From cca265971e45a12bfc8199c26efb2f5f506c3cd6 Mon Sep 17 00:00:00 2001
From: Dominik Schilling <dominikschilling+git@gmail.com>
Date: Mon, 14 Sep 2015 13:03:24 +0000
Subject: [PATCH] Passwords: Deprecate second parameter of
 `wp_new_user_notification()`.

The second parameter `$plaintext_pass` was removed in [33023] and restored as `$notify` in [33620] with a different behavior. If you have a plugin overriding `wp_new_user_notification()` which hasn't been updated you would get a notification with your username and the password "both".
To prevent this the second parameter is now deprecated and reintroduced as the third parameter.

Adds unit tests.

Merge of [34116] to the 4.3 branch.

Props kraftbj, adamsilverstein, welcher, ocean90.
See #33654.
Built from https://develop.svn.wordpress.org/branches/4.3@34118


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34086 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/user.php      |  2 +-
 wp-admin/network/site-new.php   |  2 +-
 wp-admin/network/site-users.php |  2 +-
 wp-admin/network/user-new.php   |  2 +-
 wp-includes/pluggable.php       | 15 +++++++++++----
 wp-includes/user.php            |  2 +-
 6 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php
index 132ea6d76c..8e1df4f22c 100644
--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -176,7 +176,7 @@ function edit_user( $user_id = 0 ) {
 		$user_id = wp_update_user( $user );
 	} else {
 		$user_id = wp_insert_user( $user );
-		wp_new_user_notification( $user_id, 'both' );
+		wp_new_user_notification( $user_id, null, 'both' );
 	}
 	return $user_id;
 }
diff --git a/wp-admin/network/site-new.php b/wp-admin/network/site-new.php
index 8dec36cf02..582fa5048c 100644
--- a/wp-admin/network/site-new.php
+++ b/wp-admin/network/site-new.php
@@ -79,7 +79,7 @@ if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) {
 		if ( false === $user_id )
 			wp_die( __( 'There was an error creating the user.' ) );
 		else
-			wp_new_user_notification( $user_id, 'both' );
+			wp_new_user_notification( $user_id, null, 'both' );
 	}
 
 	$wpdb->hide_errors();
diff --git a/wp-admin/network/site-users.php b/wp-admin/network/site-users.php
index 0ab1771088..6920cb1de6 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -77,7 +77,7 @@ if ( $action ) {
 				if ( false === $user_id ) {
 		 			$update = 'err_new_dup';
 				} else {
-					wp_new_user_notification( $user_id, 'both' );
+					wp_new_user_notification( $user_id, null, 'both' );
 					add_user_to_blog( $id, $user_id, $_POST['new_role'] );
 					$update = 'newuser';
 				}
diff --git a/wp-admin/network/user-new.php b/wp-admin/network/user-new.php
index 002e098dc1..775e754b2f 100644
--- a/wp-admin/network/user-new.php
+++ b/wp-admin/network/user-new.php
@@ -51,7 +51,7 @@ if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
 		if ( ! $user_id ) {
 	 		$add_user_errors = new WP_Error( 'add_user_fail', __( 'Cannot add user.' ) );
 		} else {
-			wp_new_user_notification( $user_id, 'both' );
+			wp_new_user_notification( $user_id, null, 'both' );
 			wp_redirect( add_query_arg( array('update' => 'added'), 'user-new.php' ) );
 			exit;
 		}
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index d3a930b1f1..e41cbfe585 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -1689,15 +1689,22 @@ if ( !function_exists('wp_new_user_notification') ) :
  *
  * @since 2.0.0
  * @since 4.3.0 The `$plaintext_pass` parameter was changed to `$notify`.
+ * @since 4.3.1 The `$plaintext_pass` parameter was deprecated. `$notify` added as a third parameter.
  *
  * @global wpdb         $wpdb      WordPress database object for queries.
  * @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
  *
- * @param int    $user_id User ID.
- * @param string $notify  Whether admin and user should be notified ('both') or
- *                        only the admin ('admin' or empty).
+ * @param int    $user_id    User ID.
+ * @param null   $deprecated Not used (argument deprecated).
+ * @param string $notify     Optional. Type of notification that should happen. Accepts 'admin' or an empty
+ *                           string (admin only), or 'both' (admin and user). The empty string value was kept
+ *                           for backward-compatibility purposes with the renamed parameter. Default empty.
  */
-function wp_new_user_notification( $user_id, $notify = '' ) {
+function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) {
+	if ( $deprecated !== null ) {
+		_deprecated_argument( __FUNCTION__, '4.3.1' );
+	}
+
 	global $wpdb, $wp_hasher;
 	$user = get_userdata( $user_id );
 
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 64ec650716..6f9de67706 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2619,7 +2619,7 @@ function register_new_user( $user_login, $user_email ) {
 
 	update_user_option( $user_id, 'default_password_nag', true, true ); //Set up the Password change nag.
 
-	wp_new_user_notification( $user_id, 'both' );
+	wp_new_user_notification( $user_id, null, 'both' );
 
 	return $user_id;
 }