[wp-trac] [WordPress Trac] #58407: resetpassword action on users.php (users list page) handles retrieve_password() return incorrectly

WordPress Trac noreply at wordpress.org
Thu May 25 13:16:54 UTC 2023


#58407: resetpassword action on users.php (users list page) handles
retrieve_password() return incorrectly
--------------------------------+-----------------------------
 Reporter:  letraceursnork      |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Users               |    Version:  6.2.2
 Severity:  trivial             |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
 I've noticed there are 3 usages of the `retrieve_password()` function across
 the core - in `ajax-actions.php`, `wp-login.php` and `users.php`. The
 last one handles its return incorrectly: `if
 (retrieve_password($user->user_login))` despite the fact that the function
 returns `true|WP_Error`, and if the answer is `WP_Error` - the `if` condition
 still works, while semantically it should not (and the two other usages
 implement that kind of logic - there are additional checks via
 `is_wp_error()`).

 What I did to produce the problem:
 1. Forbade resetting users' passwords via the `allow_password_reset` hook (for
 example, by hooking `__return_false` to it)
 2. Tried to reset it as an admin on the '/users.php' page
 3. Got a success message 'Password reset link sent.'

 Step three is the problem - the message should be something like 'Password reset is
 not allowed for this user'

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58407>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
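
The return-value handling this ticket describes, as an added example that is not part of the original report or of WordPress core. The `WP_Error` class, `is_wp_error()` and `retrieve_password_stub()` below are minimal stand-ins written so the script runs outside WordPress; the function names, error code and sample logins are constructed.

```php
<?php
// Minimal stand-ins so this runs outside WordPress (assumptions, not core code).
class WP_Error {
    private $code;
    private $message;
    public function __construct( $code, $message ) {
        $this->code    = $code;
        $this->message = $message;
    }
    public function get_error_message() { return $this->message; }
}
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }

// Stand-in for retrieve_password(): returns true or WP_Error, as the ticket states.
// $allowed models the outcome of the allow_password_reset filter.
function retrieve_password_stub( $user_login, $allowed ) {
    if ( ! $allowed ) {
        // Constructed error code; message text taken from the ticket's suggestion.
        return new WP_Error( 'reset_not_allowed', 'Password reset is not allowed for this user' );
    }
    return true;
}

// Check as quoted in the ticket: every object is truthy in PHP,
// so a returned WP_Error is counted as a successful reset.
function count_resets_truthy( array $logins, $allowed ) {
    $count = 0;
    foreach ( $logins as $login ) {
        if ( retrieve_password_stub( $login, $allowed ) ) { ++$count; }
    }
    return $count;
}

// Check with is_wp_error() first, the pattern the ticket attributes to the other callers.
function count_resets_checked( array $logins, $allowed, array &$errors ) {
    $count = 0;
    foreach ( $logins as $login ) {
        $result = retrieve_password_stub( $login, $allowed );
        if ( is_wp_error( $result ) ) { $errors[ $login ] = $result->get_error_message(); continue; }
        if ( true === $result ) { ++$count; }
    }
    return $count;
}

$logins = array( 'alice', 'bob' ); // constructed sample users
$errors = array();
printf( "truthy check:  %d reset(s) reported\n", count_resets_truthy( $logins, false ) );
printf( "is_wp_error(): %d reset(s) reported\n", count_resets_checked( $logins, false, $errors ) );
foreach ( $errors as $login => $msg ) { printf( "  %s: %s\n", $login, $msg ); }
```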

