diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
index 88a92d018e..a027155002 100644
--- a/src/wp-includes/default-filters.php
+++ b/src/wp-includes/default-filters.php
@@ -300,5 +300,7 @@ add_filter( 'heartbeat_nopriv_send', 'wp_auth_check' );
 // Default authentication filters
 add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
 add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
+add_filter( 'determine_current_user', 'wp_validate_auth_cookie' );
+add_filter( 'determine_current_user', 'wp_validate_logged_in_cookie', 20 );
 unset($filter, $action);
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 9fe26d518a..1f0723fe7c 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -97,14 +97,23 @@ function get_currentuserinfo() {
 return false;
 }
- if ( ! $user = wp_validate_auth_cookie() ) {
- if ( is_blog_admin() || is_network_admin() || empty( $_COOKIE[LOGGED_IN_COOKIE] ) || !$user = wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' ) ) {
- wp_set_current_user( 0 );
- return false;
- }
+ /**
+ * Determine the current user based on request data.
+ *
+ * The default filters use this to determine the current user from the
+ * request's cookies, if available.
+ *
+ * @since 3.9.0
+ *
+ * @param int|boolean $user_id User ID if determined, or false otherwise.
+ */
+ $user_id = apply_filters( 'determine_current_user', false );
+ if ( ! $user_id ) {
+ wp_set_current_user( 0 );
+ return false;
 }
- wp_set_current_user( $user );
+ wp_set_current_user( $user_id );
 }
 endif;
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index d4392cd2fa..453eaa75cf 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
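Review bot: `wp_validate_auth_cookie` is hooked directly at the default priority, so the value being filtered arrives as its first argument, which the removed call in pluggable.php (`wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' )`) shows is the cookie string. With the initial `false` this presumably falls back to reading the request cookie, but a user ID returned by a callback registered before priority 10 would be treated as a cookie value and most likely replaced by `false`, unlike `wp_validate_logged_in_cookie`, which passes an earlier ID through. I would record that ordering contract next to the registration, e.g. `// Runs first and receives the filtered value as $cookie; callbacks that supply a user ID must hook after priority 10.`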
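Review bot: The result of `apply_filters( 'determine_current_user', false )` reaches `wp_set_current_user()` after only a truthiness check, so every callback on this filter becomes an authentication decision point, and the new docblock does not say so. The docblock should state that a callback may return a user ID only after it has itself authenticated the request, for example `@param int|boolean $user_id User ID if a callback has authenticated the request, or false otherwise.` Because a callback could return a non-integer truthy value, a guard such as `if ( ! $user_id || ! is_numeric( $user_id ) ) {` would keep unexpected types out of `wp_set_current_user()`. get_currentuserinfo() begins above this hunk, so its earlier checks are not visible here.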
@@ -219,6 +219,32 @@ function wp_authenticate_spam_check( $user ) {
 return $user;
 }
+/**
+ * Validates logged in cookie.
+ *
+ * Checks the logged_in cookie if the previous auth cookie could not be
+ * validated and parsed.
+ *
+ * This is a callback for the determine_current_user filter, rather than API.
+ *
+ * @since 3.9.0
+ *
+ * @param int|boolean $user The user ID (or false) as received from the determine_current_user filter.
+ * @return int|boolean User ID if validated, or false otherwise. If it receives a user ID from
+ * an earlier filter callback, that value is returned.
+ */
+function wp_validate_logged_in_cookie( $user_id ) {
+ if ( $user_id ) {
+ return $user_id;
+ }
+
+ if ( is_blog_admin() || is_network_admin() || empty( $_COOKIE[LOGGED_IN_COOKIE] ) ) {
+ return false;
+ }
+
+ return wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' );
+}
+
 /**
 * Number of posts user has written.
 *
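Review bot: The docblock names the parameter `$user` while the signature is `wp_validate_logged_in_cookie( $user_id )`; the tag should read `@param int|boolean $user_id The user ID (or false) as received from the determine_current_user filter.` The `is_blog_admin() || is_network_admin()` guard is what keeps the logged_in cookie from identifying a user on admin requests, which appears to carry over the condition removed from get_currentuserinfo(), yet nothing explains it. A why-comment above it, such as `// The logged_in cookie must not identify a user on admin screens; only the auth cookie may.`, would protect the guard from being dropped in a later refactor.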