Opened 5 years ago
Closed 5 years ago
#45475 closed defect (bug) (fixed)
Use plugin-friendly is_user_logged_in() to determine logged-in/nopriv in admin-post.php
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 5.1 | Priority: | normal |
Severity: | minor | Version: | 2.6 |
Component: | Administration | Keywords: | has-patch |
Focuses: | Cc: |
Description
/wp-admin/admin-post.php was introduced in r8315 and still uses the function wp_validate_auth_cookie() to differentiate between logged-in and nopriv actions today. /wp-admin/admin-ajax.php, introduced in r3660, uses is_user_logged_in() to differentiate between the logged-in and nopriv actions.
Using is_user_logged_in() allows a plugin to provide a different form of authentication to set the user by filtering on determine_current_user in _wp_get_current_user() whereas wp_validate_auth_cookie() does not, even though it is already a default filter on determine_current_user. Both admin-post.php and admin-ajax.php perform a similar role in wp-admin and should have similar authentication paths.
Attachments (1)
Change History (5)
Note: See
TracTickets for help on using
tickets.
I'm not sure why
wp_validate_auth_cookie()
was originally used here, as it's definitely not the correct function. Usingis_user_logged_in()
as done in admin-ajax.php makes much more sense, as far as I can tell,admin-post.php
has never worked with alternative authentication providers which use their own cookies.