[wp-trac] [WordPress Trac] #31518: WP_User::has_cap and 'map_meta_cap' filter
WordPress Trac
noreply at wordpress.org
Wed May 30 09:53:45 UTC 2018
#31518: WP_User::has_cap and 'map_meta_cap' filter
----------------------------------------------+--------------------------
Reporter: dugi digitaly | Owner: johnbillion
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Role/Capability | Version: 2.0
Severity: normal | Resolution: wontfix
Keywords: needs-patch has-unit-tests early | Focuses:
----------------------------------------------+--------------------------
Changes (by johnbillion):
* status: accepted => closed
* resolution: => wontfix
* milestone: Future Release =>
Comment:
I believe this change has too high a chance to break something that is
relying on the user cap check returning true when the cap check is an
empty array. If some malicious code can affect the return value of the
`map_meta_cap` filter, then it can effectively allow anything on the site
anyway.
Thanks for the report @dugi digitaly. It lead to a few improvements in the
core code and in the unit tests.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31518#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list