[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link
WordPress Trac
noreply at wordpress.org
Mon Feb 1 16:03:58 UTC 2021
#34281: Allow admins to send users a 'Reset Password' link
----------------------------------------------------+---------------------------
Reporter: Ipstenu                                   | Owner: adamsilverstein
Type: enhancement                                   | Status: assigned
Priority: normal                                    | Milestone: Future Release
Component: Users                                    | Version: 4.4
Severity: normal                                    | Resolution:
Keywords: has-screenshots has-ux-feedback has-patch | Focuses: javascript
----------------------------------------------------+---------------------------
Comment (by johnbillion):
[attachment:"34281.12.diff"] makes a couple of tweaks:
 * Removed the formatting-only changes (mostly `==` to `===`) that aren't
   related to the functional change, these should happen in a separate ticket
   so they can be checked properly.
 * Adjusted the formatting of `retrieve_password()` to minimise the
   non-functional changes and make it easier to see the diff from its old
   version. Below is the actual diff.
 * There are two noticeable changes to `retrieve_password()` as a result.
   These appear to create a functional change that might not be expected. The
   two `sanitize_*()` functions both strip octets and entities, for example.
   @adamsilverstein what's the reason for switching to using these functions?
   - `sanitize_email(...)` is used instead of `trim( wp_unslash(...) )`
   - `sanitize_user(...)` is used instead of `trim( wp_unslash(...) )`
{{{#!diff
--- wp-login.php
+++ wp-includes/functions.php
@@ -351,23 +351,35 @@
* Handles sending a password retrieval email to a user.
*
* @since 2.5.0
+ * @since 5.7.0 Added `$user_login` parameter.
*
+ * Note: prior to 5.7.0 this function was in wp_login.php.
+ *
+ * @global wpdb $wpdb WordPress database abstraction
object.
+ * @global PasswordHash $wp_hasher Portable PHP password hashing
framework.
+ *
+ * @param string $user_login Optional user_login, default null.
Uses
+ * `$_POST['user_login']` if
`$user_login` not set.
* @return true|WP_Error True when finished, WP_Error object on error.
*/
-function retrieve_password() {
+function retrieve_password( $user_login = null ) {
$errors = new WP_Error();
$user_data = false;
- if ( empty( $_POST['user_login'] ) || ! is_string(
$_POST['user_login'] ) ) {
+ // Use the passed $user_login if available, otherwise use
$_POST['user_login'].
+ if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
+ $user_login = $_POST['user_login'];
+ }
+
+ if ( empty( $user_login ) ) {
$errors->add( 'empty_username', __(
'<strong>Error</strong>: Please enter a username or email address.' ) );
- } elseif ( strpos( $_POST['user_login'], '@' ) ) {
- $user_data = get_user_by( 'email', trim( wp_unslash(
$_POST['user_login'] ) ) );
+ } elseif ( strpos( $user_login, '@' ) ) {
+ $user_data = get_user_by( 'email', sanitize_email(
$user_login ) );
if ( empty( $user_data ) ) {
$errors->add( 'invalid_email', __(
'<strong>Error</strong>: There is no account with that username or email
address.' ) );
}
} else {
- $login = trim( wp_unslash( $_POST['user_login'] ) );
- $user_data = get_user_by( 'login', $login );
+ $user_data = get_user_by( 'login', sanitize_user(
$user_login ) );
}
/**
}}}
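Review bot: The replacement guard `if ( empty( $user_login ) )` no longer includes the `is_string()` test that the removed `$_POST['user_login']` check had, and the value is copied from `$_POST` without `wp_unslash()`. A request that sends `user_login` as a non-empty array therefore passes `empty()` and reaches `strpos( $user_login, '@' )`, which raises a TypeError on PHP 8 and a warning on earlier versions, and a string value is now looked up with its slashes still in place. Suggest keeping the type check and unslashing at the point of assignment, for example `$user_login = wp_unslash( $_POST['user_login'] );` guarded by `is_string( $_POST['user_login'] )`, and rejecting a non-string `$user_login` argument the same way. In the docblock, `wp_login.php` should read `wp-login.php` to match the file named in the diff header, and a parameter that defaults to null is better typed `string|null`.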
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:73>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform