Require numeric IDs in user deletion functions.

`wp_delete_user()` and `wpmu_delete_user()` both require an `$id` parameter.
Previously, the functions did not verify that the value passed was, in fact,
a number. As such, passing an object or any other entity that would be cast
to int `1` would result in user 1 being deleted. We fix this by enforcing
the requirement that `$id` be numeric.

Props dipesh.kakadiya, utkarshpatel, juliobox.
Fixes #33800.

git-svn-id: https://develop.svn.wordpress.org/trunk@34034 602fd350-edb4-49c9-b593-d223f7449a82
Boone Gorges
2015-09-11 02:24:03 +00:00
parent 40a0d1f3cb
commit 5b9d9c7c07
4 changed files with 63 additions and 0 deletions


@@ -344,6 +344,29 @@ class Tests_Multisite_User extends WP_UnitTestCase {
}
}
public function test_numeric_string_user_id() {
$u = $this->factory->user->create();
$u_string = (string) $u;
$this->assertTrue( wpmu_delete_user( $u_string ) );
$this->assertFalse( get_user_by( 'id', $u ) );
}
/**
* @ticket 33800
*/
public function test_should_return_false_for_non_numeric_string_user_id() {
$this->assertFalse( wpmu_delete_user( 'abcde' ) );
}
/**
* @ticket 33800
*/
public function test_should_return_false_for_object_user_id() {
$u_obj = $this->factory->user->create_and_get();
$this->assertFalse( wpmu_delete_user( $u_obj ) );
$this->assertEquals( $u_obj->ID, username_exists( $u_obj->user_login ) );
}
}
endif ;
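Review bot: `test_should_return_false_for_object_user_id` asserts that `$u_obj`'s own account survives, but the regression described in the commit message is the deletion of user 1 after the int cast, and nothing in this hunk asserts that user 1 is still present. Adding `$this->assertInstanceOf( 'WP_User', get_user_by( 'id', 1 ) );` after the `assertFalse` would pin that directly, assuming the test install keeps its admin at ID 1. The message also mentions other values that cast to 1, so a non-empty array or `true` passed as `$id` would be cheap extra cases next to the object one. `test_numeric_string_user_id` is the only new test without a `@ticket 33800` docblock. The enclosing class starts outside this hunk.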