[wp-trac] [WordPress Trac] #14949: Login gives false assurance of having logged out

WordPress Trac noreply at wordpress.org
Fri Aug 18 10:43:12 UTC 2023


#14949: Login gives false assurance of having logged out
-------------------------------------+-------------------------------------
 Reporter:  filosofo                 |       Owner:  rajinsharwar
     Type:  defect (bug)             |      Status:  accepted
 Priority:  normal                   |   Milestone:  6.4
Component:  Login and Registration   |     Version:
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:  administration,
  dev-feedback 2nd-opinion           |  multisite
-------------------------------------+-------------------------------------
Changes (by rajinsharwar):

 * keywords:  has-patch needs-testing dev-feedback => has-patch
     needs-testing dev-feedback 2nd-opinion


Comment:

 Okay, so testing with the patch (14949.3.diff). Works as expected, but I am
 worried about two scenarios.

 1. If the user is not an Administrator, and the admin doesn't want his
 users to visit their wp-admin dash, in that case, the user with a
 non-Administrator role will be forcibly redirected to the admin page.

 2. If the user is not logged in, and the link is opened
 "http://localhost:10058/wp-login.php?loggedout=true", WordPress again
 falsely tells you that "You are now logged out.". This might not cause any
 issues but isn't correct logically.


 == Here is my proposed solution.

 We can check if the user is logged in. If he is logged in and tries to
 access "**/wp-login.php?loggedout=true**", instead of redirecting them to
 the admin dash, we can show him the "**You are attempting to log out of
 %s. Do you really want to <a href="%s">log out</a>?**". That means we can
 show him the screen which we currently show for the
 "**/wp-login.php?action=logout**". This way they won't be forcibly
 redirected anywhere, and they can log out from there if they want.

 Secondly, if they are not logged in, we can just redirect them to the
 login URL, instead of showing the message "You have logged out".

 Let me know what others think about this.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/14949#comment:38>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform