[wp-trac] [WordPress Trac] #33504: Cannot create a user without emailing a reset link

WordPress Trac noreply at wordpress.org
Thu Sep 3 21:18:21 UTC 2015


#33504: Cannot create a user without emailing a reset link
--------------------------+--------------------
 Reporter:  Ipstenu       |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.3.1
Component:  Users         |     Version:  4.3
 Severity:  major         |  Resolution:
 Keywords:  has-patch     |     Focuses:
--------------------------+--------------------

Comment (by smerriman):

 I mentioned a use case in my original message - after running the
 WordPress importer, you're prompted to change the passwords of imported
 users. You can't do so without notifying all of those users, even if you
 are using their original password.

 I agree this can already be done with filters, but from that perspective,
 so can the original request.

 The reason the emails were sent was "''so if someone hijacks your browser
 session and changes these items, you’ll be notified that it happened, and
 you can take action.''"

 If the person changing the password has admin rights, this doesn't provide
 any security benefits or useful information - they already have complete
 control over the WordPress site, can create new accounts, and delete all
 other user accounts.

 The email received says "''If you did not change your password, please
 contact the Site Administrator''". This is misleading when it could well
 have been the Site Administrator who changed it in the first place.

 If these were indeed added for the purpose described above (hijacking your
 session), then perhaps these emails should only be sent if you change your
 *own* password. An admin should have the rights to do whatever they want
 without needing to resort to editing site code.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33504#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
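The comment above says the notification can already be suppressed with filters and proposes sending the email only when a user changes their *own* password. The snippet below is an added illustration of that proposal as a small plugin; it is not code from the ticket, the patch, or WordPress core. It assumes the `send_password_change_email` filter that WordPress 4.3 applies in `wp_update_user()` with the arguments `( $send, $user, $userdata )`, where `$user` is the original user record as an array; the function name `example_only_notify_on_self_change` is made up for this example.

```php
<?php
/**
 * Plugin Name: Notify only on self-initiated password changes
 *
 * Added example, not code from the ticket or from WordPress core.
 * Assumes the 'send_password_change_email' filter applied by
 * wp_update_user() in WordPress 4.3 with ($send, $user, $userdata),
 * where $user is the user record before the update, as an array.
 */

/**
 * Decide whether the "your password was changed" email should go out.
 *
 * @param bool  $send     Whether core intends to send the email.
 * @param array $user     The user record before the update (includes 'ID').
 * @param array $userdata The data being written by this update.
 * @return bool
 */
function example_only_notify_on_self_change( $send, $user, $userdata ) {
	$target_id = isset( $user['ID'] ) ? (int) $user['ID'] : 0;
	$actor_id  = (int) get_current_user_id();

	// No logged-in actor (WP-CLI, cron, etc.): keep core's decision.
	if ( 0 === $actor_id ) {
		return $send;
	}

	// The user changed their own password. This is the hijacked-session
	// case the email was introduced for, so keep sending it.
	if ( $actor_id === $target_id ) {
		return $send;
	}

	// Someone else set the password. If that someone can edit users
	// (an administrator, e.g. working through the importer's "change
	// passwords" prompt), they are the Site Administrator the email would
	// tell the recipient to contact, so suppress it.
	if ( current_user_can( 'edit_users' ) ) {
		return false;
	}

	// Any other case: fall back to whatever core decided.
	return $send;
}
add_filter( 'send_password_change_email', 'example_only_notify_on_self_change', 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` (or activate it as a normal plugin). The trade-off is the one the comment itself spells out: the filter runs inside the request that changes the password, so if the hijacked session belongs to an administrator, that administrator's changes to *other* accounts go unannounced. The comment's position is that this is acceptable because such an account already has full control of the site; if you disagree, leave the filter out and accept the importer-prompt noise instead. Email-address changes are governed by a separate hook (assumed here to be `send_email_change_email`), so this snippet does not affect them.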