Make WordPress Core

Opened 19 months ago

Last modified 19 months ago

#57413 new defect (bug)

Updating a user email via rest api doesn't trigger confirmation email

Reported by: dd32's profile dd32 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Users Keywords: has-patch has-unit-tests
Focuses: rest-api Cc:


When a user changes their email address through wp-admin/profile.php the email change is delayed until the user clicks a confirmation link in their email. This was implemented via #16470.

This doesn't happen when an administrator changes another users email address.

When a user updates their own email through the rest API (ie. POST /wp-json/wp/v2/users/1) the confirmation email is also not triggered, and the email change occurs instantly.

This is because the code for the email confirmation is a UI-only method, it's not attached to the user update event, simply the profile.php page submission.

The PR that will be attached to this will re-work the existing code to more generalise it and call it from the REST API.
As part of that, the confirmation link being changed from wp-admin/profile.php to /wp-login.php?action=confirm-email-change... makes more sense to me.

This could have unintended effects, as those using the REST API might be expecting changes to occur without any further action from the user, such as when there is a custom front-end, which this will break. Implementations would need to be updated to use a filter to remove the email confirmation step.

Change History (3)

This ticket was mentioned in PR #3813 on WordPress/wordpress-develop by @dd32.

19 months ago

  • Keywords has-patch has-unit-tests added

@dd32 commented on PR #3813:

19 months ago

Some additional unit tests of send_user_email_change_confirmation_email() and send_user_email_change_confirmation_process() wouldn't go astray.

Strings, documentation, and function naming likely needs a second set of eyes.

#3 @dd32
19 months ago

Something of note here, is that bbPress has it's own implementation of this functionality for it's user-edit page, to mimic the WordPress core behaviour.

Note: See TracTickets for help on using tickets.