Opened 7 years ago
Closed 7 years ago
#45475 closed defect (bug) (fixed)
Use plugin-friendly is_user_logged_in() to determine logged-in/nopriv in admin-post.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.1 | Priority: | normal |
| Severity: | minor | Version: | 2.6 |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
/wp-admin/admin-post.php was introduced in r8315 and still uses the function wp_validate_auth_cookie() to differentiate between logged-in and nopriv actions today. /wp-admin/admin-ajax.php, introduced in r3660, uses is_user_logged_in() to differentiate between the logged-in and nopriv actions.
Using is_user_logged_in() allows a plugin to provide a different form of authentication to set the user by filtering on determine_current_user in _wp_get_current_user() whereas wp_validate_auth_cookie() does not, even though it is already a default filter on determine_current_user. Both admin-post.php and admin-ajax.php perform a similar role in wp-admin and should have similar authentication paths.
Attachments (1)
Change History (5)
I'm not sure why wp_validate_auth_cookie() was originally used here, as it's definitely not the correct function. Using is_user_logged_in() as done in admin-ajax.php makes much more sense, as far as I can tell, admin-post.php has never worked with alternative authentication providers which use their own cookies.
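Added example (not WordPress core code and not the patch attached to this ticket): a minimal plugin that supplies an alternative authentication method through determine_current_user, the path the description says is_user_logged_in() honours. The X-Example-User and X-Example-Token headers, the example_token_hash user meta key and the example_export action are hypothetical names chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example header-token auth (added example; all names are hypothetical)
 */

// Run after core's cookie callbacks on the same filter (priorities 10 and 20).
add_filter( 'determine_current_user', 'example_token_determine_user', 30 );

function example_token_determine_user( $user_id ) {
	// A cookie (or another provider) already identified the user: leave it alone.
	if ( $user_id || empty( $_SERVER['HTTP_X_EXAMPLE_USER'] ) || empty( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] ) ) {
		return $user_id;
	}
	$login = sanitize_user( wp_unslash( $_SERVER['HTTP_X_EXAMPLE_USER'] ), true );
	$token = (string) wp_unslash( $_SERVER['HTTP_X_EXAMPLE_TOKEN'] );

	$user = get_user_by( 'login', $login );
	// Assumption: only a SHA-256 hash of the token is stored, in user meta.
	$stored = $user ? (string) get_user_meta( $user->ID, 'example_token_hash', true ) : '';

	// Constant-time comparison; fail closed on unknown user or missing hash.
	if ( '' !== $stored && hash_equals( $stored, hash( 'sha256', $token ) ) ) {
		return $user->ID;
	}
	return $user_id;
}

// admin-post.php fires admin_post_{action} for logged-in requests and
// admin_post_nopriv_{action} otherwise.
add_action( 'admin_post_example_export', 'example_export_handler' );
add_action( 'admin_post_nopriv_example_export', 'example_export_denied' );

function example_export_handler() {
	// Reaching this hook proves authentication only; authorize explicitly.
	if ( ! current_user_can( 'export' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	wp_send_json_success( array( 'user_id' => get_current_user_id() ) );
}

function example_export_denied() {
	wp_die( 'Authentication required', '', array( 'response' => 401 ) );
}
```

With the wp_validate_auth_cookie() check described in the ticket, a request carrying only these headers would be dispatched to the nopriv hook, because that function is called directly and the filter callback is never consulted.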