[wp-trac] [WordPress Trac] #33759: An admin changing an email/password should not generate a notification
WordPress Trac
noreply at wordpress.org
Mon Sep 7 05:01:07 UTC 2015
#33759: An admin changing an email/password should not generate a notification
--------------------------+-----------------------------
Reporter: smerriman | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.3
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Branched off from #33504 as requested.
In 4.3, email notifications are now sent to a user whenever their email or
password is changed. The reasoning behind this was solely from a security
perspective:
''so if someone hijacks your browser session and changes these items,
you’ll be notified that it happened, and you can take action.''
If the person changing the email/password is an admin, this notification
does not provide any security benefits or useful information - all it does
is mislead/confuse the user.
It does not provide security benefits because an admin has full control of
the site and rights to do whatever they want - they could delete every
user account on the site and create their own if they wanted to.
It is misleading/confusing because the notification implies this should
only be happening if they changed the information themselves: ''If you did
not change your password, please contact the Site Administrator''.
A common use-case where an admin is changing the password of a user occurs
after a WordPress import - you are prompted to change all imported users'
passwords. Other than editing site code to add filters, you can no longer
do so without everyone getting an email they won't understand - even if
you are setting their passwords to the same as their originals.
For these reasons, I suggest altering the code to not send these
notifications if the change of email/password was instigated by someone
with admin rights.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33759>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
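As an added illustration (not part of the ticket and not WordPress core code), this is the filter approach the reporter alludes to: a small plugin that returns `false` from the `send_password_change_email` and `send_email_change_email` filters introduced in 4.3 only when a different, logged-in user holding the `edit_users` capability makes the change, keeps the notice for self-service changes (the hijacked-session case the notice was built for), and writes an audit line so the change is still recorded somewhere. The `example_` function names are hypothetical.

```php
<?php
/*
Plugin Name: Suppress admin-initiated change notices (illustrative example)
*/

// Hypothetical helper: true when the account being updated belongs to someone
// other than the logged-in actor and that actor may edit users.
// $user is the pre-update user record that wp_update_user() passes to the filters.
function example_is_admin_editing_other_user( array $user ) {
    $actor_id = get_current_user_id();
    if ( 0 === $actor_id ) {
        // No logged-in actor (e.g. a password reset flow): keep the notice.
        return false;
    }
    if ( (int) $user['ID'] === $actor_id ) {
        // The user changed their own details: this is exactly the case the
        // notice exists for, so keep it.
        return false;
    }
    return current_user_can( 'edit_users' );
}

// Filter signature in 4.3: ( bool $send, array $user, array $userdata ).
function example_maybe_suppress_change_email( $send, $user, $userdata ) {
    if ( ! example_is_admin_editing_other_user( $user ) ) {
        return $send;
    }
    // The affected user will not be emailed, so record the administrative
    // change in the PHP error log to preserve an audit trail.
    error_log( sprintf(
        'wp-user-update: user %d modified by user %d via %s',
        (int) $user['ID'],
        get_current_user_id(),
        current_filter()
    ) );
    return false;
}

add_filter( 'send_password_change_email', 'example_maybe_suppress_change_email', 10, 3 );
add_filter( 'send_email_change_email', 'example_maybe_suppress_change_email', 10, 3 );
```

Dropping this into `wp-content/mu-plugins/` covers the bulk "change imported users' passwords" step without emailing everyone, while a user who changes their own password still receives the notice.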