Changeset 45714


Timestamp:
08/01/2019 05:24:20 PM (14 months ago)
Author:
SergeyBiryukov
Message:

Users: Use wp_update_user() in get_password_reset_key().

Props jayswadas, spacedmonkey, donmhico, SergeyBiryukov.
Fixes #45746.

Location:
trunk
Files:
2 edited

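--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -1469,7 +1469,7 @@
  * Most of the `$userdata` array fields have filters associated with the values. Exceptions are
  * 'ID', 'rich_editing', 'syntax_highlighting', 'comment_shortcuts', 'admin_color', 'use_ssl',
- * 'user_registered', 'spam', and 'role'. The filters have the prefix 'pre_user_' followed by the
- * field name. An example using 'description' would have the filter called, 'pre_user_description'
- * that can be hooked into.
+ * 'user_registered', 'user_activation_key', 'spam', and 'role'. The filters have the prefix
+ * 'pre_user_' followed by the field name. An example using 'description' would have the filter
+ * called 'pre_user_description' that can be hooked into.
  *
  * @since 2.0.0
@@ -1477,4 +1477,5 @@
  *              methods for new installations. See wp_get_user_contact_methods().
  * @since 4.7.0 The user's locale can be passed to `$userdata`.
+ * @since 5.3.0 The `user_activation_key` field can be passed to `$userdata`.
  * @since 5.3.0 The `spam` field can be passed to `$userdata` (Multisite only).
  *
@@ -1511,4 +1512,5 @@
  *                                             https. Default false.
  *     @type string      $user_registered      Date the user registered. Format is 'Y-m-d H:i:s'.
+ *     @type string      $user_activation_key  Password reset key. Default empty.
  *     @type bool        $spam                 Multisite only. Whether the user is marked as spam.
  *                                             Default false.
@@ -1661,4 +1663,6 @@
 
     $user_registered = empty( $userdata['user_registered'] ) ? gmdate( 'Y-m-d H:i:s' ) : $userdata['user_registered'];
+
+    $user_activation_key = empty( $userdata['user_activation_key'] ) ? '' : $userdata['user_activation_key'];
 
     if ( isset( $userdata['spam'] ) && ! is_multisite() ) {
@@ -1756,5 +1760,5 @@
     $meta['locale'] = isset( $userdata['locale'] ) ? $userdata['locale'] : '';
 
-    $compacted = compact( 'user_pass', 'user_nicename', 'user_email', 'user_url', 'user_registered', 'display_name' );
+    $compacted = compact( 'user_pass', 'user_nicename', 'user_email', 'user_url', 'user_registered', 'user_activation_key', 'display_name' );
     $data      = wp_unslash( $compacted );
 
@@ -2249,5 +2253,4 @@
  * @since 4.4.0
  *
- * @global wpdb         $wpdb      WordPress database abstraction object.
  * @global PasswordHash $wp_hasher Portable PHP password hashing framework.
  *
@@ -2257,5 +2260,5 @@
  */
 function get_password_reset_key( $user ) {
-    global $wpdb, $wp_hasher;
+    global $wp_hasher;
 
     if ( ! ( $user instanceof WP_User ) ) {
@@ -2323,8 +2326,16 @@
         $wp_hasher = new PasswordHash( 8, true );
     }
-    $hashed    = time() . ':' . $wp_hasher->HashPassword( $key );
-    $key_saved = $wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user->user_login ) );
-    if ( false === $key_saved ) {
-        return new WP_Error( 'no_password_key_update', __( 'Could not save password reset key to database.' ) );
+
+    $hashed = time() . ':' . $wp_hasher->HashPassword( $key );
+
+    $key_saved = wp_update_user(
+        array(
+            'ID'                  => $user->ID,
+            'user_activation_key' => $hashed,
+        )
+    );
+
+    if ( is_wp_error( $key_saved ) ) {
+        return $key_saved;
     }
 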
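Review bot: The new `user_activation_key` entry in `$userdata` (read at new line 1666 and added to `compact()` at 1762) is written to the users table as given, with only `wp_unslash()` applied, so every caller of `wp_insert_user()` / `wp_update_user()` can now set the stored password-reset credential. Code that forwards a request-derived array into these functions would, as far as these hunks show, let that array overwrite the key, so the `@type` line should say what is expected, e.g. `Password reset key in its stored form (timestamp and hash, as built in get_password_reset_key()). Never take this value from request data. Default empty.` Separately, in `get_password_reset_key()` the explicit `false === $key_saved` check on the database write is replaced by `is_wp_error()`, so a failed write is reported only if `wp_update_user()` turns it into a `WP_Error`, which is not visible here. Both function bodies continue outside the hunks.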
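--- a/trunk/tests/phpunit/tests/auth.php
+++ b/trunk/tests/phpunit/tests/auth.php
@@ -228,4 +228,18 @@
 
     /**
+     * @ticket 45746
+     */
+    function test_user_activation_key_is_saved() {
+        $user = get_userdata( $this->user->ID );
+        $key  = get_password_reset_key( $user );
+
+        // A correctly saved key should be accepted
+        $check = check_password_reset_key( $key, $this->user->user_login );
+        $this->assertNotWPError( $check );
+        $this->assertInstanceOf( 'WP_User', $check );
+        $this->assertSame( $this->user->ID, $check->ID );
+    }
+
+    /**
      * @ticket 32429
      */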
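Review bot: `test_user_activation_key_is_saved()` passes `$key` straight into `check_password_reset_key()` without first asserting that it is not a `WP_Error`, and it never looks at what was actually stored. Adding `$this->assertNotWPError( $key );` right after the `get_password_reset_key()` call would make a failed save fail on the right line. `$this->assertNotSame( $key, get_userdata( $this->user->ID )->user_activation_key );` would additionally pin that the plaintext key is not what ends up in the database. A companion assertion that an altered key is rejected would cover the negative path.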