
Changeset 58333

Timestamp:
06/04/2024 02:42:29 PM (4 months ago)
Author:
audrasjb
Message:

Login and Registration: Flush user_activation_key after successfully login.

This changeset ensures the user_activation_key is flushed after a successful login, so password reset links can no longer be used once the user has successfully logged into their dashboard.

Props nsinelnikov, rajinsharwar, Rahmohn, oglekler, hellofromTonya.
Fixes #58901.
See #32429

Location:
trunk
Files:
2 edited

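--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -111,4 +111,26 @@
 
     wp_set_auth_cookie( $user->ID, $credentials['remember'], $secure_cookie );
+
+    /**
+     * @global wpdb $wpdb WordPress database abstraction object.
+     */
+    global $wpdb;
+
+    // Flush `user_activation_key` if exists after successful login.
+    if ( ! empty( $user->user_activation_key ) ) {
+        $wpdb->update(
+            $wpdb->users,
+            array(
+                'user_activation_key' => '',
+            ),
+            array( 'ID' => $user->ID ),
+            array( '%s' ),
+            array( '%d' )
+        );
+
+        // Empty user_activation_key object.
+        $user->user_activation_key = '';
+    }
+
     /**
      * Fires after the user has successfully logged in.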
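Review bot: The direct `$wpdb->update()` clears the key in the database but not in the `users` object cache, so a later `get_user_by()` / `check_password_reset_key()` in the same request, or under a persistent object cache, may still see the old `user_activation_key` if that lookup reads through the cache as it appears to; add `clean_user_cache( $user );` immediately after the update, as `wp_set_password()` does when it clears the same column. The return value of `$wpdb->update()` (false on failure) is also ignored, so a failed write leaves a usable reset key while the in-memory object claims it is cleared; at minimum the comment should say the flush is best-effort, e.g. `// Best-effort: a failed update is not fatal for login, but the reset key then stays valid.` The `global $wpdb;` declaration lands mid-function; hoisting it to the top of the function would match the rest of the file. The enclosing `wp_signon()` starts and ends outside this hunk.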
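--- a/trunk/tests/phpunit/tests/auth.php
+++ b/trunk/tests/phpunit/tests/auth.php
@@ -425,4 +425,29 @@
 
     /**
+     * Ensure that the user_activation_key is cleared (if available) after a successful login.
+     *
+     * @ticket 58901
+     */
+    public function test_user_activation_key_after_successful_login() {
+        global $wpdb;
+
+        $reset_key                    = get_password_reset_key( $this->user );
+        $user                         = wp_signon(
+            array(
+                'user_login'    => self::USER_LOGIN,
+                'user_password' => self::USER_PASS,
+            )
+        );
+        $activation_key_from_database = $wpdb->get_var(
+            $wpdb->prepare( "SELECT user_activation_key FROM $wpdb->users WHERE ID = %d", $this->user->ID )
+        );
+
+        $this->assertNotWPError( $reset_key, 'The password reset key was not created.' );
+        $this->assertNotWPError( $user, 'The user was not authenticated.' );
+        $this->assertEmpty( $user->user_activation_key, 'The `user_activation_key` was not empty on the user object returned by `wp_signon` function.' );
+        $this->assertEmpty( $activation_key_from_database, 'The `user_activation_key` was not empty in the database.' );
+    }
+
+    /**
      * Ensure users can log in using both their username and their email address.
      *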
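Review bot: The test asserts that the column is empty but never asserts the property the changeset is about — that the reset link is no longer accepted — and because `$wpdb->get_var()` reads the table directly it would not notice a stale key still served from the `users` object cache; add `$this->assertWPError( check_password_reset_key( $reset_key, self::USER_LOGIN ), 'The reset key was still accepted after login.' );` after the existing assertions, which exercises the same lookup path the password-reset form uses. The `@ticket 58901` docblock could also carry `@covers ::wp_signon` so coverage tooling attributes the behaviour to the function under test. The enclosing test class starts and ends outside this hunk.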