
Changeset 37059


Timestamp:
03/22/2016 11:06:29 PM (8 years ago)
Author:
ocean90
Message:

Users: In edit_user() check for a blank password when adding a user.

Props wesleye, gitlost, adamsilverstein.
Fixes #35715.

Location:
trunk
Files:
2 edited

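--- a/trunk/src/wp-admin/includes/user.php
+++ b/trunk/src/wp-admin/includes/user.php
@@ -114,5 +114,4 @@
     }
 
-    /* checking the password has been typed twice */
     /**
      * Fires before the password and confirm password fields are checked for congruity.
@@ -126,11 +125,18 @@
     do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) );
 
-    /* Check for "\" in password */
-    if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) )
+    // Check for blank password when adding a user.
+    if ( ! $update && empty( $pass1 ) ) {
+        $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter a password.' ), array( 'form-field' => 'pass1' ) );
+    }
+
+    // Check for "\" in password.
+    if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) ) {
         $errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
-
-    /* checking the password has been typed twice the same */
-    if ( $pass1 != $pass2 )
+    }
+
+    // Checking the password has been typed twice the same.
+    if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {
         $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in both password fields.' ), array( 'form-field' => 'pass1' ) );
+    }
 
     if ( !empty( $pass1 ) )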
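Review bot: The rewritten mismatch check, `if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {`, still compares the two fields loosely, and PHP compares two numeric-looking strings by value, so entries such as `1e3` and `1000` count as the same password and the confirmation field does not catch the difference. Since the line is being touched anyway I would make it strict: `if ( ( $update || ! empty( $pass1 ) ) && $pass1 !== $pass2 ) {`, assuming both values are still strings after the `check_passwords` callbacks have run. The new blank check also relies on `empty()`, which treats the string `0` as blank, so that password is rejected with "Please enter a password."; comparing against `''` would avoid this if it is not intended. `edit_user()` begins before and continues after the lines shown here.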
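--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -1133,3 +1133,70 @@
         $this->assertFalse( $was_user_email_sent );
     }
+
+    /**
+     * Checks that calling edit_user() with no password returns an error when adding, and doesn't when updating.
+     *
+     * @ticket 35715
+     */
+    function test_edit_user_blank_pw() {
+        $_POST = $_GET = $_REQUEST = array();
+        $_POST['role'] = 'subscriber';
+        $_POST['email'] = 'user1@example.com';
+        $_POST['user_login'] = 'user_login1';
+        $_POST['first_name'] = 'first_name1';
+        $_POST['last_name'] = 'last_name1';
+        $_POST['nickname'] = 'nickname1';
+        $_POST['display_name'] = 'display_name1';
+
+        // Check new user with missing password.
+        $response = edit_user();
+
+        $this->assertInstanceOf( 'WP_Error', $response );
+        $this->assertEquals( 'pass', $response->get_error_code() );
+
+        // Check new user with password set.
+        $_POST['pass1'] = $_POST['pass2'] = 'password';
+
+        $user_id = edit_user();
+        $user = get_user_by( 'ID', $user_id );
+
+        $this->assertInternalType( 'int', $user_id );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertEquals( 'nickname1', $user->nickname );
+
+        // Check updating user with empty password.
+        $_POST['nickname'] = 'nickname_updated';
+        $_POST['pass1'] = $_POST['pass2'] = '';
+
+        $user_id = edit_user( $user_id );
+
+        $this->assertInternalType( 'int', $user_id );
+        $this->assertEquals( 'nickname_updated', $user->nickname );
+
+        // Check updating user with missing second password.
+        $_POST['nickname'] = 'nickname_updated2';
+        $_POST['pass1'] = 'blank_pass2';
+        $_POST['pass2'] = '';
+
+        $response = edit_user( $user_id );
+
+        $this->assertInstanceOf( 'WP_Error', $response );
+        $this->assertEquals( 'pass', $response->get_error_code() );
+        $this->assertEquals( 'nickname_updated', $user->nickname );
+
+        // Check updating user with empty password via `check_passwords` action.
+        add_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ), 10, 2 );
+        $user_id = edit_user( $user_id );
+        remove_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ) );
+
+        $this->assertInternalType( 'int', $user_id );
+        $this->assertEquals( 'nickname_updated2', $user->nickname );
+    }
+
+    /**
+     * Check passwords action for test_edit_user_blank_pw().
+     */
+    function action_check_passwords_blank_pw( $user_login, &$pass1 ) {
+        $pass1 = '';
+    }
 }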
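Review bot: The add-user path is asserted only for a completely missing password (the first `edit_user()` call), and the reworked mismatch condition is exercised only with a user ID, so a regression that lets a new user through with differing `pass1`/`pass2` would not be caught. Before the `// Check new user with password set.` step I would add `$_POST['pass1'] = 'password'; $_POST['pass2'] = 'mismatch';` followed by `$this->assertInstanceOf( 'WP_Error', edit_user() );`. Separately, the nickname assertions after each update read the `$user` object that was fetched before those updates; this presumably works only because the property is resolved lazily, so re-fetching with `get_user_by( 'ID', $user_id )` after each call would make the checks independent of that.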