt;p&gt;&lt;?php _e( 'Your passwords did not match', 'buddypress' ) ?&gt;&lt;/p&gt;
</span><span class="cx">                 &lt;/div&gt;
</span><span class="cx">         &lt;?php } ?&gt;
</span><ins>+        
+        &lt;?php if ( $pwd_error &amp;&amp; !$bp_settings_updated ) { ?&gt;
+                &lt;div id=&quot;message&quot; class=&quot;error fade&quot;&gt;
+                        &lt;p&gt;&lt;?php _e( 'Your password is incorrect', 'buddypress' ) ?&gt;&lt;/p&gt;
+                &lt;/div&gt;
+        &lt;?php } ?&gt;
</ins><span class="cx"> 
</span><ins>+        &lt;?php 
+        if ( $email_error &amp;&amp; !$bp_settings_updated ) { ?&gt;
+                &lt;div id=&quot;message&quot; class=&quot;error fade&quot;&gt;
+                        &lt;p&gt;&lt;?php _e( 'Sorry, that email address is already used or is invalid', 'buddypress' ) ?&gt;&lt;/p&gt;
+                &lt;/div&gt;
+        &lt;?php } ?&gt;
+
+
</ins><span class="cx">         &lt;form action=&quot;&lt;?php echo $bp-&gt;loggedin_user-&gt;domain . BP_SETTINGS_SLUG . '/general' ?&gt;&quot; method=&quot;post&quot; class=&quot;standard-form&quot; id=&quot;settings-form&quot;&gt;
</span><ins>+
+                &lt;label for=&quot;pwd&quot;&gt;&lt;?php _e( 'Current Password &lt;span&gt;(required to update email or change current password)&lt;/span&gt;', 'buddypress' ) ?&gt;&lt;/label&gt;
+                &lt;input type=&quot;password&quot; name=&quot;pwd&quot; id=&quot;pwd&quot; size=&quot;16&quot; value=&quot;&quot; class=&quot;settings-input small&quot; /&gt; &amp;nbsp;&lt;a href=&quot;&lt;?php echo site_url('wp-login.php?action=lostpassword', 'login') ?&gt;&quot; title=&quot;&lt;?php _e('Password Lost and Found') ?&gt;&quot;&gt;&lt;?php _e('Lost your password?') ?&gt;&lt;/a&gt;
+
</ins><span class="cx">                 &lt;label for=&quot;email&quot;&gt;&lt;?php _e( 'Account Email', 'buddypress' ) ?&gt;&lt;/label&gt;
</span><span class="cx">                 &lt;input type=&quot;text&quot; name=&quot;email&quot; id=&quot;email&quot; value=&quot;&lt;?php echo esc_attr( $current_user-&gt;user_email ); ?&gt;&quot; class=&quot;settings-input&quot; /&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -137,7 +194,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> function bp_core_screen_notification_settings_title() {
</span><del>-        echo apply_filters( 'bp_core_notification_settings_title', __( 'Notification Settings', 'buddypress' ) );;
</del><ins>+        echo apply_filters( 'bp_core_notification_settings_title', __( 'Email Notifications', 'buddypress' ) );;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> function bp_core_screen_notification_settings_content() {
</span><span class="lines">@@ -150,7 +207,6 @@
</span><span class="cx">         &lt;?php } ?&gt;
</span><span class="cx"> 
</span><span class="cx">         &lt;form action=&quot;&lt;?php echo $bp-&gt;loggedin_user-&gt;domain . BP_SETTINGS_SLUG . '/notifications' ?&gt;&quot; method=&quot;post&quot; id=&quot;settings-form&quot;&gt;
</span><del>-                &lt;h3&gt;&lt;?php _e( 'Email Notifications', 'buddypress' ) ?&gt;&lt;/h3&gt;
</del><span class="cx">                 &lt;p&gt;&lt;?php _e( 'Send a notification by email when:', 'buddypress' ) ?&gt;&lt;/p&gt;
</span><span class="cx"> 
</span><span class="cx">                 &lt;?php do_action( 'bp_notification_settings' ) ?&gt;
</span></span></pre></div>
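Review bot: The `do_action( 'bp_core_general_settings_after_save' )` call at the end of the password-verification hunk still runs when the current-password check fails (`$pwd_error`) or when `$email_error`/`$pass_error` blocks the update, so callbacks hooked there cannot assume anything was saved; since plugins may already depend on it firing, the safer change is a comment on that line such as `// Fires on every submit, including rejected ones; callbacks must check $bp_settings_updated` rather than a new guard. The new condition `!empty( $_POST['pwd'] ) && $_POST['pwd'] != ''` is redundant because `!empty()` already rejects the empty string, and `empty( $limited_email_domains ) == false` / `in_array( ... ) == false` read more naturally as `!empty( ... )` / `!in_array( ... )`. In the form hunk, `_e('Password Lost and Found')` and `_e('Lost your password?')` omit the `'buddypress'` text domain that every other string in the file passes, so those two strings will not be picked up by the plugin's translations. The enclosing function bp_core_screen_general_settings begins in the preceding hunk and ends outside this one.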
<a id="trunkbpthemesbpdefaultmemberssinglepluginsphp"></a>
<div class="modfile"><h4>Modified: trunk/bp-themes/bp-default/members/single/plugins.php (3523 => 3524)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/bp-themes/bp-default/members/single/plugins.php        2010-12-07 22:53:45 UTC (rev 3523)
+++ trunk/bp-themes/bp-default/members/single/plugins.php        2010-12-11 13:38:11 UTC (rev 3524)
</span><span class="lines">@@ -30,7 +30,7 @@
</span><span class="cx">                                         &lt;/ul&gt;
</span><span class="cx">                                 &lt;/div&gt;&lt;!-- .item-list-tabs --&gt;
</span><span class="cx"> 
</span><del>-                                &lt;?php do_action( 'bp_template_title' ) ?&gt;
</del><ins>+                                &lt;h3&gt;&lt;?php do_action( 'bp_template_title' ) ?&gt;&lt;/h3&gt;
</ins><span class="cx"> 
</span><span class="cx">                                 &lt;?php do_action( 'bp_template_content' ) ?&gt;
</span><span class="cx"> 
</span></span></pre>
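Review bot: Wrapping `do_action( 'bp_template_title' )` in `<h3>` renders an empty heading whenever no callback is attached to that action, which is a semantic and accessibility regression for plugin screens that print no title; a short comment on that line, e.g. `// Plugins hooked to bp_template_title are expected to echo the title text only; the heading markup is provided here`, would at least make the new contract explicit for plugin authors who previously emitted their own heading. Whether any existing callback already outputs an `<h3>` of its own (which would now nest) cannot be confirmed from this hunk.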
</div>
</div>

</body>
</html>