wp_insert_user in 3.0 is not backwards compatible
|Reported by:||ahupp||Owned by:|
Prior to WP3.0 the function wp_insert_user would always return an integer or falsy on failure. In 3.0 this function can return either an integer, or an instance of WP_Error. This behavior is not backwards compatible and can result in bad results.
A function that expects an integer return value will treat this WP_Error instance as an integer, which results in a '1'. This is the id of the administrator, resulting in possible corruption of the admin account. In particular, calling wp_update_user() with this WP_Error value will cast the error to (int) and operate on the administrator. First line of wp_update_user:
$ID = (int) $userdataID?;
best: don't return WP_Error from wp_insert_user - this is not backwards compatible.
otherwise: check for is_wp_error() in wp_update_user(), and every other function that takes a user id.
Change History (8)
- Component changed from General to Users
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.1
- Milestone changed from 3.1 to Future Release
- Resolution set to fixed
- Status changed from new to closed