[wp-trac] [WordPress Trac] #19714: plugins which use the 'authenticate' hook unable to return errors
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 3 00:59:01 UTC 2012
#19714: plugins which use the 'authenticate' hook unable to return errors
--------------------------+------------------------------
Reporter: willnorris | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+------------------------------
Comment (by willnorris):
Hmm, okay, now I'm torn. I still feel like auth plugins should typically
happen before the username/password, though I'm having trouble articulating
exactly why.

However, I just noticed that `wp_authenticate_username_password` also has
checks for the user or their site being marked as spam. Based on how
things work today, the spammer would still be able to log in using an auth
plugin like OpenID, since that happens before the spammer checks. My gut
reaction is that the spammer check should not happen inside the
`wp_authenticate_username_password` method, since that actually has
nothing to do with the original intent of that method... authenticating a
user by username and password. Instead, I think it should be its own
function that hooks into 'authenticate' much later.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19714#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
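
The separation proposed in the comment above, sketched as an added example; it is not code from the ticket, its patch, or WordPress core. It assumes a multisite install; the function name `example_authenticate_spam_check`, the error code `spammer_account`, the super-admin exemption and the priority value 99 are illustrative assumptions.

```php
<?php
/**
 * Added example: run the multisite spam checks as their own late
 * 'authenticate' callback, so they apply to every authentication method
 * (password, OpenID, ...) instead of only the username/password path.
 */
function example_authenticate_spam_check( $user, $username = '', $password = '' ) {
    // Act only on a successful authentication. WP_Error and null pass
    // through untouched so earlier callbacks can still report failures.
    if ( ! ( $user instanceof WP_User ) || ! is_multisite() ) {
        return $user;
    }

    // The account itself is flagged as spam.
    if ( isset( $user->spam ) && 1 == $user->spam ) {
        return new WP_Error(
            'spammer_account', // hypothetical error code
            __( 'Your account has been marked as a spammer.' )
        );
    }

    // The user's primary site is flagged as spam.
    // Exempting super admins is an assumption of this example.
    $primary = get_user_meta( $user->ID, 'primary_blog', true );
    if ( $primary && ! is_super_admin( $user->ID ) ) {
        $details = get_blog_details( (int) $primary );
        if ( is_object( $details ) && 1 == $details->spam ) {
            return new WP_Error( 'blog_suspended', __( 'Site Suspended.' ) );
        }
    }

    return $user;
}

// 99 is an assumed value: the point is only that this callback runs after
// every callback that can turn credentials into a WP_User.
add_filter( 'authenticate', 'example_authenticate_spam_check', 99, 3 );
```

Because the callback replaces an already authenticated `WP_User` with a `WP_Error`, an auth plugin hooked earlier cannot complete a login for a flagged account unless it hooks at an even later priority.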