WordPress.org

Make WordPress Core

Opened 19 months ago

Last modified 3 months ago

#49639 new enhancement

Add a filter on wp_insert_user function regarding $user_pass

Reported by: stokim Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Users Keywords: good-first-bug has-patch 2nd-opinion
Focuses: Cc:

Description (last modified by SergeyBiryukov)

/5.3/src/wp-includes/user.php
function wp_insert_user ( $userdata ) 1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.

$pre_user_password = apply_filters(  'pre_user_password', $user_pass );

Thank you.

Best regards,
Jen

Attachments (2)

49639.patch (420 bytes) - added by tomjdevisser 5 months ago.
Added the filter
49639-2.diff (2.2 KB) - added by ilovecats7 3 months ago.

Download all attachments as: .zip

Change History (10)

#1 @SergeyBiryukov
19 months ago

  • Component changed from Formatting to Users

#2 @johnbillion
5 months ago

  • Keywords needs-patch good-first-bug added
  • Version 5.4 deleted

@tomjdevisser
5 months ago

Added the filter

#3 @tomjdevisser
5 months ago

  • Focuses privacy added
  • Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed

I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.

I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non hashed password of users without permission.

Version 0, edited 5 months ago by tomjdevisser (next)

This ticket was mentioned in Slack in #core by tomjdevisser. View the logs.


5 months ago

#5 @jorbin
5 months ago

  • Focuses privacy removed
  • Keywords needs-patch added; has-patch removed

Thanks for the first pass @tomjdevisser. A few notes

All filters need a doc block https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#4-hooks-actions-and-filters

We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.

I also think this needs to take into account updating users and not just inserting them.

As for the privacy concerns, plugins already have access to this from the global $_POST.

#6 @SergeyBiryukov
4 months ago

  • Description modified (diff)

#7 @johnbillion
3 months ago

  • Keywords good-first-bug added; dev-feedback 2nd-opinion removed

@ilovecats7
3 months ago

#8 @ilovecats7
3 months ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hello,

I submitted my first patch. Not sure if I'm supposed to modify the ticket?

Note: See TracTickets for help on using tickets.