Users: In edit_user() check for a blank password when adding a user.

Props wesleye, gitlost, adamsilverstein.
Fixes #35715.

git-svn-id: https://develop.svn.wordpress.org/trunk@37059 602fd350-edb4-49c9-b593-d223f7449a82
Dominik Schilling (ocean90) 2016-03-22 23:06:29 +00:00
parent 2a8573c6ca
commit 6c0a66cf49
2 changed files with 79 additions and 6 deletions


@ -113,7 +113,6 @@ function edit_user( $user_id = 0 ) {
$errors->add( 'nickname', __( '<strong>ERROR</strong>: Please enter a nickname.' ) ); $errors->add( 'nickname', __( '<strong>ERROR</strong>: Please enter a nickname.' ) );
} }
/* checking the password has been typed twice */
/** /**
* Fires before the password and confirm password fields are checked for congruity. * Fires before the password and confirm password fields are checked for congruity.
* *
@ -125,13 +124,20 @@ function edit_user( $user_id = 0 ) {
*/ */
do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) ); do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) );
/* Check for "\" in password */ // Check for blank password when adding a user.
if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) ) if ( ! $update && empty( $pass1 ) ) {
$errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) ); $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter a password.' ), array( 'form-field' => 'pass1' ) );
}
/* checking the password has been typed twice the same */ // Check for "\" in password.
if ( $pass1 != $pass2 ) if ( false !== strpos( wp_unslash( $pass1 ), "\\" ) ) {
$errors->add( 'pass', __( '<strong>ERROR</strong>: Passwords may not contain the character "\\".' ), array( 'form-field' => 'pass1' ) );
}
// Checking the password has been typed twice the same.
if ( ( $update || ! empty( $pass1 ) ) && $pass1 != $pass2 ) {
$errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in both password fields.' ), array( 'form-field' => 'pass1' ) ); $errors->add( 'pass', __( '<strong>ERROR</strong>: Please enter the same password in both password fields.' ), array( 'form-field' => 'pass1' ) );
}
if ( !empty( $pass1 ) ) if ( !empty( $pass1 ) )
$user->user_pass = $pass1; $user->user_pass = $pass1;
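Review bot: The rewritten confirmation check still uses the loose operator, `$pass1 != $pass2`, so two different numeric-looking strings compare as equal under PHP's numeric-string rules and `$pass1` is stored even though the confirmation field held something else. Since the line is being touched anyway, it could become `if ( ( $update || ! empty( $pass1 ) ) && $pass1 !== $pass2 ) {`; this assumes both values are strings read from the request, which happens outside the hunk. Separately, `empty( $pass1 )` is also true for the string "0", so the new blank-password error and the unchanged `! empty( $pass1 )` assignment below both treat that value as no password; a short comment stating that this is intended would help. edit_user() begins and ends outside the hunk.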


@ -1132,4 +1132,71 @@ class Tests_User extends WP_UnitTestCase {
$this->assertTrue( $was_admin_email_sent ); $this->assertTrue( $was_admin_email_sent );
$this->assertFalse( $was_user_email_sent ); $this->assertFalse( $was_user_email_sent );
} }
/**
* Checks that calling edit_user() with no password returns an error when adding, and doesn't when updating.
*
* @ticket 35715
*/
function test_edit_user_blank_pw() {
$_POST = $_GET = $_REQUEST = array();
$_POST['role'] = 'subscriber';
$_POST['email'] = 'user1@example.com';
$_POST['user_login'] = 'user_login1';
$_POST['first_name'] = 'first_name1';
$_POST['last_name'] = 'last_name1';
$_POST['nickname'] = 'nickname1';
$_POST['display_name'] = 'display_name1';
// Check new user with missing password.
$response = edit_user();
$this->assertInstanceOf( 'WP_Error', $response );
$this->assertEquals( 'pass', $response->get_error_code() );
// Check new user with password set.
$_POST['pass1'] = $_POST['pass2'] = 'password';
$user_id = edit_user();
$user = get_user_by( 'ID', $user_id );
$this->assertInternalType( 'int', $user_id );
$this->assertInstanceOf( 'WP_User', $user );
$this->assertEquals( 'nickname1', $user->nickname );
// Check updating user with empty password.
$_POST['nickname'] = 'nickname_updated';
$_POST['pass1'] = $_POST['pass2'] = '';
$user_id = edit_user( $user_id );
$this->assertInternalType( 'int', $user_id );
$this->assertEquals( 'nickname_updated', $user->nickname );
// Check updating user with missing second password.
$_POST['nickname'] = 'nickname_updated2';
$_POST['pass1'] = 'blank_pass2';
$_POST['pass2'] = '';
$response = edit_user( $user_id );
$this->assertInstanceOf( 'WP_Error', $response );
$this->assertEquals( 'pass', $response->get_error_code() );
$this->assertEquals( 'nickname_updated', $user->nickname );
// Check updating user with empty password via `check_passwords` action.
add_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ), 10, 2 );
$user_id = edit_user( $user_id );
remove_action( 'check_passwords', array( $this, 'action_check_passwords_blank_pw' ) );
$this->assertInternalType( 'int', $user_id );
$this->assertEquals( 'nickname_updated2', $user->nickname );
}
/**
* Check passwords action for test_edit_user_blank_pw().
*/
function action_check_passwords_blank_pw( $user_login, &$pass1 ) {
$pass1 = '';
}
} }
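Review bot: test_edit_user_blank_pw() exercises the `check_passwords` callback only on the update path, so the new guard `! $update && empty( $pass1 )` is never tested for a password that a hooked callback blanks while a user is being added. I would add a case before the "password set" step: set `pass1` and `pass2` to the same non-empty value, hook `action_check_passwords_blank_pw`, call `edit_user()` with no argument, unhook, then assert a `WP_Error` with code `pass`. A mismatched-confirmation case on the add path is missing as well. The later `$user->nickname` assertions reuse the object fetched once after creation, so they presumably rely on WP_User reading the value live; a one-line comment saying so, or a fresh `get_user_by()` before each assertion, would make that explicit.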