[wp-trac] [WordPress Trac] #34281: Allow admins to send users a 'Reset Password' link

WordPress Trac noreply at wordpress.org
Mon Feb 22 17:22:29 UTC 2021


#34281: Allow admins to send users a 'Reset Password' link
-------------------------------------------------+-------------------------
 Reporter:  Ipstenu                              |       Owner:
                                                 |  adamsilverstein
     Type:  task (blessed)                       |      Status:  reopened
 Priority:  normal                               |   Milestone:  5.7
Component:  Users                                |     Version:  4.4
 Severity:  normal                               |  Resolution:
 Keywords:  has-screenshots has-ux-feedback      |     Focuses:
  has-patch has-dev-note                         |  javascript, privacy
-------------------------------------------------+-------------------------

Comment (by SergeyBiryukov):

 Replying to [comment:109 audrasjb]:
 > Ah! I believe we want the opposite :)

 Right, my comment doesn't make much sense on second thought. Replying to
 too many things at a time, sorry :)

 > - Lost password link on wp-login: send the IP address so the user can be
 prevented from request from other IPs
 > - New reset password methods on WP-Admin: don't send the IP address as
 the password reset is asked by a known user on the website (and it fixes
 some potential privacy issues)

 I think this can be done with one of two options:
 * Only include the IP address if the user is not logged in (which would be
 the case when requesting the password reset link from `wp-login.php`).
 * Only include the IP address when requesting the password reset link from
 `wp-login.php` specifically, by checking the `$pagenow` global, like we do
 in several other places in core.

 Per your second point, it looks like the first option would be preferable.

 My concern with adding a new parameter this late in the release cycle is
 that it's hard to adjust later without breaking backward compatibility,
 which might lead to minor inconsistencies in the API in the future. This
 would require some careful thinking, so I'd like to avoid adding a new
 parameter for now if there's another way.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/34281#comment:110>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

