Make WordPress Core


Ignore:
Timestamp:
01/24/2021 02:56:18 AM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a WWW-Authenticate header to make this detection more robust out of the box.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes #52066.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/user-edit.php

    r49752 r50006  
    740740            }
    741741
    742             if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     742            if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) {
    743743                ?>
    744744            <div class="create-application-password form-wrap">
Note: See TracChangeset for help on using the changeset viewer.