Use plugin-friendly is_user_logged_in() to determine logged-in/nopriv in admin-post.php

[jmdodd]

/wp-admin/admin-post.php was introduced in r8315 and still uses the function wp_validate_auth_cookie() to differentiate between logged-in and nopriv actions today. /wp-admin/admin-ajax.php, introduced in r3660, uses is_user_logged_in() to differentiate between the logged-in and nopriv actions.

Using is_user_logged_in() allows a plugin to provide a different form of authentication to set the user by filtering on determine_current_user in _wp_get_current_user() whereas wp_validate_auth_cookie() does not, even though it is already a default filter on determine_current_user. Both admin-post.php and admin-ajax.php perform a similar role in wp-admin and should have similar authentication paths.

[dd32]

I'm not sure why wp_validate_auth_cookie() was originally used here, as it's definitely not the correct function. Using is_user_logged_in() as done in admin-ajax.php makes much more sense, as far as I can tell, admin-post.php has never worked with alternative authentication providers which use their own cookies.

[pento]

In 44615:

Admin: Use is_user_logged_in() instead of wp_validate_auth_cookie() in admin-post.php.

This matches the authentication check in admin-ajax.php, and allows the authentication method to be filtered.

Props jmdodd.
Fixes #45475.