Invalidate password keys when a user's email changes.

git-svn-id: https://develop.svn.wordpress.org/trunk@30430 602fd350-edb4-49c9-b593-d223f7449a82
2014-11-20 13:39:03 +00:00 · 2014-11-20 13:39:03 +00:00 · d2b4df2d4f
parent 7e830d4a4a
commit d2b4df2d4f
2 changed files with 35 additions and 0 deletions
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@ -1885,6 +1885,9 @@ function wp_insert_user( $userdata ) {
 	$data = wp_unslash( $compacted );

 	if ( $update ) {
+		if ( $user_email !== $old_user_data->user_email ) {
+			$data['user_activation_key'] = '';
+		}
 		$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
 		$user_id = (int) $ID;
 	} else {
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@ -672,4 +672,36 @@ class Tests_User extends WP_UnitTestCase {

 		$this->assertSame( $user->user_nicename, $updated_user->user_nicename );
 	}
+
+	function test_changing_email_invalidates_password_reset_key() {
+		global $wpdb;
+
+		$user = $this->factory->user->create_and_get();
+		$wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+		clean_user_cache( $user );
+
+		$user = get_userdata( $user->ID );
+		$this->assertEquals( 'key', $user->user_activation_key );
+
+		// Check that changing something other than the email doesn't remove the key.
+		$userdata = array(
+			'ID'            => $user->ID,
+			'user_nicename' => 'wat',
+		);
+		wp_update_user( $userdata );
+
+		$user = get_userdata( $user->ID );
+		$this->assertEquals( 'key', $user->user_activation_key );
+
+		// Now check that changing the email does remove it.
+		$userdata = array(
+			'ID'            => $user->ID,
+			'user_nicename' => 'cat',
+			'user_email'    => 'foo@bar.dev',
+		);
+		wp_update_user( $userdata );
+
+		$user = get_userdata( $user->ID );
+		$this->assertEmpty( $user->user_activation_key );
+	}
 }