buddypress
diff --git a/‎src/bp-core/bp-core-rest-api.php‎
Lines changed: 38 additions & 0 deletions b/‎src/bp-core/bp-core-rest-api.php‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎src/bp-members/bp-members-functions.php‎
Lines changed: 51 additions & 17 deletions b/‎src/bp-members/bp-members-functions.php‎
Lines changed: 51 additions & 17 deletions
diff --git a/‎src/bp-members/bp-members-template.php‎
Lines changed: 1 addition & 1 deletion b/‎src/bp-members/bp-members-template.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/bp-members/classes/class-bp-members-signup-rest-controller.php‎
Lines changed: 21 additions & 9 deletions b/‎src/bp-members/classes/class-bp-members-signup-rest-controller.php‎
Lines changed: 21 additions & 9 deletions
diff --git a/‎src/bp-members/classes/class-bp-signup.php‎
Lines changed: 57 additions & 13 deletions b/‎src/bp-members/classes/class-bp-signup.php‎
Lines changed: 57 additions & 13 deletions
@@ -392,3 +392,41 @@ function bp_rest_api_v1_dispatch_error( $result, $server, $request ) {
 	);
 }
 add_filter( 'rest_pre_dispatch', 'bp_rest_api_v1_dispatch_error', 10, 3 );
+
+/**
+ * Filter the WP REST API response to return a 403 if the signup feature is disabled.
+ *
+ * @since 15.0.0
+ *
+ * @param mixed           $result Response to replace the requested version with. Can be anything
+ *                                a normal endpoint can return, or null to not hijack the request.
+ * @param WP_REST_Server  $server Server instance.
+ * @param WP_REST_Request $request Request used to generate the response.
+ *
+ * @return mixed
+ */
+function bp_rest_api_signup_disabled_feature_dispatch_error( $result, $server, $request ) {
+
+	// Bail early if the BP REST plugin is active.
+	if ( bp_rest_is_plugin_active() ) {
+		return $result;
+	}
+
+	$route = $request->get_route();
+
+	if ( empty( $route ) || ! str_contains( $route, 'buddypress/v2/signup' ) ) {
+		return $result;
+	}
+
+	// Bail early if signups are allowed.
+	if ( bp_get_signup_allowed() ) {
+		return $result;
+	}
+
+	return new WP_Error(
+		'rest_no_route',
+		__( 'BuddyPress: The user signup feature is currently disabled. Please activate this feature to proceed.', 'buddypress' ),
+		array( 'status' => 403 )
+	);
+}
+add_filter( 'rest_pre_dispatch', 'bp_rest_api_signup_disabled_feature_dispatch_error', 10, 3 );
@@ -1592,11 +1592,13 @@ function bp_core_get_illegal_names( $value = '' ) {
  *
  * Performs the following checks:
  *   - Is the email address well-formed?
- *   - Is the email address already used?
+ *   - Is the email address already used in a user?
+ *   - Is the email address already used in a signup?
  *   - If there are disallowed email domains, is the current domain among them?
- *   - If there's an email domain whitelist, is the current domain on it?
+ *   - If there's an email domain allowlist, is the current domain on it?
  *
  * @since 1.6.2
+ * @since 15.0.0 Check if the email address is already used in a signup.
  *
  * @param string $user_email The email being checked.
  * @return bool|array True if the address passes all checks; otherwise an array
@@ -1629,11 +1631,24 @@ function bp_core_validate_email_address( $user_email ) {
 		}
 	}
 
-	// Is the email already in use?
+	// Is the email already in use in a user?
 	if ( email_exists( $user_email ) ) {
 		$errors['in_use'] = 1;
 	}
 
+	// Is the email already in use in a signup?
+	if ( ! isset( $errors['in_use'] ) ) {
+		$signups = BP_Signup::get(
+			array( 'user_email' => $user_email )
+		);
+
+		$signup = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] );
+
+		if ( $signup ) {
+			$errors['in_use'] = 1;
+		}
+	}
+
 	return ! empty( $errors ) ? $errors : true;
 }
 
@@ -1748,22 +1763,22 @@ function bp_core_validate_user_signup( $user_name, $user_email ) {
 
 		// Check into signups.
 		$signups = BP_Signup::get(
-			array(
-				'user_login' => $user_name,
-			)
+			array( 'user_login' => $user_name )
 		);
 
-		$signup = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] ) ? $signups['signups'][0] : false;
+		$signup           = isset( $signups['signups'] ) && ! empty( $signups['signups'][0] );
+		$user_name_exists = ( empty( $signup ) && username_exists( $user_name ) ) || ! empty( $signup );
 
 		// Check if the username has been used already.
-		if ( username_exists( $user_name ) || ! empty( $signup ) ) {
+		if ( true === $user_name_exists ) {
 			$errors->add( 'user_name', __( 'Sorry, that username already exists!', 'buddypress' ) );
 		}
 
-		// Validate the email address and process the validation results into
-		// error messages.
-		$validate_email = bp_core_validate_email_address( $user_email );
-		bp_core_add_validation_error_messages( $errors, $validate_email );
+		// Validate the email address.
+		bp_core_add_validation_error_messages(
+			$errors,
+			bp_core_validate_email_address( $user_email )
+		);
 
 		// Assemble the return array.
 		$result = array(
@@ -1772,7 +1787,7 @@ function bp_core_validate_user_signup( $user_name, $user_email ) {
 			'errors'     => $errors,
 		);
 
-		// Apply WPMU legacy filter.
+		/** This filter is documented in wp-includes/ms-functions.php */
 		$result = apply_filters( 'wpmu_validate_user_signup', $result );
 	}
 
@@ -2486,6 +2501,7 @@ function bp_core_signup_disable_inactive( $user = null, $username = '', $passwor
  * On the login screen, resends the activation email for a user.
  *
  * @since 2.0.0
+ * @since 15.0.0 Return an error when the activation email resend has been blocked temporarily.
  *
  * @global string $error The error message.
  *
@@ -2499,22 +2515,40 @@ function bp_members_login_resend_activation_email() {
 	}
 
 	// Verify nonce.
-	if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'bp-resend-activation' ) ) {
-		die( 'Security check' );
+	if ( ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'bp-resend-activation' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		wp_die( esc_html__( 'There was a problem performing this action. Please try again.', 'buddypress' ) );
 	}
 
-	$signup_id = (int) $_GET['id'];
+	$signups = BP_Signup::get(
+		array( 'include' => (int) $_GET['id'] )
+	);
+
+	// phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
+
+	if ( empty( $signups['signups'] ) || ! is_array( $signups['signups'] ) || empty( $signups['signups'][0] ) ) {
+		$error = __( '<strong>Error</strong>: Invalid signup id.', 'buddypress' );
+		return;
+	}
+
+	$signup = $signups['signups'][0];
+
+	if ( false === BP_Signup::allow_activation_resend( $signup ) ) {
+		$error = __( '<strong>Error</strong>: You\'ve reached the limit for resending your account activation email. Please wait a few minutes and try again. If you continue to experience issues, contact support for assistance.', 'buddypress' );
+		return;
+	}
 
 	// Resend the activation email.
 	// also updates the 'last sent' and '# of emails sent' values.
-	$resend = BP_Signup::resend( array( $signup_id ) );
+	$resend = BP_Signup::resend( $signup->id );
 
 	// Add feedback message.
 	if ( ! empty( $resend['errors'] ) ) {
 		$error = __( '<strong>Error</strong>: Your account has already been activated.', 'buddypress' );
 	} else {
 		$error = __( 'Activation email resent! Please check your inbox or spam folder.', 'buddypress' );
 	}
+
+	// phpcs:enable WordPress.WP.GlobalVariablesOverride.Prohibited
 }
 add_action( 'login_form_bp-resend-activation', 'bp_members_login_resend_activation_email' );
 
 
@@ -3065,7 +3065,7 @@ function bp_signup_allowed() {
 	function bp_get_signup_allowed() {
 
 		/**
-		 * Filters whether or not new signups are allowed.
+		 * Filters whether new signups are allowed.
 		 *
 		 * @since 1.5.0
 		 *
 
@@ -764,16 +764,22 @@ public function activate_item_permissions_check( $request ) {
 	 * @return WP_REST_Response|WP_Error
 	 */
 	public function signup_resend_activation_email( $request ) {
-		$signup_id = $request->get_param( 'id' );
-		$send      = \BP_Signup::resend( array( $signup_id ) );
+		$signup = $this->get_signup_object( $request->get_param( 'id' ) );
+		$send   = $signup::resend( $signup->id );
+
+		if ( empty( $send ) ) {
+			return new WP_Error(
+				'bp_rest_signup_resend_activation_email_fail',
+				__( 'There was a problem performing this action. Please try again.', 'buddypress' ),
+				array( 'status' => 500 )
+			);
+		}
 
 		if ( ! empty( $send['errors'] ) ) {
 			return new WP_Error(
 				'bp_rest_signup_resend_activation_email_fail',
 				__( 'Your account has already been activated.', 'buddypress' ),
-				array(
-					'status' => 500,
-				)
+				array( 'status' => 500 )
 			);
 		}
 
@@ -808,9 +814,15 @@ public function signup_resend_activation_email_permissions_check( $request ) {
 			$retval = new WP_Error(
 				'bp_rest_invalid_id',
 				__( 'Invalid signup id.', 'buddypress' ),
-				array(
-					'status' => 404,
-				)
+				array( 'status' => 404 )
+			);
+		}
+
+		if ( true === $retval && false === BP_Signup::allow_activation_resend( $signup ) ) {
+			$retval = new WP_Error(
+				'bp_rest_signup_resend_activation_email_fail',
+				__( 'You\'ve reached the limit for resending your account activation email. Please wait a few minutes and try again. If you continue to experience issues, contact support for assistance.', 'buddypress' ),
+				array( 'status' => 500 )
 			);
 		}
 
@@ -975,7 +987,7 @@ public function get_signup_object( $identifier ) {
 	public function check_user_password( $value ) {
 		$password = (string) $value;
 
-		if ( empty( $password ) || false !== strpos( $password, '\\' ) ) {
+		if ( empty( $password ) || str_contains( $password, '\\' ) ) {
 			return new WP_Error(
 				'rest_user_invalid_password',
 				__( 'Passwords cannot be empty or contain the "\\" character.', 'buddypress' ),
 
@@ -3,7 +3,7 @@
  * Signups Management class.
  *
  * @package BuddyPress
- * @subpackage coreClasses
+ * @subpackage Signup
  * @since 2.0.0
  */
 
@@ -159,7 +159,7 @@ class BP_Signup {
 	 *
 	 * @since 2.0.0
 	 *
-	 * @param integer $signup_id The ID for the signup being queried.
+	 * @param int $signup_id The ID for the signup being queried.
 	 */
 	public function __construct( $signup_id = 0 ) {
 		if ( ! empty( $signup_id ) ) {
@@ -248,8 +248,7 @@ public function populate() {
 		 * Set a boolean to track whether an activation link
 		 * was sent in the last day.
 		 */
-		$this->recently_sent = $this->count_sent && ( $diff < 1 * DAY_IN_SECONDS );
-
+		$this->recently_sent = $this->count_sent && ( $diff < DAY_IN_SECONDS );
 	}
 
 	/** Static Methods *******************************************************/
@@ -826,23 +825,30 @@ public static function update( $args = array() ) {
 	 * Resend an activation email.
 	 *
 	 * @since 2.0.0
+	 * @since 15.0.0 Added the ability to resend to a single ID.
 	 *
-	 * @param array $signup_ids Single ID or list of IDs to resend.
+	 * @param array|int $signup_ids Single ID or list of IDs to resend.
 	 * @return array
 	 */
 	public static function resend( $signup_ids = array() ) {
-		if ( empty( $signup_ids ) || ! is_array( $signup_ids ) ) {
-			return false;
+		if ( empty( $signup_ids ) ) {
+			return array();
+		}
+
+		if ( ! is_array( $signup_ids ) ) {
+			$signup_ids = array( $signup_ids );
 		}
 
 		$to_resend = self::get(
 			array(
-				'include' => $signup_ids,
+				'include' => wp_parse_id_list( $signup_ids ),
 			)
 		);
 
-		if ( ! $signups = $to_resend['signups'] ) {
-			return false;
+		$signups = $to_resend['signups'];
+
+		if ( ! $signups ) {
+			return array();
 		}
 
 		$result = array();
@@ -875,7 +881,7 @@ public static function resend( $signup_ids = array() ) {
 				// Check user status before sending email.
 				$user_id = email_exists( $signup->user_email );
 
-				if ( ! empty( $user_id ) && 2 != self::check_user_status( $user_id ) ) {
+				if ( ! empty( $user_id ) && 2 !== self::check_user_status( $user_id ) ) {
 
 					// Status is not 2, so user's account has been activated.
 					$result['errors'][ $signup->signup_id ] = array( $signup->user_login, esc_html__( 'the sign-up has already been activated.', 'buddypress' ) );
@@ -885,7 +891,7 @@ public static function resend( $signup_ids = array() ) {
 
 					continue;
 
-				// Send the validation email.
+					// Send the validation email.
 				} else {
 					$salutation = $signup->user_login;
 					if ( bp_is_active( 'xprofile' ) && isset( $meta[ 'field_' . bp_xprofile_fullname_field_id() ] ) ) {
@@ -906,7 +912,7 @@ public static function resend( $signup_ids = array() ) {
 		}
 
 		/**
-		 * Fires after activation emails are resent.
+		 * Fires after activation email(s) are/is resent.
 		 *
 		 * @since 2.0.0
 		 *
@@ -925,6 +931,44 @@ public static function resend( $signup_ids = array() ) {
 		return apply_filters( 'bp_core_signup_resend', $result );
 	}
 
+	/**
+	 * Check if an activation email can be resent.
+	 *
+	 * @since 15.0.0
+	 *
+	 * @param BP_Signup $signup The signup object.
+	 * @return bool
+	 */
+	public static function allow_activation_resend( $signup ) {
+
+		// Bail if the signup is not a BP_Signup object.
+		if ( ! $signup instanceof BP_Signup ) {
+			return false;
+		}
+
+		// Allow the activation email to be sent if not already.
+		if ( ! $signup->recently_sent || ! $signup->count_sent ) {
+			return true;
+		}
+
+		$sent_at = mysql2date( 'U', $signup->date_sent );
+		$now     = time();
+		$diff    = $now - $sent_at;
+
+		/**
+		 * Filters the lock time for the resend activation.
+		 *
+		 * @since 15.0.0
+		 *
+		 * @param float|int $lock_time The lock time for the resend activation. Default: 1 hour.
+		 * @param BP_Signup $signup The signup object.
+		 */
+		$lock_time = apply_filters( 'bp_core_signup_resend_activation_lock_time', HOUR_IN_SECONDS, $signup );
+
+		// If the activation email was sent less than the lock time ago.
+		return false === ( $diff < $lock_time );
+	}
+
 	/**
 	 * Activate a pending account.
 	 *
Original file line number	Diff line number	Diff line change
`@@ -3065,7 +3065,7 @@ function bp_signup_allowed() {`
`3065`	`3065`	`function bp_get_signup_allowed() {`
`3066`	`3066`
`3067`	`3067`	`/**`
`3068`		`- * Filters whether or not new signups are allowed.`
	`3068`	`+ * Filters whether new signups are allowed.`
`3069`	`3069`	`*`
`3070`	`3070`	`* @since 1.5.0`
`3071`	`3071`	`*`