Make WordPress Core

Opened 3 years ago

Last modified 6 months ago

#54685 new defect (bug)

Admin email verification redirects back to login page

Reported by: golenkovm's profile golenkovm Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.8.1
Component: Login and Registration Keywords: has-patch
Focuses: administration Cc:

Description

Hi everyone,

Recently, our admins started to getting Administration email confirmation on logon. However, after clicking on This email is correct admins are redirected back to login page and asked to login again. We've tried many times and it's an infinite loop of logging in, confirming email address, redirecting back to login page, logging in, confirming email addres, redirecting to login page and so on.

We use login URL configured on the /wp-admin/options-general.php?page=move-login page and it seems like WP doesn't properly handle admin email confirmation when login URL is set. I had a look at the codebase and I believe this ?action=confirm_admin_email string parameter gets lost when webserver redirects wp-login.php to configured login page: https://github.com/WordPress/WordPress/blob/b788e6255a97dbdd1dc55d42f8fbeeb66c806214/wp-login.php#L623

I added one more hidden input same way as redirect_to is implemented https://github.com/WordPress/WordPress/blob/b788e6255a97dbdd1dc55d42f8fbeeb66c806214/wp-login.php#L635 and this fixed the issue.

I'm happy to attach a patch file.

Kind regards,
Mikhail Golenkov

Attachments (1)

WP54685.diff (964 bytes) - added by golenkovm 3 years ago.
Patch for the ticket

Download all attachments as: .zip

Change History (5)

@golenkovm
3 years ago

Patch for the ticket

#1 @sabernhardt
3 years ago

  • Component changed from General to Login and Registration
  • Keywords has-patch added

#2 @golenkovm
3 years ago

After having another look I'd like to add that .htaccess has the following line:

RewriteRule ^client-adminlogin/?$ wp-login.php [QSA,L]

However, HTML form still doesn't have ?action=confirm_admin_email added to the action URL:

<form class="admin-email-confirm-form" name="admin-email-confirm-form" action="https://client-wordpress/client-adminlogin" method="post">

Perhaps, it's just a configuration issue and the patch is not needed. If so, please feel free to let me know what should be done to pass ?action=confirm_admin_email to the action URL.

Cheers,
Mikhail Golenkov

#3 in reply to: ↑ description @SergeyBiryukov
3 years ago

Hi there, welcome to WordPress Trac! Thanks for the ticket.

Replying to golenkovm:

We use login URL configured on the /wp-admin/options-general.php?page=move-login page and it seems like WP doesn't properly handle admin email confirmation when login URL is set.

Just noting that the Move Login page is not a part of WordPress core and appears to be created by a plugin, most likely Move Login (last updated 5 years ago). So at a glance, this does seem like either a configuration issue or something that the plugin would need to be updated to support.

The current URL appears to be more consistent with other form action URLs in wp-login.php:

  • wp-login.php?action=confirm_admin_email
  • wp-login.php?action=lostpassword
  • wp-login.php?action=resetpass
  • wp-login.php?action=register

#4 @rajinsharwar
13 months ago

Hi @SergeyBiryukov, following up on this old ticket. I believe in that case, we can close this down, shouldn't we?

Note: See TracTickets for help on using tickets.