Admin email verification:

- Add the `admin_email_lifespan` option when installing. Fixes a bug where the verification screen is shown right after installation. - Reset the same option when upgrading and the user doing the DB upgrade is not an admin. This will ensure the email verification is shown next time an admin logs in. - Use `site_url()` instead of `network_site_url()` for the form action. The latter seems needed only for password reset. See #46349. git-svn-id: https://develop.svn.wordpress.org/trunk@45788 602fd350-edb4-49c9-b593-d223f7449a82
2019-08-13 17:39:06 +00:00 · 2019-08-13 17:39:06 +00:00 · 6dad32d2ae
parent feb0830c79
commit 6dad32d2ae
3 changed files with 13 additions and 6 deletions
--- a/src/wp-admin/includes/schema.php
+++ b/src/wp-admin/includes/schema.php
@ -542,6 +542,9 @@ function populate_options( array $options = array() ) {

 		// 4.9.8
 		'show_comments_cookies_opt_in'    => 1,
+
+		// 5.3.0
+		'admin_email_lifespan'            => ( time() + 6 * MONTH_IN_SECONDS ),
 	);

 	// 3.3
--- a/src/wp-admin/includes/upgrade.php
+++ b/src/wp-admin/includes/upgrade.php
@ -2125,10 +2125,14 @@ function upgrade_510() {
 * @since 5.3.0
 */
 function upgrade_530() {
-	// Do `add_option()` rather than overwriting with `update_option()` as this may run
-	// after an admin was redirected to the email verification screen,
-	// and the option was updated.
-	add_option( 'admin_email_lifespan', 0 );
+	// The `admin_email_lifespan` option may have been set by an admin that just logged in,
+	// saw the verification screen, clicked on a button there, and is now upgrading the db,
+	// or by populate_options() that is called earlier in upgrade_all(). 
+	// In the second case `admin_email_lifespan` should be reset so the verification screen
+	// is shown next time an admin logs in.
+	if ( function_exists( 'current_user_can' ) && ! current_user_can( 'manage_options' ) ) {
+		update_option( 'admin_email_lifespan', 0 );
+	}
 }

 /**
--- a/src/wp-login.php
+++ b/src/wp-login.php
@ -594,7 +594,7 @@ switch ( $action ) {
 			 *
 			 * @param int Interval time (in seconds).
 			 */
-			$admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 180 * DAY_IN_SECONDS );
+			$admin_email_check_interval = (int) apply_filters( 'admin_email_check_interval', 6 * MONTH_IN_SECONDS );

 			if ( $admin_email_check_interval > 0 ) {
 				update_option( 'admin_email_lifespan', time() + $admin_email_check_interval );
@ -617,7 +617,7 @@ switch ( $action ) {

 		?>

-		<form class="admin-email-confirm-form" name="admin-email-confirm-form" action="<?php echo esc_url( network_site_url( 'wp-login.php?action=confirm_admin_email', 'login_post' ) ); ?>" method="post">
+		<form class="admin-email-confirm-form" name="admin-email-confirm-form" action="<?php echo esc_url( site_url( 'wp-login.php?action=confirm_admin_email', 'login_post' ) ); ?>" method="post">
 			<?php
 			/**
 			* Fires inside the admin-email-confirm-form form tags, before the hidden fields.