mirror of
git://develop.git.wordpress.org/
synced 2025-01-17 21:08:44 +01:00
Users: Prevent infinite loop when using capability checks during determine_current_user on multisite.
On multisite, when checking if a user has a certain capability WordPress makes an additional check to see if the user is a super admin. The `is_super_admin()` function contained a call to `wp_get_current_user()` so as the global current user object could be used if it matched the queried user id. This would cause an infinite loop if a hook attached to the `determine_current_user` filter was itself making a permission check. For example when limiting who can use the Application Passwords feature based on their capabilities. Since [50790] the `WP_User` instance for the current user is shared between `wp_get_current_user()` and `get_userdata()`. This means we can remove the `wp_get_current_user` call from `is_super_admin()` while still retaining the same behavior. Props chrisvanpatten, peterwilsoncc. Fixes #53386. git-svn-id: https://develop.svn.wordpress.org/trunk@52157 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Timothy Jacobs
parent
b609efa519
commit
91c3f80355
@ -888,7 +888,7 @@ function get_super_admins() {
|
||||
* @return bool Whether the user is a site admin.
|
||||
*/
|
||||
function is_super_admin( $user_id = false ) {
|
||||
if ( ! $user_id || get_current_user_id() == $user_id ) {
|
||||
if ( ! $user_id ) {
|
||||
$user = wp_get_current_user();
|
||||
} else {
|
||||
$user = get_userdata( $user_id );
|
||||
|
||||
@ -635,4 +635,44 @@ class Tests_Auth extends WP_UnitTestCase {
|
||||
|
||||
$this->assertNull( wp_validate_application_password( null ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* @ticket 53386
|
||||
* @dataProvider data_application_passwords_can_use_capability_checks_to_determine_feature_availability
|
||||
*/
|
||||
public function test_application_passwords_can_use_capability_checks_to_determine_feature_availability( $role, $authenticated ) {
|
||||
$user = self::factory()->user->create_and_get( array( 'role' => $role ) );
|
||||
|
||||
list( $password ) = WP_Application_Passwords::create_new_application_password( $user->ID, array( 'name' => 'phpunit' ) );
|
||||
|
||||
add_filter( 'application_password_is_api_request', '__return_true' );
|
||||
add_filter( 'wp_is_application_passwords_available', '__return_true' );
|
||||
add_filter(
|
||||
'wp_is_application_passwords_available_for_user',
|
||||
static function ( $available, WP_User $user ) {
|
||||
return user_can( $user, 'edit_posts' );
|
||||
},
|
||||
10,
|
||||
2
|
||||
);
|
||||
|
||||
$_SERVER['PHP_AUTH_USER'] = $user->user_login;
|
||||
$_SERVER['PHP_AUTH_PW'] = $password;
|
||||
|
||||
unset( $GLOBALS['current_user'] );
|
||||
$current = get_current_user_id();
|
||||
|
||||
if ( $authenticated ) {
|
||||
$this->assertSame( $user->ID, $current );
|
||||
} else {
|
||||
$this->assertSame( 0, $current );
|
||||
}
|
||||
}
|
||||
|
||||
public function data_application_passwords_can_use_capability_checks_to_determine_feature_availability() {
|
||||
return array(
|
||||
'allowed' => array( 'editor', true ),
|
||||
'not allowed' => array( 'subscriber', false ),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user