Opened 21 months ago
Last modified 5 months ago
#49639 new enhancement
Add a filter on wp_insert_user function regarding $user_pass
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | good-first-bug has-patch 2nd-opinion |
| Focuses: | Cc: |
Description (last modified by )
/5.3/src/wp-includes/user.php
function wp_insert_user ( $userdata ) 1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.
$pre_user_password = apply_filters( 'pre_user_password', $user_pass );
Thank you.
Best regards,
Jen
Attachments (2)
Change History (10)
#3
@
7 months ago
- Focuses privacy added
- Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed
I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.
I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non-hashed password of users without permission.
This ticket was mentioned in Slack in #core by tomjdevisser. View the logs.
7 months ago
#5
@
7 months ago
- Focuses privacy removed
- Keywords needs-patch added; has-patch removed
Thanks for the first pass @tomjdevisser. A few notes
All filters need a doc block https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#4-hooks-actions-and-filters
We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.
I also think this needs to take into account updating users and not just inserting them.
As for the privacy concerns, plugins already have access to this from the global $_POST.
Added the filter