WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 15 months ago

Last modified 15 months ago

#17009 closed defect (bug) (duplicate)

wp_update_user not creating a new user if not passed an ID

Reported by: casben79 Owned by: casben79
Milestone: Priority: normal
Severity: major Version: 3.1
Component: Users Keywords: has-patch
Focuses: Cc:

Description

the function wp_update_user() is not creating a new user if not passed an ID.

Bugging out as get_object_vars() expects an object but being passed false as no user ID was passed to the function

Upon further investigation was also hashing the password passed to it, when the function it calls ( wp_insert_user() ) does this again which has resulted in an incorrect password error.

I have created a patch for this, and in the process also cleaned up an unnecessary if( isset(...) ) statement at the end of the function as well as some missing whitespace.

Attachments (3)

wp_update_user.patch (1.7 KB) - added by casben79 3 years ago.
Patch for the issues.
17009.patch (744 bytes) - added by hakre 3 years ago.
Test for get_userdata() return value before continuing.
17009.2.patch (1.1 KB) - added by hakre 3 years ago.
Check array key existance before use as well, handle password hashing for non-empty ID only (creation of new user [identified by empty ID] will take care of hashing on it's own).

Download all attachments as: .zip

Change History (12)

casben793 years ago

Patch for the issues.

comment:1 hakre3 years ago

the function wp_update_user() is not creating a new user if not passed an ID.

I think the description of the function is not showing the full picture:

 * If $userdata does not contain an 'ID' key, then a new user will be created
 * and the new user's ID will be returned.

The said check is not performed, so the phpdoc should be corrected instead.

I think this is an error that went in in [6564] from patch registration.phpdoc.r6542.diff.

I think so because if ID is empty, get_userdata(empty) will return false and not an object that is treated like so later on.

Related: [16009], #13761(, [8782], #7550, [6564], #4383), [2872]

Last edited 3 years ago by hakre (previous) (diff)

hakre3 years ago

Test for get_userdata() return value before continuing.

comment:2 hakre3 years ago

That password hashing is a good point, but it needs to be hashed if the user is updated (not created) AFAIK momentarily.

hakre3 years ago

Check array key existance before use as well, handle password hashing for non-empty ID only (creation of new user [identified by empty ID] will take care of hashing on it's own).

comment:3 downloadbook2 years ago

Spam.

Last edited 2 years ago by duck_ (previous) (diff)

comment:4 SergeyBiryukov2 years ago

Closed #19261 as a duplicate.

comment:5 lkraav2 years ago

  • Cc lkraav added

comment:6 SergeyBiryukov17 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #16731.

comment:7 cartpauj15 months ago

  • Cc cartpauj@… added
  • Keywords needs-patch added; has-patch removed
  • Resolution duplicate deleted
  • Severity changed from normal to major
  • Status changed from closed to reopened
  • Version 3.1 deleted

This is still a problem.
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/user.php#L1455
That line is throwing an Exception, which prevents wp_insert_user from ever being called. The function description clearly states it will insert a new user if ID is not set.

So I propose that either wp_insert_user get stripped completely out of wp_update_user or wp_update_user needs fixed to allow wp_insert_user to actually get used before the Exception is thrown.

comment:8 helen15 months ago

  • Keywords needs-patch removed
  • Resolution set to duplicate
  • Status changed from reopened to closed

Still a duplicate of #16731

comment:9 SergeyBiryukov15 months ago

  • Keywords has-patch added
  • Version set to 3.1
Note: See TracTickets for help on using tickets.