Users: when calling wp_insert_user() with an valid user ID, return WP_Error instead of arbitrarily updating user meta.

Adds unit test.

Props swissspidy, bilalcoder.
Fixes #28004.


git-svn-id: https://develop.svn.wordpress.org/trunk@35280 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/user-functions.php

@@ -1275,11 +1275,17 @@ function wp_insert_user( $userdata ) {
 	} elseif ( $userdata instanceof WP_User ) {
 		$userdata = $userdata->to_array();
 	}
+
 	// Are we updating or creating?
 	if ( ! empty( $userdata['ID'] ) ) {
 		$ID = (int) $userdata['ID'];
 		$update = true;
-		$old_user_data = WP_User::get_data_by( 'id', $ID );
+		$old_user_data = get_userdata( $ID );
+
+		if ( ! $old_user_data ) {
+			return new WP_Error( 'invalid_user_id', __( 'Invalid user ID.' ) );
+		}
+
 		// hashed in wp_update_user(), plaintext if called directly
 		$user_pass = $userdata['user_pass'];
 	} else {

tests/phpunit/tests/user.php

@@ -819,6 +819,20 @@ class Tests_User extends WP_UnitTestCase {
 		$this->assertSame( $expected, $user->user_nicename );
 	}
 
+	/**
+	 * @ticket 28004
+	 */
+	public function test_wp_insert_user_with_invalid_user_id() {
+		$u = wp_insert_user( array(
+			'ID' => 123,
+			'user_login' => 'whatever',
+			'user_email' => 'whatever@example.com',
+			'user_pass' => 'password',
+		) );
+
+		$this->assertWPError( $u );
+	}
+
 	function test_changing_email_invalidates_password_reset_key() {
 		global $wpdb;