[resolved] Why not just login automatically when user is activated? (8 posts)

  1. webvitaly
    Member
    Posted 1 year ago #

    After registering a new blog on WordPress Multisite, the user receives a link like this by email, and after clicking it the blog and user are activated (created):
    http://site.com/wp-activate.php?key=abcdefg1234567890

    It would be great for the user to be logged in automatically and redirected to the activated blog.
    This could be done by adding code like this to the end of the wp-activate.php file:

    <?php
    $creds = array();
    $creds['user_login'] = $user->user_login;
    $creds['user_password'] = $password;
    $creds['remember'] = true;
    $user = wp_signon( $creds, false ); // login automatically
    if ( is_wp_error($user) ) {
    	echo $user->get_error_message();
    } else { // redirect to site
    	wp_redirect( $url );
    	exit;
    }
    ?>

    IMHO this could be added to WordPress core.
    It is a useful feature for users and could be done pretty easily.

  2. You mean you want people to have their account created and log in right away without activating?

    Or do you mean the second email that comes with your password is annoying?

    It's done for security. Stops a LOT of spammers.

  3. webvitaly
    Member
    Posted 1 year ago #

    After signing up, the user receives an activation link by email.
    Then the user clicks this link from the email to activate his blog and username: http://site.com/wp-activate.php?key=abcdefg1234567890 and the user sees his login and password, and now the user can log in to his blog.
    I mean that at this step, after clicking this activation link, the user could be logged in automatically.

    I don't want to skip the email-activation step. I want the user to be logged in just after user and blog activation.

  4. The problem is that the password is sensitive data.

    Yes, logging them in instantly would make things more convenient, but putting the password in the URL is bad. This is more secure. And god knows we need more secure.

  5. webvitaly
    Member
    Posted 1 year ago #

    I am not saying to add the password to the link.
    Check out line 103:
    http://core.trac.wordpress.org/browser/trunk/wp-activate.php#L103
    There you can find the $password.

    If you insert the code I posted before just after line 103, then the user will be logged in automatically and security will be on the same level as before.

  6. side777
    Member
    Posted 7 months ago #

    thanks for this snippet! i use it in my network now.

    this is WAY better than showing the password - in plain text - on the screen in the browser after activation! (which is very far away from secure...)

  7. For the love of potatoes!

    DO NOT EDIT CORE

    Good lord, people, just stop it right now. If you really think that's the only way to solve the problem, then either the problem is way bigger than you think or you need to join the dev team and make WP more awesome. 99.99999% of the time? Editing core is a terrible, horrible, no good, very bad, yes I am publicly telling you that you're doing it wrong, thing.

    Okay?

    If this isn't hookable (which a quick Google seems to imply it's not), then this may not be a very safe or good idea to do.

    Please stop editing core.

  8. side777
    Member
    Posted 7 months ago #

    well, the hook would be 'wpmu_activate_user' and - of course - i added an action to it with the snippet above. (slightly changed.) i did

    NOT EDIT ANY CORE FILES!!

    this is absolutely not recommended and i am sorry that i wasn't clear about this before.

    this is the code i used:

    // core fires this hook as do_action( 'wpmu_activate_user', $user_id, $password, $meta ),
    // so the second argument (named $email here) receives the generated password
    function custom_login_new_user( $user_id, $email, $meta ) {
    	$user = new WP_User( (int) $user_id );
    	$creds = array();
    	$creds['user_login'] = $user->user_login;
    	$creds['user_password'] = $meta['user_pass']; // needs 'user_pass' to be present in the signup meta
    	$creds['remember'] = true;
    	$user = wp_signon( $creds, false );
    	// check for a failed sign-on before reading $user->ID (a WP_Error has no ID)
    	if ( is_wp_error($user) ) {
    		echo $user->get_error_message();
    	} else {
    		wp_set_current_user($user->ID);
    		// safe redirect to actually login the user - otherwise they would need to manually refresh the page
    		// PLUS: this clears the activation confirmation page with the plain text password printed on screen
    		wp_safe_redirect( get_home_url() );
    		exit;
    	}
    }
    add_action( 'wpmu_activate_user', 'custom_login_new_user', 10, 3 );

This topic has been closed to new replies.