Ticket #16470: 16470.3.patch

src/wp-admin/includes/admin-filters.php

@@ -99 +99 @@
 add_action( 'admin_init', 'default_password_nag_handler' );
 
 add_action( 'admin_notices', 'default_password_nag' );
+add_action( 'admin_notices', 'new_user_email_admin_notice' );
 
 add_action( 'profile_update', 'default_password_nag_edit_user', 10, 2 );
 
+add_action( 'personal_options_update', 'send_confirmation_on_profile_email' );
+
 // Update hooks.
 add_action( 'load-plugins.php', 'wp_plugin_update_rows', 20 ); // After wp_update_plugins() is called.
 add_action( 'load-themes.php', 'wp_theme_update_rows', 20 ); // After wp_update_themes() is called.

src/wp-admin/includes/ms-admin-filters.php

@@ -11 +11 @@
 add_filter( 'wp_handle_upload_prefilter', 'check_upload_size' );
 
 // User Hooks
-add_action( 'admin_notices', 'new_user_email_admin_notice' );
 add_action( 'user_admin_notices', 'new_user_email_admin_notice' );
 
 add_action( 'admin_page_access_denied', '_access_denied_splash', 99 );
 
 add_action( 'add_option_new_admin_email', 'update_option_new_admin_email', 10, 2 );
 
-add_action( 'personal_options_update', 'send_confirmation_on_profile_email' );
-
 add_action( 'update_option_new_admin_email', 'update_option_new_admin_email', 10, 2 );
 
 // Site Hooks.

src/wp-admin/includes/ms.php

@@ -336 +336 @@
 }
 
 /**
- * Sends an email when an email address change is requested.
- *
- * @since 3.0.0
- *
- * @global WP_Error $errors WP_Error object.
- * @global wpdb     $wpdb   WordPress database object.
- */
-function send_confirmation_on_profile_email() {
-        global $errors, $wpdb;
-        $current_user = wp_get_current_user();
-        if ( ! is_object($errors) )
-                $errors = new WP_Error();
-
-        if ( $current_user->ID != $_POST['user_id'] )
-                return false;
-
-        if ( $current_user->user_email != $_POST['email'] ) {
-                if ( !is_email( $_POST['email'] ) ) {
-                        $errors->add( 'user_email', __( "<strong>ERROR</strong>: The email address isn&#8217;t correct." ), array( 'form-field' => 'email' ) );
-                        return;
-                }
-
-                if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM {$wpdb->users} WHERE user_email=%s", $_POST['email'] ) ) ) {
-                        $errors->add( 'user_email', __( "<strong>ERROR</strong>: The email address is already used." ), array( 'form-field' => 'email' ) );
-                        delete_user_meta( $current_user->ID, '_new_email' );
-                        return;
-                }
-
-                $hash = md5( $_POST['email'] . time() . mt_rand() );
-                $new_user_email = array(
-                        'hash' => $hash,
-                        'newemail' => $_POST['email']
-                );
-                update_user_meta( $current_user->ID, '_new_email', $new_user_email );
-
-                $switched_locale = switch_to_locale( get_user_locale() );
-
-                /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
-                $email_text = __( 'Howdy ###USERNAME###,
-
-You recently requested to have the email address on your account changed.
-
-If this is correct, please click on the following link to change it:
-###ADMIN_URL###
-
-You can safely ignore and delete this email if you do not want to
-take this action.
-
-This email has been sent to ###EMAIL###
-
-Regards,
-All at ###SITENAME###
-###SITEURL###' );
-
-                /**
-                 * Filters the email text sent when a user changes emails.
-                 *
-                 * The following strings have a special meaning and will get replaced dynamically:
-                 * ###USERNAME###  The current user's username.
-                 * ###ADMIN_URL### The link to click on to confirm the email change.
-                 * ###EMAIL###     The new email.
-                 * ###SITENAME###  The name of the site.
-                 * ###SITEURL###   The URL to the site.
-                 *
-                 * @since MU
-                 *
-                 * @param string $email_text     Text in the email.
-                 * @param string $new_user_email New user email that the current user has changed to.
-                 */
-                $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email );
-
-                $content = str_replace( '###USERNAME###', $current_user->user_login, $content );
-                $content = str_replace( '###ADMIN_URL###', esc_url( self_admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
-                $content = str_replace( '###EMAIL###', $_POST['email'], $content);
-                $content = str_replace( '###SITENAME###', wp_specialchars_decode( get_site_option( 'site_name' ), ENT_QUOTES ), $content );
-                $content = str_replace( '###SITEURL###', network_home_url(), $content );
-
-                wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ), $content );
-                $_POST['email'] = $current_user->user_email;
-
-                if ( $switched_locale ) {
-                        restore_previous_locale();
-                }
-        }
-}
-
-/**
- * Adds an admin notice alerting the user to check for confirmation email
- * after email address change.
- *
- * @since 3.0.0
- *
- * @global string $pagenow
- */
-function new_user_email_admin_notice() {
-        global $pagenow;
-        if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) && $email = get_user_meta( get_current_user_id(), '_new_email', true ) ) {
-                /* translators: %s: New email address */
-                echo '<div class="notice notice-info"><p>' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '<code>' . esc_html( $email['newemail'] ) . '</code>' ) . '</p></div>';
-        }
-}
-
-/**
  * Check whether a site has used its allotted upload space.
  *
  * @since MU

src/wp-admin/user-edit.php

@@ -88 +88 @@
 }
 
 // Execute confirmed email change. See send_confirmation_on_profile_email().
-if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
+if ( IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
         $new_email = get_user_meta( $current_user->ID, '_new_email', true );
         if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
                 $user = new stdClass;
                 $user->ID = $current_user->ID;
                 $user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
-                if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $current_user->user_login ) ) ) {
+                if ( is_multisite() && $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $current_user->user_login ) ) ) {
                         $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $user->user_email, $current_user->user_login ) );
                 }
                 wp_update_user( $user );
@@ -104 +104 @@
         } else {
                 wp_redirect( add_query_arg( array( 'error' => 'new-email' ), self_admin_url( 'profile.php' ) ) );
         }
-} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
+} elseif ( IS_PROFILE_PAGE && ! empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
         check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
         delete_user_meta( $current_user->ID, '_new_email' );
         wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );

src/wp-includes/user.php

@@ -2590 +2590 @@
 
         return $current_user;
 }
+
+/**
+ * Sends an email when an email address change is requested.
+ *
+ * @since 3.0.0
+ * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific.
+ *
+ * @global WP_Error $errors WP_Error object.
+ * @global wpdb     $wpdb   WordPress database object.
+ */
+function send_confirmation_on_profile_email() {
+        global $errors, $wpdb;
+
+        $current_user = wp_get_current_user();
+        if ( ! is_object( $errors ) ) {
+                $errors = new WP_Error();
+        }
+
+        if ( $current_user->ID != $_POST['user_id'] ) {
+                return false;
+        }
+
+        if ( $current_user->user_email != $_POST['email'] ) {
+                if ( ! is_email( $_POST['email'] ) ) {
+                        $errors->add( 'user_email', __( "<strong>ERROR</strong>: The email address isn&#8217;t correct." ), array(
+                                'form-field' => 'email',
+                        ) );
+
+                        return;
+                }
+
+                if ( $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM {$wpdb->users} WHERE user_email=%s", $_POST['email'] ) ) ) {
+                        $errors->add( 'user_email', __( "<strong>ERROR</strong>: The email address is already used." ), array(
+                                'form-field' => 'email',
+                        ) );
+                        delete_user_meta( $current_user->ID, '_new_email' );
+
+                        return;
+                }
+
+                $hash           = md5( $_POST['email'] . time() . mt_rand() );
+                $new_user_email = array(
+                        'hash'     => $hash,
+                        'newemail' => $_POST['email'],
+                );
+                update_user_meta( $current_user->ID, '_new_email', $new_user_email );
+
+                /* translators: Do not translate USERNAME, ADMIN_URL, EMAIL, SITENAME, SITEURL: those are placeholders. */
+                $email_text = __( 'Howdy ###USERNAME###,
+
+You recently requested to have the email address on your account changed.
+
+If this is correct, please click on the following link to change it:
+###ADMIN_URL###
+
+You can safely ignore and delete this email if you do not want to
+take this action.
+
+This email has been sent to ###EMAIL###
+
+Regards,
+All at ###SITENAME###
+###SITEURL###' );
+
+                /**
+                 * Filters the email text sent when a user changes emails.
+                 *
+                 * The following strings have a special meaning and will get replaced dynamically:
+                 * ###USERNAME###  The current user's username.
+                 * ###ADMIN_URL### The link to click on to confirm the email change.
+                 * ###EMAIL###     The new email.
+                 * ###SITENAME###  The name of the site.
+                 * ###SITEURL###   The URL to the site.
+                 *
+                 * @since MU
+                 * @since 4.9.0 This filter is no longer Multisite specific.
+                 *
+                 * @param string $email_text     Text in the email.
+                 * @param string $new_user_email New user email that the current user has changed to.
+                 */
+                $content = apply_filters( 'new_user_email_content', $email_text, $new_user_email );
+
+                $content = str_replace( '###USERNAME###', $current_user->user_login, $content );
+                $content = str_replace( '###ADMIN_URL###', esc_url( admin_url( 'profile.php?newuseremail=' . $hash ) ), $content );
+                $content = str_replace( '###EMAIL###', $_POST['email'], $content );
+                $content = str_replace( '###SITENAME###', get_site_option( 'site_name' ), $content );
+                $content = str_replace( '###SITEURL###', network_home_url(), $content );
+
+                wp_mail( $_POST['email'], sprintf( __( '[%s] New Email Address' ), wp_specialchars_decode( get_option( 'blogname' ) ) ), $content );
+
+                $_POST['email'] = $current_user->user_email;
+        }
+}
+
+/**
+ * Adds an admin notice alerting the user to check for confirmation email
+ * after email address change.
+ *
+ * @since 3.0.0
+ * @since 4.9.0 This function was moved from wp-admin/includes/ms.php so it's no longer Multisite specific.
+ *
+ * @global string $pagenow
+ */
+function new_user_email_admin_notice() {
+        global $pagenow;
+        if ( 'profile.php' === $pagenow && isset( $_GET['updated'] ) && $email = get_user_meta( get_current_user_id(), '_new_email', true ) ) {
+                /* translators: %s: New email address */
+                echo '<div class="notice notice-info"><p>' . sprintf( __( 'Your email address has not been updated yet. Please check your inbox at %s for a confirmation email.' ), '<code>' . esc_html( $email['newemail'] ) . '</code>' ) . '</p></div>';
+        }
+}

tests/phpunit/tests/user.php

@@ -1204 +1204 @@
         function action_check_passwords_blank_pw( $user_login, &$pass1 ) {
                 $pass1 = '';
         }
+
+        /**
+         * @ticket 16470
+         */
+        function test_send_confirmation_on_profile_email() {
+                reset_phpmailer_instance();
+                $was_confirmation_email_sent = false;
+
+                $user = $this->factory()->user->create_and_get( array(
+                        'user_email' => 'before@example.com',
+                ) );
+
+                $_POST['email']   = 'after@example.com';
+                $_POST['user_id'] = $user->ID;
+
+                wp_set_current_user( $user->ID );
+
+                do_action( 'personal_options_update' );
+
+                if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+                        $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+                }
+
+                // A confirmation email is sent.
+                $this->assertTrue( $was_confirmation_email_sent );
+
+                // The new email address gets put into user_meta.
+                $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+                $this->assertEquals( 'after@example.com', $new_email_meta['newemail'] );
+
+                // The email address of the user doesn't change. $_POST['email'] should be the email address pre-update.
+                $this->assertEquals( $_POST['email'], $user->user_email );
+        }
+
+        /**
+         * @ticket 16470
+         */
+        function test_remove_send_confirmation_on_profile_email() {
+                remove_action( 'personal_options_update', 'send_confirmation_on_profile_email' );
+
+                reset_phpmailer_instance();
+                $was_confirmation_email_sent = false;
+
+                $user = $this->factory()->user->create_and_get( array(
+                        'user_email' => 'before@example.com',
+                ) );
+
+                $_POST['email']   = 'after@example.com';
+                $_POST['user_id'] = $user->ID;
+
+                wp_set_current_user( $user->ID );
+
+                do_action( 'personal_options_update' );
+
+                if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+                        $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+                }
+
+                // No confirmation email is sent.
+                $this->assertFalse( $was_confirmation_email_sent );
+
+                // No usermeta is created.
+                $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+                $this->assertEmpty( $new_email_meta );
+
+                // $_POST['email'] should be the email address posted from the form.
+                $this->assertEquals( $_POST['email'], 'after@example.com' );
+        }
 }