[wp-trac] [WordPress Trac] #52066: Application Passwords are unusable in combination with password protected /wp-admin
WordPress Trac
noreply at wordpress.org
Sun Jan 24 02:56:32 UTC 2021
#52066: Application Passwords are unusable in combination with password protected
/wp-admin
-----------------------------------+--------------------------------
  Reporter:  SeBsZ                 |       Owner:  TimothyBlynJacobs
      Type:  defect (bug)          |      Status:  closed
  Priority:  normal                |   Milestone:  5.6.1
 Component:  Application Passwords |     Version:  5.6
  Severity:  major                 |  Resolution:  fixed
  Keywords:  has-patch commit      |     Focuses:
-----------------------------------+--------------------------------
Changes (by TimothyBlynJacobs):
* owner: (none) => TimothyBlynJacobs
* status: new => closed
* resolution: => fixed
Comment:
In [changeset:"50006" 50006]:
{{{
#!CommitTicketReference repository="" revision="50006"
App Passwords: Extract Basic Auth check into a reusable filterable
function.

In [49752] a check was added to prevent creating new Application Passwords
if Basic Auth credentials were detected to prevent conflicts. This check
takes place in WP-Admin, though a conflict would only arise if Basic Auth
was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function,
`wp_is_site_protected_by_basic_auth()`, which can be adjusted using a
filter of the same name. This way, a site that uses Basic Auth to protect
WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could
make a loopback request and check for a `WWW-Authenticate` header to make
this detection more robust out of the box.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov,
TimothyBlynJacobs.

Fixes #52066.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52066#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
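
Added example, not part of the changeset or of WordPress core: a must-use plugin sketch that answers the `wp_is_site_protected_by_basic_auth` filter with the loopback check the commit message describes, probing the front-end without credentials and looking for a Basic challenge in `WWW-Authenticate`. The `example_*` function names, the transient key, the one-hour cache and the choice of `home_url( '/' )` as the probe target are assumptions.

```php
<?php
/**
 * Plugin Name: Example front-end Basic Auth probe (added example, not core code)
 */

// True if one WWW-Authenticate value offers the Basic scheme. Handles several
// challenges in one header, e.g. 'Negotiate, Basic realm="x"'.
function example_header_offers_basic( $value ) {
	// Blank out quoted strings so a realm such as "a, basic b" cannot match.
	$bare = preg_replace( '/"(?:[^"\\\\]|\\\\.)*"/', '""', (string) $value );
	// A scheme token starts the value or follows a comma; an auth-param named
	// "basic" would be followed by "=" and is rejected by the lookahead.
	return 1 === preg_match( '/(?:^|,)\s*basic(?=\s|,|$)/i', $bare );
}

// true/false = front-end does / does not demand Basic Auth; null = probe failed.
function example_front_end_requires_basic_auth() {
	$cached = get_transient( 'example_front_basic_auth' ); // hypothetical key
	if ( false !== $cached ) {
		return 'yes' === $cached;
	}

	// Loopback request to the public front-end, sent without credentials.
	$response = wp_remote_get( home_url( '/' ), array( 'timeout' => 5 ) );
	if ( is_wp_error( $response ) ) {
		return null;
	}

	$protected = false;
	if ( 401 === (int) wp_remote_retrieve_response_code( $response ) ) {
		// The header may come back as a string or as an array of values.
		$values = (array) wp_remote_retrieve_header( $response, 'www-authenticate' );
		foreach ( $values as $value ) {
			$protected = $protected || example_header_offers_basic( $value );
		}
	}

	set_transient( 'example_front_basic_auth', $protected ? 'yes' : 'no', HOUR_IN_SECONDS );
	return $protected;
}

add_filter(
	'wp_is_site_protected_by_basic_auth',
	function ( $is_protected ) {
		$probe = example_front_end_requires_basic_auth();
		// If the probe could not run, keep the answer core computed itself.
		return null === $probe ? $is_protected : $probe;
	}
);
```

When the loopback request fails, the callback returns the value it was given, so creation of Application Passwords is never enabled on the strength of a failed probe.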