[wp-trac] [WordPress Trac] #33504: Cannot create a user without emailing a reset link
WordPress Trac
noreply at wordpress.org
Thu Sep 3 21:18:21 UTC 2015
#33504: Cannot create a user without emailing a reset link
--------------------------+--------------------
Reporter: Ipstenu | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.3.1
Component: Users | Version: 4.3
Severity: major | Resolution:
Keywords: has-patch | Focuses:
--------------------------+--------------------
Comment (by smerriman):
I mentioned a use case in my original message - after running the
WordPress importer, you're prompted to change the passwords of imported
users. You can't do so without notifying all of those users, even if you
are using their original password.
I agree this can already be done with filters, but from that perspective,
so can the original request.
The reason the emails were sent was "so if someone hijacks your browser
session and changes these items, you'll be notified that it happened, and
you can take action."
If the person changing the password has admin rights, this doesn't provide
any security benefits or useful information - they already have complete
control over the WordPress site, can create new accounts, and delete all
other user accounts.
The email received says "If you did not change your password, please
contact the Site Administrator". This is misleading when it could well
have been the Site Administrator who changed it in the first place.
If these were indeed added for the purpose described above (hijacking your
session), then perhaps these emails should only be sent if you change your
*own* password. An admin should have the rights to do whatever they want
without needing to resort to editing site code.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33504#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
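The comment above notes that the notification can already be controlled with filters and suggests sending the notice only when a user changes their *own* password. As an added example (not code from the ticket, the reporter, or WordPress core), the small plugin below does exactly that using the `send_password_change_email` filter that WordPress 4.3 runs from `wp_update_user()` before mailing the "Notice of Password Change". The function name and the log line are my own; the filter's three arguments are the ones core passes.

```php
<?php
/**
 * Plugin Name: Password change notice only for self-service changes
 *
 * Added example, not part of the ticket or of WordPress core. It keeps the
 * password-change email for the case the email was designed for (someone
 * with the user's session changes the password) and drops it when an
 * administrator resets another user's password, e.g. after the importer.
 */

add_filter( 'send_password_change_email', 'example_notify_only_on_self_change', 10, 3 );

/**
 * Decide whether WordPress should send the "Notice of Password Change" email.
 *
 * @param bool  $send     Whether WordPress intends to send the email.
 * @param array $user     The user's data before the update (array form of WP_User).
 * @param array $userdata The data passed to wp_update_user().
 * @return bool True to send the email, false to suppress it.
 */
function example_notify_only_on_self_change( $send, $user, $userdata ) {
    $target_id = isset( $user['ID'] ) ? (int) $user['ID'] : 0;
    $actor_id  = get_current_user_id(); // 0 when no user is logged in (cron, WP-CLI)

    // Another account is changing this password and is allowed to edit this
    // user: that is the "admin resets a password" case. Suppress the email,
    // but leave a line in the server log so the change is still auditable.
    if ( $actor_id && $actor_id !== $target_id && current_user_can( 'edit_user', $target_id ) ) {
        error_log( sprintf(
            'password for user %d changed by user %d; change notice suppressed',
            $target_id,
            $actor_id
        ) );
        return false;
    }

    // Self-service change (or no logged-in actor): keep core's behaviour.
    return $send;
}
```

The check deliberately suppresses the email only when the acting user can edit the target account; a user editing their own profile still receives the notice, so a hijacked session changing its own password remains visible to the real owner. The `error_log()` line stands in for whatever audit trail a site already keeps.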