[wp-trac] [WordPress Trac] #52076: Checking anonymous user's exist capability returns inconsistent results across functions.

WordPress Trac noreply at wordpress.org
Mon Apr 19 00:35:12 UTC 2021


#52076: Checking anonymous user's exist capability returns inconsistent results
across functions.
-------------------------------------------------+-------------------------
 Reporter:  peterwilsoncc                        |       Owner:
                                                 |  peterwilsoncc
     Type:  defect (bug)                         |      Status:  reopened
 Priority:  normal                               |   Milestone:  5.8
Component:  Role/Capability                      |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  early has-patch needs-dev-note has-  |     Focuses:
  unit-tests                                     |
-------------------------------------------------+-------------------------

Comment (by peterwilsoncc):

 > The comment says "User is logged out, create anonymous user object." but
 > what about a non existing user? Before the function could return "false",
 > but now it's impossible to get a false with "exist".

 This has been the case with `current_user_can()` for a while. An invalid
 ID is treated as an anonymous user in all instances. Both before and after
 the change above the following code would return `true`, so `user_can()`
 is changing to match the more common permission check.

 {{{#!php
 <?php
 wp_set_current_user( 99999 ); // invalid user id
 var_dump( current_user_can( 'exist' ) );
 // dumps `true`.
 }}}


 As @jjj mentions above, BuddyPress will be changing this to account for
 the now consistent results between the two functions. I'm unable to find
 the ticket on the BuddyPress trac, I'm afraid. I'll reach out to John and
 ask.

 A [https://wpdirectory.net/search/01EWC6K8QZ8D4S5GWM1M7NH6VZ search of the
 plugin repo for the string exist] didn't reveal any matches either.

 > I would like to suggest [... checking the object is a `WP_User` object
 > to avoid a fatal error]

 Testing prior to the commit above, the following code has caused a
 fatal error for some time.

 {{{#!php
 <?php
 $user = new stdClass();
 user_can( $user, 'any_capability' );
 // Fatal error.
 }}}


 I agree it's worth discussing defensive coding to avoid this but think
 it's best to go on a follow up ticket as it's not a new issue following
 the changes on this ticket.

 Are you able to create the follow up ticket (so you can be properly
 credited with the idea)? Please mention me on the ticket and I will put it
 on the 5.8 milestone.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52076#comment:27>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
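
An added example, not part of the original message and not WordPress core code: one way a plugin could guard a capability check against the two cases discussed in the comment above (an invalid ID being treated as an anonymous user that still has `exist`, and a non-`WP_User` object causing a fatal error in `user_can()`). The helper name `myplugin_real_user_can()` is hypothetical, and the code assumes it runs inside a loaded WordPress.

```php
<?php
/**
 * Hypothetical helper (not a WordPress core function): a capability check
 * that only succeeds for a real, existing account.
 *
 * @param mixed  $user       User ID or WP_User object to check.
 * @param string $capability Capability name.
 * @param mixed  ...$args    Optional arguments (e.g. an object ID), passed through.
 * @return bool
 */
function myplugin_real_user_can( $user, $capability, ...$args ) {
	// Resolve IDs here so an unknown ID is rejected instead of being
	// turned into an anonymous user by the core capability functions.
	if ( is_numeric( $user ) ) {
		$user = get_userdata( (int) $user ); // WP_User on success, false otherwise.
	}

	// Reject anything that is not a WP_User (false, stdClass, arrays, ...).
	// Handing such a value to user_can() is the fatal-error case from the ticket.
	if ( ! $user instanceof WP_User ) {
		return false;
	}

	// The anonymous user object has ID 0, so WP_User::exists() is false for it.
	// Without this check, 'exist' would be granted to a logged-out visitor.
	if ( ! $user->exists() ) {
		return false;
	}

	return user_can( $user, $capability, ...$args );
}
```

Code that uses `current_user_can( 'exist' )` or `user_can( $id, 'exist' )` as a stand-in for "this is a logged-in, valid account" should use `is_user_logged_in()` or a check like the one above instead.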

