Opened 3 years ago
Closed 3 years ago
#8459 closed defect (bug) (fixed)
Audit user_can() and 'exist' cap usages, related to anonymous users
Reported by: | johnjamesjacoby | Owned by: | |
---|---|---|---|
Milestone: | 8.0.0 | Priority: | high |
Severity: | normal | Version: | |
Component: | Core | Keywords: | dev-reviewed |
Cc: | peterwilsoncc |
Description (last modified by )
See: #WP52076, [WP50490].
WordPress 5.8 will ensure current_user_can()
, current_user_can_for_blog()
, and user_can()
return the same results for anonymous (logged out) users.
I have not yet identified any incompatibilities with this upstream change, but I am expecting at least a single something somewhere to be adversely affected. 🤣
Change History (8)
#3
@
3 years ago
- Milestone changed from Awaiting Review to 8.0.0
Thanks a lot for bringing this to our attention 👍. I've just ran PHPUnit Test against WP 5.8/trunk and no tests failed.
I agree we should follow the steps you're recommanding. I'll do it for BP Core. @espellcaste, can you have a look at the BP REST API ?
#4
@
3 years ago
@imath Also tested against WordPress master/trunk and saw no issues with the unit tests. Here is one pull request as an example: https://github.com/buddypress/BP-REST/pull/389
#5
@
3 years ago
Thanks a lot @espellcaste 👍. I'll work on the BuddyPress Core part asap 😉
#6
@
3 years ago
Here's what I've checked so far about the user_can( 0, 'exist' )
change in WP 5.8
user_can()
is used twice in BP Core code:
- In
bp_core_login_redirect()
to check the'edit_posts'
cap. - In
bp_user_can()
to possibly check any caps.
bp_user_can()
is used 15 times in BP Core code:
- by
bp_current_user_can()
to possibly check any caps. - directly 14 times. The
exist
cap is never checked, it is used twice to check for the user ID0
inBP_Members_Invitation_Manager->allow_invitation()
and inBP_Members_Invitation_Manager->allow_request()
- The 'exist' cap is checked twice in BP Core code:
- In
BP_Members_Admin->user_profile_menu()
to generate a WP Admin menu. - In
bp_xprofile_map_meta_caps()
as the default capability to return. This cap is always checked withbp_current_user_can()
except once inbp_xprofile_grant_bp_xprofile_change_field_visibility_for_logged_out_users()
which filtersbp_user_can()
to allow a logged out user to customize the field visibility (probably during signup)
- Unit tests are not failing with WP Master which is containing the WP changeset since march 4th
Next steps are to:
- Ensure that code expecting false or a mock/empty WP_User object continues to return the correct type of value
- Ensure hooks continue to pass in correctly typed variable values related to roles/capabilities
Here's the brief outline as I imagine it, that may or may not be 100% accurate:
user_can()
function callsexist
false
or a mock/emptyWP_User
object continues to return the correct type of value