WordPress Version: 5.4
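/**
 * Edit user settings based on contents of $_POST.
 *
 * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
 * The submitted fields are sanitised into a stdClass, validated into a WP_Error, and only
 * then handed to wp_update_user() (existing user) or wp_insert_user() (new user).
 *
 * @since 2.0.0
 *
 * @param int $user_id Optional. User ID. When 0 (the default) a new user is created.
 * @return int|WP_Error User ID of the updated or created user, or a WP_Error holding every
 *                      validation failure found (nothing is written in that case).
 */
function edit_user($user_id = 0)
{
    $wp_roles = wp_roles();
    $user     = new stdClass();
    $user_id  = (int) $user_id;

    if ($user_id) {
        $update   = true;
        $user->ID = $user_id;
        $userdata = get_userdata($user_id);
        // Re-slashed so it is in the same (slashed) form as the POSTed values
        // handled below; the login itself is never changed on update.
        $user->user_login = wp_slash($userdata->user_login);
    } else {
        $update = false;
    }

    // A login can only be chosen when creating a user.
    if (!$update && isset($_POST['user_login'])) {
        $user->user_login = sanitize_user(wp_unslash($_POST['user_login']), true);
    }

    $pass1 = '';
    $pass2 = '';
    if (isset($_POST['pass1'])) {
        $pass1 = $_POST['pass1'];
    }
    if (isset($_POST['pass2'])) {
        $pass2 = $_POST['pass2'];
    }

    /*
     * Role changes are gated twice: the current user must be able to promote users
     * in general and to promote this particular user, and the requested role must
     * be one the current user is allowed to hand out (get_editable_roles()).
     */
    if (isset($_POST['role']) && current_user_can('promote_users') && (!$user_id || current_user_can('promote_user', $user_id))) {
        $new_role = sanitize_text_field($_POST['role']);

        // If the new role isn't editable by the logged-in user die with error.
        $editable_roles = get_editable_roles();
        if (!empty($new_role) && empty($editable_roles[$new_role])) {
            wp_die(__('Sorry, you are not allowed to give users that role.'), 403);
        }

        $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;

        /*
         * Don't let anyone with 'promote_users' edit their own role to something without it.
         * Multisite super admins can freely edit their roles, they possess all caps.
         * (&& binds tighter than || in PHP; the parentheses only spell out that grouping.)
         */
        if (
            (is_multisite() && current_user_can('manage_network_users'))
            || get_current_user_id() !== $user_id
            || ($potential_role && $potential_role->has_cap('promote_users'))
        ) {
            $user->role = $new_role;
        }
    }

    if (isset($_POST['email'])) {
        $user->user_email = sanitize_text_field(wp_unslash($_POST['email']));
    }

    if (isset($_POST['url'])) {
        if (empty($_POST['url']) || 'http://' === $_POST['url']) {
            $user->user_url = '';
        } else {
            $user->user_url = esc_url_raw($_POST['url']);
            // Prefix http:// unless the URL already starts with an allowed protocol.
            $protocols      = implode('|', array_map('preg_quote', wp_allowed_protocols()));
            $user->user_url = preg_match('/^(' . $protocols . '):/is', $user->user_url) ? $user->user_url : ('http://' . $user->user_url);
        }
    }

    if (isset($_POST['first_name'])) {
        $user->first_name = sanitize_text_field($_POST['first_name']);
    }
    if (isset($_POST['last_name'])) {
        $user->last_name = sanitize_text_field($_POST['last_name']);
    }
    if (isset($_POST['nickname'])) {
        $user->nickname = sanitize_text_field($_POST['nickname']);
    }
    if (isset($_POST['display_name'])) {
        $user->display_name = sanitize_text_field($_POST['display_name']);
    }
    if (isset($_POST['description'])) {
        $user->description = trim($_POST['description']);
    }

    // Contact methods (AIM, Twitter, ...) are dynamic fields keyed by method name.
    foreach (wp_get_user_contact_methods($user) as $method => $name) {
        if (isset($_POST[$method])) {
            $user->{$method} = sanitize_text_field($_POST[$method]);
        }
    }

    // Personal options are only present on the edit form, not on "Add New".
    if ($update) {
        $user->rich_editing         = (isset($_POST['rich_editing']) && 'false' === $_POST['rich_editing']) ? 'false' : 'true';
        $user->syntax_highlighting  = (isset($_POST['syntax_highlighting']) && 'false' === $_POST['syntax_highlighting']) ? 'false' : 'true';
        $user->admin_color          = isset($_POST['admin_color']) ? sanitize_text_field($_POST['admin_color']) : 'fresh';
        $user->show_admin_bar_front = isset($_POST['admin_bar_front']) ? 'true' : 'false';

        $user->locale = '';
        if (isset($_POST['locale'])) {
            $locale = sanitize_text_field($_POST['locale']);
            if ('site-default' === $locale) {
                $locale = '';
            } elseif ('' === $locale) {
                $locale = 'en_US';
            } elseif (!in_array($locale, get_available_languages(), true)) {
                // Unknown locale strings fall back to the site default rather than being stored.
                $locale = '';
            }
            $user->locale = $locale;
        }
    }

    $user->comment_shortcuts = (isset($_POST['comment_shortcuts']) && 'true' === $_POST['comment_shortcuts']) ? 'true' : '';

    $user->use_ssl = 0;
    if (!empty($_POST['use_ssl'])) {
        $user->use_ssl = 1;
    }

    $errors = new WP_Error();

    /* checking that username has been typed (the property is unset when neither path above provided one) */
    if (!isset($user->user_login) || '' === $user->user_login) {
        $errors->add('user_login', __('<strong>Error</strong>: Please enter a username.'));
    }

    /* checking that nickname has been typed */
    if ($update && empty($user->nickname)) {
        $errors->add('nickname', __('<strong>Error</strong>: Please enter a nickname.'));
    }

    /**
     * Fires before the password and confirm password fields are checked for congruity.
     *
     * @since 1.5.1
     *
     * @param string $user_login The username.
     * @param string $pass1      The password (passed by reference).
     * @param string $pass2      The confirmed password (passed by reference).
     */
    do_action_ref_array('check_passwords', array($user->user_login, &$pass1, &$pass2));

    // Check for blank password when adding a user.
    if (!$update && empty($pass1)) {
        $errors->add('pass', __('<strong>Error</strong>: Please enter a password.'), array('form-field' => 'pass1'));
    }

    // Check for "\" in password.
    if (false !== strpos(wp_unslash($pass1), '\\')) {
        $errors->add('pass', __('<strong>Error</strong>: Passwords may not contain the character "\".'), array('form-field' => 'pass1'));
    }

    // Checking the password has been typed twice the same. Strict comparison on purpose:
    // with != two numeric-looking strings such as "1e3" and "1000" would compare equal.
    if (($update || !empty($pass1)) && $pass1 !== $pass2) {
        $errors->add('pass', __('<strong>Error</strong>: Please enter the same password in both password fields.'), array('form-field' => 'pass1'));
    }

    if (!empty($pass1)) {
        $user->user_pass = $pass1;
    }

    if (!$update && isset($_POST['user_login']) && !validate_username($_POST['user_login'])) {
        $errors->add('user_login', __('<strong>Error</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.'));
    }

    if (!$update && username_exists($user->user_login)) {
        $errors->add('user_login', __('<strong>Error</strong>: This username is already registered. Please choose another one.'));
    }

    /** This filter is documented in wp-includes/user.php */
    $illegal_logins = (array) apply_filters('illegal_user_logins', array());

    // Blocklist match is case-insensitive.
    if (in_array(strtolower($user->user_login), array_map('strtolower', $illegal_logins), true)) {
        $errors->add('invalid_username', __('<strong>Error</strong>: Sorry, that username is not allowed.'));
    }

    /* checking email address */
    if (empty($user->user_email)) {
        $errors->add('empty_email', __('<strong>Error</strong>: Please enter an email address.'), array('form-field' => 'email'));
    } elseif (!is_email($user->user_email)) {
        $errors->add('invalid_email', __('<strong>Error</strong>: The email address isn’t correct.'), array('form-field' => 'email'));
    } else {
        // An address may only be taken by the user being edited, never by another account.
        $owner_id = email_exists($user->user_email);
        if ($owner_id && (!$update || $owner_id !== $user->ID)) {
            $errors->add('email_exists', __('<strong>Error</strong>: This email is already registered, please choose another one.'), array('form-field' => 'email'));
        }
    }

    /**
     * Fires before user profile update errors are returned.
     *
     * @since 2.8.0
     *
     * @param WP_Error $errors WP_Error object (passed by reference).
     * @param bool     $update Whether this is a user update.
     * @param stdClass $user   User object (passed by reference).
     */
    do_action_ref_array('user_profile_update_errors', array(&$errors, $update, &$user));

    if ($errors->has_errors()) {
        return $errors;
    }

    if ($update) {
        $user_id = wp_update_user($user);
    } else {
        $user_id = wp_insert_user($user);
        $notify  = isset($_POST['send_user_notification']) ? 'both' : 'admin';

        /**
         * Fires after a new user has been created.
         *
         * @since 4.4.0
         *
         * @param int    $user_id ID of the newly created user.
         * @param string $notify  Type of notification that should happen. See wp_send_new_user_notifications()
         *                        for more information on possible values.
         */
        do_action('edit_user_created_user', $user_id, $notify);
    }

    return $user_id;
}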