Opened 5 years ago

Last modified 22 months ago

#14767 new defect (bug)

wp_create_user() does not check for a valid email address

Reported by: mrwiblog
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0.1
Component: Users
Keywords: has-patch
Focuses:
Cc:

Description

When creating a new user, an invalid email address (for example user@) will result in a zero-length string in the email field of the users table. If another new user is subsequently created with another invalid email address, the error returned is "This email address is already registered."

It would be better for wp_create_user() to check if a valid email address has been given and return a more descriptive error. I attach a patch file for wp-includes/registration.php to include this functionality.

Attachments (1)

registration.php.patch (161 bytes) - added by mrwiblog 5 years ago.
Patch for wp-includes/registration.php

Change History (9)

@mrwiblog 5 years ago

Patch for wp-includes/registration.php

comment:1 @nacin 5 years ago

  • Milestone changed from Awaiting Review to 3.1

This reminds me of a ticket or two. Not sure if there are any duplicates though.

comment:2 @mrwiblog 5 years ago

  • Keywords has-patch added

The nearest thing I could find was #14417, and there's also #14308 which is in 3.1. Looks like there's a bit of cleaning up that could be done in that function.

comment:3 follow-up: @nacin 5 years ago

Closed #14417 as a duplicate.

We should make email addresses required and enforce uniqueness. I think that will be necessary with #5919 with being able to log in with an email (though unsure if that is covered there).

comment:4 in reply to: ↑ 3 ; follow-up: @filosofo 5 years ago

Replying to nacin:

We should make email addresses required and enforce uniqueness.

I think we should consider doing the opposite: making email addresses just another user datum, like URL. The current system, which de facto requires email addresses, makes it tricky to implement authorization or authentication protocols such as OAuth or OpenID that don't necessarily get you a user's email address.

Aside from emailing password resets (which is not needed for sites accepting those protocols), there's not much reason for core WP to require email addresses.

comment:5 in reply to: ↑ 4 @jonkirkman 4 years ago

Replying to filosofo:

Replying to nacin:

We should make email addresses required and enforce uniqueness.

I think we should consider doing the opposite: making email addresses just another user datum, like URL. The current system, which de facto requires email addresses, makes it tricky to implement authorization or authentication protocols such as OAuth or OpenID that don't necessarily get you a user's email address.

Aside from emailing password resets (which is not needed for sites accepting those protocols), there's not much reason for core WP to require email addresses.

I agree with Filosofo. This seems to be more of an issue with email_exists() not being able to cope with being passed an empty string, which is the default behavior of some of the functions which rely upon it. If email_exists() is passed an empty string, perhaps it should automatically return false without searching the users table.
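
The failure mode reported in this ticket and the two fixes proposed in the description and in comment:5, shown as an added example that is not part of the ticket, its patch, or WordPress code. It is a standalone PHP model: the in-memory `$users` array and every `model_*` function are hypothetical, and PHP's `filter_var()` stands in for WordPress's own email validation.

```php
<?php
// Added illustration: a standalone model of the behaviour in this ticket.
// It does not call WordPress; every function name here is hypothetical.

$users = [];  // constructed in-memory stand-in for the users table

// Models the sanitising step the ticket describes: an invalid address
// (for example "user@") ends up as a zero-length string.
function model_sanitize_email(string $email): string {
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? '' : $email;
}

// Duplicate check. With $guard_empty = true it applies the suggestion from
// comment:5: an empty string never counts as an existing address.
function model_email_exists(array $users, string $email, bool $guard_empty): bool {
    if ($guard_empty && $email === '') {
        return false;
    }
    return in_array($email, array_column($users, 'email'), true);
}

// $validate = true applies the description's proposal: reject an invalid
// address up front with a descriptive error instead of storing ''.
function model_create_user(array &$users, string $login, string $email,
                           bool $validate, bool $guard_empty): string {
    if ($validate && $email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return "error: invalid email address";
    }
    $clean = model_sanitize_email($email);
    if (model_email_exists($users, $clean, $guard_empty)) {
        return "error: This email address is already registered.";
    }
    $users[] = ['login' => $login, 'email' => $clean];
    return "created $login with email '" . $clean . "'";
}

// Reported behaviour: no validation, no empty-string guard.
echo model_create_user($users, 'alice', 'user@', false, false), "\n";
echo model_create_user($users, 'bob', 'other@', false, false), "\n";

// Proposal from the description: validate first.
$users = [];
echo model_create_user($users, 'alice', 'user@', true, false), "\n";

// Proposal from comment:5: an empty string is never a duplicate.
$users = [];
echo model_create_user($users, 'alice', 'user@', false, true), "\n";
echo model_create_user($users, 'bob', 'other@', false, true), "\n";
```

In this model the comment:5 guard removes the misleading duplicate error but still stores both accounts with an empty email, while up-front validation rejects the first call before anything is written.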

comment:6 @ryan 4 years ago

  • Milestone changed from 3.1 to Future Release

comment:7 @SergeyBiryukov 22 months ago

#24630 was marked as a duplicate.

comment:8 @SergeyBiryukov 22 months ago

  • Keywords wp_create_user is_email removed

wp_create_user() was introduced in [2872], $email became optional in [2915], apparently for the MT importer.