Plugin Directory: Enforce owner-domain verification for Plugin URI / Author URI on new plugin submissions #613

@davidperezgar

Summary

We currently show ownership guidance in the upload UI, but we do not enforce it during submission checks.

For new plugin submissions, we should validate plugin header URLs (Plugin URI, Author URI) against the submitter’s verified email domain (or require a clear ownership proof flow).

Problem

At submit time, plugin metadata can claim organization/project ownership without domain alignment, which can mislead users and reviewers.

Proposal

Add a new validation step in the submission flow (shortcodes/class-upload-handler.php) for new submissions:

  1. Parse domains from:
    • Plugin URI
    • Author URI
  2. Compare those domains to the submitter’s email domain (from profile email).
  3. If the domain does not match and no approved ownership proof exists, block the submission with actionable error text.

Error message (proposed)

Error: Ownership could not be verified for plugin URLs.
The domain used in Plugin URI/Author URI must match your profile email domain, or you must provide ownership verification. Update your profile email domain or contact plugins@wordpress.org with proof of ownership.

Scope

  • Apply on new plugin submissions.
  • Do not block existing plugins updating versions (unless we explicitly decide to extend later).
  • Keep current “Plugin URI and Author URI must be different” rule.

Acceptance criteria

  • New submission fails when Plugin URI/Author URI domain does not match submitter email domain and no override/proof exists.
  • New submission succeeds when domain matches.
  • New submission succeeds when approved ownership proof/override exists.
  • Clear reviewer-facing logging for failures/overrides.

Notes

Related UI copy already exists in shortcodes/class-upload.php under “Plugin Ownership”, but backend enforcement is missing.
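
The three Proposal steps in PHP, as an added example that is not part of the original issue or the Plugin Directory code base. All function names are hypothetical; accepting subdomains of the email domain and skipping empty headers are assumptions the issue does not specify.

```php
<?php
// Added example, not Plugin Directory code; every function name is hypothetical.

// Lowercased host of a URL, or null when parse_url() finds none (e.g. no scheme).
function example_url_host( string $url ): ?string {
	$host = parse_url( trim( $url ), PHP_URL_HOST );
	$host = is_string( $host ) ? rtrim( strtolower( $host ), '.' ) : '';
	return '' === $host ? null : $host;
}

// Domain part of an email address, or null when the address has no domain part.
function example_email_domain( string $email ): ?string {
	$at     = strrpos( $email, '@' );
	$domain = false === $at ? '' : rtrim( strtolower( (string) substr( $email, $at + 1 ) ), '.' );
	return '' === $domain ? null : $domain;
}

// Assumption: the host must equal the email domain or be a subdomain of it.
// Comparing against ".domain" stops "notacme.test" from matching "acme.test".
function example_host_matches( string $host, string $domain ): bool {
	$suffix = '.' . $domain;
	return $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix;
}

// Returns the header names that fail verification; an empty array means pass.
function example_check_ownership( array $headers, string $email, bool $has_override ): array {
	if ( $has_override ) {
		return array(); // Approved ownership proof exists.
	}
	$domain = example_email_domain( $email );
	$failed = array();
	foreach ( array( 'Plugin URI', 'Author URI' ) as $name ) {
		$url = trim( $headers[ $name ] ?? '' );
		if ( '' === $url ) {
			continue; // Assumption: an empty header makes no ownership claim.
		}
		$host = example_url_host( $url );
		if ( null === $domain || null === $host || ! example_host_matches( $host, $domain ) ) {
			$failed[] = $name;
		}
	}
	return $failed;
}

// Constructed sample submission: the second header only looks like the same domain.
$headers = array( 'Plugin URI' => 'https://Plugins.Acme.test/seo', 'Author URI' => 'https://acme.test.other.test/' );
var_dump( example_check_ownership( $headers, 'dev@acme.test', false ) ); // no override on file
var_dump( example_check_ownership( $headers, 'dev@acme.test', true ) );  // approved override on file
```

The comparison uses the host that `parse_url()` extracts rather than a substring search over the raw URL, so text in the userinfo, path or query cannot satisfy the check.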
