Ticket #8941 (closed defect (bug): fixed)

Opened 3 years ago

Last modified 3 years ago

XML-RPC should use User returned from wp_authenticate

Reported by: wnorris
Owned by: josephscott
Priority: normal
Milestone: 2.8
Component: XML-RPC
Version:
Severity: normal
Keywords: has-patch
Cc: redsweater

Description

The WordPress XML-RPC class currently makes use of wp_authenticate indirectly to test the validity of the username and password included in requests. It then calls set_current_user( 0, $username ) separately, using the username that was included in the request. This works in most cases, except those in which the user returned by wp_authenticate does not match the username that was in the XML-RPC request. Specifically, I'm thinking about requests that are authenticated using OAuth. For those requests, the username and password in the XML-RPC request will be empty, but wp_authenticate will still be able to return the correct user based on the OAuth request headers.

The included patch makes the following changes:

  • adds new login() function that mimics login_pass_ok(), but passes back the user object from wp_authenticate rather than a simple boolean. It also calls set_current_user(). All functions have been updated to use login() instead of login_pass_ok(), and the latter has been marked @deprecated
  • standardize on 'username' and 'password' as variable names. Some functions still used 'user_login' and 'user_pass'.

It's important to note that while this patch is part of the same overall effort as #8938 (that is, to allow for OAuth-authenticated XML-RPC requests), this patch is in no way dependent on #8938. It should work just fine on its own, without introducing any backward compatibility issues.

Attachments

xmlrpc.diff (24.3 KB) - added by wnorris 3 years ago.
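
The difference between the two login paths described above, as an added example that is not part of the ticket, the attached patch, or WordPress itself. `demo_authenticate()` and `demo_user_by_name()` are hypothetical stand-ins for wp_authenticate and the name-based set_current_user() call, and the accounts and header token are constructed sample data.

```php
<?php
// Constructed sample data: two accounts and one header token (stand-in for OAuth).
const USERS  = ['alice' => ['ID' => 1, 'pass' => 'a-pass'], 'bob' => ['ID' => 2, 'pass' => 'b-pass']];
const TOKENS = ['tok-bob' => 'bob'];

// Hypothetical stand-in for the name-based lookup behind set_current_user( 0, $username ).
function demo_user_by_name(string $username): ?array {
    $row = USERS[$username] ?? null;
    return $row === null ? null : ['ID' => $row['ID'], 'login' => $username];
}

// Hypothetical stand-in for wp_authenticate(): request headers may identify the
// user even when the username and password in the XML-RPC body are empty.
function demo_authenticate(string $username, string $password, array $headers): ?array {
    $login = TOKENS[$headers['Authorization'] ?? ''] ?? null;
    if ($login !== null) {
        return demo_user_by_name($login);
    }
    $row = USERS[$username] ?? null;
    if ($row !== null && hash_equals($row['pass'], $password)) {
        return demo_user_by_name($username);
    }
    return null;
}

// login_pass_ok() pattern: a boolean check, then the current user is looked up
// again from the username the request supplied.
function login_old(string $username, string $password, array $headers): ?array {
    if (demo_authenticate($username, $password, $headers) === null) {
        return null;
    }
    return demo_user_by_name($username);
}

// login() pattern: the current user is the object the authenticator returned.
function login_new(string $username, string $password, array $headers): ?array {
    return demo_authenticate($username, $password, $headers);
}

$cases = [
    'password request'      => ['alice', 'a-pass', []],
    'token, empty username' => ['', '', ['Authorization' => 'tok-bob']],
    'token, stale username' => ['alice', '', ['Authorization' => 'tok-bob']],
    'bad password'          => ['alice', 'wrong', []],
];
foreach ($cases as $label => [$u, $p, $h]) {
    $old = login_old($u, $p, $h)['login'] ?? 'none';
    $new = login_new($u, $p, $h)['login'] ?? 'none';
    printf("%-22s old=%-5s new=%s\n", $label, $old, $new);
}
```

For the header-authenticated rows the old path ends up with no user or with a different one, while the new path keeps the account the authenticator resolved.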

Change History

wnorris 3 years ago

  • Cc redsweater added

I applied this patch to my trunk test and cursory testing reveals no backward compatibility problem with authentication from MarsEdit.

This patch has been working fine in my tests so far. I'd like to see this get into -trunk.

comment:3 ryan 3 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [10456]) Use user returned from auth for XML-RPC logins. Props wnorris. fixes #8941
