#54280 closed enhancement (wontfix)
wp_verify_nonce should return a filter
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 5.9 |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
Yes, I am aware that wp_verify_nonce() is pluggable. However, you may simply want to change the return value from false to 1 or 2. Creating a whole new pluggable function for this is not only overkill but also means that solutions that want to change the way nonces are verified (e.g. using different hashing functions) cannot coexist with people who simply want to change the return value.
Adding the filter would mean that as long as whoever was creating the new pluggable function kept the filter, their solution could coexist with other users who simply want to change the return value for specific situations.
e.g.
```php
// Invalid nonce.
return apply_filters( 'new_filter_wp_verify_nonce_failed', false, $nonce, $token, $uid );
```
BTW, my use case for this was building a plugin where one user can message another on behalf of another, in a similar way that Facebook allows messaging or commenting as a page.
While this is a valid concern, I also think that this is such a narrow use case that overriding the pluggable function would make sense in this case. If you're overriding how nonces are generated and validated then there's not much need to retain the existing logic.
Closing this off. If anyone feels strongly about it feel free to reopen with more info and a patch.
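What the override suggested in the reply above could look like, as an added example (not code from the ticket or from WordPress core): it follows the structure of core's pluggable wp_verify_nonce() and calls the reporter's proposed filter on the failure path. The plugin header and the guard on the filtered value are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Filterable nonce failure (added example)
 *
 * Pluggable functions are defined only if nothing declared them earlier, so
 * this must load as a plugin or mu-plugin, before wp-includes/pluggable.php.
 */
if ( ! function_exists( 'wp_verify_nonce' ) ) {
	function wp_verify_nonce( $nonce, $action = -1 ) {
		$nonce = (string) $nonce;
		$user  = wp_get_current_user();
		$uid   = (int) $user->ID;
		if ( ! $uid ) {
			// Core filter: lets logged-out visitors be told apart.
			$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
		}
		if ( empty( $nonce ) ) {
			return false;
		}

		$token = wp_get_session_token();
		$tick  = wp_nonce_tick();

		// Current tick => 1 (nonce 0-12 hours old), previous tick => 2 (12-24 hours old).
		foreach ( array( 1 => $tick, 2 => $tick - 1 ) as $result => $t ) {
			$expected = substr( wp_hash( $t . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
			if ( hash_equals( $expected, $nonce ) ) {
				return $result;
			}
		}

		do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

		// Filter name and arguments as proposed in the ticket.
		$filtered = apply_filters( 'new_filter_wp_verify_nonce_failed', false, $nonce, $token, $uid );

		// Assumption of this example: only the documented return values are
		// honoured, so a callback returning anything else still fails closed.
		return in_array( $filtered, array( 1, 2 ), true ) ? $filtered : false;
	}
}
```

Because the proposed argument list does not include `$action`, a callback cannot tell which action it is accepting a failed nonce for, so every callback on this filter applies to all nonce checks on the site.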