Invalidate password keys when a user's email changes.

git-svn-id: https://develop.svn.wordpress.org/trunk@30430 602fd350-edb4-49c9-b593-d223f7449a82
Andrew Nacin 2014-11-20 13:39:03 +00:00
parent 7e830d4a4a
commit d2b4df2d4f
2 changed files with 35 additions and 0 deletions


@ -1885,6 +1885,9 @@ function wp_insert_user( $userdata ) {
$data = wp_unslash( $compacted );
if ( $update ) {
if ( $user_email !== $old_user_data->user_email ) {
$data['user_activation_key'] = '';
}
$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
$user_id = (int) $ID;
} else {
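Review bot: The added `if ( $user_email !== $old_user_data->user_email )` branch has no comment saying why `user_activation_key` is blanked, so a later reader could mistake it for incidental cleanup and remove it. I would add above it `// A password reset key issued while the old address was on file must not stay usable once the email changes.` The comparison is strict and appears to use `$user_email` as it stood before `wp_unslash()` built `$data`, so a value differing only in slashing or letter case would also clear the key. That errs on the safe side, but is worth a word in the comment. The body of `wp_insert_user()` starts and ends outside this hunk.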


@ -672,4 +672,36 @@ class Tests_User extends WP_UnitTestCase {
$this->assertSame( $user->user_nicename, $updated_user->user_nicename );
}
function test_changing_email_invalidates_password_reset_key() {
global $wpdb;
$user = $this->factory->user->create_and_get();
$wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) );
clean_user_cache( $user );
$user = get_userdata( $user->ID );
$this->assertEquals( 'key', $user->user_activation_key );
// Check that changing something other than the email doesn't remove the key.
$userdata = array(
'ID' => $user->ID,
'user_nicename' => 'wat',
);
wp_update_user( $userdata );
$user = get_userdata( $user->ID );
$this->assertEquals( 'key', $user->user_activation_key );
// Now check that changing the email does remove it.
$userdata = array(
'ID' => $user->ID,
'user_nicename' => 'cat',
'user_email' => 'foo@bar.dev',
);
wp_update_user( $userdata );
$user = get_userdata( $user->ID );
$this->assertEmpty( $user->user_activation_key );
}
}
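Review bot: The closing assertion `$this->assertEmpty( $user->user_activation_key );` also passes for `null`, `false` or `'0'`, so it does not pin the value the patch actually writes. `$this->assertSame( '', $user->user_activation_key );` would pin it, and the two `assertEquals( 'key', ... )` checks could become `assertSame` for the same reason. Since this test guards a security property, a one-line docblock on `test_changing_email_invalidates_password_reset_key()` stating that a reset key must not survive an email change would make it harder to weaken later.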