[wp-trac] [WordPress Trac] #38705: Store user ID with setting change written into changeset and restore user when setting is saved

WordPress Trac noreply at wordpress.org
Tue Nov 8 04:56:48 UTC 2016 

#38705: Store user ID with setting change written into changeset and restore user
when setting is saved
--------------------------+-----------------
 Reporter:  westonruter   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  4.7
Component:  Customize     |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------
 In researching how best to accommodate Jetpack (#38672) being able to
 allow users who cannot `unfiltered_css` to be able to edit Custom CSS by
 adding additional sanitizing filters, I realized a deficiency in
 changesets (#30937). A supderadmin user user may write a change into a
 changeset, such as `post_content`, and this may include unsafe HTML as
 intended by the superadmin user. If non-super admin user comes along and
 makes a change to a different setting and updates the changeset, then if
 that non-super admin publishes the changes, the kses filters will
 unexpectedly strip out the unsafe markup content that the superadmin had
 written in their changeset update. This likewise will happen when a
 superadmin schedules their changeset for publishing later: when WP Cron
 runs there is no current user, and so the kses filters would apply then as
 well.

 What is needed is for the user who modified a setting to have their
 `user_id` associated with the setting in the changeset. Then when the
 changeset is published with the settings being saved/persisted to the DB,
 then the associated user should be logged-in temporarily so that the
 setting will save with the expected user context. For normal user updates
 to changesets, this means that settings would no longer need to have their
 associated `capability` temporarily overridden to be `exist`.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38705>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list