

Timestamp:
01/24/2009 10:38:19 PM (16 years ago)
Author:
westi
Message:

Make authentication more pluggable than ever before. See #8938 props wnorris.

File:
1 edited

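--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -33,8 +33,4 @@
     }
 
-    if ( !empty($credentials['user_login']) )
-        $credentials['user_login'] = sanitize_user($credentials['user_login']);
-    if ( !empty($credentials['user_password']) )
-        $credentials['user_password'] = trim($credentials['user_password']);
     if ( !empty($credentials['remember']) )
         $credentials['remember'] = true;
@@ -42,4 +38,5 @@
         $credentials['remember'] = false;
 
+    // TODO do we deprecate the wp_authentication action?
     do_action_ref_array('wp_authenticate', array(&$credentials['user_login'], &$credentials['user_password']));
 
@@ -47,11 +44,77 @@
         $secure_cookie = is_ssl() ? true : false;
 
-    // If no credential info provided, check cookie.
-    if ( empty($credentials['user_login']) && empty($credentials['user_password']) ) {
-        $user = wp_validate_auth_cookie();
-        if ( $user )
-            return new WP_User($user);
-
-        if ( $secure_cookie )
+    global $auth_secure_cookie; // XXX ugly hack to pass this to wp_authenticate_cookie
+    $auth_secure_cookie = $secure_cookie;
+
+    add_filter('authenticate', 'wp_authenticate_cookie', 30, 3);
+
+    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
+
+    if ( is_wp_error($user) )
+        return $user;
+
+    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
+    do_action('wp_login', $credentials['user_login']);
+    return $user;
+}
+
+
+/**
+ * Authenticate the user using the username and password.
+ */
+add_filter('authenticate', 'wp_authenticate_username_password', 20, 3);
+function wp_authenticate_username_password($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    // XXX slight hack to handle initial load of wp-login.php
+    if ( (empty($username) && empty($password)) && $GLOBALS['pagenow'] == 'wp-login.php' ) {
+        return $user;
+    }
+
+    if ( empty($username) || empty($password) ) {
+        $error = new WP_Error();
+
+        if ( empty($username) )
+            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
+
+        if ( empty($password) )
+            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
+
+        return $error;
+    }
+
+    $userdata = get_userdatabylogin($username);
+
+    if ( !$userdata || ($userdata->user_login != $username) ) {
+        return new WP_Error('invalid_username', __('<strong>ERROR</strong>: Invalid username.'));
+    }
+
+    $user = apply_filters('wp_authenticate_user', $user, $password);
+    if ( is_wp_error($user) ) {
+        return $user;
+    }
+
+    if ( !wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
+        return new WP_Error('incorrect_password', __('<strong>ERROR</strong>: Incorrect password.'));
+    }
+
+    $user =  new WP_User($userdata->ID);
+    return $user;
+}
+
+/**
+ * Authenticate the user using the WordPress auth cookie.
+ */
+function wp_authenticate_cookie($user, $username, $password) {
+    if ( is_a($user, 'WP_User') ) { return $user; }
+
+    if ( empty($username) && empty($password) ) {
+        $user_id = wp_validate_auth_cookie();
+        if ( $user_id )
+            return new WP_User($user_id);
+
+        global $auth_secure_cookie;
+
+        if ( $auth_secure_cookie )
             $auth_cookie = SECURE_AUTH_COOKIE;
         else
@@ -62,23 +125,6 @@
 
         // If the cookie is not set, be silent.
-        return new WP_Error();
-    }
-
-    if ( empty($credentials['user_login']) || empty($credentials['user_password']) ) {
-        $error = new WP_Error();
-
-        if ( empty($credentials['user_login']) )
-            $error->add('empty_username', __('<strong>ERROR</strong>: The username field is empty.'));
-        if ( empty($credentials['user_password']) )
-            $error->add('empty_password', __('<strong>ERROR</strong>: The password field is empty.'));
-        return $error;
-    }
-
-    $user = wp_authenticate($credentials['user_login'], $credentials['user_password']);
-    if ( is_wp_error($user) )
-        return $user;
-
-    wp_set_auth_cookie($user->ID, $credentials['remember'], $secure_cookie);
-    do_action('wp_login', $credentials['user_login']);
+    }
+
     return $user;
 }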
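Review bot: In wp_authenticate_username_password the `wp_authenticate_user` filter is applied to `$user`, the value handed down the `authenticate` chain, rather than to the `$userdata` record just loaded by get_userdatabylogin(). The function has already returned when `$user` is a WP_User, so at this point the hook receives something that is not the account being logged in, and a plugin that uses it to refuse a login based on account state has no account to inspect before wp_check_password() runs on `$userdata`. I would pass the loaded record and test its result: `$userdata = apply_filters('wp_authenticate_user', $userdata, $password);` followed by `if ( is_wp_error($userdata) ) return $userdata;`. Separately, the first hunk drops sanitize_user() and trim() from wp_signon; wp_authenticate() is outside this file section, so it should be confirmed that the credentials are still normalised there before they reach the filters.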