Make WordPress Core

Opened 17 years ago

Closed 16 years ago

#7291 closed defect (bug) (fixed)

user-edit.php doesn't do user exist check

Reported by: viper007bond's profile Viper007Bond Owned by:
Milestone: 2.7 Priority: lowest
Severity: minor Version: 2.6
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

Visit /wp-admin/user-edit.php?user_id=1337 on your test install. No error will display even though the user doesn't (probably) exist.

Attachments (2)

user_edit2.6.diff (455 bytes) - added by mrmist 17 years ago.
Based on wp-admin/user-edit.php 2.6 version
user2.6.diff (480 bytes) - added by mrmist 17 years ago.
based on wp-admin/includes/user.php 2.6 version

Download all attachments as: .zip

Change History (4)

@mrmist
17 years ago

Based on wp-admin/user-edit.php 2.6 version

@mrmist
17 years ago

based on wp-admin/includes/user.php 2.6 version

#1 @mrmist
17 years ago

  • Keywords has-patch added; needs-patch removed

My attempt at this - adds a function check_user_id($id) which checks in the users database and returns the id that matches (if the user exists) or an empty set. Then adds logic to user_edit to check the id passed using the function.

If the user id does not exist, the page calls wp_die.

Strictly, the logic doing the test before the wp_die is unnecessary, as the immediately following block of code will pick up the empty id, but I thought it best to include the check so that the test is self-sufficient.

In IE7 with pretty errors enabled, you get a internal server error not the wp_die message.

#2 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [9135]) Die if invalid user ID passed to user-edit.php. fixes #7291

Note: See TracTickets for help on using tickets.