From ad71b63dd15b33fb7ae2d30fe6c7b9a456e20eda Mon Sep 17 00:00:00 2001 From: Champ Camba Date: Wed, 30 Nov 2016 17:11:41 +0800 Subject: [PATCH] Fix reset and set password validation --- core/um-actions-password.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/core/um-actions-password.php b/core/um-actions-password.php index 79f8f37a..ed2c7a16 100644 --- a/core/um-actions-password.php +++ b/core/um-actions-password.php @@ -170,9 +170,16 @@ wp_die( __('Whoa, slow down! You\'re seeing this message because you tried to submit a form too fast and we think you might be a spam bot. If you are a real human being please wait a few seconds before submitting the form. Thanks!') ); } + $reset_pass_hash = ''; + + if( isset( $_REQUEST['act'] ) && $_REQUEST['act'] == 'reset_password' && um_is_core_page('password-reset') ){ + $reset_pass_hash = get_user_meta( $args['user_id'], 'reset_pass_hash', true ); + + } + if( !is_user_logged_in() && isset( $args ) && ! um_is_core_page('password-reset') || - isset( $args['user_id'] ) && um_is_core_page('password-reset') || - is_user_logged_in() && isset( $args['user_id'] ) && $args['user_id'] != get_current_user_id() + is_user_logged_in() && isset( $args['user_id'] ) && $args['user_id'] != get_current_user_id() || + !is_user_logged_in() && isset( $_REQUEST['hash'] ) && $reset_pass_hash != $_REQUEST['hash'] && um_is_core_page('password-reset') ){ wp_die( __( 'This is not possible for security reasons.','ultimatemember') ); }