Make WordPress Core

Changeset 50422


Ignore:
Timestamp:
02/23/2021 08:06:40 PM (4 years ago)
Author:
SergeyBiryukov
Message:

Users: Only include the IP address in password reset email if the user is not logged in.

This avoids unnecessarily disclosing the IP address when sending a password reset link to another user from the admin.

Follow-up to [49255], [50129].

Props carike, audrasjb, gmariani405, Ipstenu.
See #34281.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/user.php

    r50415 r50422  
    27742774    $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n\r\n";
    27752775
    2776     $requester_ip = $_SERVER['REMOTE_ADDR'];
    2777     if ( $requester_ip ) {
    2778         $message .= sprintf(
    2779             /* translators: %s: IP address of password reset requester. */
    2780             __( 'This password reset request originated from the IP address %s.' ),
    2781             $requester_ip
    2782         ) . "\r\n";
     2776    if ( ! is_user_logged_in() ) {
     2777        $requester_ip = $_SERVER['REMOTE_ADDR'];
     2778        if ( $requester_ip ) {
     2779            $message .= sprintf(
     2780                /* translators: %s: IP address of password reset requester. */
     2781                __( 'This password reset request originated from the IP address %s.' ),
     2782                $requester_ip
     2783            ) . "\r\n";
     2784        }
    27832785    }
    27842786
Note: See TracChangeset for help on using the changeset viewer.