Changeset 41254 for trunk/src/wp-admin/options.php

Timestamp:

08/14/2017 08:12:23 PM (8 years ago)

Author:

johnbillion

Message:

Options, Meta APIs: Require a confirmation link in an email to be clicked when an admin attempts to change the site admin email address.

This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their site.

Props MatheusGimenez, johnbillion

Fixes #39118

File:

• trunk/src/wp-admin/options.php (modified) (4 diffs)

trunk/src/wp-admin/options.php

@@ -54 +54 @@
 
 // Handle admin email change requests
-if ( is_multisite() ) {
-    if ( ! empty($_GET[ 'adminhash' ] ) ) {
-        $new_admin_details = get_option( 'adminhash' );
-        $redirect = 'options-general.php?updated=false';
-        if ( is_array( $new_admin_details ) && hash_equals( $new_admin_details[ 'hash' ], $_GET[ 'adminhash' ] ) && !empty($new_admin_details[ 'newemail' ]) ) {
-            update_option( 'admin_email', $new_admin_details[ 'newemail' ] );
-            delete_option( 'adminhash' );
-            delete_option( 'new_admin_email' );
-            $redirect = 'options-general.php?updated=true';
-        }
-        wp_redirect( admin_url( $redirect ) );
-        exit;
-    } elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
-        check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
+if ( ! empty( $_GET[ 'adminhash' ] ) ) {
+    $new_admin_details = get_option( 'adminhash' );
+    $redirect = 'options-general.php?updated=false';
+    if ( is_array( $new_admin_details ) && hash_equals( $new_admin_details[ 'hash' ], $_GET[ 'adminhash' ] ) && ! empty( $new_admin_details[ 'newemail' ] ) ) {
+        update_option( 'admin_email', $new_admin_details[ 'newemail' ] );
         delete_option( 'adminhash' );
         delete_option( 'new_admin_email' );
-        wp_redirect( admin_url( 'options-general.php?updated=true' ) );
-        exit;
-    }
+        $redirect = 'options-general.php?updated=true';
+    }
+    wp_redirect( admin_url( $redirect ) );
+    exit;
+} elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
+    check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
+    delete_option( 'adminhash' );
+    delete_option( 'new_admin_email' );
+    wp_redirect( admin_url( 'options-general.php?updated=true' ) );
+    exit;
 }
 
@@ -84 +82 @@
 
 $whitelist_options = array(
-    'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ),
+    'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG', 'new_admin_email' ),
     'discussion' => array( 'default_pingback_flag', 'default_ping_status', 'default_comment_status', 'comments_notify', 'moderation_notify', 'comment_moderation', 'require_name_email', 'comment_whitelist', 'comment_max_links', 'moderation_keys', 'blacklist_keys', 'show_avatars', 'avatar_rating', 'avatar_default', 'close_comments_for_old_posts', 'close_comments_days_old', 'thread_comments', 'thread_comments_depth', 'page_comments', 'comments_per_page', 'default_comments_page', 'comment_order', 'comment_registration' ),
     'media' => array( 'thumbnail_size_w', 'thumbnail_size_h', 'thumbnail_crop', 'medium_size_w', 'medium_size_h', 'large_size_w', 'large_size_h', 'image_default_size', 'image_default_align', 'image_default_link_type' ),
@@ -108 +106 @@
         $whitelist_options['general'][] = 'home';
 
-    $whitelist_options['general'][] = 'admin_email';
     $whitelist_options['general'][] = 'users_can_register';
     $whitelist_options['general'][] = 'default_role';
@@ -123 +120 @@
     }
 } else {
-    $whitelist_options['general'][] = 'new_admin_email';
-
     /**
      * Filters whether the post-by-email functionality is enabled.