id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
19714,plugins which use the 'authenticate' hook unable to return errors,willnorris,,"The 'authenticate' hook is designed to allow functions to return either an authenticated `WP_User` object (which will cause the user to be logged in), or a `WP_Error` object, which will cause the errors to be displayed to the user.

In practice, most plugins that use this hook don't rely on the username and password at all, but instead on other means entirely.  So what is happening with these plugins (the OpenID plugin chief among them), is that they are returning a `WP_Error` object that describes the error, but then the `wp_authenticate_username_password` function is ignoring that and returning its own `WP_Error` object which rightfully shows that the username and password fields were left empty.  Unfortunately, this error object (containing both an empty username AND password) is explicitly checked for and removed in the `wp_signon` method.  This is normally the right behavior and handles the case of a user who simply clicks ""Log In"" without entering anything... we don't show them an error, we just redraw the login form.  However, in the case described above, an actual error did occur with an authentication plugin, but the user simply sees the normal login form with no error displayed.

(patch forthcoming)",defect (bug),new,normal,Awaiting Review,General,3.3,normal,,has-patch,abackstrom
