Does anybody have any ideas how to solve this please – currently even a one letter password is allowed when setting a new password.
That’s a little trickier.
You can use wpmem_pwd_change_error which is a filter hook in password_change() which is in class-wp-members-user.php.
It passes $is_error which if there is already an error will contain a string indicating an error (in which case you could just return the result since it’s already an error).
If $is_error is a false boolean, then there is no error and you could check your custom values and either continue (returning $is_error unchanged, i.e. false) or return “pwdchangerr” which will trigger an error dialog.
Then you can use the wpmem_msg_dialog filter to return a custom message (https://rocketgeek.com/plugins/wp-members/docs/filter-hooks/wpmem_msg_dialog/).
Here’s the tricky part – there isn’t a way for these two filters to talk to each other since they are separate functions. You need to set and use a global variable in your password change error function to pick up in the msg dialog filter to tell you if the error message is for your custom criteria, in which case you can return a custom message.
Chad,
Thanks – I will have a go with this.
Steve
Chad,
Thanks that works perfectly – but still leaves the option to request a password reset email. The generated email link produces a call to set_password_from_key in class WP_Members_Pwd_Reset. The passwords are checked for equality at line 155; then at line 164 a call do_action( ‘validate_password_reset’, $errors, $user ) which sounds to be just what I want has been commented out.
Does this need uncommenting?
Steve
I now have something that works but it is ugly and involved modifying the plugin code which is obviously unacceptable except to demonstrate that it can be done. Line 164 of includes/class-wp-members-pwd-reset.php has been replaced with:
if (! $errors->has_errors()) {
do_action( 'wpmem_validate_password_reset', $errors, $user, $pass1);
if ($errors->has_errors()) {
$result = 'pwdchangerr';
$msg = '<div class="wpmem_msg" align="center"><p>' . $errors->get_error_message() . '<br /><br />Please try again.</p></div>';
}
}
which allows my theme to do the checking. I changed the name of the commented out action and added the $pass1 argument. My theme adds an error to $errors if it does not like the password.
Have I missed something – and if not what is the timescale for doing this without modifying the plugin code.
I need to come back to this as it remains unresolved. There are three ways in which a password can be updated within WP-Members. With Chad’s help I have been able to deal with two of these (the initial registration and doing a password update). However this still leaves the ability to set a completely trivial password by requesting a password reset email. As reported earlier I have found a workaround but it is unsatisfactory as it requires that I add a few lines to the plugin.
Have I missed something or is an enhancement coming? I cannot believe that the plugin would be left with what appears to be a major security hole.