[wp-hackers] [Patch] Propagating password change in an action

Nathaniel Taintor goldenapplesdesign at gmail.com
Sat Oct 6 20:00:05 UTC 2012


I'm going to guess that the potential for evil this patch would introduce,
if it were in core, outweighs any possible usefulness.

I, for one, would not want plugins to be able to access users' plaintext
passwords.

If you're running a system where you need to access plaintext passwords,
you probably will have to either hack the core functions or override the
login page to provide your own password reset function. But... there must
be a better way of doing whatever you're trying to do?


Nathaniel Taintor, Designer/Developer
*Golden Apples Design*
http://goldenapplesdesign.com

@GoldenApples | 717.434.3226
goldenapplesdesign at gmail.com



On Fri, Oct 5, 2012 at 2:27 PM, Chloé Desoutter <chloe.desoutter+wphackers at gmail.com> wrote:

> Hi folks,
>
> I'm new on this list, my name is Chloé Desoutter, I work as a freelance
> contractor to provide my customers with great WordPress-based solutions.
>
> I'm currently working on using WordPress as an "accounts manager" for a
> bigger back-end. This implies updating profile infos, password, and stuff
> and reporting that to the big backend in real time.
>
> I've hit a difficulty when it comes to updating the password, as the
> profile_update hook does not allow me to get the new plaintext password.
>
> So I've come up with a patch in wp_update_user()
> chloe at ayodhya:~/opidev$ diff -uprN wordpress/wp-includes/user.php
> web/wp-includes/user.php
> --- wordpress/wp-includes/user.php      2012-04-27 17:57:51.000000000 +0200
> +++ web/wp-includes/user.php    2012-10-04 17:36:12.382154680 +0200
> @@ -1427,6 +1427,8 @@ function wp_update_user($userdata) {
>         $current_user = wp_get_current_user();
>         if ( $current_user->ID == $ID ) {
>                 if ( isset($plaintext_pass) ) {
> +      // call password_updated to reflect that change elsewhere if needed
> +      do_action('password_updated', $ID, $plaintext_pass);
>                         wp_clear_auth_cookie();
>                         wp_set_auth_cookie($ID);
>                 }
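
Review bot: the added do_action('password_updated', $ID, $plaintext_pass) call passes the cleartext password to every callback hooked on the action, so any active plugin can read or store it. Consider passing only $ID and documenting the hook and its arguments, rather than exposing $plaintext_pass. The call also sits inside the `if ( $current_user->ID == $ID )` branch, so it fires only when the logged-in user updates their own account through wp_update_user(); if the intent is to propagate every password change, it needs to run wherever isset($plaintext_pass) holds, outside that comparison. The two added lines are also indented less than the enclosing block and should match the file's indentation.
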
>
> pastebin: http://pastebin.com/FZfuLbxC
>
> It's used quite simply:
> add_action('password_updated', 'my_password_updated', 1, 2);
>
> // The callback name must match the one registered with add_action() above.
> function my_password_updated($id, $newpass)
> {
>     file_put_contents("/tmp/log", "Password for user #{$id} is now $newpass");
> }
>
> I've found no other way to retrieve that non-hashed password (I usually
> hate touching the core, but this time, there's no choice)
>
> Would be nice if that came up into the main source tree.
>
> Any feedback on that?
>
> Hope this helps
>
> Yours