Make WordPress Core


Timestamp: 10/11/2022 01:43:20 PM (2 years ago)
Author: SergeyBiryukov
Message:

Users: Fetch user by login in retrieve_password() if not found by email.

This ensures that sending a password reset link works as expected if the user's login and email were initially the same, but the email address was subsequently updated and no longer matches the login, which is still set to the old address.

Follow-up to [6643], [18513], [19056], [37474], [50129], [50140].

Props donmhico, pbearne, azouamauriac, boblindner, daxelrod, audrasjb, SergeyBiryukov.
Fixes #53634.

File:
1 edited

  • trunk/src/wp-includes/user.php

    r54397 r54477  
    30393039    }
    30403040
     3041    $user_login = trim( wp_unslash( $user_login ) );
     3042
    30413043    if ( empty( $user_login ) ) {
    30423044        $errors->add( 'empty_username', __( '<strong>Error:</strong> Please enter a username or email address.' ) );
    30433045    } elseif ( strpos( $user_login, '@' ) ) {
    3044         $user_data = get_user_by( 'email', trim( wp_unslash( $user_login ) ) );
     3046        $user_data = get_user_by( 'email', $user_login );
     3047
     3048        if ( empty( $user_data ) ) {
     3049            $user_data = get_user_by( 'login', $user_login );
     3050        }
     3051
    30453052        if ( empty( $user_data ) ) {
    30463053            $errors->add( 'invalid_email', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
    30473054        }
    30483055    } else {
    3049         $user_data = get_user_by( 'login', trim( wp_unslash( $user_login ) ) );
     3056        $user_data = get_user_by( 'login', $user_login );
    30503057    }
    30513058
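Review bot: The new fallback at lines 3048-3050 runs only when the email lookup returns nothing, so the precedence between the two lookups is implicit. If the submitted string is one account's login and also another account's current email address, the email match wins and the account whose login it is still cannot be selected through this branch. State that precedence in a short comment above `$user_data = get_user_by( 'login', $user_login );` and cover it with a test, since the changeset edits only user.php. Separately, `strpos( $user_login, '@' )` on the unchanged line 3045 is falsy when '@' is the first character; such input falls through to the login lookup in the else branch, so the result is the same, but `false !== strpos( $user_login, '@' )` would make the intent explicit.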