WordPress.org

Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#40595 new defect (bug)

wp_authenticate_username_password() should respect WP_Error object generated by higher priorities

Reported by: gilzow Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7.4
Component: Login and Registration Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

If I've read through #19714 but believe this issue should be reopened. This issue affects anyone who needs to alter the normal authentication process by hooking into the authenticate filter at a high priority. Functions in the process flow should respect a WP_Error object if that is what it is handed, including wp_authenticate_username_password().

Expected Behavior
function hooks authenticate filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. Authentication should fail and error message displayed to user.

Current Behavior
Function hooks authenticate filter, assigns priority 10. Function invalidates authentication attempt and returns a WP_Error object. wp_authenticate_username_password() ignores WP_Error object, attempts authentication and returns its own error message, or goes ahead and authenticates the user.

Functions could assign a priority less than 20 (i.e. 30), but then when will be required to decipher error codes and/or the user object to then determine if authentication should continue, after an authentication attempt has already been processed by wp_authenticate_username_password(), even if no authentication should have been attempted. In additon, if wp_authenticate_username_password() is not going to respect WP_Errors from higher priorities, why not assign it a priority of 1 and make it the very first item in the authentication process?

Change History (1)

#1 @SergeyBiryukov
2 years ago

  • Description modified (diff)
Note: See TracTickets for help on using tickets.