Opened 6 years ago
Closed 4 months ago
#48508 closed defect (bug) (worksforme)
User cache needs to be cleaned after updating user_activation_key via wpdb
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | |
| Focuses: | Cc: |
Description
The r45716 has replaced direct SQL query for getting user_activation_key for get_user_by function call. However, it get_user_by takes advantage of cache and may return a cached user object.
In case a WP install is using a persistent cache backend (memcache, redis ...), a direct update of user_activation_key via $wpdb->update (eg.: done by a plugin), would not invalidate the cache, and newly added activation key would then get rejected as invalid.
There are some plugins / pieces of code out there, which are performing the direct SQL update and which might stop working under mentioned conditions (persistent cache backend). Eg.:
- https://plugins.trac.wordpress.org/browser/bnfw/tags/1.7.5/includes/overrides.php#L97
- https://plugins.trac.wordpress.org/browser/sailthru-widget/tags/3.3.0/sailthru_mail.php#L115
- https://github.com/haekalby/fkp/blob/442fec37333faba4e1a84a346ca5384bee54138/wp-content/themes/forumengine/includes/core/class-email-confirmation.php#L92
- https://github.com/localymine/medican/blob/da89cb3354c3fe6139caa562a7063dae870cf4da/wp-content/themes/medican-child/woocommerce/myaccount/resetpassword.php#L13
A hotfix for the issue in affected plugins/code would be to call clean_user_cache function or use the get_password_reset_key function or wp_update_user, which, since r45714, uses wp_update_user, and thus is properly clearing the caches.
Going to close this ticket as there does not appear to be an opportunity to improve the WordPress core code itself. If I'm incorrect, please feel free to reopen! 😅
Like @davidbinda already mentioned, switching to
get_user_by()andwp_update_user ()was intentional, and integrating the user cache there means direct database queries elsewhere may have problematic consequences.When plugins/themes use
$wpdbto update database rows directly, they have a responsibility to clean the caches related to their queries at the same time.(Which caches to clean can be a mystery sometimes, but improved docs & AI tooling is helping with this, etc...)