Users: enable admins to send users a reset password link.

adamsilverstein · adamsilverstein · commit 193a5dae210d · 2021-02-01T22:11:46.000Z
Add a feature so Admins can send users a 'password reset' email. This doesn't change the password or force a password change. It only emails the user the password reset link. The feature appears in several places: * A "Send Reset Link" button on user profile screen. * A "Send password reset" option in the user list bulk action dropdown. * A "Send password reset" quick action when hovering over a username in the user list. Props Ipstenu, DrewAPicture, eventualo, wonderboymusic, knutsp, ericlewis, afercia, JoshuaWold, johnbillion, paaljoachim, hedgefield. Fixes #34281. git-svn-id: https://develop.svn.wordpress.org/trunk@50129 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/js/_enqueues/admin/user-profile.js b/src/js/_enqueues/admin/user-profile.js
@@ -2,7 +2,7 @@
  * @output wp-admin/js/user-profile.js
  */
 
-/* global ajaxurl, pwsL10n */
+/* global ajaxurl, pwsL10n, userProfileL10n */
 (function($) {
 	var updateLock = false,
 		__ = wp.i18n.__,
@@ -91,6 +91,68 @@
 		});
 	}
 
+	/**
+	 * Handle the password reset button. Sets up an ajax callback to trigger sending
+	 * a password reset email.
+	 */
+	function bindPasswordRestLink() {
+		$( '#generate-reset-link' ).on( 'click', function() {
+			var $this  = $(this),
+				data = {
+					'user_id': userProfileL10n.user_id, // The user to send a reset to.
+					'nonce':   userProfileL10n.nonce    // Nonce to validate the action.
+				};
+
+				// Remove any previous error messages.
+				$this.parent().find( '.notice-error' ).remove();
+
+				// Send the reset request.
+				var resetAction =  wp.ajax.post( 'send-password-reset', data );
+
+				// Handle reset success.
+				resetAction.done( function( response ) {
+					addInlineNotice( $this, true, response );
+				} );
+
+				// Handle reset failure.
+				resetAction.fail( function( response ) {
+					addInlineNotice( $this, false, response );
+				} );
+
+		});
+
+	}
+
+	/**
+	 * Helper function to insert an inline notice of success or failure.
+	 *
+	 * @param {jQuery Object} $this   The button element: the message will be inserted
+	 *                                above this button
+	 * @param {bool}          success Whether the message is a success message.
+	 * @param {string}        message The message to insert.
+	 */
+	function addInlineNotice( $this, success, message ) {
+		var resultDiv = $( '<div />' );
+
+		// Set up the notice div.
+		resultDiv.addClass( 'notice inline' );
+
+		// Add a class indicating success or failure.
+		resultDiv.addClass( 'notice-' + ( success ? 'success' : 'error' ) );
+
+		// Add the message, wrapping in a p tag, with a fadein to highlight each message.
+		resultDiv.text( $( $.parseHTML( message ) ).text() ).wrapInner( '<p />');
+
+		// Disable the button when the callback has succeeded.
+		$this.prop( 'disabled', success );
+
+		// Remove any previous notices.
+		$this.siblings( '.notice' ).remove();
+
+		// Insert the notice.
+		$this.before( resultDiv );
+	}
+
 	function bindPasswordForm() {
 		var $generateButton,
 			$cancelButton;
@@ -369,6 +431,7 @@
 		});
 
 		bindPasswordForm();
+		bindPasswordRestLink();
 	});
 
 	$( '#destroy-sessions' ).on( 'click', function( e ) {
diff --git a/src/wp-admin/admin-ajax.php b/src/wp-admin/admin-ajax.php
@@ -140,6 +140,7 @@
 	'health-check-loopback-requests',
 	'health-check-get-sizes',
 	'toggle-auto-updates',
+	'send-password-reset',
 );
 
 // Deprecated.
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
@@ -5398,3 +5398,33 @@ function wp_ajax_toggle_auto_updates() {
 
 	wp_send_json_success();
 }
+
+/**
+ * Ajax handler sends a password reset link.
+ *
+ * @since 5.7.0
+ */
+function wp_ajax_send_password_reset() {
+
+	// Validate the nonce for this action.
+	$user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
+	check_ajax_referer( 'reset-password-for-' . $user_id, 'nonce' );
+
+	// Verify user capabilities.
+	if ( ! current_user_can( 'edit_user', $user_id ) ) {
+		wp_send_json_error( __( 'Cannot send password reset, permission denied.' ) );
+	}
+
+	// Send the password reset link.
+	$user    = get_userdata( $user_id );
+	$results = retrieve_password( $user->user_login );
+
+	if ( true === $results ) {
+		wp_send_json_success(
+			/* translators: 1: User's display name. */
+			sprintf( __( 'A password reset link was emailed to %s.' ), $user->display_name )
+		);
+	} else {
+		wp_send_json_error( $results );
+	}
+}
diff --git a/src/wp-admin/includes/class-wp-users-list-table.php b/src/wp-admin/includes/class-wp-users-list-table.php
@@ -274,6 +274,11 @@ protected function get_bulk_actions() {
 			}
 		}
 
+		// Add a password reset link to the bulk actions dropdown.
+		if ( current_user_can( 'edit_users' ) ) {
+			$actions['resetpassword'] = __( 'Send password reset' );
+		}
+
 		return $actions;
 	}
 
@@ -469,6 +474,11 @@ public function single_row( $user_object, $style = '', $role = '', $numposts = 0
 				);
 			}
 
+			// Add a link to send the user a reset password link by email.
+			if ( get_current_user_id() !== $user_object->ID && current_user_can( 'edit_user', $user_object->ID ) ) {
+				$actions['resetpassword'] = "<a class='resetpassword' href='" . wp_nonce_url( "users.php?action=resetpassword&amp;users=$user_object->ID", 'bulk-users' ) . "'>" . __( 'Send password reset' ) . '</a>';
+			}
+
 			/**
 			 * Filters the action links displayed under each user in the Users list table.
 			 *
diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
@@ -609,6 +609,27 @@
 	</td>
 </tr>
 <?php endif; ?>
+		<?php
+		// Allow admins to send reset password link
+		if ( ! IS_PROFILE_PAGE ) :
+			?>
+	<tr class="user-sessions-wrap hide-if-no-js">
+		<th><?php _e( 'Password Reset' ); ?></th>
+		<td>
+			<div class="generate-reset-link">
+				<button type="button" class="button button-secondary" id="generate-reset-link">
+					<?php _e( 'Send Reset Link' ); ?>
+				</button>
+			</div>
+			<p class="description">
+				<?php
+				/* translators: 1: User's display name. */
+				printf( __( 'Send %s a link to reset their password. This will not change their password, nor will it force a change.' ), esc_html( $profileuser->display_name ) );
+				?>
+			</p>
+		</td>
+	</tr>
+		<?php endif; ?>
 
 		<?php
 		/**
diff --git a/src/wp-admin/users.php b/src/wp-admin/users.php
@@ -208,6 +208,46 @@
 		wp_redirect( $redirect );
 		exit;
 
+	case 'resetpassword':
+		check_admin_referer( 'bulk-users' );
+		if ( ! current_user_can( 'edit_users' ) ) {
+			$errors = new WP_Error( 'edit_users', __( 'You can&#8217;t edit users.' ) );
+		}
+		if ( empty( $_REQUEST['users'] ) ) {
+			wp_redirect( $redirect );
+			exit();
+		}
+		$userids = array_map( 'intval', (array) $_REQUEST['users'] );
+
+		$reset_count = 0;
+
+		foreach ( $userids as $id ) {
+			if ( ! current_user_can( 'edit_user', $id ) ) {
+				wp_die( __( 'You can&#8217;t edit that user.' ) );
+			}
+
+			if ( $id === $current_user->ID ) {
+				$update = 'err_admin_reset';
+				continue;
+			}
+
+			// Send the password reset link.
+			$user = get_userdata( $id );
+			if ( retrieve_password( $user->user_login ) ) {
+				++$reset_count;
+			}
+		}
+
+		$redirect = add_query_arg(
+			array(
+				'reset_count' => $reset_count,
+				'update'      => 'resetpassword',
+			),
+			$redirect
+		);
+		wp_redirect( $redirect );
+		exit;
+
 	case 'delete':
 		if ( is_multisite() ) {
 			wp_die( __( 'User deletion is not allowed from this screen.' ), 400 );
@@ -504,6 +544,16 @@
 						);
 					}
 
+					$messages[] = '<div id="message" class="updated notice is-dismissible"><p>' . $message . '</p></div>';
+					break;
+				case 'resetpassword':
+					$reset_count = isset( $_GET['reset_count'] ) ? (int) $_GET['reset_count'] : 0;
+					if ( 1 === $reset_count ) {
+						$message = __( 'Password reset link sent.' );
+					} else {
+						/* translators: %s: Number of users. */
+						$message = sprintf( __( 'Password reset links sent to %s users.' ), $reset_count );
+					}
 					$messages[] = '<div id="message" class="updated notice is-dismissible"><p>' . $message . '</p></div>';
 					break;
 				case 'promote':
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php
diff --git a/src/wp-login.php b/src/wp-login.php

Original file line number	Diff line number	Diff line change
`@@ -274,6 +274,11 @@ protected function get_bulk_actions() {`
`274`	`274`	`}`
`275`	`275`	`}`
`276`	`276`
	`277`	`+ // Add a password reset link to the bulk actions dropdown.`
	`278`	`+ if ( current_user_can( 'edit_users' ) ) {`
	`279`	`+ $actions['resetpassword'] = __( 'Send password reset' );`
	`280`	`+ }`
	`281`	`+`
`277`	`282`	`return $actions;`
`278`	`283`	`}`
`279`	`284`
`@@ -469,6 +474,11 @@ public function single_row( $user_object, $style = '', $role = '', $numposts = 0`
`469`	`474`	`);`
`470`	`475`	`}`
`471`	`476`
	`477`	`+ // Add a link to send the user a reset password link by email.`
	`478`	`+ if ( get_current_user_id() !== $user_object->ID && current_user_can( 'edit_user', $user_object->ID ) ) {`
	`479`	`+ $actions['resetpassword'] = "<a class='resetpassword' href='" . wp_nonce_url( "users.php?action=resetpassword&users=$user_object->ID", 'bulk-users' ) . "'>" . __( 'Send password reset' ) . '</a>';`
	`480`	`+ }`
	`481`	`+`
`472`	`482`	`/**`
`473`	`483`	`* Filters the action links displayed under each user in the Users list table.`
`474`	`484`	`*`