[wp-trac] [WordPress Trac] #36376: current_user_can/has_cap fails when user has multiple roles
WordPress Trac
noreply at wordpress.org
Wed Mar 30 17:16:47 UTC 2016
#36376: current_user_can/has_cap fails when user has multiple roles
----------------------------+-----------------------------
Reporter: mikejolley | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
To replicate the issue, install a role editor. Set up a user with primary
role 'author' and secondary role 'customer' (this is a WooCommerce role
which has ONLY 'read' access, nothing else).
https://dl.dropboxusercontent.com/s/xgucqvvh6no3skm/2016-03-30%20at%2017.49.png?dl=0
You can add a role with only:
{{{#!php
'read' => true
}}}
permissions if you don't have WooCommerce installed.
Dump:
{{{#!php
var_dump( current_user_can( 'edit_posts' ) );
}}}
It will be false.
During get_role_caps() in class-wp-user.php, each role is retrieved and
merged. The merge itself doesn't look at values, so if multiple roles have
the same 'cap' but different value, these overwrite each other.
In my case, edit_posts was true for the author role, but false for
customer role. Customer role false overwrote author role true.
Since caps only allow access to things if 'true', I think we can safely
discard all 'false' caps when getting roles. If false caps are discarded,
only true caps are left which works around the issue and fixes user
capabilities if they have multiple roles at once.
Fix to follow (added array_filter to discard all 'false' caps, allowing us
to merge only 'true' caps).
Had this reported to us in
https://github.com/woothemes/woocommerce/issues/10612#issuecomment-203518038
but it wasn't a WooCommerce issue.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36376>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
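The capability-merge behaviour the ticket describes, reproduced with plain arrays as an added example (this is not code from the ticket or from WordPress core). The role definitions are constructed: the 'author' role grants edit_posts, and the 'customer' role carries an explicit 'edit_posts' => false alongside its 'read' => true, which is the collision the report describes. merge_caps_naive stands in for the unfiltered array_merge in get_role_caps(); merge_caps_filtered applies the array_filter approach the reporter proposes. caps_allow mirrors the has_cap rule that a capability only grants access when its value is truthy.

```php
<?php
// Added example, not from the ticket or WordPress core. Constructed role
// definitions: 'customer' explicitly sets edit_posts to false, which is
// what lets it overwrite the author grant when roles are merged in order.
$roles = array(
    'author'   => array( 'read' => true, 'edit_posts' => true, 'upload_files' => true ),
    'customer' => array( 'read' => true, 'edit_posts' => false ),
);

// Unfiltered merge: the last role listed wins for any shared key,
// so a later false silently cancels an earlier true.
function merge_caps_naive( array $roles, array $user_roles ) {
    $allcaps = array();
    foreach ( $user_roles as $role ) {
        $allcaps = array_merge( $allcaps, $roles[ $role ] );
    }
    return $allcaps;
}

// Filtered merge: drop false entries before merging. A false value never
// grants access on its own, so discarding it cannot widen what a user can do;
// it only stops one role from negating a grant made by another.
function merge_caps_filtered( array $roles, array $user_roles ) {
    $allcaps = array();
    foreach ( $user_roles as $role ) {
        // array_filter() with no callback removes falsy values; role caps
        // are booleans here, so only explicit false grants are removed.
        $allcaps = array_merge( $allcaps, array_filter( $roles[ $role ] ) );
    }
    return $allcaps;
}

// Same rule has_cap() applies: access only if the cap is present and truthy.
function caps_allow( array $allcaps, $cap ) {
    return ! empty( $allcaps[ $cap ] );
}

$user_roles = array( 'author', 'customer' );

echo "naive merge, edit_posts: ";
var_dump( caps_allow( merge_caps_naive( $roles, $user_roles ), 'edit_posts' ) );

echo "filtered merge, edit_posts: ";
var_dump( caps_allow( merge_caps_filtered( $roles, $user_roles ), 'edit_posts' ) );

// Sanity check: filtering does not add anything the roles never granted.
echo "filtered merge, manage_options: ";
var_dump( caps_allow( merge_caps_filtered( $roles, $user_roles ), 'manage_options' ) );
```

Run with `php example.php`. The naive merge reports no edit_posts grant for the author/customer user, the filtered merge does, and a capability that neither role grants (manage_options) stays denied either way. The check to keep in mind when reviewing a change like this is exactly that last case: removing false entries must never turn an absent capability into a granted one, and because has_cap treats absent and false identically, it does not.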