WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 23 months ago

#45475 closed defect (bug) (fixed)

Use plugin-friendly is_user_logged_in() to determine logged-in/nopriv in admin-post.php

Reported by: jmdodd Owned by: pento
Milestone: 5.1 Priority: normal
Severity: minor Version: 2.6
Component: Administration Keywords: has-patch
Focuses: Cc:

Description

/wp-admin/admin-post.php was introduced in r8315 and still uses the function wp_validate_auth_cookie() to differentiate between logged-in and nopriv actions today. /wp-admin/admin-ajax.php, introduced in r3660, uses is_user_logged_in() to differentiate between the logged-in and nopriv actions.

Using is_user_logged_in() allows a plugin to provide a different form of authentication to set the user by filtering on determine_current_user in _wp_get_current_user() whereas wp_validate_auth_cookie() does not, even though it is already a default filter on determine_current_user. Both admin-post.php and admin-ajax.php perform a similar role in wp-admin and should have similar authentication paths.

Attachments (1)

45475.diff (478 bytes) - added by jmdodd 2 years ago.

Download all attachments as: .zip

Change History (5)

@jmdodd
2 years ago

#1 @dd32
2 years ago

  • Type changed from enhancement to defect (bug)
  • Version changed from trunk to 2.6

I'm not sure why wp_validate_auth_cookie() was originally used here, as it's definitely not the correct function. Using is_user_logged_in() as done in admin-ajax.php makes much more sense, as far as I can tell, admin-post.php has never worked with alternative authentication providers which use their own cookies.

#2 @SergeyBiryukov
2 years ago

  • Milestone changed from Awaiting Review to 5.1
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#3 @pento
23 months ago

  • Owner changed from SergeyBiryukov to pento
  • Status changed from reviewing to accepted

#4 @pento
23 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 44615:

Admin: Use is_user_logged_in() instead of wp_validate_auth_cookie() in admin-post.php.

This matches the authentication check in admin-ajax.php, and allows the authentication method to be filtered.

Props jmdodd.
Fixes #45475.

Note: See TracTickets for help on using tickets.