[wp-trac] [WordPress Trac] #33209: Inviting a new user to Multisite results in password being emailed

WordPress Trac noreply at wordpress.org
Mon Nov 5 23:13:29 UTC 2018


#33209: Inviting a new user to Multisite results in password being emailed
------------------------------------+-----------------------------
 Reporter:  Ipstenu                 |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Future Release
Component:  Users                   |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:  multisite
------------------------------------+-----------------------------

Comment (by BjornW):

 A bit more info about this
 [https://core.trac.wordpress.org/attachment/ticket/33209/33209-3.diff
 patch]:

 == In short:
 This patch will make a **new default WordPress Mu installation safer**
 by removing the plain-text passwords from the
 welcome_email and welcome_user_email emails. It respects existing
 installations by not changing their settings (yet), but it will warn them
 that the PASSWORD token is deprecated.

 == Details:
 - It replaces the PASSWORD token from the default 'Welcome Email' and
 'Welcome User Email' template texts with a new token RESETLINK in the
 code. It does *NOT* change settings in the database to preserve backwards-
 compatibility.

 ''In a future WordPress version we should remove the PASSWORD token
 completely and replace it with the RESETLINK token automagically. However,
 doing this now might be too abrupt for users. Therefore I assume we want to
 deprecate and warn people first.''

 - It refactors the PASSWORD token replacement functionality into using a
 new filter called 'wpmu_replace_password_token'. This filter is being
 called using
 [https://developer.wordpress.org/reference/functions/apply_filters_deprecated/#parameters
 apply_filters_deprecated] to immediately deprecate the function so we can
 set a notice warning about NOT using the PASSWORD token anymore.

 ''It might even be extended into using an admin notice in the wp-admin for
 users with super_admin role, to make sure they are aware of this upcoming
 change''

 - The RESETLINK token functionality uses a new filter called
 'wpmu_replace_resetlink_token' to replace the RESETLINK token for a
 re(set) url.


 == To discuss:
 1. Is this the proper way to deprecate the usage of the PASSWORD token?
 2. Should we warn users with super_admin role about this change using an
 admin notice?
 3. Should we respect the existing settings or replace them automagically
 with the re(set) functionality now without even warning them?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/33209#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
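
The token handling described in the comment above, as an added stand-alone PHP example that is not WordPress core code and not the code in 33209-3.diff. All function names, the in-memory key store, the 24-hour lifetime and the example URL are assumptions, and unlike the patch as described, this sketch takes the stricter option from discussion point 3 and rewrites a legacy PASSWORD token to RESETLINK after raising the deprecation notice.

```php
<?php
// Added illustration: every name below is hypothetical, sample data is constructed.

const RESET_TTL = 86400; // assumed lifetime of a reset key, in seconds

/** Create a one-time reset key; only its hash and expiry are stored server-side. */
function issue_reset_key(array &$store, string $login, int $now): string {
    $key = bin2hex(random_bytes(20));
    $store[$login] = ['hash' => hash('sha256', $key), 'expires' => $now + RESET_TTL];
    return $key;
}

/** Redeem a key: must exist, be unexpired and match in constant time; single use. */
function redeem_reset_key(array &$store, string $login, string $key, int $now): bool {
    $rec = $store[$login] ?? null;
    $ok  = $rec !== null
        && $now <= $rec['expires']
        && hash_equals($rec['hash'], hash('sha256', $key));
    if ($ok) unset($store[$login]); // a redeemed key cannot be replayed
    return $ok;
}

/** Fill the welcome-mail tokens. PASSWORD is never expanded to a secret. */
function render_welcome_email(string $template, string $login, string $reset_url): string {
    if (strpos($template, 'PASSWORD') !== false) {
        // Templates saved by older installs may still carry the deprecated token.
        trigger_error('The PASSWORD token is deprecated; use RESETLINK.', E_USER_DEPRECATED);
        $template = str_replace('PASSWORD', 'RESETLINK', $template);
    }
    // strtr() does not rescan replaced text, so a login that contains a
    // token name cannot trigger a second substitution.
    return strtr($template, ['USERNAME' => $login, 'RESETLINK' => $reset_url]);
}

$store  = [];
$now    = time();
$key    = issue_reset_key($store, 'alice', $now);
$url    = 'https://network.example/reset?login=' . rawurlencode('alice') . '&key=' . $key;
$legacy = "Username: USERNAME\nPassword: PASSWORD\n"; // constructed old-style template
echo render_welcome_email($legacy, 'alice', $url);
var_dump(redeem_reset_key($store, 'alice', $key, $now + 60));  // first use of the link
var_dump(redeem_reset_key($store, 'alice', $key, $now + 120)); // replay of the same link
```

The mail body then carries only a key that expires and works once, so a copy of the message left in a mailbox or mail log does not hold a reusable credential.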

