[wp-trac] [WordPress Trac] #47192: Allow users to enter recovery mode via their registered email
WordPress Trac
noreply at wordpress.org
Thu Jan 9 10:59:31 UTC 2020
#47192: Allow users to enter recovery mode via their registered email
----------------------------------+------------------------------
Reporter: spacedmonkey | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Site Health | Version: 5.2
Severity: normal | Resolution:
Keywords: servehappy has-patch | Focuses:
----------------------------------+------------------------------
Comment (by spacedmonkey):
> The solution the four of us came up with is to "cache" the list of email
addresses that have permission to perform this action, and when the link
is requested, check if the provided email address is contained within the
allow list. That list is then updated when a user logs in, has a role
changed, or the user is updated.
This wasn't what we agreed on. Caching a list of users like this has some
serious performance issues. What if the site has 10k work of admin on it.
That option would be massive and fill the options table with a lot of
data. Specially as this will likely be autoloaded on every page, this
would have a big effect on performance.
What I thought was agree was to hook into login / user edit, to check if
user has access to recovery mode and save a cache in user meta. This way,
we should be able to trust user meta over capability check.
I also do like the user of `wp_die` here. It seem out of place and
confusing. As much of I hate using wp-login.php styling, as it hard to
work with, it is much less confusing to a user.
I am going to add some stuff to my original patch and submit a PR to
github, so it is easier to review.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47192#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list