Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#49639 new enhancement

Add a filter on wp_insert_user function regarding $user_pass

Reported by: stokim's profile stokim Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Users Keywords: good-first-bug has-patch 2nd-opinion
Focuses: Cc:

Description (last modified by SergeyBiryukov)

function wp_insert_user ( $userdata ) 1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.

$pre_user_password = apply_filters(  'pre_user_password', $user_pass );

Thank you.

Best regards,

Attachments (2)

49639.patch (420 bytes) - added by tomjdevisser 3 years ago.
Added the filter
49639-2.diff (2.2 KB) - added by ilovecats7 3 years ago.

Download all attachments as: .zip

Change History (10)

#1 @SergeyBiryukov
4 years ago

  • Component changed from Formatting to Users

#2 @johnbillion
3 years ago

  • Keywords needs-patch good-first-bug added
  • Version 5.4 deleted

3 years ago

Added the filter

#3 @tomjdevisser
3 years ago

  • Focuses privacy added
  • Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed

I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.

I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non-hashed password of users without permission.

Last edited 3 years ago by tomjdevisser (previous) (diff)

This ticket was mentioned in Slack in #core by tomjdevisser. View the logs.

3 years ago

#5 @jorbin
3 years ago

  • Focuses privacy removed
  • Keywords needs-patch added; has-patch removed

Thanks for the first pass @tomjdevisser. A few notes

All filters need a doc block

We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.

I also think this needs to take into account updating users and not just inserting them.

As for the privacy concerns, plugins already have access to this from the global $_POST.

#6 @SergeyBiryukov
3 years ago

  • Description modified (diff)

#7 @johnbillion
3 years ago

  • Keywords good-first-bug added; dev-feedback 2nd-opinion removed

3 years ago

#8 @ilovecats7
3 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed


I submitted my first patch. Not sure if I'm supposed to modify the ticket?

Note: See TracTickets for help on using tickets.