WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#19767 closed defect (bug) (fixed)

Password Reset email returns invalid account address

Reported by: raamdev Owned by: nacin
Milestone: 3.4 Priority: normal
Severity: normal Version: 1.5
Component: General Keywords: has-patch
Focuses: Cc:

Description

The retrieve_password() function in wp-login.php calls network_site_url() (see source:/trunk/wp-login.php#L211), which on a non-multisite network calls site_url(), which then returns the 'WordPress Address'.

However, that doesn't make sense when the 'WordPress Address' and 'Site Address' are different.

People receiving Password Reset emails shouldn't be seeing the 'WordPress Address', they should be seing 'Site Address'. When these fields are different, the 'WordPress Address' URL doesn't even point anywhere useful to the user.

FYI, I do have FORCE_SSL_ADMIN enabled. My 'WordPress Address' is set to https://raamdev.com/wordpress while my 'Site Address' is set to http://raamdev.com. Password reset emails contain the former address.

Attachments (1)

wp-login-for19767.diff (761 bytes) - added by thee17 3 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 @raamdev3 years ago

  • Cc raam@… added

comment:2 follow-up: @dd323 years ago

  • Version set to 1.5

Replacing the usage of network_site_url() with trailingslashit(network_home_url()) sounds correct here to me

Currently it returns http://dd32.id.au/wordpress where as I'd expect http://dd32.id.au/

We've always used the siteurl in this field however, for the last 7 years at least :)

@thee173 years ago

comment:3 @thee173 years ago

  • Keywords has-patch added

Here is the patch with the change dd32 suggested.

comment:4 in reply to: ↑ 2 ; follow-up: @raamdev3 years ago

Replying to dd32:

Replacing the usage of network_site_url() with trailingslashit(network_home_url()) sounds correct here to me

Currently it returns http://dd32.id.au/wordpress where as I'd expect http://dd32.id.au/

We've always used the siteurl in this field however, for the last 7 years at least :)

Replacing network_site_url() with trailingslashit(network_home_url()) wouldn't correct the problem. That would simply return http://dd32.id.au/wordpress/ not http://dd32.id.au/ as you said you'd expect.

What doesn't make sense to me is why you'd ever want to show the WordPress Address to a user resetting their password. If WordPress Address and Site Address are different, the WordPress Address points nowhere useful to the user (only <WordPress Address>/wp-admin/ is useful, but a user probably shouldn't be pointed there either).

It seems like network_home_url() (if multisite) or home_url() (if non-multisite) would be the logical thing to use. Am I missing something?

comment:5 in reply to: ↑ 4 ; follow-up: @SergeyBiryukov3 years ago

Replying to raamdev:

It seems like network_home_url() (if multisite) or home_url() (if non-multisite) would be the logical thing to use. Am I missing something?

That's what dd32 suggested. network_home_url() returns home_url() if not Multisite.

comment:6 in reply to: ↑ 5 @raamdev3 years ago

Replying to SergeyBiryukov:

That's what dd32 suggested. network_home_url() returns home_url() if not Multisite.

My mistake. I can't believe I didn't see that. :) Thanks!

comment:7 @nacin3 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [19705]:

Use home URL, not siteurl, in the password reset email. fixes #19767.

comment:8 @SergeyBiryukov3 years ago

  • Milestone changed from Awaiting Review to 3.4
Note: See TracTickets for help on using tickets.