From e952b31145b4e78673ba1f1bcaaabfe2fc624c51 Mon Sep 17 00:00:00 2001
From: audrasjb
Date: Thu, 6 Jul 2023 12:47:23 +0000
Subject: [PATCH] Users: Remove password reset links when the feature is not allowed for a specific user. This also introduces `wp_is_password_reset_allowed_for_user()` which returns `false` when password reset is not allowed for a specific user. This can be filtered by developers using the existing `allow_password_reset` hook. Props ocean90, cshark, robinwpdeveloper, tahmina1du, kraftbj. Fixes #58194. Built from https://develop.svn.wordpress.org/trunk@56150 git-svn-id: http://core.svn.wordpress.org/trunk@55662 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../includes/class-wp-users-list-table.php | 1 +
 wp-admin/user-edit.php | 2 +-
 wp-includes/user.php | 54 ++++++++++++-------
 wp-includes/version.php | 2 +-
 4 files changed, 39 insertions(+), 20 deletions(-)
diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php
index 593479abc0..43abd608ae 100644
--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -502,6 +502,7 @@ class WP_Users_List_Table extends WP_List_Table {
 // Add a link to send the user a reset password link by email.
 if ( get_current_user_id() !== $user_object->ID
 && current_user_can( 'edit_user', $user_object->ID )
+ && true === wp_is_password_reset_allowed_for_user( $user_object )
 ) {
 $actions['resetpassword'] = "" . __( 'Send password reset' ) . '';
 }
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index cf748f462d..bd0e787964 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -681,7 +681,7 @@ switch ( $action ) {
-
+
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 8e230708e4..d6bda7af47 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
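Review bot: The new `wp_is_password_reset_allowed_for_user( $user_object )` call in the row-action condition of WP_Users_List_Table runs the `allow_password_reset` filter once for every listed user, in the context of an administrator viewing the table rather than of a reset attempt. Callbacks written against the filter's documented meaning ("the user attempting to reset a password") that log, count or rate-limit would, as far as this hunk shows, now fire on every view of the users list. I would document that on the call, e.g. `// Runs the 'allow_password_reset' filter for display only; no reset is being attempted here.`, and mention it in the hook's docblock. The strict `true ===` comparison is the right choice here because the helper can return a WP_Error, which is truthy. The enclosing method starts and ends outside the hunk.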
@@ -2897,25 +2897,11 @@ function get_password_reset_key( $user ) {
 */
 do_action( 'retrieve_password', $user->user_login );

- $allow = true;
- if ( is_multisite() && is_user_spammy( $user ) ) {
- $allow = false;
- }
-
- /**
- * Filters whether to allow a password to be reset.
- *
- * @since 2.7.0
- *
- * @param bool $allow Whether to allow the password to be reset. Default true.
- * @param int $user_id The ID of the user attempting to reset a password.
- */
- $allow = apply_filters( 'allow_password_reset', $allow, $user->ID );
-
- if ( ! $allow ) {
+ $password_reset_allowed = wp_is_password_reset_allowed_for_user( $user );
+ if ( ! $password_reset_allowed ) {
 return new WP_Error( 'no_password_reset', __( 'Password reset is not allowed for this user' ) );
- } elseif ( is_wp_error( $allow ) ) {
- return $allow;
+ } elseif ( is_wp_error( $password_reset_allowed ) ) {
+ return $password_reset_allowed;
 }

 // Generate something random for a password reset key.
@@ -5037,3 +5023,35 @@ function wp_register_persisted_preferences_meta() {
 function wp_cache_set_users_last_changed() {
 wp_cache_set_last_changed( 'users' );
 }
+
+/**
+ * Checks if password reset is allowed for a specific user.
+ *
+ * @since 6.3.0
+ *
+ * @param int|WP_User $user The user to check.
+ * @return bool|WP_Error True if allowed, false or WP_Error otherwise.
+ */
+function wp_is_password_reset_allowed_for_user( $user ) {
+ if ( ! is_object( $user ) ) {
+ $user = get_userdata( $user );
+ }
+
+ if ( ! $user || ! $user->exists() ) {
+ return false;
+ }
+ $allow = true;
+ if ( is_multisite() && is_user_spammy( $user ) ) {
+ $allow = false;
+ }
+
+ /**
+ * Filters whether to allow a password to be reset.
+ *
+ * @since 2.7.0
+ *
+ * @param bool $allow Whether to allow the password to be reset. Default true.
+ * @param int $user_id The ID of the user attempting to reset a password.
+ */
+ return apply_filters( 'allow_password_reset', $allow, $user->ID );
+}
\ No newline at end of file
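Review bot: The enforcement check in get_password_reset_key() is looser than the one this commit adds to the users list: `if ( ! $password_reset_allowed )` lets any truthy filter result through, while the list table requires `true ===`. A filter that returns a truthy non-boolean other than WP_Error is therefore treated as allowed on the path that actually issues the reset key. If that is kept for backward compatibility, a comment saying so would help; otherwise test the error first and fail closed, `if ( is_wp_error( $password_reset_allowed ) ) { return $password_reset_allowed; }` followed by `if ( true !== $password_reset_allowed ) {`. The function body starts and ends outside the hunk.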
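Review bot: In wp_is_password_reset_allowed_for_user(), `is_object( $user )` accepts any object, so a caller passing something other than a WP_User (a plain row object, for example) reaches `$user->exists()` and fails with a fatal error instead of a clean `false`. Tightening the second guard to `if ( ! $user instanceof WP_User || ! $user->exists() ) { return false; }` keeps the helper fail-closed for unexpected input. The docblock should also say that the result may be a WP_Error or another non-boolean returned by the filter, so callers must compare with `true ===` or test `is_wp_error()` rather than rely on truthiness.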
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5757d40b85..6d8ca97a6e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.3-beta3-56149';
+$wp_version = '6.3-beta3-56150';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.