Timestamp:
07/27/17 02:09:51 (6 months ago)
Author:
johnbillion
Message:

Users: Require a confirmation link in an email to be clicked when a user attempts to change their email address.

This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their account.

Props rodrigosprimo, tharsheblows, johnbillion

Fixes #16470

File:
1 edited

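--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -1205,3 +1205,71 @@
         $pass1 = '';
     }
+
+    /**
+     * @ticket 16470
+     */
+    function test_send_confirmation_on_profile_email() {
+        reset_phpmailer_instance();
+        $was_confirmation_email_sent = false;
+
+        $user = $this->factory()->user->create_and_get( array(
+            'user_email' => 'before@example.com',
+        ) );
+
+        $_POST['email']   = 'after@example.com';
+        $_POST['user_id'] = $user->ID;
+
+        wp_set_current_user( $user->ID );
+
+        do_action( 'personal_options_update' );
+
+        if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+            $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+        }
+
+        // A confirmation email is sent.
+        $this->assertTrue( $was_confirmation_email_sent );
+
+        // The new email address gets put into user_meta.
+        $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+        $this->assertEquals( 'after@example.com', $new_email_meta['newemail'] );
+
+        // The email address of the user doesn't change. $_POST['email'] should be the email address pre-update.
+        $this->assertEquals( $_POST['email'], $user->user_email );
+    }
+
+    /**
+     * @ticket 16470
+     */
+    function test_remove_send_confirmation_on_profile_email() {
+        remove_action( 'personal_options_update', 'send_confirmation_on_profile_email' );
+
+        reset_phpmailer_instance();
+        $was_confirmation_email_sent = false;
+
+        $user = $this->factory()->user->create_and_get( array(
+            'user_email' => 'before@example.com',
+        ) );
+
+        $_POST['email']   = 'after@example.com';
+        $_POST['user_id'] = $user->ID;
+
+        wp_set_current_user( $user->ID );
+
+        do_action( 'personal_options_update' );
+
+        if ( ! empty( $GLOBALS['phpmailer']->mock_sent ) ) {
+            $was_confirmation_email_sent = ( isset( $GLOBALS['phpmailer']->mock_sent[0] ) && 'after@example.com' == $GLOBALS['phpmailer']->mock_sent[0]['to'][0][0] );
+        }
+
+        // No confirmation email is sent.
+        $this->assertFalse( $was_confirmation_email_sent );
+
+        // No usermeta is created.
+        $new_email_meta = get_user_meta( $user->ID, '_new_email', true );
+        $this->assertEmpty( $new_email_meta );
+
+        // $_POST['email'] should be the email address posted from the form.
+        $this->assertEquals( $_POST['email'], 'after@example.com' );
+    }
 }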
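Review bot: The last assertion in test_send_confirmation_on_profile_email (new line 1238) compares `$_POST['email']` with `$user->user_email` taken from the object fetched before the action ran, so it shows that the handler reset the posted value but not that the stored address stayed unchanged. Since the point of the change is that the address must not switch before the link is clicked, I would also re-read the user and pin it: `$this->assertSame( 'before@example.com', get_userdata( $user->ID )->user_email );`. The recipient check on new lines 1227 and 1262 uses loose `==`, and the `assertEquals` on new line 1273 has expected and actual swapped; `$this->assertSame( 'after@example.com', $_POST['email'] );` would be stricter and give a clearer failure message.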