[wp-trac] [WordPress Trac] #43856: Include submitter IP details in password reset emails?

WordPress Trac noreply at wordpress.org
Thu Sep 10 08:21:35 UTC 2020


#43856: Include submitter IP details in password reset emails?
-------------------------------------------------+-------------------------------
 Reporter:  cefiar                               |       Owner:  garrett-eclipse
     Type:  enhancement                          |      Status:  assigned
 Priority:  normal                               |   Milestone:  Future Release
Component:  Privacy                              |     Version:  4.9.6
 Severity:  minor                                |  Resolution:
 Keywords:  has-patch dev-feedback 2nd-opinion   |     Focuses:  ui-copy
  needs-privacy-review has-screenshots           |
-------------------------------------------------+-------------------------------
Changes (by garrett-eclipse):

 * keywords:  has-patch 2nd-opinion ux-feedback needs-refresh =>
     has-patch dev-feedback 2nd-opinion needs-privacy-review
     has-screenshots
 * focuses:   => ui-copy


Comment:

 Thanks for the initial patch @isharis. I've refreshed it in
 [https://core.trac.wordpress.org/attachment/ticket/43856/43856.2.diff
 43856.2.diff] to apply to trunk and make the following amendments:
 1. Added `If you request a reset of your password, your IP address will be
 included in the reset email.` to the default privacy policy content as
 suggested by @allendav.
 2. Addressed the comments by @desrosj updating to 5.6.0 and adding
 translator comment.
 3. Updated the verbiage in the email as just 'IP Address' felt like it
 could be confused with the website IP. Verbiage used `This password reset
 request originated from the IP address %s.`
 4. I made it conditional so if `wp_get_unsafe_client_ip` returns false the
 string isn't added.

 Adding dev-feedback/needs-privacy-review as I feel we don't need to
 anonymize the IP in this context as this is a security measure so would
 fall into section f of the GDPR. The full IP is more useful in ensuring
 identity in this case. I didn't remove the anon_ip portion yet as I'd like
 some input on that.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43856#comment:14>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

