[wp-trac] [WordPress Trac] #25603: Update about page for WordPress 3.7

WordPress Trac noreply at wordpress.org
Wed Oct 23 17:11:21 UTC 2013


#25603: Update about page for WordPress 3.7
----------------------------+-----------------------
 Reporter:  jorbin          |       Owner:  nacin
     Type:  task (blessed)  |      Status:  reopened
 Priority:  normal          |   Milestone:  3.7
Component:  Help/About      |     Version:  trunk
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |
----------------------------+-----------------------

Comment (by nacin):

 As reported in IRC by boogah (also in discussion: jorbin, ipstenu,
 DH-Shredder, dotben), there are a few issues with the way the about page
 presents the background update status of the site:

  * It exposes the email address to everyone. Authors can see the
 admin_email, and in multisite, anyone can see the network admin email.
 (This email address is supposedly used for communication with users, but
 that's not really the case.) Suppressing the email is therefore necessary.

  * If auto updates are 100% disabled, we'll claim that we'll email users
 of pending updates — but that's not true, as the update notification is
 currently baked directly into the automatic updater class. I snuck in a
 comment yesterday in [25873]; you can see it at the top: "This [100%
 disabling] also disables update notification emails. That may change in
 the future."

 The solution proposed in [attachment:25603.20.diff] does the following:
  * current_user_can( 'update_core' ) is required to view the site's
 status.
  * If the automatic updater is 100% disabled, we don't show anything
 either. This only happens for DISALLOW_FILE_MODS (for which
 current_user_can( 'update_core' ) fails anyway),
 AUTOMATIC_UPDATER_DISABLED, and the automatic_updater_disabled filter.
 Note that this constant and filter is the '''updater''', not particular
 updates. To only disable core updates, you will want to use the
 auto_update_core filter, the WP_AUTO_UPDATE_CORE constant, or the various
 allow_*_auto_core_updates filters (where * is 'dev', 'minor', and
 'major').
  * It assumes that if the user can update_core, they can see the admin
 email.
  * It hides the notice about the email when the filter
 `notify_core_update` returns false. This is a new filter in the patch.
 Basically, this is a filter that is more general than the automatic
 updater, for a time in the future (probably 3.8) when emails are
 specifically top-level, rather than piggybacked to the updater process.
 (Thus, merely blocking the updater will not be enough to block emails in
 the future.)
  * Adds the notify_core_update filter because the filter
 auto_core_update_send_email also blocks critical failure and update
 success emails. We don't want people using that filter to block
 *notification* emails, because they might accidentally block fail/success
 emails as well. That _send_email filter isn't even run for 'manual'
 (update notification) emails anymore.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25603#comment:36>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
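
The visibility rules described in the comment above, as an added PHP example; it is not the code of [attachment:25603.20.diff] and not WordPress core. The `example_*` function names and `$ctx` keys are hypothetical, and calling `notify_core_update` with a single boolean default is an assumption, since the comment does not give the filter's arguments.

```php
<?php
// Added example, not the code of 25603.20.diff. Function names and the
// $ctx keys are hypothetical; the notify_core_update arguments are assumed.

/** Decide what the About page may reveal to the current viewer. */
function example_about_update_notice( array $ctx ) {
	// Without update_core, or with the updater fully disabled, show nothing,
	// so the address never reaches authors or ordinary network users.
	if ( ! $ctx['can_update_core'] || $ctx['updater_disabled'] ) {
		return array( 'show_status' => false, 'email' => null );
	}
	// The status is shown; the address only if notification emails are on.
	$email = $ctx['notify'] ? $ctx['admin_email'] : null;
	return array( 'show_status' => true, 'email' => $email );
}

/** Inside WordPress: gather the inputs named in the comment above. */
function example_about_update_context() {
	$off = defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED;
	$off = (bool) apply_filters( 'automatic_updater_disabled', $off );
	if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
		$off = true; // Treated as not filterable in this sketch.
	}
	return array(
		'can_update_core'  => current_user_can( 'update_core' ),
		'updater_disabled' => $off,
		'notify'           => (bool) apply_filters( 'notify_core_update', true ),
		'admin_email'      => is_multisite() ? get_site_option( 'admin_email' ) : get_option( 'admin_email' ),
	);
}

// Outside WordPress: run constructed viewers through the decision.
if ( ! defined( 'ABSPATH' ) ) {
	$cases = array( // can_update_core, updater_disabled, notify
		'author'                   => array( false, false, true ),
		'admin, updater disabled'  => array( true, true, true ),
		'admin, notifications off' => array( true, false, false ),
		'admin, defaults'          => array( true, false, true ),
	);
	foreach ( $cases as $label => $c ) {
		$ctx = array( 'can_update_core' => $c[0], 'updater_disabled' => $c[1],
			'notify' => $c[2], 'admin_email' => 'admin@example.test' ); // constructed
		$out = example_about_update_notice( $ctx );
		printf( "%-25s status=%-5s email=%s\n", $label,
			var_export( $out['show_status'], true ), var_export( $out['email'], true ) );
	}
}
```

Inside WordPress, pass the result of `example_about_update_context()` to `example_about_update_notice()` and run any returned address through `esc_html()` before printing it.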

