[wp-trac] [WordPress Trac] #33800: wp_delete_user delete the user ID 1 if an object is passed in param

WordPress Trac noreply at wordpress.org
Fri Sep 11 01:32:14 UTC 2015


#33800: wp_delete_user delete the user ID 1 if an object is passed in param
--------------------------+------------------
 Reporter:  juliobox      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.4
Component:  Users         |     Version:  2.0
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+------------------
Changes (by boonebgorges):

 * milestone:  Awaiting Review => 4.4


Comment:

 A brief search through the codebase suggests that there are several dozen
 places where we cast a `$user_id` parameter to an integer. None of these
 instances are as harmful as `wp_delete_user()` (aside from
 `wpmu_delete_user()`, which has the exact same problem). And it's highly
 likely that we do the same thing in dozens of places with posts, terms,
 etc as well.

 In the long run, it would be ideal to modify all these functions - or at
 least the update/delete functions - so that they (a) do stricter type
 checking on the ID params, and (b) also accept the corresponding
 `WP_User`, `WP_Post`, etc objects. See #33638 for a related issue.

 In the short term, I don't think it's necessary to add `WP_User` support
 for this function. It's not currently possible to pass a user object to
 `wp_delete_user()`, and I don't see the benefit of adding it here without
 also adding it across the whole API. So let's just add `is_numeric()`
 checks to `wp_delete_user()` and `wpmu_delete_user()` for now.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33800#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
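
The failure mode discussed in this ticket, as an added example that is not part of the original message and is not WordPress core code: in PHP, casting an object or a non-empty array to an integer yields 1, so a delete routine that casts its ID parameter removes user 1 instead of the intended user, while an `is_numeric()` check before the cast rejects the call. The function names and the `$users` array are hypothetical stand-ins for the real user API and table.

```php
<?php
// Added illustration, not WordPress core code. The function names and the
// $users array are hypothetical stand-ins for the user table.

function sample_users() {
    // Constructed data: ID 1 is usually the first administrator account.
    return array( 1 => 'admin', 7 => 'editor', 12 => 'subscriber' );
}

// Pattern from the ticket: cast whatever was passed to an integer.
function delete_user_unsafe( array &$users, $id ) {
    // (int) on an object raises a notice/warning and evaluates to 1.
    $id = @(int) $id; // @ only hides that message in this demo
    if ( ! isset( $users[ $id ] ) ) {
        return false;
    }
    unset( $users[ $id ] );
    return true;
}

// Short-term fix proposed in the comment: is_numeric() before the cast.
function delete_user_checked( array &$users, $id ) {
    if ( ! is_numeric( $id ) ) {
        return false; // objects, arrays, null and 'abc' stop here
    }
    $id = (int) $id;
    if ( ! isset( $users[ $id ] ) ) {
        return false;
    }
    unset( $users[ $id ] );
    return true;
}

$user     = new stdClass();
$user->ID = 12; // caller meant user 12 but passed the whole object

$inputs = array( 'object' => $user, 'array' => array( 'ID' => 12 ), 'string "12"' => '12' );

foreach ( array( 'delete_user_unsafe', 'delete_user_checked' ) as $fn ) {
    foreach ( $inputs as $label => $input ) {
        $users  = sample_users();
        $result = $fn( $users, $input );
        printf( "%-20s %-12s deleted=%-5s remaining=%s\n", $fn, $label,
            var_export( $result, true ), implode( ',', array_keys( $users ) ) );
    }
}
```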

