[wp-trac] [WordPress Trac] #44940: Empty confirm_key property in WP_User_Request when hooking in the user_request_action_email_content
WordPress Trac
noreply at wordpress.org
Wed Aug 20 18:41:24 UTC 2025
#44940: Empty confirm_key property in WP_User_Request when hooking in the
user_request_action_email_content
--------------------------------------+------------------------------
Reporter: dingo_d | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: normal | Resolution:
Keywords: dev-feedback 2nd-opinion | Focuses:
--------------------------------------+------------------------------
Comment (by johnjamesjacoby):
I see what's happening.
What's needed here is to decide whether a new `confirm_key` (aka
`post_password`) needs to be generated every time `wp_send_user_request()`
is called, or if it would be acceptable to generate it a single time when
`wp_create_user_request()` is called.
Currently it happens on every (re)send, which is nice because it tumbles
the key and invalidates links in previous emails, but that definitely
makes the surrounding code somewhat weird like this ticket has uncovered.
I think it is mostly safe to assume that tumbling the key was intentional
during the 4.9 release, and I agree that to maintain this behavior will
require one of the approaches outlined above by @birgire.
I'll attach 2 patches that address this ticket:
1. Breaking: Only generate on create
1. Non-breaking: Regenerating on send
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44940#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list