[wp-trac] [WordPress Trac] #35715: edit_user() doesn't check for empty password (pass1).

WordPress Trac noreply at wordpress.org
Mon Feb 29 15:37:51 UTC 2016

#35715: edit_user() doesn't check for empty password (pass1).
 Reporter:  gitlost                              |       Owner:
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  Future
Component:  Users                                |  Release
 Severity:  normal                               |     Version:  4.4
 Keywords:  needs-testing good-first-bug has-    |  Resolution:
  patch                                          |     Focuses:

Comment (by gitlost):

 Hi, seeing as you ask(!) note that patches should be made from the SVN
 trunk root so in this case the diff should reference
 "src/wp-admin/includes/user.php" rather than just
 "wp-admin/includes/user.php". Also you should run phpunit after applying
 your patch (here in particular `phpunit --group=user`) to check it doesn't
 obviously break stuff, and preferably include a failing-before /
 succeeding-after unit test.

 On the actual patch I think the check should be made after the
 `'check_passwords'` action is called to maintain flexibility. Also it
 should only be checked when adding a user (`! $updated`) as using a blank
 password when updating a user is legitimate usage (meaning don't update
 the password). Also I think it should only check `$pass1` as there's
 already a check for `$pass1 != $pass2`.

 I'll upload a unit test.

Ticket URL: <https://core.trac.wordpress.org/ticket/35715#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
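
The check ordering proposed in the comment above, as an added stand-alone PHP sketch (not WordPress core code and not the ticket's patch). `validate_password_fields()`, `$is_update`, the error codes and the sample hook are hypothetical names; the `$hook` parameter stands in for a `'check_passwords'` callback.

```php
<?php
// Added illustration: a stand-alone model of the check ordering discussed in the
// ticket comment. Function name, parameters and error codes are hypothetical.

/**
 * @param string        $pass1     Password field.
 * @param string        $pass2     Confirmation field.
 * @param bool          $is_update True when editing an existing user, false when adding.
 * @param callable|null $hook      Stand-in for a 'check_passwords' callback; receives
 *                                 both fields by reference and may change them.
 * @return string[] Error codes; an empty array means the fields are acceptable.
 */
function validate_password_fields( string $pass1, string $pass2, bool $is_update, ?callable $hook = null ): array {
    $errors = array();

    // 1. Run the hook first so a callback can still inspect or replace the values.
    if ( null !== $hook ) {
        $hook( $pass1, $pass2 );
    }

    // 2. Blank check only when adding a user: on update, a blank pass1 means
    //    "leave the stored password unchanged" and must stay legal.
    if ( ! $is_update && '' === $pass1 ) {
        $errors[] = 'empty_password';
    }

    // 3. The mismatch check already covers pass2, so pass2 needs no blank check.
    if ( $pass1 !== $pass2 ) {
        $errors[] = 'password_mismatch';
    }

    return $errors;
}

// Constructed sample callback: fills in a random password when none was supplied.
$generate = function ( &$p1, &$p2 ) {
    if ( '' === $p1 ) {
        $p1 = $p2 = bin2hex( random_bytes( 16 ) );
    }
};

// Constructed sample inputs covering the cases the comment distinguishes.
var_dump( validate_password_fields( '', '', false ) );            // add user, blank password
var_dump( validate_password_fields( '', '', true ) );             // update user, blank password
var_dump( validate_password_fields( '', '', false, $generate ) ); // add user, hook supplies one
var_dump( validate_password_fields( 'a', 'b', false ) );          // add user, fields differ
```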