Opened 5 years ago
Last modified 3 months ago
#49639 new enhancement
Add a filter on wp_insert_user function regarding $user_pass
Reported by: | stokim | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | good-first-bug has-patch 2nd-opinion has-unit-tests |
Focuses: | Cc: |
Description (last modified by )
/5.3/src/wp-includes/user.php
function wp_insert_user ( $userdata )
1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.
$pre_user_password = apply_filters( 'pre_user_password', $user_pass );
Thank you.
Best regards,
Jen
Attachments (2)
Change History (12)
#3
@
4 years ago
- Focuses privacy added
- Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed
I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.
I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non-hashed password of users without permission.
This ticket was mentioned in Slack in #core by tomjdevisser. View the logs.
4 years ago
#5
@
4 years ago
- Focuses privacy removed
- Keywords needs-patch added; has-patch removed
Thanks for the first pass @tomjdevisser. A few notes
All filters need a doc block https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#4-hooks-actions-and-filters
We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password
is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.
I also think this needs to take into account updating users and not just inserting them.
As for the privacy concerns, plugins already have access to this from the global $_POST.
#8
@
3 years ago
- Keywords has-patch 2nd-opinion added; needs-patch removed
Hello,
I submitted my first patch. Not sure if I'm supposed to modify the ticket?
This ticket was mentioned in PR #7384 on WordPress/wordpress-develop by @mklute101.
3 months ago
#9
- Keywords has-unit-tests added
This PR adds filter on user typed password before hashing the password.
It also includes error check for empty password and a backslash. Unit test included for both.
Trac ticket: 49639
@TimothyBlynJacobs commented on PR #7384:
3 months ago
#10
Thanks for the pr @mklute101! We need to fix the PHPCS issues. You should be able to run something like this:
./vendor/bin/phpcbf src/wp-includes/user.php
Added the filter