I’d like to allow my users to send their WordPress login credentials along with their comment, as opposed to having to log in first, and then post their comment. I’m not really sure where to hook into here, and any help would be much appreciated.
My basic plan is to get the user’s login and pass (and comment), log the user in (maybe during preprocess_comment), then supply the user id etc to the comment object, then let everything run as usual. But I’m wondering if I’m opening myself up to some kind of exploit by doing so. I understand that WordPress has a login form for a reason, and I’m hesitant to log the user in without going through the official form.
You can log a user in securely by simply calling wp_signon with the proper credentials. This has to be done before any output is produced, so that WP can set the user's cookie properly.
Example:
$user = wp_signon(array('user_login' => 'example', 'user_password' => 'swordfish'));
That will do a proper login from the front end of the site, set cookies, and return the user object. Then you can set the $commentdata['user_id'] = $user->ID and return, and the comment will be dealt with accordingly.
An auth failure will make that return a WP_Error object instead, so use is_wp_error on the result to see if it’s a WP_Error or a WP_User object that you get back.
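The approach from the answer above, put together as an added example that is not part of the original answer. The form field names `comment_user_login` and `comment_user_pass` and the function name `example_login_with_comment` are assumptions; the theme's comment form would have to supply those fields.

```php
<?php
// Added example. The POST field names and the function name are hypothetical.
add_filter( 'preprocess_comment', 'example_login_with_comment' );

function example_login_with_comment( $commentdata ) {
    // Nothing to do if the visitor is already signed in or sent no credentials.
    if ( is_user_logged_in()
        || empty( $_POST['comment_user_login'] )
        || empty( $_POST['comment_user_pass'] ) ) {
        return $commentdata;
    }

    $credentials = array(
        // Only undo WordPress's added slashes; the password is not altered otherwise.
        'user_login'    => wp_unslash( $_POST['comment_user_login'] ),
        'user_password' => wp_unslash( $_POST['comment_user_pass'] ),
        'remember'      => false,
    );

    // wp_signon sets the auth cookies, so no output may have been sent yet.
    $user = wp_signon( $credentials, is_ssl() );

    if ( is_wp_error( $user ) ) {
        // One generic message for every failure, so the response does not
        // reveal whether the user name exists. The comment is not stored.
        wp_die(
            esc_html__( 'Login failed. Your comment was not posted.' ),
            '',
            array( 'response' => 403, 'back_link' => true )
        );
    }

    // Make the new login effective for the rest of this request as well.
    wp_set_current_user( $user->ID );

    // Attribute the comment to the authenticated account rather than to
    // whatever name and e-mail fields were submitted with the form.
    $commentdata['user_id']              = $user->ID;
    $commentdata['comment_author']       = $user->display_name;
    $commentdata['comment_author_email'] = $user->user_email;
    $commentdata['comment_author_url']   = $user->user_url;

    return $commentdata;
}
```

If the site has "Users must be registered and logged in to comment" enabled, WordPress rejects the submission before `preprocess_comment` runs, so this filter alone does not cover that setting. Failed attempts still pass through the normal authentication path, so the form should be served over HTTPS and covered by whatever login rate limiting the site already uses.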