[wp-trac] [WordPress Trac] #17904: Multisite has more restrictions on user login character set

WordPress Trac noreply at wordpress.org
Tue May 17 17:19:53 UTC 2016


#17904: Multisite has more restrictions on user login character set
--------------------------------------+-------------------------
 Reporter:  duck_                     |       Owner:  jeremyfelt
     Type:  defect (bug)              |      Status:  assigned
 Priority:  normal                    |   Milestone:  4.6
Component:  Login and Registration    |     Version:  3.0
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:  multisite
--------------------------------------+-------------------------

Comment (by jeremyfelt):

 Replying to [comment:49 ericlewis]:
 > More in attachment:17904.5.diff.
 >
 > I've brought over the `validate_username` filter from
 `validate_username()` for backwards compatibility. This filter provides a
 generic true/false way to invalidate a username. If a developer wants to
 add a more explicit `WP_Error` code, they can use the
 `wp_validate_user_login` action.

 The `validate_username` filter is currently only used when checking the
 string against `sanitize_user` to see if it changed. Moving it to its new
 location in `wp_validate_user_login()` gives it more authority and removes
 the direct true/false response it has now. I'd prefer finding a way to
 apply the filter only in the case of the `sanitize_user()` mismatch
 further up.

 > We should deprecate `validate_username()` and perhaps have it call
 `wp_validate_user_login()` directly.

 I think deprecating is the right answer, as core will no longer use it,
 though I'm not sure the internals should change immediately. It performs a
 very direct task at the moment.

 > `wp_validate_user_login()` should stay true to its intent, and
 exclusively handle validation. The function could return true or WP_Error.
 The `wp_validate_user_login` filter shouldn't allow for filtering of the
 user_login, and rather filter the WP_Error, with the `user_login` passed
 in for context.

 Agreed, `true`/`WP_Error` makes sense.

 > `wp_insert_user()` has some duplicate logic. Should we call
 `wp_validate_user_login()` in here? The WP_Error response codes are
 incompatible with the ones merged in from `wpmu_validate_user_signup()`
 (e.g. `user_name` vs. `empty_user_login`).

 It's interesting that we don't already do more validation in
 `wp_insert_user()`. I don't think we should make adjustments there right
 now. There are quite a few additional restrictions in
 `wp_validate_user_login()` that may not jive with non-UI facing code that
 has been using `wp_insert_user()` for a while.

 > I've moved the "is this username pending sign-up?" logic from
 `wpmu_validate_user_signup()` into `wp_validate_user_login()`, which was
 [https://core.trac.wordpress.org/ticket/17904#comment:20 intended
 previously].

 +1

 Would anything break if we adjusted the order of the `is_multisite()`
 checks a bit for readability? Illegal names could go after illegal user
 logins. Username exists could go after the pending signups. It may be
 easier then to spot the single site/multisite differences.

 > > Oh, I also suggest that we change the username away from admin when
 installing WordPress in unit tests so that some tests can pass.
 >
 > I'm going to hold back on this recommendation as it breaks other tests
 and would hamstring our work here. Commenting out the problematic code in
 the unit test for now.

 This seems like a good idea. Should we move that specific change to
 another ticket?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/17904#comment:52>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list