[wp-trac] [WordPress Trac] #35715: edit_user() doesn't check for empty password (pass1).
WordPress Trac
noreply at wordpress.org
Mon Feb 29 15:37:51 UTC 2016
#35715: edit_user() doesn't check for empty password (pass1).
-------------------------------------------------+-------------------------
Reporter: gitlost | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Users | Version: 4.4
Severity: normal | Resolution:
Keywords: needs-testing good-first-bug has-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by gitlost):
Hi, seeing as you ask(!) note that patches should be made from the
[https://make.wordpress.org/core/handbook/tutorials/working-with-patches/#creating-a-patch SVN trunk root]
so in this case the diff should reference "src/wp-admin/includes/user.php"
rather than just "wp-admin/includes/user.php". Also you should run
[https://make.wordpress.org/core/handbook/testing/automated-testing/phpunit/ phpunit]
after applying your patch (here in particular `phpunit --group=user`) to
check it doesn't obviously break stuff, and preferably include a
failing-before / succeeding-after unit test.

On the actual patch I think the check should be made after the
`'check_passwords'` action is called to maintain flexibility. Also it
should only be checked when adding a user (`! $updated`) as using a blank
password when updating a user is legitimate usage (meaning don't update
the password). Also I think it should only check `$pass1` as there's
already a check for `$pass1 != $pass2`.

I'll upload a unit test.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35715#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
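
The check ordering proposed in the comment above, modelled as a stand-alone PHP example added here (not WordPress core code and not part of the original message). `validate_passwords()`, the `$hooks` array and the error codes are hypothetical stand-ins for `edit_user()`, the `'check_passwords'` action and core's error messages; the sample hook and inputs are constructed.

```php
<?php
// Stand-alone model of the password checks discussed above; not WordPress core code.
// $hooks stands in for callbacks attached to the 'check_passwords' action.

function validate_passwords(string $login, string $pass1, string $pass2, bool $update, array $hooks): array
{
    $errors = [];

    // Callbacks receive the passwords by reference and may change them,
    // which is the flexibility the 'check_passwords' action provides.
    foreach ($hooks as $hook) {
        $hook($login, $pass1, $pass2);
    }

    // Empty-password check: only when adding a user, and only after the hook.
    // On update, a blank password means "leave the password unchanged".
    if (!$update && $pass1 === '') {
        $errors[] = 'empty_password';
    }

    // Existing mismatch check, which already covers $pass2.
    if ($pass1 !== $pass2) {
        $errors[] = 'password_mismatch';
    }

    return ['errors' => $errors, 'pass1' => $pass1];
}

// Constructed hook: a plugin that supplies a generated password when none was entered.
$generate = function (string $login, string &$pass1, string &$pass2): void {
    if ($pass1 === '') {
        $pass1 = $pass2 = bin2hex(random_bytes(12));
    }
};

// Constructed sample inputs covering the cases named in the comment.
$cases = [
    'add, blank, no hook'   => validate_passwords('alice', '', '', false, []),
    'add, blank, with hook' => validate_passwords('alice', '', '', false, [$generate]),
    'update, blank'         => validate_passwords('alice', '', '', true, []),
    'add, mismatch'         => validate_passwords('alice', 'a', 'b', false, []),
];

foreach ($cases as $label => $result) {
    printf("%-22s errors: %s\n", $label, implode(',', $result['errors']) ?: 'none');
}
```

Moving the empty check above the hook loop would reject the "add, blank, with hook" case even though the hook supplies a password, which is the flexibility argument for running the check afterwards.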