[wp-trac] [WordPress Trac] #31518: WP_User::has_cap and 'map_meta_cap' filter
WordPress Trac
noreply at wordpress.org
Tue Mar 3 20:34:52 UTC 2015
#31518: WP_User::has_cap and 'map_meta_cap' filter
---------------------------+-----------------------------
Reporter: dugi digitaly | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 2.0
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
{{{
add_filter('map_meta_cap', function(){return array();}, 1,0 );
//<-backdoor virus or any plugin
var_dump( user_can( $admin_user_id = 1, 'unavailable cap' ) );
//return true
var_dump( user_can( $Subscriber_user_id = 3, 'remove_users' ) );
//return true
//The alternative I propose:
// insert if(!in_array($cap,$caps)) return false; inside WP_User::has_cap( $cap ) after 'map_meta_cap' filter
// OR
// insert if(empty((array)$caps)) return false; inside WP_User::has_cap( $cap ) before the foreach
}}}
[https://core.trac.wordpress.org/browser/tags/4.1.1/src/wp-includes/capabilities.php#L965]
[https://www.diffchecker.com/9cjznf39]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31518>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
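
The check loop this ticket is about, as an added stand-alone PHP model (not WordPress core code and not the reporter's patch): it shows why an empty capability list from `map_meta_cap` passes the check, and how the two proposed guards behave, including on a meta capability. The names `model_has_cap`, `$core_like`, `$emptied` and the sample users are assumptions constructed for illustration.

```php
<?php
// Stand-alone model of the capability check loop. Hypothetical names;
// not WordPress core code.

/**
 * $mapper stands in for the filtered map_meta_cap() result: the list of
 * primitive capabilities required for $cap.
 * $guard: 'none' (loop only), 'in_array' or 'empty' (the ticket's two proposals).
 */
function model_has_cap(array $allcaps, string $cap, callable $mapper, string $guard = 'none'): bool
{
    $required = (array) $mapper($cap);

    if ($guard === 'in_array' && !in_array($cap, $required, true)) {
        return false;
    }
    if ($guard === 'empty' && count($required) === 0) {
        return false;
    }

    foreach ($required as $needed) {
        if (empty($allcaps[$needed])) {
            return false; // a required primitive capability is missing
        }
    }
    return true; // also reached after zero iterations when $required is empty
}

// Constructed sample data (assumptions for illustration).
$subscriber = ['read' => true];
$author     = ['read' => true, 'edit_posts' => true];

// Simplified mapping: the meta capability edit_post resolves to edit_posts.
$core_like = function (string $cap): array {
    return $cap === 'edit_post' ? ['edit_posts'] : [$cap];
};
// What the filter in the ticket leaves behind: no required capabilities.
$emptied = function (string $cap): array {
    return [];
};

foreach (['none', 'in_array', 'empty'] as $guard) {
    printf("guard=%s\n", $guard);
    printf("  subscriber remove_users, normal mapping:  %s\n", var_export(model_has_cap($subscriber, 'remove_users', $core_like, $guard), true));
    printf("  subscriber remove_users, emptied mapping: %s\n", var_export(model_has_cap($subscriber, 'remove_users', $emptied, $guard), true));
    printf("  author edit_post, normal mapping:         %s\n", var_export(model_has_cap($author, 'edit_post', $core_like, $guard), true));
}
```

In this model only the unguarded loop grants `remove_users` under the emptied mapping. The `in_array` guard additionally denies the author's `edit_post`, because that meta capability's mapping does not contain its own name.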