Make WordPress Core

Opened 12 years ago

Last modified 2 years ago

#21352 new enhancement

wp_lostpassword_url() on multisite

Reported by: philly-max's profile philly max Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 3.3
Component: Login and Registration Keywords: needs-patch
Focuses: multisite Cc:

Description

The wp_lostpassword_url() function on Multisite outputs the link to the primary domain not the current domain.

Although it works its not what should be expected if a user is registered to use blog ID 2 but not Blog ID 1.

The lost password email generated also links back to the primary domain not the current domain.

Attachments (2)

lost_password_multisite_patch.diff (1.6 KB) - added by philly max 12 years ago.
21352.diff (813 bytes) - added by jamescollins 11 years ago.

Download all attachments as: .zip

Change History (38)

#2 @wonderboymusic
12 years ago

  • Keywords dev-feedback added

#3 follow-up: @wpmuguru
11 years ago

I would prefer to see this send the link for the user's primary blog if they have one and the current site when they don't.

#4 @jamescollins
11 years ago

#23874 was marked as a duplicate.

#5 @sunnyratilal
11 years ago

  • Cc ratilal.sunny@… added

#6 @sunnyratilal
11 years ago

Is there an ETA as to when this will get merged into Core?

#7 @SergeyBiryukov
11 years ago

Closed #24174 as a duplicate.

#8 @SergeyBiryukov
11 years ago

  • Version changed from 3.4.1 to 3.3

The change in wp_lostpassword_url() was introduced in [19027]. See comment:1 for the changes in lost password email.

#9 in reply to: ↑ 3 ; follow-up: @jeremyfelt
11 years ago

  • Keywords needs-patch added; has-patch dev-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Replying to wpmuguru:

I would prefer to see this send the link for the user's primary blog if they have one and the current site when they don't.

+1 for this approach.

@jamescollins
11 years ago

#10 in reply to: ↑ 9 ; follow-up: @jamescollins
11 years ago

  • Keywords has-patch added; needs-patch removed

Replying to jeremyfelt:

Replying to wpmuguru:

I would prefer to see this send the link for the user's primary blog if they have one and the current site when they don't.

+1 for this approach.

21352.diff implements this suggestion.

If using WordPress multisite, use the user's primary blog (falling back to the current site when they don't have a primary blog).
If no-one is logged in, then the current site is used.

#11 @SergeyBiryukov
11 years ago

  • Milestone changed from Future Release to 3.7

#12 @nacin
10 years ago

In order to do this, wp_lostpassword_url() should probably gain a $user parameter. Otherwise this function goes from being a utility function to one that uses global scope.

Imagine a plugin that, at a super admin's request, sends a lost password email to a user. The primary site of the super admin would be used, which would be incorrect.

#13 @nacin
10 years ago

  • Milestone changed from 3.7 to Future Release

#14 @jeremyfelt
10 years ago

  • Keywords needs-patch added; has-patch removed
  • Type changed from defect (bug) to enhancement

#15 @jeremyfelt
10 years ago

  • Component changed from Multisite to Login and Registration
  • Focuses multisite added

#16 in reply to: ↑ 10 @amandafrench
10 years ago

Thanks for these patches -- they've solved this annoying issue on my network.

Replying to jamescollins:

Replying to jeremyfelt:

Replying to wpmuguru:

I would prefer to see this send the link for the user's primary blog if they have one and the current site when they don't.

+1 for this approach.

21352.diff implements this suggestion.

If using WordPress multisite, use the user's primary blog (falling back to the current site when they don't have a primary blog).
If no-one is logged in, then the current site is used.

#17 @strangerstudios
10 years ago

I can do a patch that includes a $user parameter defaulting to $current_user->ID if that's what is needed for this to get official release.

#18 follow-up: @strangerstudios
10 years ago

I've been working on this for a site. I'm not sure the attached diffs make sense anymore. (They rely on $current_user to figure out the URL, but people aren't logged in when requesting a password reset. Maybe I'm missing something.)

Anyway, on the site I'm working on, here is the plugin I put together that updates the lost password URL and the reset URL in the email that goes out to be for the site where the lost password request originated rather than the primary domain. It basically swaps out network_site_url() for site_url().

https://gist.github.com/strangerstudios/9487278

I could see cases where you do want password resets to come from/go to the primary domain. So maybe this is best solved by a plugin. My plugin above could also be adjusted to work in the case where you want subsite admin resets to happen on their own blogs.

Open to suggestions for the plugin as well as ways this might be incorporated into core. Thanks.

#19 in reply to: ↑ 18 @oldmankit
10 years ago

Anyway, on the site I'm working on, here is the plugin I put together that updates the lost password URL and the reset URL in the email that goes out to be for the site where the lost password request originated rather than the primary domain. It basically swaps out network_site_url() for site_url().

https://gist.github.com/strangerstudios/9487278

I tried this plugin but it didn't seem to have any effect. (Copied php file to plugins folder, as network admin I clicked 'Activate for all sites'.) The emails remained unchanged.

I also tried patch https://core.trac.wordpress.org/attachment/ticket/21352/lost_password_multisite_patch.diff attached to this bug, which also had no effect. The emails being sent to lost password users again remained unchanged.

I wonder what I'm doing wrong.

Last edited 10 years ago by oldmankit (previous) (diff)

#20 follow-up: @foodin65
9 years ago

I'm having this issue on my multi-site network now. It's very confusing for users on my sub-site (which is a membership site) to click the lost password link and then get an email with the main site's name and domain. It's also links them back to the main site to reset their email. Then the "success" please login form... logs them into the main site and not the sub site they are trying to reset their password form.

How do we change this?

#21 in reply to: ↑ 20 ; follow-up: @Tree2054
9 years ago

Replying to foodin65:

I'm having this issue on my multi-site network now. It's very confusing for users on my sub-site (which is a membership site) to click the lost password link and then get an email with the main site's name and domain. It's also links them back to the main site to reset their email. Then the "success" please login form... logs them into the main site and not the sub site they are trying to reset their password form.

How do we change this?

I'm using the following filter on network_site_url and it seems to give the functionality that you are describing.

https://gist.github.com/Trii/32498eb95b13caf66d69

<?php
// rewrite "network" URLs to site_url except for URLs that truly need it
add_filter( 'network_site_url', function($url, $path = '', $scheme = null ) {
        // Normalize path in case people pass in a leading /
        $path = ltrim( $path, '/' );

        // According to my pal grep, a call to `network_site_url` with no path
        // means they are intentionally linking to the main network site.
        // Specific requests for the network admin interface should also
        // remain the same
        if ( !$path || strpos( $path, 'wp-admin/network' ) === 0 ) {
            return $url;
        }

        return site_url($path, $scheme);
});
?>

#22 in reply to: ↑ 21 ; follow-up: @landshark
9 years ago

Pardon my ignorance, but were do I insert this code to fix the problem?

Replying to Tree2054:

Replying to foodin65:

I'm having this issue on my multi-site network now. It's very confusing for users on my sub-site (which is a membership site) to click the lost password link and then get an email with the main site's name and domain. It's also links them back to the main site to reset their email. Then the "success" please login form... logs them into the main site and not the sub site they are trying to reset their password form.

How do we change this?

I'm using the following filter on network_site_url and it seems to give the functionality that you are describing.

https://gist.github.com/Trii/32498eb95b13caf66d69

<?php
// rewrite "network" URLs to site_url except for URLs that truly need it
add_filter( 'network_site_url', function($url, $path = '', $scheme = null ) {
        // Normalize path in case people pass in a leading /
        $path = ltrim( $path, '/' );

        // According to my pal grep, a call to `network_site_url` with no path
        // means they are intentionally linking to the main network site.
        // Specific requests for the network admin interface should also
        // remain the same
        if ( !$path || strpos( $path, 'wp-admin/network' ) === 0 ) {
            return $url;
        }

        return site_url($path, $scheme);
});
?>

#23 in reply to: ↑ 22 ; follow-up: @Tree2054
9 years ago

Replying to landshark:

Pardon my ignorance, but were do I insert this code to fix the problem?

You would need to add it in your own plugin somewhere

Replying to Tree2054:

Replying to foodin65:

I'm having this issue on my multi-site network now. It's very confusing for users on my sub-site (which is a membership site) to click the lost password link and then get an email with the main site's name and domain. It's also links them back to the main site to reset their email. Then the "success" please login form... logs them into the main site and not the sub site they are trying to reset their password form.

How do we change this?

I'm using the following filter on network_site_url and it seems to give the functionality that you are describing.

https://gist.github.com/Trii/32498eb95b13caf66d69

<?php
// rewrite "network" URLs to site_url except for URLs that truly need it
add_filter( 'network_site_url', function($url, $path = '', $scheme = null ) {
        // Normalize path in case people pass in a leading /
        $path = ltrim( $path, '/' );

        // According to my pal grep, a call to `network_site_url` with no path
        // means they are intentionally linking to the main network site.
        // Specific requests for the network admin interface should also
        // remain the same
        if ( !$path || strpos( $path, 'wp-admin/network' ) === 0 ) {
            return $url;
        }

        return site_url($path, $scheme);
});
?>

#24 in reply to: ↑ 23 @landshark
9 years ago

OK I'm revisiting this problem, I created a plugin file and inserted this code. It is now an active plugin on my multisite network

Unfortunately,when I go to xyz.mydomain.com/wp-login and click on reset password, I'm taken to the main site reset password page (mydomain.com/wp-login.php?action=lostpassword). Of course the email that is sent also contains links back to the main site not the subsite.

Is there something I'm missing?

Reply

Replying to Tree2054:

Replying to landshark:

Pardon my ignorance, but were do I insert this code to fix the problem?

You would need to add it in your own plugin somewhere

#26 @SergeyBiryukov
9 years ago

#32321 was marked as a duplicate.

#27 in reply to: ↑ 25 @danbrady
9 years ago

Replying to eteubert:

Here's my take on a workaround: https://gist.github.com/eteubert/293e07a49f56f300ddbb

We've installed this, all works well so far. Thanks @eteubert !

#28 @ocean90
8 years ago

#36439 was marked as a duplicate.

#29 @lukecavanagh
7 years ago

#38898 was marked as a duplicate.

#30 @johnbillion
7 years ago

Brain dump:

This behaviour is confusing for several reasons:

  • Users may not be aware of the relationship between a site and its "main" site. They may not be aware of the existence or role of multisite at all.
  • The main site may not use the same language as the site the user is trying to log in to. The user may not understand the language of the main site, meaning they're unable to follow the password reset instructions.
  • After resetting their password, they're sent to the admin area for the main site, which was not probably not their original destination.

When the user does reset their password, they're subsequently sent an email notification that they've reset their password for the main site. There's no mention of the site that they were attempting to log in to.

It looks like there are quite a few considerations that need to be thought about that relate to how WordPress deals with sites and how it communicates to the user about sites or the main site.

#31 @henry.wright
4 years ago

The behaviour of register, activate, login, lost password and reset password links is inconsistent in general in a network install. I've tried to describe the behaviour below.

Context: I am in the root blog

wp-signup.php (stays in same blog)
wp-activate.php (stays in same blog)
wp-login.php

  • log in (stays in same blog)
  • lost password and the redirect location after (stays in same blog)
  • reset password (link to it in email) and the redirect location after (stays in same blog)

Context: I am in a blog

wp-signup.php (jumps to root blog)
wp-activate.php (stays in same blog)
wp-login.php

  • log in (stays in same blog)
  • lost password and the redirect location after (jumps to root blog)
  • reset password (link to it in email) and the redirect after (jumps to root blog)

I don't see a reason why we should jump to a different blog. Blogs can use different languages as @johnbillion pointed out above and jumping will cause confusion for the user.

Last edited 4 years ago by henry.wright (previous) (diff)

This ticket was mentioned in Slack in #core by helen. View the logs.


3 years ago

#33 @ocean90
2 years ago

#54294 was marked as a duplicate.

#34 @costdev
2 years ago

Related ticket: #54297

Last edited 2 years ago by costdev (previous) (diff)

#35 @henry.wright
2 years ago

Related ticket #54298.

Note: See TracTickets for help on using tickets.