#58194 closed defect (bug) (fixed)
Users: Don't show 'Reset Password' link if password reset is not allowed
Reported by: | ocean90 | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.3 | Priority: | normal |
Severity: | normal | Version: | 5.7 |
Component: | Users | Keywords: | good-first-bug has-patch needs-testing |
Focuses: | administration | Cc: |
Description
With the allow_password_reset filter it's possible to disallow a password reset per user. The value of this filter is not checked when adding the 'Reset Password' link to the list table actions added in #34281. In such cases you still get a "Password reset link sent." notice but no email is actually sent.
Relevant part in core: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-users-list-table.php?rev=55276&marks=502-507#L502
Change History (22)
This ticket was mentioned in PR #4389 on WordPress/wordpress-develop by Cshark1.
21 months ago
#2
- Keywords has-patch added; needs-patch removed
This ticket was mentioned in PR #4573 on WordPress/wordpress-develop by @ocean90.
20 months ago
#4
Trac ticket: https://core.trac.wordpress.org/ticket/58194
#5
@
20 months ago
@cshark Thank you for the patch. Based on this I created a new PR where I have introduced wp_is_password_reset_allowed_for_user()
which can be used to DRY up the code a bit because there's also a link on the profile page which shouldn't be visible either.
#8
@
19 months ago
We need to test in 3 different places.
- "Send Reset Link" button on user profile screen.
- "Send password reset" option in the user list bulk action dropdown.
- "Send password reset" quick action when hovering over a username in the user list.
Ref: https://core.trac.wordpress.org/ticket/34281#comment:87
#9
@
19 months ago
Test Report
This report validates that the indicated patch doesn't address the issue.
Patch tested: https://github.com/WordPress/wordpress-develop/pull/4573
Environment
- OS: macOS 13.2.1
- Web Server: Nginx
- PHP: 7.4.30
- WordPress: 6.3-beta2-56100-src
- Browser: Chrome 114.0.5735.198
- Theme: Twenty Twenty-Three
- Active Plugins:
- Demo Plugin (to use the filter)
Actual Results
- ❌ Issue not resolved with the patch.
Additional Notes
Checked in 3 places.
- ✅ "Send Reset Link" button on user profile screen.
- ❌ "Send password reset" option in the user list bulk action dropdown.
- ✅ "Send password reset" quick action when hovering over a username in the user list.
After disabling the reset password using the filter, I see 2 out of 3 places are fixed. However, bulk action is still having Send password reset
option.
Supplemental Artifacts
Screenshots after applying patch:
- "Send Reset Link" on edit user profile: https://drive.google.com/file/d/1Jurao_mvGf13fGRnzwVHLwvI6b085MPj/view?usp=sharing
- "Send password reset" bulk action: https://drive.google.com/file/d/1xQCO-qXGugsDO1pmX6vP99CFDd4Ln5u1/view?usp=sharing
- "Send password reset" quick action: https://drive.google.com/file/d/1sfc5EuSlCgIZpIyKSt-VLWCH56mtIYVP/view?usp=sharing
#10
@
19 months ago
Regarding the test report, I think this may be acceptable for the patch landing.
The logic is that there is a filter for allowing password resets generally and/or specific users. In order to know we should not display the bulk item, we need to confirm that the filter is set to disallow generally and set to disallow for all users (at least those listed on the page).
There's also not going to be a good way, IMO, to indicate which users could or could not have a reset sent in that scenario.
This ticket was mentioned in Slack in #core-test by robinwpdeveloper. View the logs.
19 months ago
#12
@
19 months ago
I agree with @kraftbj
We can skip => "Send password reset" option in the user list bulk action dropdown.
Remaining 2 occurrences are working fine.
PR is good to land.
#15
@
19 months ago
When exactly would wp_is_password_reset_allowed_for_user()
return WP_Error
? Just when the return value is filtered? If so, the possible type should be added to the filter's docblock.
@audrasjb commented on PR #4573:
19 months ago
#17
committed in https://core.trac.wordpress.org/changeset/56150
@audrasjb commented on PR #4389:
19 months ago
#18
committed in https://core.trac.wordpress.org/changeset/56150
#19
@
19 months ago
Good point @swissspidy.
I'm not sure there is any value in assuming that wp_is_password_reset_allowed_for_user()
may return WP_Error
, even using the filter. In that case, it may also return a string, an array, etc.
#20
@
19 months ago
- Keywords needs-testing removed
Probably better to simply remove WP_Error
from the @return
declaration.
#22
@
19 months ago
- Keywords needs-testing added
The WP_Error
is just for back-compat as it was already possible before, see https://github.com/WordPress/wordpress-develop/blob/bea4307daa21a3f97d159898b0ac676332e0e7de/src/wp-includes/user.php#L2903-L2905.
Since it wasn't documented in the filter before I didn't want to promote this usage further but since it's possible it's important to document at least the return value otherwise a non-true check will cause issues. I think [56150] is good as is.
If the allow_password_reset filter is set to false, the admin panel still shows the
Send Password reset
, even though this does nothing. This PR adds a check to see if the filter is set to false and if it is set to false it does not show the button.See: https://core.trac.wordpress.org/ticket/58194