[wp-trac] [WordPress Trac] #31686: wp_authenticate_username_password() should check for a WP_Error object
WordPress Trac
noreply at wordpress.org
Wed Mar 18 16:29:10 UTC 2015
#31686: wp_authenticate_username_password() should check for a WP_Error object
--------------------------+-----------------------------
Reporter: kwisatz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
This is a follow-up to #19714 and #22516
These were closed, but IMHO, the bug as such is not resolved.
wp_authenticate_username_password() only checks whether $user is a
WP_Error object when either the password or the username is empty:
{{{
if ( empty($username) || empty($password) ) {
	if ( is_wp_error( $user ) )
		return $user;
	…
}}}
However, another plugin that hooks into authenticate might pass a WP_Error
even if $username and $password were provided, but the specific
authentication mechanism failed.
The current implementation completely ignores this.
The result is that users who exist locally can log in using a local,
possibly older password, bypassing the plugins' additional authentication
mechanisms completely.
I'd advocate to check for is_wp_error($user) much earlier in
wp_authenticate_username_password(), so that the authentication process
will fail as soon as one "authenticate" filter returns a WP_Error object.
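A minimal stand-alone illustration of the ordering problem described in this ticket (added example, not WordPress core code): MiniError, is_error() and run_chain() are constructed stand-ins for WP_Error, is_wp_error() and apply_filters('authenticate', …); plugin_second_factor() and local_password_check() are hypothetical.

```php
<?php
// Constructed stand-ins for WP_Error / is_wp_error(); not WordPress code.
class MiniError {
    public $msg;
    public function __construct($msg) { $this->msg = $msg; }
}
function is_error($v) { return $v instanceof MiniError; }

// Hypothetical plugin callback on "authenticate": it runs before the core
// callback and rejects the login even though username and password are set.
function plugin_second_factor($user, $username, $password) {
    return new MiniError('second_factor_failed');
}

// Hypothetical local check standing in for the core password lookup.
function local_password_check($username, $password) {
    if ($username === 'alice' && $password === 'old-local-pass') {
        return "user:$username";
    }
    return new MiniError('invalid_password');
}

// Mirrors the ordering quoted in the ticket: an incoming WP_Error is only
// honoured when a field is empty; otherwise $user is never looked at.
function authenticate_current($user, $username, $password) {
    if (empty($username) || empty($password)) {
        if (is_error($user)) return $user;
        return new MiniError('empty_fields');
    }
    return local_password_check($username, $password);
}

// The ordering the ticket advocates: fail as soon as an earlier filter
// returned an error, before any local password check.
function authenticate_fixed($user, $username, $password) {
    if (is_error($user)) return $user;
    if (empty($username) || empty($password)) return new MiniError('empty_fields');
    return local_password_check($username, $password);
}

// Stand-in for apply_filters('authenticate', null, $username, $password):
// each callback receives the previous callback's result as $user.
function run_chain(array $callbacks, $username, $password) {
    $user = null;
    foreach ($callbacks as $cb) { $user = $cb($user, $username, $password); }
    return $user;
}

foreach (['authenticate_current', 'authenticate_fixed'] as $core) {
    $r = run_chain(['plugin_second_factor', $core], 'alice', 'old-local-pass');
    echo $core, ': ', is_error($r) ? "rejected ({$r->msg})" : "accepted ($r)", "\n";
}
```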
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31686>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform