XML-RPC should use User returned from wp_authenticate
Reported by: wnorris | Owned by: josephscott
The WordPress XML-RPC class currently makes use of wp_authenticate indirectly to test the validity of the username and password included in requests. It then calls set_current_user( 0, $username ) separately, using the username that was included in the request. This works in most cases, except those in which the user returned by wp_authenticate does not match the username that was in the XML-RPC request. Specifically, I'm thinking about requests that are authenticated using OAuth. For those requests, the username and password in the XML-RPC request will be empty, but wp_authenticate will still be able to return the correct user based on the OAuth request headers.
The included patch makes the following changes:
- adds new login() function that mimics login_pass_ok(), but passes back the user object from wp_authenticate rather than a simple boolean. It also calls set_current_user(). All functions have been updated to use login() instead of login_pass_ok(), and the latter has been marked @deprecated
- standardize on 'username' and 'password' as variable names. Some functions still used 'user_login' and 'user_pass'.
It's important to note that while this patch is part of the same overall effort as #8938 (that is, to allow for OAuth-authenticated XML-RPC requests), this patch is in no way dependent on #8938. It should work just fine on its own, without introducing any backward compatibility issues.
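The identity mismatch described in the ticket, as an added sketch that is not taken from the attached patch or from WordPress core. The function bodies are constructed stand-ins so it runs outside WordPress; the header value, user records, the name `login_pass_ok_then_set()` and the argument passed to `set_current_user()` inside `login()` are assumptions.

```php
<?php
// Constructed stand-ins for the WordPress functions named in the ticket.
// Real WordPress returns WP_User / WP_Error objects; these are simplified.
$GLOBALS['current_user'] = null;

function wp_authenticate($username, $password) {
    // Assumption: an OAuth plugin resolves the user from request headers
    // even when the credentials in the XML-RPC body are empty.
    if (($_SERVER['HTTP_AUTHORIZATION'] ?? '') === 'OAuth constructed-token') {
        return (object) ['ID' => 7, 'user_login' => 'alice'];
    }
    if ($username === 'bob' && $password === 'constructed-password') {
        return (object) ['ID' => 9, 'user_login' => 'bob'];
    }
    return false; // stands in for WP_Error
}

function set_current_user($id, $name = '') {
    // Simplified: record which key the lookup would use (ID, else login name).
    $GLOBALS['current_user'] = $id ? "id:$id" : "login:'$name'";
}

// Old pattern: boolean credential check, then identity from the request body.
function login_pass_ok_then_set($username, $password) {
    if (!wp_authenticate($username, $password)) {
        return false;
    }
    set_current_user(0, $username); // trusts the request's username
    return true;
}

// Pattern the ticket proposes: identity comes from the authenticated user.
function login($username, $password) {
    $user = wp_authenticate($username, $password);
    if (!$user) {
        return false;
    }
    set_current_user($user->ID); // assumption: keyed on the returned user
    return $user;
}

// OAuth-style request: empty username and password in the XML-RPC body.
$_SERVER['HTTP_AUTHORIZATION'] = 'OAuth constructed-token';

login_pass_ok_then_set('', '');
echo "old pattern -> ", $GLOBALS['current_user'], "\n";

login('', '');
echo "new pattern -> ", $GLOBALS['current_user'], "\n";
```

With the old pattern the authentication succeeds but the current user is looked up by the empty request username; with `login()` the current user is the one the authenticator actually returned.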