Opened 3 weeks ago
Last modified 4 days ago
#62485 new defect (bug)
Lost Password form action URL is not using wp_lostpassword_url
Reported by: | talextech | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | minor | Version: | |
Component: | Login and Registration | Keywords: | has-patch |
Focuses: | Cc: |
Description
Lost Password form action URL is set by
<?php echo esc_url( network_site_url( 'wp-login.php?action=lostpassword', 'login_post' ) );
Because of this, if lostpassword_url filter is used the lost password form will no longer work. So ideally the action should be set to:
<?php echo esc_url( wp_lostpassword_url($redirect_to) );
Attached is the updated wp-login.php file with the action URL changed on line 896
Attachments (1)
Change History (6)
This ticket was mentioned in PR #7850 on WordPress/wordpress-develop by @sainathpoojary.
3 weeks ago
#1
- Keywords has-patch added
This PR updates the Lost Password form action in wp-login.php to use wp_lostpassword_url()
instead of network_site_url()
. This change ensures compatibility with the lostpassword_url filter, allowing for greater flexibility in customizing the URL.
---
Trac ticket: #62485
#3
@
3 weeks ago
Nice catch @talextech!
The wp-login.php
file has a set of default actions that determine how the page behaves. If a request is made with an action outside of these defaults, the page redirects to the login page. The current list of default actions includes:
$default_actions = array( 'confirm_admin_email', 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'checkemail', 'confirmaction', 'login', WP_Recovery_Mode_Link_Service::LOGIN_ACTION_ENTERED, );
To resolve this issue, we need to either update the $default_actions
array to include the desired custom actions or remove the lostpassword_url
filter to prevent redirection.
#4
@
3 weeks ago
- Severity changed from normal to minor
Well, you don't necessarily need a new action. You could have just customized the login URL.
But after going over it a bit more, changing anything here might be more work than it's worth, involve way too many edge cases and potentially breaking 3rd party code.
- The same issue applies to the registration form which also has the registraion URL hardcoded.
- If you just filter site_url and network_site_url and replace wp-login.php there it should achieve customizing the login URL just as well.
- If we change the action URL for registration and lost password we would still be using site_url() in other places and things won't be uniform anymore.
So unless anyone else thinks there's something worth pursuing here I guess this ticket can be closed. I wanted a core contribution 😁 but this isn't something that needs any fix.
@rinkalpagdar commented on PR #7850:
4 days ago
#5
hello @SainathPoojary
Can you please elaborate on what this PR changed in the login form?
updated form action at line 896