Opened 16 years ago
Closed 16 years ago
#8941 closed defect (bug) (fixed)
XML-RPC should use User returned from wp_authenticate
Reported by: | wnorris | Owned by: | josephscott |
---|---|---|---|
Milestone: | 2.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | XML-RPC | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
The WordPress XML-RPC class currently makes use of wp_authenticate indirectly to test the validity of the username and password included in requests. It then calls set_current_user( 0, $username ) separately, using the username that was included in the request. This works in most cases, except those in which the user returned by wp_authenticate does not match the username that was in the XML-RPC request. Specifically, I'm thinking about requests that are authenticated using OAuth. For those requests, the username and password in the XML-RPC request will be empty, but wp_authenticate will still be able to return the correct user based on the OAuth request headers.
The included patch makes the following changes:
- adds new login() function that mimics login_pass_ok(), but passes back the user object from wp_authenticate rather than a simple boolean. It also calls set_current_user(). All functions have been updated to use login() instead of login_pass_ok(), and the latter has been marked @deprecated.
- standardize on 'username' and 'password' as variable names. Some functions still used 'user_login' and 'user_pass'.
It's important to note that while this patch is part of the same overall effort as #8938 (that is, to allow for OAuth-authenticated XML-RPC requests), this patch is in no way dependent on #8938. It should work just fine on its own, without introducing any backward compatibility issues.
I applied this patch to my trunk test and cursory testing reveals no backward compatibility problem with authentication from MarsEdit.
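An added example, not code from the ticket, its patch, or WordPress: a self-contained PHP model of the mismatch the description explains, comparing "check validity, then set the current user from the request's username" with "set the current user from what the authenticator returned". All `demo_*` names, the accounts and the header token are constructed for illustration; `demo_authenticate()` is a hypothetical stand-in for `wp_authenticate` with a header-based authenticator plugged in.

```php
<?php
// Constructed model, not WordPress code: every demo_* name and all sample data are hypothetical.
const DEMO_USERS  = ['alice' => 'alice-pass', 'bob' => 'bob-pass']; // constructed accounts
const DEMO_TOKENS = ['token-for-alice' => 'alice'];                 // constructed header credential

// Stand-in for wp_authenticate(): returns the authenticated login name, or null on failure.
function demo_authenticate(string $username, string $password, array $headers): ?string {
    $fromHeader = DEMO_TOKENS[$headers['Authorization'] ?? ''] ?? null;
    if ($fromHeader !== null) {
        return $fromHeader;                  // identity established by the request headers
    }
    $stored = DEMO_USERS[$username] ?? null;
    if ($stored !== null && hash_equals($stored, $password)) {
        return $username;                    // classic username/password path
    }
    return null;
}

// Old pattern: authentication is reduced to a boolean, then the current user
// is looked up separately from the username field of the request.
function demo_old_current_user(string $username, string $password, array $headers): ?string {
    if (demo_authenticate($username, $password, $headers) === null) {
        return null;                         // request rejected
    }
    return array_key_exists($username, DEMO_USERS) ? $username : ''; // '' = no matching user
}

// Patched pattern: the current user is exactly the user the authenticator returned.
function demo_new_current_user(string $username, string $password, array $headers): ?string {
    return demo_authenticate($username, $password, $headers);
}

$requests = [ // constructed requests: [username, password, headers]
    'password login'          => ['alice', 'alice-pass', []],
    'header auth, empty name' => ['', '', ['Authorization' => 'token-for-alice']],
    'header auth, other name' => ['bob', '', ['Authorization' => 'token-for-alice']],
    'bad password'            => ['alice', 'wrong', []],
];
foreach ($requests as $label => [$u, $p, $h]) {
    printf("%-24s old=%-8s new=%s\n", $label,
        var_export(demo_old_current_user($u, $p, $h), true),
        var_export(demo_new_current_user($u, $p, $h), true));
}
```

The two patterns agree only when the username field happens to name the authenticated user. In the header-authenticated rows the old pattern acts as nobody or as the name in the request, while the patched pattern acts as the user the authenticator returned.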