Opened 3 months ago
#48508 new defect (bug)
User cache needs to be cleaned after updating user_activation_key via wpdb
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | |
| Focuses: | Cc: | ||
| PR Number: |
Description
The r45716 has replaced direct SQL query for getting user_activation_key for get_user_by function call. However, it get_user_by takes advantage of cache and may return a cached user object.
In case a WP install is using a persistent cache backend (memcache, redis ...), a direct update of user_activation_key via $wpdb->update (eg.: done by a plugin), would not invalidate the cache, and newly added activation key would then get rejected as invalid.
There are some plugins / pieces of code out there, which are performing the direct SQL update and which might stop working under mentioned conditions (persistent cache backend). Eg.:
- https://plugins.trac.wordpress.org/browser/bnfw/tags/1.7.5/includes/overrides.php#L97
- https://plugins.trac.wordpress.org/browser/sailthru-widget/tags/3.3.0/sailthru_mail.php#L115
- https://github.com/haekalby/fkp/blob/442fec37333faba4e1a84a346ca5384bee54138/wp-content/themes/forumengine/includes/core/class-email-confirmation.php#L92
- https://github.com/localymine/medican/blob/da89cb3354c3fe6139caa562a7063dae870cf4da/wp-content/themes/medican-child/woocommerce/myaccount/resetpassword.php#L13
A hotfix for the issue in affected plugins/code would be to call clean_user_cache function or use the get_password_reset_key function or wp_update_user, which, since r45714, uses wp_update_user, and thus is properly clearing the caches.