From 4354d1fc5cd55a18bc24555b11db201d5eb87e0c Mon Sep 17 00:00:00 2001
From: Jake Spurlock
Date: Wed, 29 Apr 2020 15:23:37 +0000
Subject: [PATCH] User: Invalidate `user_activation_key` on password update.
Props: sstoqnov, sergeybiryukov.
git-svn-id: https://develop.svn.wordpress.org/trunk@47634 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 2 +-
 tests/phpunit/tests/user.php | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 4404a4b90b..bf9472d8cf 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1812,7 +1812,7 @@ function wp_insert_user( $userdata ) {
 }
 
 if ( $update ) {
- if ( $user_email !== $old_user_data->user_email ) {
+ if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
 $data['user_activation_key'] = '';
 }
 $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 8f3d04ca32..18760214bb 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -1036,7 +1036,7 @@ class Tests_User extends WP_UnitTestCase {
 $this->assertEquals( $u, wp_cache_get( $updated_user->user_nicename, 'userslugs' ) );
 }
 
- function test_changing_email_invalidates_password_reset_key() {
+ public function test_changing_email_invalidates_password_reset_key() {
 global $wpdb;
 
 $user = $this->author;
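Review bot: The widened condition in wp_insert_user() (src/wp-includes/user.php) carries no comment saying why a password change clears `user_activation_key`, and the column name does not make the security reason obvious: judging by the test names, this is the password-reset key, so one issued before the change would otherwise remain usable afterwards. I would add `// A pending password-reset key must not outlive a change of e-mail address or password.` above the `if`. The comparison is only meaningful if `$user_pass` holds the stored hash whenever the caller supplied no new password; that assignment is outside the hunk, so it is worth confirming that an unrelated profile update does not clear a pending key. The function body starts and ends outside the hunk.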
@@ -1068,6 +1068,26 @@ class Tests_User extends WP_UnitTestCase {
 $this->assertEmpty( $user->user_activation_key );
 }
 
+ public function test_changing_password_invalidates_password_reset_key() {
+ global $wpdb;
+
+ $user = $this->author;
+ $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+ clean_user_cache( $user );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEquals( 'key', $user->user_activation_key );
+
+ $userdata = array(
+ 'ID' => $user->ID,
+ 'user_pass' => 'password',
+ );
+ wp_update_user( $userdata );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEmpty( $user->user_activation_key );
+ }
+
 public function test_search_users_login() {
 $users = get_users(
 array(
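Review bot: The added test_changing_password_invalidates_password_reset_key() only proves that the key is cleared; nothing visible here checks that an update which leaves both e-mail and password untouched keeps it. Without that negative case, a comparison in wp_insert_user() that is always true (for example because `$user_pass` is not the stored hash at that point) would still pass this test while silently invalidating every pending reset link on any profile save. If the suite has no such test elsewhere, a companion along the lines below would pin the behaviour; the test name and the `display_name` value are constructed for illustration. The enclosing class starts and ends outside the hunk.

```php
	public function test_unrelated_update_keeps_password_reset_key() {
		global $wpdb;

		$user = $this->author;
		$wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
		clean_user_cache( $user );

		// Neither user_email nor user_pass is supplied, so the key must survive.
		wp_update_user(
			array(
				'ID'           => $user->ID,
				'display_name' => 'Renamed',
			)
		);

		$user = get_userdata( $user->ID );
		$this->assertSame( 'key', $user->user_activation_key );
	}
```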