From 1926a14489e63ef736b1f9f2b436ba8f97ccb75e Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Tue, 23 Feb 2021 20:06:40 +0000
Subject: [PATCH] Users: Only include the IP address in password reset email if
 the user is not logged in.

This avoids unnecessarily disclosing the IP address when sending a password reset link to another user from the admin.

Follow-up to [49255], [50129].

Props carike, audrasjb, gmariani405, Ipstenu.
See #34281.

git-svn-id: https://develop.svn.wordpress.org/trunk@50422 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 0ea54f1a52..ce43a159b1 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2773,13 +2773,15 @@ function retrieve_password( $user_login = null ) {
 	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
 	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . "\r\n\r\n";
 
-	$requester_ip = $_SERVER['REMOTE_ADDR'];
-	if ( $requester_ip ) {
-		$message .= sprintf(
-			/* translators: %s: IP address of password reset requester. */
-			__( 'This password reset request originated from the IP address %s.' ),
-			$requester_ip
-		) . "\r\n";
+	if ( ! is_user_logged_in() ) {
+		$requester_ip = $_SERVER['REMOTE_ADDR'];
+		if ( $requester_ip ) {
+			$message .= sprintf(
+				/* translators: %s: IP address of password reset requester. */
+				__( 'This password reset request originated from the IP address %s.' ),
+				$requester_ip
+			) . "\r\n";
+		}
 	}
 
 	/* translators: Password reset notification email subject. %s: Site title. */