Opened 4 years ago
Closed 4 years ago
#52439 closed defect (bug) (duplicate)
'authenticate' filters ignore WP_Error case
Reported by: | joyously | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | |
Focuses: | Cc: |
Description
The core functions hooked by default to the 'authenticate' filter do not check the filtered object for WP_Error
before overwriting with the authenticated user object.
This means a filter added with the default priority of 10 that passes a WP_Error
is ignored, and the user is logged in anyway.
Noticed in forum topic: https://wordpress.org/support/topic/creating-an-authenticate-filter/
Default filters are
add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_email_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_application_password', 20, 3 ); add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
and user.php has
add_filter( 'authenticate', 'wp_authenticate_cookie', 30, 3 );
Change History (1)
Note: See
TracTickets for help on using
tickets.
Thanks for the ticket @joyously, this is being tracked already in #46748.