[buddypress-trac] [BuddyPress Trac] #5553: BP 2.0 upgrade routine improperly deletes existing user roles if activation_key usermeta is present
buddypress-trac
noreply at wordpress.org
Thu Apr 17 19:51:05 UTC 2014
#5553: BP 2.0 upgrade routine improperly deletes existing user roles if activation_key usermeta is present
-----------------------------------+--------------------
 Reporter:  boonebgorges           |       Owner:
     Type:  defect (bug)           |      Status:  new
 Priority:  highest                |   Milestone:  2.0.1
Component:  Core                   |     Version:  2.0
 Severity:  critical               |  Resolution:
 Keywords:  has-patch 2nd-opinion  |
-----------------------------------+--------------------
Comment (by boonebgorges):
> 5553.02.patch will not put this user in the signups table as the
> activation_key is empty. So after upgrade, this user will be able to log
> in even if his status is set to 2.
I guess this is a legitimate concern, in particular since the new login
logic comes from BP and not from some other plugin. I remain skeptical
that there are real-life scenarios where user_status = 2 and `'' ===
get_user_meta( $user_id, 'activation_key', true )`, but I guess it's
possible.
If it's a huge concern, how about switching around the way the query is
run? It seems like `activation_key` is not a reliable test of who is an
unactivated user. On the other hand, `user_status=2` is. See
5553.04.patch. (I have not tested the patch - just putting it up to see if
people think it's a more reliable idea.) This does not take into account
the 'activation_key' at all, so will not help with your case (5) above.
But, as I suggest above, I don't think this is much of a meaningful risk.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5553#comment:12>
BuddyPress Trac <http://buddypress.org/>
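To make the two selection strategies discussed above concrete, here is an added illustration (not code from the ticket, the patches, or BuddyPress itself) that runs both queries over a constructed in-memory copy of the wp_users/wp_usermeta tables; the user rows, meta values and the stale-key case are invented for the demonstration.

```python
import sqlite3

# Constructed sample data (not from any real BuddyPress site).
# user_status 2 marks an unactivated account, as used on the ticket.
USERS = [
    (1, "admin",   0),
    (2, "pending", 2),   # unactivated, activation_key meta present
    (3, "orphan",  2),   # unactivated, but activation_key meta is '' (the case in comment:12)
    (4, "active",  0),   # activated, yet a stale activation_key meta row survives
]
USERMETA = [
    (2, "activation_key", "abc123"),
    (3, "activation_key", ""),
    (4, "activation_key", "stale456"),
]


def build_db():
    """Create an in-memory database with the two tables the upgrade routine reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_status INTEGER);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", USERMETA)
    return db


def unactivated_by_activation_key(db):
    """Select on a non-empty activation_key usermeta: misses 'orphan', wrongly includes 'active'."""
    rows = db.execute("""
        SELECT u.user_login FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'activation_key' AND m.meta_value <> ''
        ORDER BY u.ID""").fetchall()
    return [r[0] for r in rows]


def unactivated_by_user_status(db):
    """Select on user_status = 2, the alternative proposed in 5553.04.patch."""
    rows = db.execute(
        "SELECT user_login FROM wp_users WHERE user_status = 2 ORDER BY ID").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("by activation_key:", unactivated_by_activation_key(db))  # ['pending', 'active']
    print("by user_status:   ", unactivated_by_user_status(db))     # ['pending', 'orphan']
```

The first query both skips the status-2 account whose key is empty (so it never reaches the signups table and can log in after the upgrade) and sweeps in an activated account with a leftover key, which is the role-deletion failure the ticket reports; the status-based query has neither problem.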