[wp-trac] [WordPress Trac] #30647: wp_update_user() allows using existing user_email, user_login, and user_nicename

WordPress Trac noreply at wordpress.org
Wed Dec 10 00:55:25 UTC 2014


#30647: wp_update_user() allows using existing user_email, user_login, and
user_nicename
-----------------------------+--------------------------------------
 Reporter:  danielbachhuber  |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Future Release
Component:  Users            |    Version:
 Severity:  normal           |   Keywords:  needs-patch dev-feedback
  Focuses:                   |
-----------------------------+--------------------------------------
 When updating a user with `wp_update_user()` (which, in turn, uses
 `wp_insert_user()`), it's possible to set the `user_email` or
 `user_nicename` to those of an existing user. It's also possible to supply
 `user_login`, which gets silently discarded.

 Each of these values needs to be considered unique per user. If the values
 were supplied and not unique, I'd expect `WP_Error` to be returned.

 Here's the relevant faulty logic:

 {{{
 if ( ! $update && username_exists( $user_login ) ) {
         return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
 }
 }}}

 {{{
 if ( ! $update && ! defined( 'WP_IMPORTING' ) && email_exists( $user_email ) ) {
         return new WP_Error( 'existing_user_email', __( 'Sorry, that email address is already used!' ) );
 }
 }}}

 Looks like this was introduced in r12778.

 Discovered in:

 * https://github.com/WP-API/WP-API/pull/705
 * https://github.com/WP-API/WP-API/pull/707

--
Ticket URL: <https://core.trac.wordpress.org/ticket/30647>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
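
Added example, not part of the ticket and not WordPress core code: a self-contained PHP model of the guard quoted in the ticket next to one that compares the owning user ID on update. The in-memory `$users` table, `find_owner()`, `quoted_guard()` and `ownership_guard()` are hypothetical names, the case-insensitive comparison is an assumption, and the sample accounts are constructed.

```php
<?php
// Constructed sample data standing in for the users table.
$users = [
    1 => ['user_login' => 'alice', 'user_email' => 'alice@example.test', 'user_nicename' => 'alice'],
    2 => ['user_login' => 'bob',   'user_email' => 'bob@example.test',   'user_nicename' => 'bob'],
];

// Hypothetical helper: ID of the user that holds $value in $field, or false.
// Case-insensitive matching is an assumption made for this model.
function find_owner(array $users, string $field, string $value) {
    foreach ($users as $id => $row) {
        if (strcasecmp($row[$field], $value) === 0) {
            return $id;
        }
    }
    return false;
}

// Same shape as the guard quoted in the ticket: skipped whenever $update is true.
function quoted_guard(array $users, array $data, bool $update): ?string {
    if (!$update && find_owner($users, 'user_email', $data['user_email']) !== false) {
        return 'existing_user_email';
    }
    return null;
}

// Ownership-aware guard: a supplied value is rejected only when a different
// user ID already holds it, so re-saving one's own value still passes.
function ownership_guard(array $users, array $data, bool $update): ?string {
    $self = $update ? $data['ID'] : null;
    foreach (['user_login', 'user_email', 'user_nicename'] as $field) {
        if (!isset($data[$field])) {
            continue;
        }
        $owner = find_owner($users, $field, $data[$field]);
        if ($owner !== false && $owner !== $self) {
            return "existing_$field";
        }
    }
    return null;
}

$collide = ['ID' => 2, 'user_email' => 'alice@example.test']; // user 2 supplies user 1's email
$same    = ['ID' => 2, 'user_email' => 'bob@example.test'];   // user 2 re-saves its own email

var_dump(quoted_guard($users, $collide, true));    // update path, colliding email
var_dump(ownership_guard($users, $collide, true)); // update path, colliding email
var_dump(ownership_guard($users, $same, true));    // update path, unchanged email
```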

