Opened 2 years ago

Closed 4 months ago

Last modified 4 months ago

#17009 closed defect (bug) (duplicate)

wp_update_user not creating a new user if not passed an ID

Reported by: casben79
Owned by: casben79
Priority: normal
Milestone:
Component: Users
Version: 3.1
Severity: major
Keywords: has-patch
Cc: lkraav, cartpauj@…

Description

The function wp_update_user() is not creating a new user if not passed an ID.

It is bugging out, as get_object_vars() expects an object but is being passed false because no user ID was passed to the function.

Upon further investigation, it was also hashing the password passed to it, when the function it calls (wp_insert_user()) does this again, which has resulted in an incorrect password error.

I have created a patch for this, and in the process also cleaned up an unnecessary if( isset(...) ) statement at the end of the function as well as some missing whitespace.

Attachments (3)

wp_update_user.patch (1.7 KB) - added by casben79 2 years ago.
Patch for the issues.
17009.patch (744 bytes) - added by hakre 2 years ago.
Test for get_userdata() return value before continuing.
17009.2.patch (1.1 KB) - added by hakre 2 years ago.
Check array key existence before use as well, handle password hashing for non-empty ID only (creation of new user [identified by empty ID] will take care of hashing on its own).


Change History (12)

Patch for the issues.

the function wp_update_user() is not creating a new user if not passed an ID.

I think the description of the function is not showing the full picture:

 * If $userdata does not contain an 'ID' key, then a new user will be created
 * and the new user's ID will be returned.

The said check is not performed, so the phpdoc should be corrected instead.

I think this is an error that went in in [6564] from patch registration.phpdoc.r6542.diff.

I think so because if ID is empty, get_userdata(empty) will return false and not an object that is treated like so later on.

Related: [16009], #13761(, [8782], #7550, [6564], #4383), [2872]

Last edited 2 years ago by hakre

hakre 2 years ago

Test for get_userdata() return value before continuing.

That password hashing is a good point, but it needs to be hashed if the user is updated (not created) AFAIK momentarily.

hakre 2 years ago

Check array key existence before use as well, handle password hashing for non-empty ID only (creation of new user [identified by empty ID] will take care of hashing on its own).

Spam.

Last edited 19 months ago by duck_

Closed #19261 as a duplicate.

  • Cc lkraav added
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #16731.

  • Cc cartpauj@… added
  • Keywords needs-patch added; has-patch removed
  • Resolution duplicate deleted
  • Severity changed from normal to major
  • Status changed from closed to reopened
  • Version 3.1 deleted

This is still a problem.
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/user.php#L1455
That line is throwing an Exception, which prevents wp_insert_user from ever being called. The function description clearly states it will insert a new user if ID is not set.

So I propose that either wp_insert_user gets stripped completely out of wp_update_user, or wp_update_user needs to be fixed to allow wp_insert_user to actually get used before the Exception is thrown.

  • Keywords needs-patch removed
  • Resolution set to duplicate
  • Status changed from reopened to closed

Still a duplicate of #16731

  • Keywords has-patch added
  • Version set to 3.1
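
The two problems discussed in this ticket (a failed user lookup used without a check, and a password hashed by the caller and then again by the insert routine) can be modelled as below. This is an added example, not WordPress core code and not any of the attached patches: every `demo_*` function and the in-memory user store are hypothetical, and PHP's `password_hash()`/`password_verify()` stand in for WordPress's own hasher.

```php
<?php
// Added illustration; not WordPress core code. All demo_* names are hypothetical,
// and password_hash()/password_verify() stand in for WordPress's own hasher.
$users = [];   // constructed in-memory store: ID => ['user_login' => ..., 'user_pass' => hash]

function demo_get_userdata(array $users, int $id) {
    return $users[$id] ?? false;             // false when no such user, as the ticket describes
}

// Creates or stores a user; a new user's plaintext password is hashed here.
function demo_insert_user(array &$users, array $data): int {
    if (empty($data['ID'])) {
        $data['ID'] = count($users) + 1;
        $data['user_pass'] = password_hash($data['user_pass'], PASSWORD_DEFAULT);
    }
    $users[$data['ID']] = $data;
    return $data['ID'];
}

// Behaviour reported in the ticket: hash unconditionally, then delegate.
function demo_update_user_double_hash(array &$users, array $data): int {
    if (!empty($data['user_pass'])) {
        $data['user_pass'] = password_hash($data['user_pass'], PASSWORD_DEFAULT);
    }
    return demo_insert_user($users, $data);  // for a new user this hashes the hash
}

// Guarded variant: check the lookup result, hash only when updating an existing user.
function demo_update_user_guarded(array &$users, array $data): int {
    $id = isset($data['ID']) ? (int) $data['ID'] : 0;
    if ($id !== 0) {
        $existing = demo_get_userdata($users, $id);
        if ($existing === false) {
            throw new InvalidArgumentException('Unknown user ID');
        }
        if (!empty($data['user_pass'])) {
            $data['user_pass'] = password_hash($data['user_pass'], PASSWORD_DEFAULT);
        }
        $data = array_merge($existing, $data);
    }
    return demo_insert_user($users, $data);  // empty ID: insert routine hashes exactly once
}

$a = demo_update_user_double_hash($users, ['user_login' => 'alice', 'user_pass' => 'constructed-pw-1']);
$b = demo_update_user_guarded($users, ['user_login' => 'bob', 'user_pass' => 'constructed-pw-2']);
var_dump(password_verify('constructed-pw-1', $users[$a]['user_pass'])); // double-hashed account
var_dump(password_verify('constructed-pw-2', $users[$b]['user_pass'])); // hashed-once account
```

Run with the PHP CLI: the first verification fails because the stored value is a hash of a hash, while the second succeeds.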