Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#54213 new defect (bug)

"Authorize Application" should reject handling an already existing app name

Reported by: mark-k Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.6
Component: Application Passwords Keywords: needs-testing-info
Focuses: Cc:

Description

or give a better message than the current (5.8) "Each application name should be unique.".

Should probably point the user to their profile page with a message saying something like "if you want to get a new password to use for *appname* you should first revoke the current one"

If the app name does not exist at all as a URL parameter, it should probably just display some error on the page which indicates that an appname is missing and that it is probably a bug in the application that sent the user to the URL.

Change History (4)

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.


2 years ago

#2 @Boniu91
2 years ago

  • Keywords needs-testing-info added

Hello @mark-k

Thanks for creating this ticket. A while ago we made sure that application names should be unique:
https://core.trac.wordpress.org/ticket/51941

As a Test team, we wanted to better understand and reproduce the problem on our end. Could you provide us with the exact steps that we need to perform in order to see the problem?

Thank you!

#3 @mark-k
2 years ago

@Boniu91

  1. While logged in, go to wp-admin/authorize-application.php. With this URL there is no application name/id, and therefore it should just be denied, as on the admin side when adding an application password you must specify an application name. A message like "an application must supply an application name, contact the application's author with this information" should be displayed to the user.
  2. On the admin side, add an application password for an application "app". Now go to wp-admin/authorize-application.php?app_name=app. Even at this point any further steps should be denied, as the application already exists, and the user should be directed to his account to revoke the current password if he wants to reauthenticate the application.

In the current behaviour the user clicks "Yes I approve..." only to get a very user-hostile message that tells him what the code checks instead of telling him what steps he should take.

Now that I look at it, while trying to add the same app twice on the admin side, I see that the same message is used there, but from the context it is much easier to get what the problem is (although that message can probably be improved as well)

This ticket was mentioned in Slack in #core-test by boniu91. View the logs.


2 years ago
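The early rejection requested in this ticket can be approximated from a plugin. The following is an added example, not WordPress core code and not part of the ticket. It hooks the `wp_authorize_application_password_request_errors` action that core fires while validating an authorize-application request, and assumes WordPress 5.7 or later for `WP_Application_Passwords::application_name_exists_for_user()`. The error codes and message wording are hypothetical.

```php
<?php
/**
 * Added example (not core code): reject an authorize-application request
 * during validation when app_name is missing or already in use.
 * Error codes 'missing_app_name' and 'app_name_in_use' are hypothetical.
 */
add_action(
	'wp_authorize_application_password_request_errors',
	function ( $error, $request, $user ) {
		// Normalise the name the same way core does before storing it.
		$raw      = isset( $request['app_name'] ) ? (string) $request['app_name'] : '';
		$app_name = sanitize_text_field( wp_unslash( $raw ) );

		// Case 1 from the ticket: no app_name parameter at all.
		if ( '' === $app_name ) {
			$error->add(
				'missing_app_name',
				__( 'The application did not supply an application name. Contact the application\'s author with this information.' )
			);
			return;
		}

		// Case 2 from the ticket: the user already has a password under this name.
		// application_name_exists_for_user() exists since WordPress 5.7.
		if ( WP_Application_Passwords::application_name_exists_for_user( $user->ID, $app_name ) ) {
			$error->add(
				'app_name_in_use',
				sprintf(
					/* translators: 1: application name, 2: profile page URL. */
					__( 'An application password for "%1$s" already exists. To get a new password for it, first revoke the current one on <a href="%2$s">your profile page</a>.' ),
					esc_html( $app_name ),
					esc_url( admin_url( 'profile.php' ) )
				)
			);
		}
	},
	10,
	3
);
```

With this in place the validation result carries an actionable message instead of letting the user reach the approval button first.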
