WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 20 months ago

#13351 closed defect (bug) (fixed)

Auto-generated Password Nag

Reported by: battis Owned by:
Milestone: 3.5 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

Whenever I log in, I am warned that "You’re using the auto-generated password for your account. Would you like to change it to something you’ll remember easier?" -- even after having changed my password (and clicked the link to "No thanks, do not remind me again")

This appears in WordPress 3.0-beta2-14550

Attachments (1)

13351.patch (1.0 KB) - added by SergeyBiryukov 20 months ago.

Download all attachments as: .zip

Change History (6)

comment:1 dd324 years ago

  • Component changed from General to Administration
  • Keywords reporter-feedback added
  • Milestone changed from Unassigned to 3.0

Was this installed on SVN trunk a few weeks ago? I believe there was a bug for a few revisions which result in this.

Does this occur on a new installation of the latest trunk?

comment:2 dd324 years ago

  • Milestone 3.0 deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Just tested this, Both changing the users password and clicking the dismiss option appears to be working correctly for me.

If you experience this on a clean install, please re-open with any specifics on the environment/configuration of WordPress you are using.

comment:3 TomAuger20 months ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened
  • Version changed from 3.0 to 3.4.1

Just had this happen twice with two fresh installs from trunk (3.5-alpha-21499) on a local XAMPP box.

Here's the install process I followed both times:

  • create a new directory inside my server path
  • checkout http://core.svn.wordpress.org/trunk
  • create a new DB
  • edit wp-config.php
  • 5-minute install (more like 5 seconds these days!)
  • default user ('admin')
  • get the auto-generated pwd message. Copy the pwd
  • log in with auto-generated pwd
  • get the nag
  • click the nag to go to profile
  • change the password
  • this logs you out
  • log in with the new password
  • nag is still there.

SergeyBiryukov20 months ago

comment:4 SergeyBiryukov20 months ago

  • Keywords has-patch added; reporter-feedback removed
  • Milestone set to 3.5
  • Version 3.4.1 deleted

The latest bug was introduced in [21376].

Now that get_userdata() returns existing data for current user, default_password_nag_edit_user() compares the old password to itself and fails to delete the default_password_nag option:
http://core.trac.wordpress.org/browser/trunk/wp-admin/includes/user.php?rev=21496#L334

wp_generate_auth_cookie() (called via wp_update_user()) also receives the old data, which causes it to create cookies for the old password and leads to logout:
http://core.trac.wordpress.org/browser/trunk/wp-includes/pluggable.php?rev=21496#L581

13351.patch replaces get_userdata() with new WP_User() in those two places. An alternative would probably be to check if $_POST (or a specific key) is empty in get_user_by().

Last edited 20 months ago by SergeyBiryukov (previous) (diff)

comment:5 SergeyBiryukov20 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Fixed in [21563].

Note: See TracTickets for help on using tickets.