
Changeset 10437


Timestamp:
01/24/2009 10:38:19 PM (9 years ago)
Author:
westi
Message:

Make authentication more pluggable than ever before. See #8938 props wnorris.

Location:
trunk/wp-includes
Files:
2 edited

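--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -423,30 +423,19 @@
 function wp_authenticate($username, $password) {
     $username = sanitize_user($username);
-
-    if ( '' == $username )
-        return new WP_Error('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
-
-    if ( '' == $password )
-        return new WP_Error('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
-
-    $user = get_userdatabylogin($username);
-
-    if ( !$user || ($user->user_login != $username) ) {
-        do_action( 'wp_login_failed', $username );
-        return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
-    }
-
-    $user = apply_filters('wp_authenticate_user', $user, $password);
-    if ( is_wp_error($user) ) {
-        do_action( 'wp_login_failed', $username );
-        return $user;
-    }
-
-    if ( !wp_check_password($password, $user->user_pass, $user->ID) ) {
-        do_action( 'wp_login_failed', $username );
-        return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
-    }
-
-    return new WP_User($user->ID);
+    $password = trim($password);
+
+    $user = apply_filters('authenticate', null, $username, $password);
+
+    if ($user == null) {
+        // TODO what should the error message be? (Or would these even happen?)
+        // Only needed if all authentication handlers fail to return anything.
+        $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
+    }
+
+    if (is_wp_error($user)) {
+        do_action('wp_login_failed', $username);
+    }
+
+    return $user;
 }
 endif;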
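Review bot: The fallback at `if ($user == null)` only catches an empty result, so any other value a callback on the new `authenticate` filter returns (a bare `true`, an array, a raw user row) is handed back to callers as a successful login. Since the credential check now lives entirely in filter callbacks, wp_authenticate should fail closed on anything that is neither a WP_User nor a WP_Error: `if ( !is_a($user, 'WP_User') && !is_wp_error($user) ) {` in place of the null test. The function's doc block is not visible in this hunk; if one exists, it is the place to state that handlers must return a WP_User, a WP_Error, or the value they were given.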
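--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -33,8 +33,4 @@
     }
 
-    if ( !empty($credentials['user_login']) )
-        $credentials['user_login'] = sanitize_user($credentials['user_login']);
-    if ( !empty($credentials['user_password']) )
-        $credentials['user_password'] = trim($credentials['user_password']);
     if ( !empty($credentials['remember']) )
         $credentials['remember'] = true;
@@ -42,4 +38,5 @@
         $credentials['remember'] = false;
 
+    // TODO do we deprecate the wp_authentication action?
     do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
 
@@ -47,11 +44,77 @@
         $secure_cookie = is_ssl() ? true : false;
 
-    // If no credential info provided, check cookie.
-    if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
-        $user = wp_validate_auth_cookie();
-        if ( $user )
-            return new WP_User($user);
-
-        if ( $secure_cookie )
+    global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
+    $auth_secure_cookie = $secure_cookie;
+
+    add_filter('authenticate', 'wp_authenticate_cookie', 30, 3);
+
+    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
+
+    if ( is_wp_error($user) )
+        return $user;
+
+    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
+    do_action('wp_login', $credentials['user_login']);
+    return $user;
+}
+
+
+/**
+ * Authenticate the user using the username and password.
+ */
+add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
+function wp_authenticate_username_password($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    // XXX slight hack to handle initial load of wp-login.php
+    if ( (empty($username) && empty($password)) && $GLOBALS['pagenow'] == 'wp-login.php' ) {
+        return $user;
+    }
+
+    if ( empty($username) || empty($password) ) {
+        $error = new WP_Error();
+
+        if ( empty($username) )
+            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
+
+        if ( empty($password) )
+            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
+
+        return $error;
+    }
+
+    $userdata = get_userdatabylogin($username);
+
+    if ( !$userdata || ($userdata->user_login != $username) ) {
+        return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
+    }
+
+    $user = apply_filters('wp_authenticate_user', $user, $password);
+    if ( is_wp_error($user) ) {
+        return $user;
+    }
+
+    if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
+        return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
+    }
+
+    $user =  new WP_User($userdata->ID);
+    return $user;
+}
+
+/**
+ * Authenticate the user using the WordPress auth cookie.
+ */
+function wp_authenticate_cookie($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    if ( empty($username) && empty($password) ) {
+        $user_id = wp_validate_auth_cookie();
+        if ( $user_id )
+            return new WP_User($user_id);
+
+        global $auth_secure_cookie;
+
+        if ( $auth_secure_cookie )
             $auth_cookie = SECURE_AUTH_COOKIE;
         else
@@ -62,23 +125,6 @@
 
         // If the cookie is not set, be silent.
-        return new WP_Error();
-    }
-
-    if ( empty($credentials['user_login']) || empty($credentials['user_password']) ) {
-        $error = new WP_Error();
-
-        if ( empty($credentials['user_login']) )
-            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
-        if ( empty($credentials['user_password']) )
-            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
-        return $error;
-    }
-
-    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
-    if ( is_wp_error($user) )
-        return $user;
-
-    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
-    do_action('wp_login', $credentials['user_login']);
+    }
+
     return $user;
 }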
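Review bot: In wp_authenticate_username_password the call `apply_filters('wp_authenticate_user', $user, $password)` passes `$user`, which at that point is still the incoming filter value (normally null), not the `$userdata` row fetched just above it. The code removed from pluggable.php gave that filter the looked-up user record, so existing callbacks that reject an account by inspecting it would now have nothing to inspect and may let the login proceed. Pass and re-check the record instead: `$userdata = apply_filters('wp_authenticate_user', $userdata, $password);` followed by `if ( is_wp_error($userdata) ) { return $userdata; }`.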