Monthly Archives: September 2013

WordPress/BuddyPress registration and the Office 365 email filter

Just tore through the following problem on a client site (independently discovered by Martha Burtis here). WordPress/BuddyPress sites that allow for self-registration send out emails with activation links of the form: http://example.com/activate/?key=12345 (for BuddyPress) and http://example.com/wp-activate.php?key=12345 (for WordPress multisite). This format trips up the link filter that Microsoft’s Office 365 email service uses. After some experimentation, I figured out that the problem is the word ‘key’ in a URL parameter – once this term is removed from the URL, it passes right through the filter.

So, you can fix the problem by changing the URL parameter in the activation emails. That means (a) changing the text of the email, and (b) changing the server-side logic to expect something other than ‘key’. Here’s how to do it in BuddyPress:

```php
function bbg_activation_email_content( $message ) {
	return str_replace( '?key=', '?activationk=', $message );
}
add_filter( 'bp_core_activation_signup_user_notification_message', 'bbg_activation_email_content' );

function bbg_screen_activation() {
	global $bp;

	if ( !bp_is_current_component( 'activate' ) )
		return false;

	// Check if an activation key has been passed
	if ( isset( $_GET['activationk'] ) ) {

		// Activate the signup
		$user = apply_filters( 'bp_core_activate_account', bp_core_activate_signup( $_GET['activationk'] ) );

		// If there were errors, add a message and redirect
		if ( !empty( $user->errors ) ) {
			bp_core_add_message( $user->get_error_message(), 'error' );
			bp_core_redirect( trailingslashit( bp_get_root_domain() . '/' . $bp->pages->activate->slug ) );
		}

		// Check for an uploaded avatar and move that to the correct user folder
		if ( is_multisite() )
			$hashed_key = wp_hash( $_GET['activationk'] );
		else
			$hashed_key = wp_hash( $user );

		// Check if the signup avatar folder exists. If it does, rename it,
		// which moves it into the user's avatar folder
		if ( file_exists( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key ) )
			@rename( bp_core_avatar_upload_path() . '/avatars/signups/' . $hashed_key, bp_core_avatar_upload_path() . '/avatars/' . $user );

		bp_core_add_message( __( 'Your account is now active!', 'buddypress' ) );

		$bp->activation_complete = true;
	}

	bp_core_load_template( apply_filters( 'bp_core_template_activate', array( 'activate', 'registration/activate' ) ) );
}
// Swap BuddyPress's own activation screen handler for the one above
remove_action( 'bp_screens', 'bp_core_screen_activation' );
add_action( 'bp_screens', 'bbg_screen_activation' );
```

You’d have to do something in the same spirit when not using BuddyPress. For the email, filter ‘wpmu_signup_user_notification_email’. Catching the request and overriding ‘key’ will be trickier. I haven’t experimented with it, but maybe you can hook to ‘activate_header’, detect the presence of $_GET['activationk'], and then redirect to the ‘key=’ URL that wp-activate.php expects.
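A sketch of that multisite approach, added here as an example and not code from the original post or from WordPress itself. The `bbg_ms_*` function names are hypothetical, and the allowed key format in the redirect handler is an assumption; the two hooks and the `activationk` parameter are the ones named above.

```php
<?php
/**
 * Rewrite the activation link in the multisite signup email.
 *
 * Core passes this filter a sprintf() template; the '?key=' URL is only
 * substituted for %s afterwards, so a str_replace() on '?key=' would find
 * nothing here. Put the renamed URL into the template instead.
 */
function bbg_ms_activation_email( $content, $user_login, $user_email, $key, $meta ) {
	$url = add_query_arg( 'activationk', rawurlencode( $key ), site_url( 'wp-activate.php' ) );

	// Core still runs sprintf() on the returned text, so escape literal '%'.
	return str_replace( '%s', str_replace( '%', '%%', $url ), $content );
}
add_filter( 'wpmu_signup_user_notification_email', 'bbg_ms_activation_email', 10, 5 );

/**
 * Translate ?activationk= back to the ?key= URL that wp-activate.php expects.
 * 'activate_header' fires before any page output, so a redirect is still possible.
 */
function bbg_ms_activation_redirect() {
	if ( ! isset( $_GET['activationk'] ) || ! is_string( $_GET['activationk'] ) ) {
		return;
	}

	$key = wp_unslash( $_GET['activationk'] );

	// Assumption: activation keys are short alphanumeric tokens. Anything
	// else is ignored rather than reflected into the redirect URL.
	if ( ! preg_match( '/^[A-Za-z0-9]{1,64}$/', $key ) ) {
		return;
	}

	// wp_safe_redirect() only allows same-site targets; exit so the
	// rest of wp-activate.php does not render.
	wp_safe_redirect( add_query_arg( 'key', $key, site_url( 'wp-activate.php' ) ) );
	exit;
}
add_action( 'activate_header', 'bbg_ms_activation_redirect' );
```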

Hopefully this is enough to help if you’re having the problem.

Who works for the NSA?

With every awful new revelation about the NSA, I ask myself: Who works there? It must take many thousands of very smart technicians to break the internet: mathematicians, computer scientists, hackers. Who are these people, and why do they decide to do what they do?

Are they in it for the money?

Is the work really that interesting?

Are they the kinds of people who’d be cracking illegally anyway, and the NSA gives them some legitimacy?

Do they imagine themselves engaged in some kind of noble pursuit, protecting the world from wrongdoers?

I’m continually perplexed that so many people, who presumably could be making much more money doing work that is more visible and less creepy, choose this path.

WP DPLA 0.3 – important update

I’ve just released version 0.3 of my plugin WP DPLA (described more here). Anyone running this plugin is strongly encouraged to update immediately, as this update fixes (among a number of other, minor things) a major bug that was causing the DPLA API to get hammered. Boo Boone.

Many thanks to Phunk Gadoury for giving me a heads up about this issue.