
Changeset 30430


Timestamp:
11/20/2014 01:39:03 PM (6 years ago)
Author:
nacin
Message:

Invalidate password keys when a user's email changes.

Location:
trunk
Files:
2 edited

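--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -1886,4 +1886,7 @@
 
     if ( $update ) {
+        if ( $user_email !== $old_user_data->user_email ) {
+            $data['user_activation_key'] = '';
+        }
         $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
         $user_id = (int) $ID;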
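Review bot: The added `if ( $user_email !== $old_user_data->user_email )` branch clears `user_activation_key` with no comment saying why, and the reason is a security one worth recording next to the code: a reset key issued before the change was presumably sent to the old mailbox and would otherwise remain usable after the account moves to a new address. I would add above the assignment `// A pending password reset key was issued for the old address; drop it when the email changes.` The comparison is strict and case-sensitive, so a change in letter case alone also clears the key, which errs on the safe side. The enclosing function starts and ends outside the hunk, so whether `$old_user_data` is always populated when `$update` is true cannot be confirmed from here.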
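--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -673,3 +673,35 @@
         $this->assertSame( $user->user_nicename, $updated_user->user_nicename );
     }
+
+    function test_changing_email_invalidates_password_reset_key() {
+        global $wpdb;
+
+        $user = $this->factory->user->create_and_get();
+        $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+        clean_user_cache( $user );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Check that changing something other than the email doesn't remove the key.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'wat',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Now check that changing the email does remove it.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'cat',
+            'user_email'    => 'foo@bar.dev',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEmpty( $user->user_activation_key );
+    }
 }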
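Review bot: The final assertion `$this->assertEmpty( $user->user_activation_key );` in `test_changing_email_invalidates_password_reset_key()` is looser than the behaviour it guards, since it would also pass for `null`, `'0'` or `0`; `$this->assertSame( '', $user->user_activation_key );` pins the value the code actually writes. The two `assertEquals( 'key', ... )` checks could likewise be `assertSame`. The "key is kept" case only exercises an update that omits `user_email`; a further case that resubmits the unchanged address explicitly would confirm the reset key survives that path as well.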