[wp-trac] [WordPress Trac] #28435: wp_insert_user/wp_update_user break when passed WP_User instance

WordPress Trac noreply at wordpress.org
Tue Jun 3 04:57:52 UTC 2014


#28435: wp_insert_user/wp_update_user break when passed WP_User instance
--------------------------+-----------------------------
 Reporter:  rmccue        |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Supposedly fixed in #21429. (Tangential to #28019)

 If you pass a `WP_User` instance to `wp_update_user` or `wp_insert_user`,
 it first calls `WP_User::to_array`, which returns the user data from the
 DB. This is then treated as the input data.

 The problem then is that `$userdata['user_pass']` is '''always''' set, as
 it's always included in `$userdata`. This then gets double-hashed by
 `wp_update_user`. (`wp_update_user` will then update the cookies, so the
 user won't notice until they're logged out)

 To reproduce:
 {{{
 <?php
 $testuserid = 1;

 $user = get_userdata( $testuserid );

 echo 'Before: ' . $user->user_pass;

 wp_update_user( $user );

 // Reload the data
 $user = get_userdata( $testuserid );

 echo 'After: ' . $user->user_pass;
 }}}

 Current output:
 {{{
 Before: $P$BDqB8PmujqwtUNqnDW/aiQKuAEvm741
 After: $P$BsqV0Lkka4QIWE9RaveZ49wvOMnHD//
 }}}

 This operation should have been a no-op, but isn't.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28435>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
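The double-hashing described in the ticket, modelled as an added stand-alone example (not code from the ticket or from WordPress core). The `model_*` functions, `can_log_in`, `report` and the sample password are hypothetical, and PHP's `password_hash()`/`password_verify()` stand in for WordPress's own hashing; the guarded variant drops `user_pass` when it only echoes the stored hash.

```php
<?php
// Stand-alone model of the reported behaviour; runs without WordPress.
// Hypothetical names throughout; password_hash()/password_verify() stand in
// for WordPress's own password hashing.

// Constructed sample "users table" with one account.
$db = [ 1 => [
    'ID'         => 1,
    'user_login' => 'admin',
    'user_pass'  => password_hash( 'correct horse', PASSWORD_DEFAULT ),
] ];

// Models the update path as the ticket describes it: whenever 'user_pass' is
// present it is treated as a new plaintext password and hashed before storage.
function model_update_user( array &$db, array $userdata ): void {
    if ( isset( $userdata['user_pass'] ) ) {
        $userdata['user_pass'] = password_hash( $userdata['user_pass'], PASSWORD_DEFAULT );
    }
    $db[ $userdata['ID'] ] = array_merge( $db[ $userdata['ID'] ], $userdata );
}

// Caller-side guard: drop 'user_pass' when it only echoes the stored hash,
// so a full record read from storage can be passed back without rehashing.
function model_update_user_safely( array &$db, array $userdata ): void {
    $stored = $db[ $userdata['ID'] ]['user_pass'];
    if ( isset( $userdata['user_pass'] ) && hash_equals( $stored, $userdata['user_pass'] ) ) {
        unset( $userdata['user_pass'] );
    }
    model_update_user( $db, $userdata );
}

// True when $password verifies against the hash currently stored for $id.
function can_log_in( array $db, int $id, string $password ): bool {
    return password_verify( $password, $db[ $id ]['user_pass'] );
}

function report( string $label, array $db ): void {
    printf( "%-28s login %s\n", $label, can_log_in( $db, 1, 'correct horse' ) ? 'works' : 'FAILS' );
}

report( 'Initial state:', $db );

// Round trip of the stored record through the guarded path.
model_update_user_safely( $db, $db[1] );
report( 'After guarded update:', $db );

// Round trip through the unguarded path: the stored hash itself gets hashed.
model_update_user( $db, $db[1] );
report( 'After unguarded update:', $db );
```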

