Changeset 30433

Timestamp:

11/20/2014 01:41:48 PM (11 years ago)

Author:

nacin

Message:

Invalidate password keys when a user's email changes.

Merges [30430] to the 3.8 branch.

Location:

branches/3.8

Files:

• . (modified) (1 prop)
• src/wp-includes/user.php (modified) (1 diff)
• tests/phpunit/tests/user.php (modified) (1 diff)

branches/3.8/src/wp-includes/user.php

@@ -1410 +1410 @@
 
     if ( $update ) {
+        if ( $user_email !== $old_user_data->user_email ) {
+            $data['user_activation_key'] = '';
+        }
         $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
         $user_id = (int) $ID;

branches/3.8/tests/phpunit/tests/user.php

@@ -628 +628 @@
         $this->assertInstanceOf( 'WP_Error', wp_update_user( array( 'ID' => $user_id ) ) );
     }
+
+    function test_changing_email_invalidates_password_reset_key() {
+        global $wpdb;
+
+        $user = $this->factory->user->create_and_get();
+        $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+        clean_user_cache( $user );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Check that changing something other than the email doesn't remove the key.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'wat',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEquals( 'key', $user->user_activation_key );
+
+        // Now check that changing the email does remove it.
+        $userdata = array(
+            'ID'            => $user->ID,
+            'user_nicename' => 'cat',
+            'user_email'    => 'foo@bar.dev',
+        );
+        wp_update_user( $userdata );
+
+        $user = get_userdata( $user->ID );
+        $this->assertEmpty( $user->user_activation_key );
+    }
 }