[wp-trac] [WordPress Trac] #33209: Inviting a new user to Multisite results in password being emailed
    WordPress Trac 
    noreply at wordpress.org
       
    Mon Nov  5 23:13:29 UTC 2018
    
    
  
#33209: Inviting a new user to Multisite results in password being emailed
------------------------------------+-----------------------------
 Reporter:  Ipstenu                 |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Future Release
Component:  Users                   |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:  multisite
------------------------------------+-----------------------------
Comment (by BjornW):
 A bit more info about this
 [https://core.trac.wordpress.org/attachment/ticket/33209/33209-3.diff
 patch]:
 == In short:
 This patch will make a **new default WordPress Mu
 installation safer** by removing the plain-text passwords from the
 welcome_email and welcome_user_email emails. It respects existing
 installations by not changing their settings (yet), but it will warn them
 that the PASSWORD token is deprecated.
 == Details:
 - It replaces the PASSWORD token from the default 'Welcome Email' and
 'Welcome User Email' template texts with a new token RESETLINK in the
 code. It does *NOT* change settings in the database to preserve backwards-
 compatibility.
 ''In a future WordPress version we should remove the PASSWORD token
 completely and replace it with the RESETLINK token automagically. However,
 doing this now might be too abrupt for users. Therefore I assume we want to
 deprecate and warn people first.''
 - It refactors the PASSWORD token replacement functionality into using a
 new filter called 'wpmu_replace_password_token'. This filter is being
 called using
 [https://developer.wordpress.org/reference/functions/apply_filters_deprecated/#parameters
 apply_filters_deprecated] to immediately deprecate the function so we can
 set a notice warning about NOT using the PASSWORD token anymore.
 ''It might even be extended into using an admin notice in the wp-admin for
 users with super_admin role, to make sure they are aware of this upcoming
 change''
 - The RESETLINK token functionality uses a new filter called
 'wpmu_replace_resetlink_token' to replace the RESETLINK token with a
 re(set) url.
 == To discuss:
 1. Is this the proper way to deprecate the usage of the PASSWORD token?
 2. Should we warn users with super_admin role about this change using an
 admin notice?
 3. Should we respect the existing settings or replace them automagically
 with the re(set) functionality now without even warning them?
-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/33209#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
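
The deprecate-and-warn approach described in the comment above, as an added example that is not part of the original message and is not the code from 33209-3.diff. Only the PASSWORD and RESETLINK token names come from the comment; the function name, the sample templates, the user data and the URL are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. example_render_welcome_email()
// and all sample values below are hypothetical.

/**
 * Fill a welcome-email template.
 * - RESETLINK is replaced with a one-time (re)set URL.
 * - PASSWORD is still replaced so stored legacy templates keep working,
 *   but a deprecation notice is raised so administrators learn about it.
 */
function example_render_welcome_email(string $template, array $user, string $reset_url): string
{
    $replacements = [
        'USERNAME'  => $user['login'],
        'RESETLINK' => $reset_url,
    ];

    // Legacy path: only touched when a stored template still uses PASSWORD.
    if (strpos($template, 'PASSWORD') !== false) {
        trigger_error(
            'The PASSWORD token is deprecated; use RESETLINK instead.',
            E_USER_DEPRECATED
        );
        $replacements['PASSWORD'] = $user['password'];
    }

    // strtr() with an array does not rescan replaced text, so a token-like
    // string inside a substituted value is not expanded a second time.
    return strtr($template, $replacements);
}

// Constructed sample data. In WordPress the key would come from
// get_password_reset_key(); here it is random bytes for the demo.
$key  = bin2hex(random_bytes(10));
$user = ['login' => 'alice', 'password' => 'constructed-sample-password'];
$url  = 'https://example.org/wp-login.php?action=rp&key=' . $key
      . '&login=' . rawurlencode($user['login']);

$new_default = "Username: USERNAME\nSet your password: RESETLINK\n";
$legacy      = "Username: USERNAME\nPassword: PASSWORD\n";

echo example_render_welcome_email($new_default, $user, $url); // no secret in the mail
echo example_render_welcome_email($legacy, $user, $url);      // raises E_USER_DEPRECATED
```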
    
    