[wp-trac] [WordPress Trac] #43043: WP Customizer checks current_user_can() too early
WordPress Trac
noreply at wordpress.org
Mon Jan 8 18:56:16 UTC 2018
#43043: WP Customizer checks current_user_can() too early
---------------------------+-----------------------------
Reporter: jamesmehorter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.9.1
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
Hi all :)
On WordPress VIP, the only user role which may use Customizer is an
Administrator. This is due to when the current_user_can() checks occur.
WP Customizer currently checks capabilities on the setup_theme action.
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp-customize-manager.php#L510
This means the only way to create a role/capabilities to manage Customizer
settings is with one of the few hooks which run before setup_theme, i.e.
muplugins_loaded or maybe plugins_loaded. However, if, like us, you're on
WordPress VIP, the earliest hook to do anything is after_setup_theme,
since any/all functionality must live in themes.
I would like to propose that any Customizer current_user_can() checks be
moved to the after_setup_theme action. Of course this would benefit us,
but more importantly, Customizer specifically allows 'theme_mod' settings
(settings specific to the current theme), which infers that a theme_mod
setting is registered by the theme. If a setting is registered by a theme,
the theme should then also be able to determine who may view/edit that
setting.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43043>
WordPress Trac <https://core.trac.wordpress.org/>
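The load order the ticket hinges on is fixed in wp-settings.php: `muplugins_loaded`, `plugins_loaded`, `setup_theme`, then the active theme's functions.php is included, then `after_setup_theme`. Because WP_Customize_Manager runs its `current_user_can( 'customize' )` check on `setup_theme`, code living in a theme has not even been loaded when the decision is made. The following is an added example, not code from the ticket or from WordPress core, showing the workaround that is available where mu-plugins can be deployed: an mu-plugin that maps the `customize` meta capability for an extra role before `setup_theme` fires, while the theme keeps per-setting control through each setting's own `capability` argument. The role name `editor`, the setting names and the helper function names are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example: grant the Customizer capability early (mu-plugin)
 *
 * Added example, not part of the ticket or WordPress core. Placed in
 * wp-content/mu-plugins/ it is loaded before `setup_theme`, which is where
 * WP_Customize_Manager calls current_user_can( 'customize' ). Role name,
 * setting names and function names are assumptions for illustration.
 */

// Optional: log the hook order the ticket describes, to confirm that a
// theme's functions.php (loaded between setup_theme and after_setup_theme)
// really does run after the Customizer's capability check.
foreach ( array( 'muplugins_loaded', 'plugins_loaded', 'setup_theme', 'after_setup_theme' ) as $hook ) {
    add_action( $hook, function () use ( $hook ) {
        error_log( 'hook fired: ' . $hook );
    } );
}

/**
 * `customize` is a meta capability: core's map_meta_cap() resolves it to the
 * primitive `edit_theme_options`. Filtering map_meta_cap lets the assumed
 * `editor` role satisfy the check without being granted edit_theme_options
 * everywhere else (Appearance menus, widgets, menus stay administrator-only).
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @return string[]
 */
function example_map_customize_cap( $caps, $cap, $user_id ) {
    if ( 'customize' !== $cap ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'editor', (array) $user->roles, true ) ) {
        // Require a primitive capability the editor role already holds.
        return array( 'edit_posts' );
    }
    return $caps; // everyone else keeps core's mapping
}
add_filter( 'map_meta_cap', 'example_map_customize_cap', 10, 3 );

/**
 * Opening the Customizer is only the first gate. Each registered setting
 * carries its own `capability`, enforced by WP_Customize_Setting when the
 * setting is previewed or saved, so the theme still decides which theme_mod
 * values the widened role may actually change. This callback would normally
 * live in the theme's functions.php; customize_register runs late enough
 * (on wp_loaded) for that to work.
 */
function example_register_settings( WP_Customize_Manager $wp_customize ) {
    // Administrator-only theme_mod: editors pass the `customize` gate but
    // cannot preview or save this value.
    $wp_customize->add_setting( 'example_accent_color', array(
        'type'              => 'theme_mod',
        'capability'        => 'edit_theme_options',
        'sanitize_callback' => 'sanitize_hex_color',
    ) );

    // theme_mod that anyone who passed the mapping above may edit.
    $wp_customize->add_setting( 'example_footer_note', array(
        'type'              => 'theme_mod',
        'capability'        => 'customize',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
}
add_action( 'customize_register', 'example_register_settings' );
```

The two halves are deliberately separate: the `map_meta_cap` filter must be registered before `setup_theme`, so it has to come from an mu-plugin or a regular plugin, while the per-setting `capability` values can stay in the theme because `customize_register` fires after the theme is loaded. On a host where only theme code can be deployed, the first half is exactly what cannot be done today, which is the ticket's point.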