WordPress.org

Make WordPress Core

Opened 11 months ago

Closed 11 months ago

Last modified 10 months ago

#38056 closed enhancement (fixed)

Allow custom authentication checks for post passwords

Reported by: rmccue Owned by: jorbin
Milestone: 4.7 Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords: needs-dev-note
Focuses: Cc:

Description

In order to implement post passwords for non-web contexts (such as a REST API), it'd be really nice to allow custom authentication checks for whether a post password is required.

All of the password checking is abstracted nicely away into post_password_required(), but this checks the cookie and is not filterable at all. By making this filterable, we can allow custom handling in the REST API.

As a side-effect, this can make it easier to implement custom access controls for post content. For example, a filter on post_password_required could check if the user has paid for the content. get_the_password_form is already filterable, and these two could be combined nicely. This brings the advantage of working with other parts of core without needing a tonne of filters everywhere. It also allows more custom access controls, such as allowing super admins access to passworded posts.

Attachments (1)

38056.diff (1.6 KB) - added by rmccue 11 months ago.
Filter the return value of post_password_required

Download all attachments as: .zip

Change History (7)

@rmccue
11 months ago

Filter the return value of post_password_required

This ticket was mentioned in Slack in #core by kadamwhite. View the logs.


11 months ago

#3 @jorbin
11 months ago

  • Owner set to jorbin
  • Resolution set to fixed
  • Status changed from new to closed

In 38603:

Posts: Add filter to allow overriding post_password_required return

Post Passwords are incredibly inflexible. One Password per site at a time and other limitations that can't really be changed without a backwards compatibility break. This adds the ability for sites to change the password behavior such as doing per post passwords or allowing multiple passwords to be set in a browser. The possibilities are YUGE.

Additionally, it allows for a behavior other than returning a html form when a password is needed. This is important for non website use cases (such as in a restful API).

Fixes #38056. See #16483.
Props rmccue.

#4 @SergeyBiryukov
11 months ago

In 38604:

Docs: Add a @since entry for the post_password_required filter introduced in [38603].

Use a third-person singular verb for the filter description.

See #38056.

This ticket was mentioned in Slack in #core by rmccue. View the logs.


10 months ago

#6 @helen
10 months ago

  • Keywords needs-dev-note added

Would like to see a dev note on how this is used in the REST API, and how it can be used to implement true per-post passwords (or, if #16483 ends up going in, how to get back that old behavior).

Note: See TracTickets for help on using tickets.