Make WordPress Core

Opened 3 years ago

Closed 3 months ago

Last modified 3 months ago

#54280 closed enhancement (wontfix)

wp_verify_nonce should return a filter

Reported by: shawfactor
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.9
Component: Security
Keywords:
Focuses:
Cc:

Description

Yes, I am aware that wp_verify_nonce() is pluggable. However, you may simply want to change the return value from false to 1 or 2. Creating a whole new pluggable function for this is not only overkill but also means that solutions that want to change the way nonces are verified (e.g. using different hashing functions) cannot coexist with people who simply want to change the return value.

Adding the filter would mean that as long as whoever was creating the new pluggable function kept the filter, then their solution could coexist with other users who simply want to change the return value for specific situations.

e.g.

    // Invalid nonce.
    return apply_filters( 'new_filter_wp_verify_nonce_failed', false, $nonce, $token, $uid );

BTW my use case for this was building a plugin where one user can message another on behalf of another. In a similar way that Facebook allows messaging or commenting as a page.

Change History (2)

#1 @johnbillion
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

While this is a valid concern, I also think that this is such a narrow use case that overriding the pluggable function would make sense in this case. If you're overriding how nonces are generated and validated then there's not much need to retain the existing logic.

Closing this off. If anyone feels strongly about it feel free to reopen with more info and a patch.

#2 @johnbillion
3 months ago

#60824 was marked as a duplicate.
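
For reference, the override route suggested in comment #1 combined with the filter requested in the description, as an added example that is not code from the ticket or from WordPress core. It assumes the file is loaded as a plugin (plugins load before pluggable.php) and uses the filter name and argument list exactly as proposed in the description; the fail-closed check on the filtered value is an addition of this example.

```php
<?php
// Added example: a pluggable override of wp_verify_nonce() that keeps core's
// checks and adds the filter proposed in the ticket on the failure path.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
	function wp_verify_nonce( $nonce, $action = -1 ) {
		$nonce = (string) $nonce;
		$user  = wp_get_current_user();
		$uid   = (int) $user->ID;
		if ( ! $uid ) {
			// Existing core filter for logged-out users.
			$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
		}

		if ( empty( $nonce ) ) {
			return false; // An empty nonce is never offered to the new filter.
		}

		$token = wp_get_session_token();
		$i     = wp_nonce_tick(); // No argument, as in the 5.9 version the ticket targets.

		// Same two windows as core: 1 = generated 0-12 hours ago, 2 = 12-24 hours ago.
		foreach ( array( 1 => $i, 2 => $i - 1 ) as $result => $tick ) {
			$expected = substr( wp_hash( $tick . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
			if ( hash_equals( $expected, $nonce ) ) {
				return $result;
			}
		}

		// Existing core action fired on failure.
		do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

		// Filter name and arguments as proposed in the ticket; not part of core.
		$filtered = apply_filters( 'new_filter_wp_verify_nonce_failed', false, $nonce, $token, $uid );

		// Fail closed: only the documented return values 1 and 2 can replace false.
		return in_array( $filtered, array( 1, 2 ), true ) ? $filtered : false;
	}
}
```

The argument list proposed in the description does not include $action, so a callback hooked to this filter cannot tell which action's check failed. Any callback that returns 1 or 2 accepts a request whose nonce did not verify, so it has to establish the request's legitimacy by some other means.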
