WordPress.org

Make WordPress Core

Opened 13 months ago

Last modified 9 months ago

#44940 new defect (bug)

Empty confirm_key property in WP_User_Request when hooking in the user_request_action_email_content

Reported by: dingo_d Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: dev-feedback 2nd-opinion
Focuses: privacy Cc:
PR Number:

Description

I need to change the look (and the url) of the link for the request personal data deletion/export, so I hooked to user_request_action_email_content filter, and inspected the $email_data so that I can get the request ID and the confirm_key in my email.

But upon inspecting the data provided I can see the confirmation key in the confirm_url key of the $email_data, but the field in the object is empty.

This is intentional or a bug?

Array
(
    [request] => WP_User_Request Object
        (
            [ID] => 334
            [user_id] => 20
            [email] => my.email.[at]example.com
            [action_name] => export_personal_data
            [status] => request-pending
            [created_timestamp] => 1536847994
            [modified_timestamp] => 1536847994
            [confirmed_timestamp] => 0
            [completed_timestamp] => 0
            [request_data] => Array
                (
                )

            [confirm_key] => 
        )

    [email] => my.email.[at]example.com
    [description] => Export Personal Data
    [confirm_url] => https://my-site.com/wp-login.php?action=confirmaction&request_id=334&confirm_key=wjjeDD3mx5J02U51F7Zt
    [sitename] => My Cool site
    [siteurl] => https://my-site.com/
)

Change History (3)

#1 @birgire
13 months ago

  • Severity changed from major to normal
  • Version changed from 4.9.8 to 4.9.6

Thanks for the ticket @dingo_bastard

Having the confirm key available within these filters seems useful.

Within wp_send_user_request( $request_id ) the request is fetched by request ID with wp_get_user_request_data( $request_id ).

At that moment the confirm key has not been generated for the request.

Then the confirm key is generated by calling wp_generate_user_request_key( $request_id ).

That means the request is updated and stores the confirm key in the post_password field.

But then the request object, in the $email_data, becomes "dirty" (not refreshed) so it's still with an empty confirm key.

At first glance it seems that possible fixes could be to:

  • Re-fetch the request object into the $email_data.
  • Only update the confirm_key attribute, of the request object into the $email_data. But there's currently no set method in WP_User_Request.
  • Set the confirm key explicitly into $email_data['confirm_key'].
  • ...

after the confirm key is generated.

This ticket was mentioned in Slack in #core-privacy by desrosj. View the logs.


11 months ago

#3 @dd32
9 months ago

  • Reporter changed from dingo_bastard to dingo_d
Note: See TracTickets for help on using tickets.