Make WordPress Core

Opened 6 months ago

Last modified 5 months ago

#60748 new defect (bug)

auth_redirect() login check doesn't exist or doesn't work

Reported by: kratosgemini Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:

Description

The auth_redirect() documentation states:

"Checks if a user is logged in, if not it redirects them to the login page."
https://developer.wordpress.org/reference/functions/auth_redirect/

However, unless a call to auth_redirect() is wrapped inside an is_user_logged_in() check, it always sends people to the login page (even if a user is already logged in).

I don't know if the documentation is incorrect or if there is a bug in the code.

To reproduce, all you need to do is something like this:

<?php
add_action( 'wp', function() {
        if ( is_page( 2 ) ) {
                auth_redirect();
        }
} );

Change History (2)

#1 @mujuonly
6 months ago

+1

<?php
add_action( 'wp', function() {
        if ( is_cart() ) {
                auth_redirect();
        }
} );

Just checked this as logged in and reloaded the cart page; it logs out and redirects to the login page.

This is the function doc:

<?php
        /**
         * Checks if a user is logged in, if not it redirects them to the login page.
         *
         * When this code is called from a page, it checks to see if the user viewing the page is logged in.
         * If the user is not logged in, they are redirected to the login page. The user is redirected
         * in such a way that, upon logging in, they will be sent directly to the page they were originally
         * trying to access.
         *
         * @since 1.5.0
         */

#2 @rajinsharwar
5 months ago

Hi @kratosgemini, thanks for opening the ticket! Well, it's a default behavior for WordPress, I believe, to show a logged-in page when the user is still logged in. So, even if you are logged in to the Admin Dashboard, if you try to go under /wp-login.php, it will show the login form. So, I believe auth_redirect() should always be encapsulated by the is_user_logged_in() function to avoid this behavior.

What we can do is update this behavior in the code doc for future reference.
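
The guard suggested in comment #2, written out as an added example (not code from the ticket or from WordPress core). The function names and the list of protected page IDs are hypothetical; the hook and the page ID follow the reproduction snippet in the description.

```php
<?php
// Added example: example_protected_page_ids() and example_require_login()
// are hypothetical names, not WordPress functions.

/**
 * IDs of front-end pages that require a logged-in user.
 * Constructed sample value, taken from the ticket's is_page( 2 ) snippet.
 */
function example_protected_page_ids() {
	return array( 2 );
}

/**
 * Send anonymous visitors of protected pages to the login screen,
 * leaving already logged-in visitors on the page.
 */
function example_require_login() {
	if ( ! is_page( example_protected_page_ids() ) ) {
		return;
	}

	// is_user_logged_in() accepts the site-wide "logged in" cookie, so a
	// logged-in visitor is recognised on front-end URLs and stops here.
	if ( is_user_logged_in() ) {
		return;
	}

	// Only anonymous visitors reach this call. auth_redirect() validates
	// the auth cookie, which core scopes to the admin and plugin paths,
	// so on a front-end URL it cannot confirm a session by itself. It
	// redirects to wp-login.php with the current URL as redirect_to and
	// then exits.
	auth_redirect();
}
add_action( 'wp', 'example_require_login' );
```

With the guard in place, auth_redirect() never runs for a visitor whom is_user_logged_in() already recognises, so the forced re-authentication reported in comment #1 is not triggered for them.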
