Opened 8 years ago
Last modified 8 months ago
#41522 new defect (bug)
wp_set_password() doesn't trigger a changed password notification
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | dev-feedback has-patch close |
Focuses: | | Cc: | |
Description
If wp_update_user() is used to update a user's password, a notification is sent to the user telling them their password has changed.
However, the same doesn't happen if wp_set_password() is used to update a user's password.
Attachments (1)
Change History (6)
#2
@
8 years ago
- Keywords has-patch added
41522.diff rewrites wp_set_password() so that it uses wp_update_user(). wp_update_user() will hash the password so 41522.diff also removes the use of wp_hash_password() from wp_set_password().
#4
@
8 months ago
- Keywords close added
I consider this to be the correct behaviour of the function.
I think it's worth noting this comment in the function's description:
Please note: This function should be used sparingly and is really only meant for single-time application. Leveraging this improperly in a plugin or theme could result in an endless loop of password resets if precautions are not taken to ensure it does not execute on every page load.
This function should not be used where wp_update_user( [ 'ID' => $user_id, 'user_pass' => 'hunter1' ] ); would be more appropriate.
If wp_set_password() was rewritten to use the API, specifically wp_update_user(), then a notification would be sent. Thing is, it's a pluggable function. What's the policy on updating those things considering people could have their own implementation in a mu-plugins file?