Refactor password logic for clarity
joshcanhelp committed Mar 31, 2020
1 parent c5e1a47 commit 6d8ab15
Showing 2 changed files with 22 additions and 22 deletions.
38 changes: 16 additions & 22 deletions lib/profile/WP_Auth0_Profile_Change_Password.php
Expand Up @@ -48,43 +48,37 @@ public function validate_new_password( $errors, $user ) {
return false;
}

$field_name = ! empty( $_POST['pass1'] ) ? 'pass1' : 'password_1';

// Validated above and only sent to the change password API endpoint.
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
$new_password = wp_unslash( $_POST[ $field_name ] );
$wp_user_id = null;

// User object passed in from an action.
if ( is_object( $user ) && ! empty( $user->ID ) ) {
$wp_user_id = absint( $user->ID );
// Do we have a user to edit?
$is_user_from_hook = is_object( $user ) && ! empty( $user->ID );
if ( ! $is_user_from_hook && ! isset( $_POST['user_id'] ) ) {
return false;
}

// Input field from user edit or profile update.
if ( ! $wp_user_id && isset( $_POST['user_id'] ) ) {
$user_editing_allowed = ( current_user_can( 'edit_users' ) || $_POST['user_id'] == get_current_user_id() );

if ( $user_editing_allowed ) {
$wp_user_id = absint( $_POST['user_id'] );
}
}
$wp_user_id = absint( $is_user_from_hook ? $user->ID : $_POST['user_id'] );

if ( ! $wp_user_id ) {
// Does the current user have permission to edit this user?
if ( ! current_user_can( 'edit_users' ) && $wp_user_id !== get_current_user_id() ) {
return false;
}

// Exit if this is not an Auth0 user.
// Is the user being edited an Auth0 user?
$auth0_id = WP_Auth0_UsersRepo::get_meta( $wp_user_id, 'auth0_id' );
if ( empty( $auth0_id ) ) {
return false;
}
$strategy = WP_Auth0_Users::get_strategy( $auth0_id );

// Exit if this is not a database strategy user.
// Is the user being edited a DB strategy user?
$strategy = WP_Auth0_Users::get_strategy( $auth0_id );
if ( 'auth0' !== $strategy ) {
return false;
}

$field_name = ! empty( $_POST['pass1'] ) ? 'pass1' : 'password_1';

// Validated above and only sent to the change password API endpoint.
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
$new_password = wp_unslash( $_POST[ $field_name ] );

$result = $this->api_change_password->call( $auth0_id, $new_password );

// Password change was successful, nothing else to do.
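Review bot: The refactor drops the old `if ( ! $wp_user_id ) { return false; }` guard, so a non-numeric or empty `$_POST['user_id']` now yields `0` from `absint()` and flows on to the capability check. For an unauthenticated request `get_current_user_id()` is also `0`, so the `$wp_user_id !== get_current_user_id()` comparison passes and execution reaches `WP_Auth0_UsersRepo::get_meta( 0, 'auth0_id' )`; that lookup presumably returns empty and the function still exits, but the routine now relies on the meta lookup rather than an explicit identity check to reject an invalid target. Restoring the guard right after the `absint()` assignment keeps the fail-closed behaviour obvious: `if ( ! $wp_user_id ) { return false; }`. The switch from the loose `==` to a strict `!==` against the integer-cast id is a good change and should be kept. validate_new_password starts and ends outside this hunk, and the nonce/POST validation the comment refers to ("Validated above") is not visible here.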
6 changes: 6 additions & 0 deletions tests/testProfileChangePassword.php
Expand Up @@ -115,6 +115,8 @@ public function testSuccessfulPasswordChangeDuringPasswordReset() {

self::setApiToken( 'update:users' );

self::setGlobalUser( $user->ID );

$this->assertTrue( wp_auth0_validate_new_password( $errors, $user ) );
$this->assertEquals( $password, $_POST['pass1'] );
$this->assertEquals( $password, $_POST['pass2'] );
Expand All @@ -138,6 +140,8 @@ public function testSuccessfulPasswordChangeDuringWooAccountEdit() {

self::setApiToken( 'update:users' );

self::setGlobalUser( $user->ID );

$this->assertTrue( wp_auth0_validate_new_password( $errors, $user ) );
$this->assertEmpty( $errors->get_error_messages() );
}
Expand All @@ -161,6 +165,8 @@ public function testThatPasswordIsUnescapedBeforeSending() {

self::setApiToken( 'update:users' );

self::setGlobalUser( $user->ID );

$decoded_res = [];
try {
wp_auth0_validate_new_password( $errors, $user );
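Review bot: The three hunks only add `self::setGlobalUser( $user->ID );` to the success-path tests, so the permission check that this commit now applies unconditionally (deny when the caller lacks `edit_users` and is not the user being edited) has no test exercising its denial branch. A companion test that sets the global user to a different, non-privileged account and asserts `wp_auth0_validate_new_password( $errors, $user )` returns false would pin the new behaviour; a second case with a non-numeric `$_POST['user_id']` would cover the `absint()` → `0` path. The enclosing test methods each start outside their hunk.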
