Opened 7 years ago
Last modified 3 years ago
#43706 reviewing enhancement
Email with link to change admin email does not include proposed new email address.
Reported by: | sshanky | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | 4.9.5 |
Component: | Users | Keywords: | good-first-bug has-patch needs-refresh |
Focuses: | Cc: |
Description
This is a follow-up to #39112.
This can be precarious -- I've received this note twice since locking out the previous administrator (not sure how he is attempting to change the address yet) and there's no way to determine who is requesting the admin email change. The email with the link to change the admin email follows.
Howdy [name],
You recently requested to have the administration email address on
your site changed.
If this is correct, please click on the following link to change it:
https://siteurl.com/wp-admin/options.php?adminhash=[hash]
You can safely ignore and delete this email if you do not want to
take this action.
This email has been sent to [current admin email]
Regards,
All at sitename
http://siteurl.com
Attachments (2)
Change History (16)
#2
@
7 years ago
Hey, @sshanky! Welcome to Trac :)
The email you mention does contain the "proposed new email address".
$email_text = __( 'Howdy ###USERNAME###, You recently requested to have the administration email address on your site changed. If this is correct, please click on the following link to change it: ###ADMIN_URL### You can safely ignore and delete this email if you do not want to take this action. This email has been sent to ###EMAIL### Regards, All at ###SITENAME### ###SITEURL###' );
###EMAIL###
is, in fact, the proposed new email.
Quoting the help block in the User Edit screen:
If you change this we will send you an email at your new address to confirm it. The new address will not become active until confirmed.
What appears to be happening, is your old administrator registered as a regular user, and is trying to change his email to the address you're receiving the notification on. Would this make sense?
#3
@
7 years ago
This might be what is happening...It doesn't quite explain why, after clicking the confirmation link in the email, the admin email was set to the old admin's email address. Perhaps I thought I clicked the link but I didn't?
In any case, I would propose that it might be clearer if the verbiage in the email was more precise -- rather than using
This email has been sent to ###EMAIL###
which doesn't clearly state that ###EMAIL### is the proposed new email, a more instructive approach might be to change the email to read something like:
$email_text = __( 'Howdy ###USERNAME###, You recently requested to have the administration email address on your site changed to: ###EMAIL### If this is correct, please click on the following link to confirm this email and change it: ###ADMIN_URL### You can safely ignore and delete this email if you do not want to take this action. Regards, All at ###SITENAME### ###SITEURL###' );
Thanks for the reply. I'll play with it some more and come back if I can reproduce the behavior. For now we should probably close this issue.
#5
@
4 years ago
- Keywords needs-patch good-first-bug added
- Type changed from defect (bug) to enhancement
Agreed that the wording in this email could be improved.
This ticket was mentioned in Slack in #core by tremidkhar. View the logs.
4 years ago
@
4 years ago
The old email can be taken from the $old_value variable if ticket #52464 get resolved.
This ticket was mentioned in Slack in #core by tremidkhar. View the logs.
4 years ago
#9
@
4 years ago
- Milestone changed from Awaiting Review to 5.8
- Owner set to SergeyBiryukov
- Status changed from new to reviewing
#10
@
4 years ago
- Milestone changed from 5.8 to 5.9
Thanks for the patch! Didn't get around to reviewing it in time for the 5.8 feature freeze, moving to the next release.
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 years ago
#12
@
3 years ago
- Milestone changed from 5.9 to Future Release
As per today's bug scrub and since tomorrow is WP 5.9 feature freeze, I'm moving this ticket to Future release
.
#13
@
3 years ago
- Keywords needs-refresh added
Thanks for the patch @tremidkhar!
While changing the ###EMAIL###
placeholder to ###NEW_EMAIL###
makes sense, you'll need to include a little bit of work to make sure that the code doesn't break for developers using the new_admin_email_content
filter.
I suggest ###EMAIL###
be considered deprecated in favour of ###NEW_EMAIL###
.
Immediately following the filter a new line of code can be added to replace the old with the new, for example:
<?php $content = apply_filters( 'new_admin_email_content', $email_text, $new_admin_email ); // EMAIL placeholder has been deprecated in favour of NEW_EMAIL placeholder. $content = str_replace( '###EMAIL###', '###NEW_EMAIL###', $content );
@SergeyBiryukov @audrasjb @johnbillion Do you know if a placeholder like this has been deprecated in the past? I'm wondering what to do with regard to throwing a warning. There doesn't seem to be an appropriate _deprectated_*()
function.
I just rehosted a site for a client, and am now receiving emails from the site stating I've recently requested to have the administration email changed. I didn't request it, and I've deleted the account the former admin could have used to log in. I've also changed all other passwords, and the host has changed.
This is the second time this has happened. The first time, I tried clicking the link to see if it would tell me the proposed new email that was requested, but instead it just authorized the change. And I couldn't change it back, because the confirmation email went to the new, unauthorized email. So I changed it directly in the database and now know better than to click the link.
I am trying to figure out how these emails are being generated...any ideas? Email I'm receiving is below.
Thanks!