

Timestamp:
07/27/2017 02:09:51 AM (7 years ago)
Author:
johnbillion
Message:

Users: Require a confirmation link in an email to be clicked when a user attempts to change their email address.

This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their account.

Props rodrigosprimo, tharsheblows, johnbillion

Fixes #16470

File:
1 edited

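--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -1205,3 +1205,71 @@
         $pass1 = '';
     }
+
+    /**
+     * @ticket 16470
+     */
+    function test_send_confirmation_on_profile_email() {
+        reset_phpmailer_instance();
+        $was_confirmation_email_sent = false;
+
+        $user = $this->factory()->user->create_and_get( array(
+            'user_email' => 'before@example.com',
+        ) );
+
+        $_POST['email']   = 'after@example.com';
+        $_POST['user_id'] = $user->ID;
+
+        wp_set_current_user( $user->ID );
+
+        do_action( 'personal_options_update' );
+
+        if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+            $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+        }
+
+        // A confirmation email is sent.
+        $this->assertTrue( $was_confirmation_email_sent );
+
+        // The new email address gets put into user_meta.
+        $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+        $this->assertEquals( 'after@example.com', $new_email_meta['newemail'] );
+
+        // The email address of the user doesn't change. $_POST['email'] should be the email address pre-update.
+        $this->assertEquals( $_POST['email'], $user->user_email );
+    }
+
+    /**
+     * @ticket 16470
+     */
+    function test_remove_send_confirmation_on_profile_email() {
+        remove_action( 'personal_options_update', 'send_confirmation_on_profile_email' );
+
+        reset_phpmailer_instance();
+        $was_confirmation_email_sent = false;
+
+        $user = $this->factory()->user->create_and_get( array(
+            'user_email' => 'before@example.com',
+        ) );
+
+        $_POST['email']   = 'after@example.com';
+        $_POST['user_id'] = $user->ID;
+
+        wp_set_current_user( $user->ID );
+
+        do_action( 'personal_options_update' );
+
+        if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+            $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+        }
+
+        // No confirmation email is sent.
+        $this->assertFalse( $was_confirmation_email_sent );
+
+        // No usermeta is created.
+        $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+        $this->assertEmpty( $new_email_meta );
+
+        // $_POST['email'] should be the email address posted from the form.
+        $this->assertEquals( $_POST['email'], 'after@example.com' );
+    }
 }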
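Review bot: The last assertion in test_send_confirmation_on_profile_email() compares `$_POST['email']` with `$user->user_email`, but `$user` was loaded before the action ran, so the check shows only that the posted value was reset and says nothing about the address that is stored afterwards. Because this test is what guards the rule that an address is not switched until the emailed link is confirmed, state both expectations explicitly: `$this->assertSame( 'before@example.com', $_POST['email'] );` and `$this->assertSame( 'before@example.com', get_userdata( $user->ID )->user_email );`. In test_remove_send_confirmation_on_profile_email() the `assertFalse` also passes when a mail was queued to some other recipient, so asserting that `$GLOBALS['phpmailer']->mock_sent` is empty would be the stricter check, assuming nothing else in the fixture sends mail. Both tests use a loose `==` on the recipient and the second passes `assertEquals` its arguments in actual/expected order; `assertSame( 'after@example.com', $_POST['email'] )` reads correctly in a failure message.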