From d2b4df2d4f3a89ce46d91390cf022cea9419898a Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Thu, 20 Nov 2014 13:39:03 +0000
Subject: [PATCH] Invalidate password keys when a user's email changes.
git-svn-id: https://develop.svn.wordpress.org/trunk@30430 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 3 +++
 tests/phpunit/tests/user.php | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index ecb6bbba4b..a6a35d1e2c 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -1885,6 +1885,9 @@ function wp_insert_user( $userdata ) {
 $data = wp_unslash( $compacted );
 if ( $update ) {
+ if ( $user_email !== $old_user_data->user_email ) {
+ $data['user_activation_key'] = '';
+ }
 $wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
 $user_id = (int) $ID;
 } else {
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 71acceb7b3..6885cf1378 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
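Review bot: In the `wp_insert_user()` hunk of src/wp-includes/user.php, the added check `$user_email !== $old_user_data->user_email` compares the local `$user_email`, not the value that is written, which comes from `$data = wp_unslash( $compacted )` just above. If `$compacted` carries `user_email` (its construction is outside the hunk), the local may still be slashed, so an address containing a quote or backslash would compare unequal on every update; that fails safe, but it would also silently cancel a reset the user has just requested. Comparing the stored form, `if ( $data['user_email'] !== $old_user_data->user_email ) {`, avoids this, and a comment such as `// A reset key was issued to the old address; drop it when the address changes.` would record why the column is cleared here. `wp_insert_user()` starts and ends outside the hunk, so where `$old_user_data` is set could not be checked.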
@@ -672,4 +672,36 @@ class Tests_User extends WP_UnitTestCase {
 $this->assertSame( $user->user_nicename, $updated_user->user_nicename );
 }
+
+ function test_changing_email_invalidates_password_reset_key() {
+ global $wpdb;
+
+ $user = $this->factory->user->create_and_get();
+ $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
+ clean_user_cache( $user );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEquals( 'key', $user->user_activation_key );
+
+ // Check that changing something other than the email doesn't remove the key.
+ $userdata = array(
+ 'ID' => $user->ID,
+ 'user_nicename' => 'wat',
+ );
+ wp_update_user( $userdata );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEquals( 'key', $user->user_activation_key );
+
+ // Now check that changing the email does remove it.
+ $userdata = array(
+ 'ID' => $user->ID,
+ 'user_nicename' => 'cat',
+ 'user_email' => 'foo@bar.dev',
+ );
+ wp_update_user( $userdata );
+
+ $user = get_userdata( $user->ID );
+ $this->assertEmpty( $user->user_activation_key );
+ }
 }
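Review bot: The final `$this->assertEmpty( $user->user_activation_key );` also passes for `null`, `false` or `'0'`, so it does not pin the empty string the patch writes; `$this->assertSame( '', $user->user_activation_key );` would. The two earlier checks could likewise be `assertSame( 'key', ... )` instead of the loose `assertEquals`. No case passes the existing `user_email` back explicitly, as a profile form that resubmits every field would; adding one next to the nicename-only update would guard the "unchanged address keeps the key" path against a later change to the comparison.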