Opened 5 years ago

Closed 5 years ago

#8941 closed defect (bug) (fixed)

XML-RPC should use User returned from wp_authenticate

Reported by: wnorris
Owned by: josephscott
Milestone: 2.8
Priority: normal
Severity: normal
Version:
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:

Description

The WordPress XML-RPC class currently makes use of wp_authenticate indirectly to test the validity of the username and password included in requests. It then calls set_current_user( 0, $username ) separately, using the username that was included in the request. This works in most cases, except those in which the user returned by wp_authenticate does not match the username that was in the XML-RPC request. Specifically, I'm thinking about requests that are authenticated using OAuth. For those requests, the username and password in the XML-RPC request will be empty, but wp_authenticate will still be able to return the correct user based on the OAuth request headers.

The included patch makes the following changes:

  • adds new login() function that mimics login_pass_ok(), but passes back the user object from wp_authenticate rather than a simple boolean. It also calls set_current_user(). All functions have been updated to use login() instead of login_pass_ok(), and the latter has been marked @deprecated
  • standardize on 'username' and 'password' as variable names. Some functions still used 'user_login' and 'user_pass'.

It's important to note that while this patch is part of the same overall effort as #8938 (that is, to allow for OAuth-authenticated XML-RPC requests), this patch is in no way dependent on #8938. It should work just fine on its own, without introducing any backward compatibility issues.

Attachments (1)

xmlrpc.diff (24.3 KB) - added by wnorris 5 years ago.
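
The mismatch described in this ticket, as an added stand-alone simulation (not code from the attached patch or from WordPress core): a boolean credential check followed by a second lookup on the request's username loses the identity when the authenticator resolved the user from a header instead. All `demo_*` names, the account and the token are constructed for illustration; `demo_authenticate()` is only a simplified stand-in for `wp_authenticate`.

```php
<?php
// Stand-alone simulation; every demo_* name and all sample data are constructed.
$DEMO_USERS  = ['alice' => ['id' => 7, 'pass' => 's3cret']]; // constructed account
$DEMO_TOKENS = ['tok-123' => 'alice'];                       // constructed header-token map

// Stand-in authenticator: the user may be resolved from a request header,
// so the returned user does not have to match $username from the request body.
function demo_authenticate(string $username, string $password, array $headers): ?array {
    global $DEMO_USERS, $DEMO_TOKENS;
    $token = $headers['Authorization'] ?? '';
    if (isset($DEMO_TOKENS[$token])) {
        $login = $DEMO_TOKENS[$token];
        return ['login' => $login, 'id' => $DEMO_USERS[$login]['id']];
    }
    if (isset($DEMO_USERS[$username]) && hash_equals($DEMO_USERS[$username]['pass'], $password)) {
        return ['login' => $username, 'id' => $DEMO_USERS[$username]['id']];
    }
    return null;
}

// Old pattern: yes/no credential check, then the current user is looked up
// again from the username that was sent in the request.
function demo_old_flow(string $username, string $password, array $headers): ?int {
    global $DEMO_USERS;
    if (demo_authenticate($username, $password, $headers) === null) {
        return null;                              // authentication failed
    }
    return $DEMO_USERS[$username]['id'] ?? 0;     // 0 = no matching user: identity lost
}

// Patched pattern: the current user is taken from the object the authenticator returned.
function demo_login(string $username, string $password, array $headers): ?int {
    $user = demo_authenticate($username, $password, $headers);
    return $user === null ? null : $user['id'];
}

$cases = [
    'password request'                     => ['alice', 's3cret', []],
    'header-authenticated, empty username' => ['', '', ['Authorization' => 'tok-123']],
    'wrong password'                       => ['alice', 'nope', []],
];
foreach ($cases as $label => [$u, $p, $h]) {
    printf("%-38s old=%s new=%s\n", $label,
        var_export(demo_old_flow($u, $p, $h), true),
        var_export(demo_login($u, $p, $h), true));
}
```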


Change History (4)

wnorris 5 years ago

comment:1 redsweater 5 years ago

  • Cc redsweater added

I applied this patch to my trunk test and cursory testing reveals no backward compatibility problem with authentication from MarsEdit.

comment:2 josephscott 5 years ago

This patch has been working fine in my tests so far. I'd like to see this get into -trunk.

comment:3 ryan 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10456]) Use user returned from auth for XML-RPC logins. Props wnorris. fixes #8941
