You can use current_user_can() to check if the user has permission to edit a specific user, if that’s what you’re trying to do. You will need to pass the relevant user ID as the 2nd argument though:
if ( current_user_can( 'edit_user', $user_id ) ) {
// Do stuff.
}
So you can send the relevant user ID through the form, maybe as a hidden field, and use that:
current_user_can( 'edit_user', $_POST['user_id'] )
Or you could just use the current user’s ID:
current_user_can( 'edit_user', get_current_user_id() )
These might seem redundant, but it is technically possible for you to not let users edit themselves, so these methods would still respect the site owner’s ability to do that.
The important point is that if you’re getting a result for wp_get_current_user() then you know the user’s signed in, so you don’t need to check the password/cookie etc. That’s already done. All you need to do is check that the current user has permission to perform certain actions.
If you are trying to check the user’s password again, then what you have should work. I did notice though that your condition is written so that if the password is correct it is being redirected to ?validation=passwordincorrect. If you want to throw an error if the password is incorrect you should change the condition to:
if ( $user && ! wp_check_password( $pass_check, $user->data->user_pass, $user->ID ) ) {
Notice the addition of !.
Also, don’t use esc_attr on the submitted password. That could change the password. If the user has entered 123<567 as the password then you need to check that, not 123&lt;567.
If you are trying to create a login form, then you should just use wp_login_form() with your own redirect.
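Putting the pieces of the answer together, here is an added example of a complete form handler (example code written for this page, not code from the asker or the answerer). It assumes a POST form that submits a hidden `user_id`, a `pass_check` field and a nonce created with wp_nonce_field( 'reverify_password' ); the `admin_post_` action name, the field names, the `validation` query values and the redirect target are all assumptions for the example. It runs inside WordPress as plugin or theme code.

```php
<?php
/**
 * Added example handler (not from the original answer): a logged-in user
 * re-enters their own password before an action on a target user account.
 * Assumed form fields: user_id, pass_check, _wpnonce (action 'reverify_password').
 */
add_action( 'admin_post_reverify_password', 'example_handle_reverify' );

function example_handle_reverify() {
    // Where to send the user back to; the page path is an assumption.
    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );

    // Reject requests that did not come from our own form (CSRF protection).
    check_admin_referer( 'reverify_password' );

    // Logged-out visitors stop here; no password or cookie handling is needed,
    // WordPress has already authenticated the session before this runs.
    if ( ! is_user_logged_in() ) {
        wp_safe_redirect( add_query_arg( 'validation', 'notloggedin', $back ) );
        exit;
    }

    // The target user ID comes from a hidden field; absint() makes sure only
    // a non-negative integer ever reaches the capability check.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // Capability check with the target ID as the 2nd argument. WordPress
    // decides, so a site that disallows self-editing is still respected.
    if ( 0 === $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_safe_redirect( add_query_arg( 'validation', 'forbidden', $back ) );
        exit;
    }

    // The password is NOT passed through esc_attr() or any sanitize_*() call:
    // "123<567" has to be compared exactly as typed. wp_unslash() only strips
    // the slashes WordPress adds to $_POST and does not change any character.
    $pass_check = isset( $_POST['pass_check'] ) ? wp_unslash( $_POST['pass_check'] ) : '';

    // Re-verify against the *current* user's stored hash (not the target's).
    // Note the "!": an incorrect password is what sends us to the error.
    $user = wp_get_current_user();
    if ( '' === $pass_check || ! wp_check_password( $pass_check, $user->user_pass, $user->ID ) ) {
        wp_safe_redirect( add_query_arg( 'validation', 'passwordincorrect', $back ) );
        exit;
    }

    // Both the capability check and the password re-check passed:
    // do the privileged work on $target_id here (hook name is an assumption).
    do_action( 'example_reverified_edit_user', $target_id );

    wp_safe_redirect( add_query_arg( 'validation', 'ok', $back ) );
    exit;
}
```

The form itself should post to admin_url( 'admin-post.php' ) with a hidden `action` field set to `reverify_password`, so that the `admin_post_` hook above fires; check_admin_referer() dies with an error page if the nonce is missing or stale, which is the intended behaviour for a forged request.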