[wp-trac] [WordPress Trac] #19714: plugins which use the 'authenticate' hook unable to return errors

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 3 00:59:01 UTC 2012


#19714: plugins which use the 'authenticate' hook unable to return errors
--------------------------+------------------------------
 Reporter:  willnorris    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  General       |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------------------

Comment (by willnorris):

 hmm, okay now I'm torn.  I still feel like auth plugins should typically
 happen before the username/password though I'm having trouble articulating
 exactly why.

 However, I just noticed that `wp_authenticate_username_password` also has
 checks for the user or their site being marked as spam.  Based on how
 things work today, the spammer would still be able to log in using an auth
 plugin like OpenID, since that happens before the spammer checks.  My gut
 reaction is that the spammer check should not happen inside the
 `wp_authenticate_username_password` method, since that actually has
 nothing to do with the original intent of that method... authenticating a
 user by username and password.  Instead, I think it should be its own
 function that hooks into 'authenticate' much later.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19714#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
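
The ordering problem described in this comment, modeled as an added self-contained PHP example (not WordPress core code and not the ticket's patch): an early external-auth filter makes a password step with an embedded spam check skip that check, while a separate late filter still applies it. The priorities 10/20/99, the account data and all function names are constructed for illustration.

```php
<?php
// Simplified model of an 'authenticate' filter chain; not WordPress code.
$accounts = ['mallory' => ['password' => 'hunter2', 'spam' => true]]; // constructed sample

// Run callbacks in ascending priority, feeding each result to the next.
function run_authenticate(array $filters, string $username, string $password) {
    ksort($filters);
    $result = null;
    foreach ($filters as $callback) {
        $result = $callback($result, $username, $password);
    }
    return $result;
}

// Hypothetical external-auth plugin. Assumption: an empty password means the
// external provider (e.g. OpenID) has already verified this identity.
$external_auth = function ($result, $username, $password) use ($accounts) {
    return ($password === '' && isset($accounts[$username])) ? ['user' => $username] : $result;
};

// Username/password step with no spam logic in it.
$password_only = function ($result, $username, $password) use ($accounts) {
    if (isset($result['user'])) {
        return $result; // an earlier filter already authenticated the user
    }
    $stored = $accounts[$username]['password'] ?? null;
    $ok = $stored !== null && hash_equals($stored, $password);
    return $ok ? ['user' => $username] : ['error' => 'invalid_credentials'];
};

// Spam check as its own filter: applies to whoever ended up authenticated.
$spam_check = function ($result) use ($accounts) {
    $is_spam = isset($result['user']) && $accounts[$result['user']]['spam'];
    return $is_spam ? ['error' => 'spammer_account'] : $result;
};

// Spam check embedded in the password step: the early return for an
// already-authenticated user skips it.
$password_with_spam = function ($result, $u, $p) use ($password_only, $spam_check) {
    return isset($result['user']) ? $result : $spam_check($password_only($result, $u, $p));
};

$chains = [
    'embedded check' => [10 => $external_auth, 20 => $password_with_spam],
    'late hook'      => [10 => $external_auth, 20 => $password_only, 99 => $spam_check],
];
foreach ($chains as $label => $chain) {
    echo $label, ': ', json_encode(run_authenticate($chain, 'mallory', '')), "\n";
}
```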

