[wp-trac] [WordPress Trac] #17904: Multisite has more restrictions on user login character set
WordPress Trac
noreply at wordpress.org
Mon Mar 13 17:26:43 UTC 2017
#17904: Multisite has more restrictions on user login character set
-------------------------------------------------+-------------------------
Reporter: duck_ | Owner: jeremyfelt
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Future Release
Component: Login and Registration | Version: 3.0
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests 2nd-opinion needs-refresh | Focuses: multisite
-------------------------------------------------+-------------------------
Changes (by johnjamesjacoby):
* keywords: has-patch has-unit-tests early => has-patch has-unit-tests
2nd-opinion needs-refresh
Comment:
I just ran into another edge-case.

Plugins that implement their own user registration functionality are
highly likely to use `validate_username()` directly (because there really
isn't an easier way to customize it all) but the `validate_username`
filter does not enforce multisite's `user_login` rules.

This means if a plugin like Easy Digital Downloads is active on 1 site of
a multisite install, and someone buys something, and registration is
enabled, anonymous users can successfully sign up to a multisite install
with the username `-`, which is totally valid for single-site but invalid
for multisite.

I think it's safe to assume this concern is pandemic across the plugins
repository, though a deeper dive would be revealing. If that's the case,
deprecating `validate_username` alone is no longer a complete solution.
----
In light of this new information, I'd like to propose the opposite
approach.
* Continue to use `validate_username()` as is
* Introduce a `wpmu_validate_username()` filter to enforce the multisite
rules when `validate_username()` is called
* Introduce the `wp_validate_user_login()` function as discussed, but have
it use `validate_username()` internally, and only use it in places where
`WP_Error` results are desirable.
* In addition, the patches above don't use the return values of
`wp_validate_user_login()` so they wouldn't actually work as intended, so
it needs a refresh regardless
--
Ticket URL: <https://core.trac.wordpress.org/ticket/17904#comment:63>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
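
A site-level stopgap for the gap described in the comment above, as an added example (not the ticket's patch and not WordPress core code): a must-use plugin that hooks the existing `validate_username` filter so plugins calling `validate_username()` directly also get multisite's stricter checks. The callback name is hypothetical, and the rules are assumed to match those in `wpmu_validate_user_signup()` (lowercase a-z and digits only, 4 to 60 characters, at least one letter, not in the network's `illegal_names` option).

```php
<?php
/**
 * Plugin Name: Enforce multisite user_login rules in validate_username() (example)
 *
 * Added example, not part of the ticket. Intended for wp-content/mu-plugins/.
 */

/**
 * Hypothetical callback: rejects logins that single-site validation accepts
 * but multisite signup is assumed to refuse (for example "-").
 *
 * @param bool   $valid    Result of validate_username() so far.
 * @param string $username Username being validated.
 * @return bool
 */
function example_enforce_multisite_login_rules( $valid, $username ) {
	// Never upgrade an invalid result, and leave single-site installs alone.
	if ( ! $valid || ! is_multisite() ) {
		return $valid;
	}

	$username = (string) $username;

	// Assumed rule: lowercase letters and digits only ("-", "Bob", "a.b" fail).
	if ( ! preg_match( '/^[a-z0-9]+$/', $username ) ) {
		return false;
	}

	// Assumed rule: between 4 and 60 characters.
	$length = strlen( $username );
	if ( $length < 4 || $length > 60 ) {
		return false;
	}

	// Assumed rule: must contain at least one letter.
	if ( preg_match( '/^[0-9]+$/', $username ) ) {
		return false;
	}

	// Assumed rule: network-wide reserved names are refused.
	$illegal = (array) get_site_option( 'illegal_names', array() );
	if ( in_array( $username, $illegal, true ) ) {
		return false;
	}

	return true;
}
add_filter( 'validate_username', 'example_enforce_multisite_login_rules', 10, 2 );
```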