Changeset 10437


Timestamp:
01/24/09 22:38:19 (7 years ago)
Author:
westi
Message:

Make authentication more pluggable than ever before. See #8938 props wnorris.

Location:
trunk/wp-includes
Files:
2 edited

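--- a/trunk/wp-includes/pluggable.php
+++ b/trunk/wp-includes/pluggable.php
@@ -423,30 +423,19 @@
 function wp_authenticate($username, $password) {
     $username = sanitize_user($username);
-
-    if ( '' == $username )
-        return new WP_Error('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
-
-    if ( '' == $password )
-        return new WP_Error('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
-
-    $user = get_userdatabylogin($username);
-
-    if ( !$user || ($user->user_login != $username) ) {
-        do_action( 'wp_login_failed', $username );
-        return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
-    }
-
-    $user = apply_filters('wp_authenticate_user', $user, $password);
-    if ( is_wp_error($user) ) {
-        do_action( 'wp_login_failed', $username );
-        return $user;
-    }
-
-    if ( !wp_check_password($password, $user->user_pass, $user->ID) ) {
-        do_action( 'wp_login_failed', $username );
-        return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
-    }
-
-    return new WP_User($user->ID);
+    $password = trim($password);
+
+    $user = apply_filters('authenticate', null, $username, $password);
+
+    if ($user == null) {
+        // TODO what should the error message be? (Or would these even happen?)
+        // Only needed if all authentication handlers fail to return anything.
+        $user = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));
+    }
+
+    if (is_wp_error($user)) {
+        do_action('wp_login_failed', $username);
+    }
+
+    return $user;
 }
 endif;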
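Review bot: The result of the `authenticate` filter chain is returned without a type check, so any non-null value that is neither a WP_User nor a WP_Error (for example `true` or a raw user row from a third-party handler) leaves wp_authenticate as a successful login, and wp_signon in user.php goes on to read `$user->ID` from it. The fallback should fail closed: replace `if ($user == null) {` with `if ( !is_a($user, 'WP_User') && !is_wp_error($user) ) {` so that only the two expected types survive. The `empty_username` and `empty_password` errors built by the username/password handler also now reach the `is_wp_error($user)` branch and fire `wp_login_failed`, which the removed code did not do for blank fields, so failed-login logging and lockout counters hooked on that action will start counting empty submissions. The conditional that `endif;` closes opens outside the hunk.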
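--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -33,8 +33,4 @@
     }
 
-    if ( !empty($credentials['user_login']) )
-        $credentials['user_login'] = sanitize_user($credentials['user_login']);
-    if ( !empty($credentials['user_password']) )
-        $credentials['user_password'] = trim($credentials['user_password']);
     if ( !empty($credentials['remember']) )
         $credentials['remember'] = true;
@@ -42,4 +38,5 @@
         $credentials['remember'] = false;
 
+    // TODO do we deprecate the wp_authentication action?
     do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
 
@@ -47,11 +44,77 @@
         $secure_cookie = is_ssl() ? true : false;
 
-    // If no credential info provided, check cookie.
-    if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
-        $user = wp_validate_auth_cookie();
-        if ( $user )
-            return new WP_User($user);
-
-        if ( $secure_cookie )
+    global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
+    $auth_secure_cookie = $secure_cookie;
+
+    add_filter('authenticate', 'wp_authenticate_cookie', 30, 3);
+
+    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
+
+    if ( is_wp_error($user) )
+        return $user;
+
+    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
+    do_action('wp_login', $credentials['user_login']);
+    return $user;
+}
+
+
+/**
+ * Authenticate the user using the username and password.
+ */
+add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
+function wp_authenticate_username_password($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    // XXX slight hack to handle initial load of wp-login.php
+    if ( (empty($username) && empty($password)) && $GLOBALS['pagenow'] == 'wp-login.php' ) {
+        return $user;
+    }
+
+    if ( empty($username) || empty($password) ) {
+        $error = new WP_Error();
+
+        if ( empty($username) )
+            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
+
+        if ( empty($password) )
+            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
+
+        return $error;
+    }
+
+    $userdata = get_userdatabylogin($username);
+
+    if ( !$userdata || ($userdata->user_login != $username) ) {
+        return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
+    }
+
+    $user = apply_filters('wp_authenticate_user', $user, $password);
+    if ( is_wp_error($user) ) {
+        return $user;
+    }
+
+    if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
+        return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
+    }
+
+    $user =  new WP_User($userdata->ID);
+    return $user;
+}
+
+/**
+ * Authenticate the user using the WordPress auth cookie.
+ */
+function wp_authenticate_cookie($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    if ( empty($username) && empty($password) ) {
+        $user_id = wp_validate_auth_cookie();
+        if ( $user_id )
+            return new WP_User($user_id);
+
+        global $auth_secure_cookie;
+
+        if ( $auth_secure_cookie )
             $auth_cookie = SECURE_AUTH_COOKIE;
         else
@@ -62,23 +125,6 @@
 
         // If the cookie is not set, be silent.
-        return new WP_Error();
-    }
-
-    if ( empty($credentials['user_login']) || empty($credentials['user_password']) ) {
-        $error = new WP_Error();
-
-        if ( empty($credentials['user_login']) )
-            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
-        if ( empty($credentials['user_password']) )
-            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
-        return $error;
-    }
-
-    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
-    if ( is_wp_error($user) )
-        return $user;
-
-    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
-    do_action('wp_login', $credentials['user_login']);
+    }
+
     return $user;
 }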
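Review bot: In `wp_authenticate_username_password` the `wp_authenticate_user` filter is applied to `$user`, which at that point is the incoming filter value (never a WP_User, since that case returned on the first line) and not the `$userdata` row that was just loaded. The code removed from wp_authenticate in pluggable.php passed the looked-up user to this hook. Callbacks that use it to veto a login by inspecting the account would no longer receive the record being authenticated, and the password check then proceeds on `$userdata` regardless of what they decided about it. Pass and test the loaded record instead: `$userdata = apply_filters('wp_authenticate_user', $userdata, $password);` followed by `if ( is_wp_error($userdata) ) { return $userdata; }`. The surrounding wp_signon body begins outside this section's first hunk.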