WordPress.org

Ready to get started?Download WordPress

Forums

Password Protected
[resolved] Ability to store unhashed password? (11 posts)

  1. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    I know that storing the md5 is done for security purposes, but I'm looking to find a way to store it in plaintext also.

    (In our multisite network environment, we are letting Site Admins choose and set their passwords, but we need a way for Network Admins to be able to see what the password is as well.)

    I tried looking for $_POST variables when options-privacy.php is submitted, but it appears those don't come through when you use the Settings API. I know you don't want to add this functionality directly, but perhaps you could throw in another hook?

    Perhaps, in admin.php, you could do something like:
    do_action('password_protected_password_updated', $val['new'])

    What do you think?

    http://wordpress.org/extend/plugins/password-protected/

  2. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    Hi, OK is a bit tricky to add in a hook with the WordPress settings API, however I have reworked it a little so that you can intercept the password as plaintext before it is saved.

    You can use the 'pre_update_option_{option}' filter with a priority of less than 10 to intercept the password as plaintext before it is saved. eg
    add_filter( 'pre_update_option_password_protected_password', 'my_function', 10, 2 );

    It will pass the new value and the old value as 2 parameters and expects the new value to be returned. Within this you could use the plaintext password and save as a separate option or something.

    Would that work for you?
    You can download the updated files to test here.

  3. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    Working like a champ. thanks!

  4. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    With one caveat... I'm not getting expected behavior when I click 'Enable' but don't enter a password.

    In this situation, both the hashed password and raw password get saved as the 2b877..... long string.

    Here's some ultra basic code code:

    function cets_password_protected_modifier_save_pw($newvalue, $oldvalue) {
    	update_option('pp_raw_password', $newvalue);
    	return $newvalue;
    }
    add_filter( 'pre_update_option_password_protected_password', 'cets_password_protected_modifier_save_pw', 9, 2 );

    any ideas?

    Note: I changed my filter's priority to 9 so it would run before your hashing filter at priority 10, but it's still giving me this odd behavior in the case of an empty password.

  5. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    Try doing a check before updating the option to test the $newvalue != $oldvalue

  6. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    Sorry, I've thought about what you've said for quite a while, and don't understand the logic here at all.

    You're suggesting I do something like:
    if ($newvalue != $oldvalue) { save_raw_password($newvalue); }
    ?

    I don't actually understand either:
    a) why I care if the new value equals the previous value or not
    b) how this relates to the oddity when the password fields are left blank

    Maybe it's that I haven't had enough coffee... but you'd think 4 cups would do it! :P Cheers

  7. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    Try echoing the $newvalue

    I have a feeling that this might pass through the old hashed value if the new password is blank.

    If so, $newvalue would be equal to $oldvalue, so if these values are the same if means nothing will have changed.

    I might be wrong but I have a vague memory of something like this in my early testing.

  8. Jason Lemahieu (MadtownLems)
    Member
    Posted 1 year ago #

    Finally found some time to come back to this.

    One thing I didn't realize, which I found odd, is that the $oldvalue is in fact the hashed value of the old password, while $newvalue is the UNhashed text that was just entered. This gives me access to the raw password and allows me to save it. Great.

    You're correct that when the passwords are not confirmed correctly, oldvalue == newvalue and my check of
    if ($oldvalue != $newvalue) {save_raw_password($newvalue);}
    works great there.

    There was one condition that I was still struggling with, but I think it's just a case of me not understanding the plugin's expected functionality in regards to someone submitting a form with 'Enabled' checked, but blank passwords entered. It seems that your plugin is simply not updating the password - is that your intended result? (Just confirming. If so, I think my modifier is doing what I want.)

    Thanks again!

  9. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    I think at the moment it doesn't save a blank password (because you obviously can't login with a blank password) but maybe you should be allowed to - it just means no-one will be able to login.

  10. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    Marking this main issue as resolved.

    I have added an issue regarding saving a blank password for future consideration.
    https://github.com/benhuson/password-protected/issues/16

  11. Ben Huson
    Member
    Plugin Author

    Posted 1 year ago #

    Just to clarify, yes, a user can't save a 'blank' password.

    A password will only be saved if it contains at least one character.

    This is partly so that the password will not be reset every time you change the settings on the Privacy (or Reading in WP 3.5) admin page, and partly because it makes no sense to have a blank password - you might as well not have one.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.