#33654 closed defect (bug) (fixed)
wp_new_user_notification breaking change.
Reported by: | alexander.rohmann | Owned by: | ocean90 |
---|---|---|---|
Milestone: | 4.3.1 | Priority: | normal |
Severity: | normal | Version: | 4.3 |
Component: | Users | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
In 4.3 the $plaintext_pass
argument of wp_new_user_notification
wasn't deprecated properly, and instead was repurposed to do something else.
Because this is a pluggable function, it's a pretty big breaking change. You have all these plugged modifications out there that are essentially sending this:
Username: correct
Password: both
Seeing your password as "both" is very confusing for end users, and what's worse is that in many cases they're unable to login at all.
$plaintext_pass
should have been deprecated, and $notify
should have been introduce as a new argument.
Attachments (7)
Change History (32)
#1
@
9 years ago
- Component changed from General to Users
- Milestone changed from Awaiting Review to 4.3.1
This ticket was mentioned in Slack in #core-passwords by binarykitten. View the logs.
9 years ago
#5
@
9 years ago
Honestly, I also find it odd that the activation code is generated in a function named wp_new_user_notification
. I would kinda expect with a function named that way that it's responsible for sending a "notification" based on a user_id, not update my database and prepare an activation key.
#6
@
9 years ago
- Keywords has-patch added; needs-patch removed
Added first pass at a patch. That said, either way plugins would need to patch themselves to not expect the plaintext password so the benefit that I see is a blank password in the e-mail is perhaps less confusing than "both".
This ticket was mentioned in Slack in #core-passwords by sam. View the logs.
9 years ago
#8
@
9 years ago
- Keywords needs-unit-tests added
I reviewed the patch, and the previous work on #33358 that led to the function change. The _deprecated_argument call is perfect. I think I see a stray comma in the function definition for wp_new_user_notification
(L1701)
- Refresh against trunk
- Remove stray comma
Some unit tests would be nice here and would prevent us from breaking this again.
Should we consider sending a filler instead of blank? something like {plaintext password removed}
?
#9
follow-up:
↓ 15
@
9 years ago
@adamsilverstein: Are you thinking something along the lines of
wp_new_user_notification( $user_id, apply_filter('password_removed_text', __( '{plaintext password removed}' ) ), 'both' );
Then update the function to throw deprecated if anything else is returned besides the filtered value? We can't change the function itself since it is pluggable.
This ticket was mentioned in Slack in #core-passwords by sam. View the logs.
9 years ago
#13
@
9 years ago
Updated unit tests added. Inline docs and adding the context parameter for asserts should they fail.
This ticket was mentioned in Slack in #core-passwords by welcher. View the logs.
9 years ago
#15
in reply to:
↑ 9
@
9 years ago
Actually, I don't think we need this now that I understand the issue fully.
Replying to kraftbj:
@adamsilverstein: Are you thinking something along the lines of
wp_new_user_notification( $user_id, apply_filter('password_removed_text', __( '{plaintext password removed}' ) ), 'both' );Then update the function to throw deprecated if anything else is returned besides the filtered value? We can't change the function itself since it is pluggable.
#16
follow-up:
↓ 18
@
9 years ago
In 33654.4.diff:
- Roll up the patches including latest from @welcher
- Add an additional test verifying calling function with second argument thrown the deprecated error as expected
- $plain_text is now deprecated, and $notify is now the (optional) third argument for
wp_new_user_notification
#18
in reply to:
↑ 16
;
follow-up:
↓ 20
@
9 years ago
- Keywords dev-feedback removed
Replying to adamsilverstein:
In 33654.4.diff:
- Add an additional test verifying calling function with second argument thrown the deprecated error as expected
@expectedDeprecated
takes care of the deprecation notice, $this->deprecated_called
isn't needed. Please have also in mind, that unit tests have to pass on PHP 5.2 too, so no closures in tests.
#19
@
9 years ago
@DrewAPicture Can you please take a look at 33654.5.diff? Does the last sentence for $notify
still make sense?
#20
in reply to:
↑ 18
@
9 years ago
Good to know that @expectedDeprecated
takes care of that, I'll read up to learn more. Also, thanks for pointing out 5.2 requirement, wasn't sure that was required for unit tests.
I did know my approach was convoluted, so thanks for cleaning that all up!
Replying to ocean90:
Replying to adamsilverstein:
In 33654.4.diff:
- Add an additional test verifying calling function with second argument thrown the deprecated error as expected
@expectedDeprecated
takes care of the deprecation notice,$this->deprecated_called
isn't needed. Please have also in mind, that unit tests have to pass on PHP 5.2 too, so no closures in tests.
This ticket was mentioned in Slack in #core by drew. View the logs.
9 years ago
#22
@
9 years ago
- Keywords commit added
- Owner changed from adamsilverstein to chriscct7
- Status changed from assigned to accepted
@DrewAPicture is good with the docs:
https://wordpress.slack.com/archives/core/p1442212363001334
Moving to commit requisitioning
This broke an email in Easy Digital Downloads: https://github.com/easydigitaldownloads/Easy-Digital-Downloads/blob/master/includes/user-functions.php#L442
When accounts are registered, we send a welcome email like this:
wp_new_user_notification( $user_id, __( '[Password entered at checkout]', 'edd' ) );
That doesn't work any more.