Fix PHP warning when creating users without password in wp_insert_user()
#9381
…e and hash a random password
Test using WordPress Playground
The changes in this pull request can be previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
| if ( empty( $userdata['user_pass'] ) ) { | ||
| wp_trigger_error( | ||
| __FUNCTION__, | ||
| __( 'The user_pass field is required when creating a new user. A random password has been generated.' ), | ||
| E_USER_WARNING | ||
| ); | ||
|
|
||
| // Generate and hash a random password | ||
| $user_pass = wp_hash_password( wp_generate_password( 32 ) ); | ||
| } else { | ||
| // Hash the password. | ||
| $user_pass = wp_hash_password( $userdata['user_pass'] ); | ||
| } |
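Review bot: `empty( $userdata['user_pass'] )` in the opening condition is also true for the string '0', so a caller that passes that value gets the "field is required" warning and a random password instead of the one it supplied. If only a missing or empty-string value should take this branch, test for that explicitly, for example `! isset( $userdata['user_pass'] ) || '' === $userdata['user_pass']`. The fallback also deserves a sentence in the function's docblock: the generated 32-character value is hashed on the same line and not kept, so the caller has no way to learn it and the account can only be used after a password reset.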
This would look clean instead of nested if..else.
| if ( empty( $userdata['user_pass'] ) ) { | |
| wp_trigger_error( | |
| __FUNCTION__, | |
| __( 'The user_pass field is required when creating a new user. A random password has been generated.' ), | |
| E_USER_WARNING | |
| ); | |
| // Generate and hash a random password | |
| $user_pass = wp_hash_password( wp_generate_password( 32 ) ); | |
| } else { | |
| // Hash the password. | |
| $user_pass = wp_hash_password( $userdata['user_pass'] ); | |
| } | |
| $user_pass = ! empty( $user_pass['user_pass'] ) ? wp_hash_password( $user_pass['user_pass'] ) : wp_hash_password( wp_generate_password( 32 ) ); | |
| if ( empty( $userdata['user_pass'] ) ) { | |
| wp_trigger_error( | |
| __FUNCTION__, | |
| __( 'The user_pass field is required when creating a new user. A random password has been generated.' ), | |
| E_USER_WARNING | |
| ); | |
| } |
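Review bot: The ternary on the first suggested line reads `$user_pass['user_pass']`, while the lines it replaces, and the `if` directly below it, read the supplied password from `$userdata['user_pass']`. As written the test is made against the variable being assigned rather than the input array, so unless `$user_pass` already holds that array the `empty()` check is true and a supplied password is replaced with a random one. Both occurrences on that line should be `$userdata['user_pass']`.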
peterwilsoncc
left a comment
I've dropped a suggestion inline after checking something I should have thought to check earlier.
Co-authored-by: Peter Wilson <[email protected]>
peterwilsoncc
left a comment
Thanks @Adi-ty!
This looks good to me and tests well.
On trunk running PHP 8.3.23 I am seeing three PHP warnings:
Warning: Undefined array key (once)
trim(): Passing null to parameter #1 ($string) of type string is deprecated (twice)
On this branch running the same version of PHP, I see the new warning once only.
This PR implements improved handling for missing passwords in wp_insert_user(). Adds a check for an empty or missing user_pass when creating a new user. If user_pass is not provided, it triggers a developer warning using wp_trigger_error() with E_USER_WARNING and a clear message. Securely generates and hashes a 32-character random password for the new user, ensuring backward compatibility.
Trac ticket: https://core.trac.wordpress.org/ticket/63770
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.