[wp-trac] [WordPress Trac] #52076: Checking anonymous user's exist capability returns inconsistent results across functions.

WordPress Trac noreply at wordpress.org
Mon Jan 18 05:11:32 UTC 2021


#52076: Checking anonymous user's exist capability returns inconsistent results
across functions.
-------------------------------------------------+-------------------------
 Reporter:  peterwilsoncc                        |       Owner:  (none)
     Type:  defect (bug)                         |      Status:  new
 Priority:  normal                               |   Milestone:  5.7
Component:  Role/Capability                      |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  early has-patch needs-unit-tests     |     Focuses:
  needs-dev-note                                 |
-------------------------------------------------+-------------------------

Comment (by TimothyBlynJacobs):

 So I suppose the obvious risk here is someone writing a `map_meta_cap`
 filter that doesn't handle `user_id = 0` properly. Some bad code like
 `if ( ! $user_id ) { return []; }`. But I imagine there are more plausible
 scenarios where you could end up writing code that would wind up having the
 same effect.

 To alleviate this, I wonder if it makes sense to ''require'' `exist` to
 be listed in the response from `map_meta_cap` if the user ID is `0`. I.e.,
 something like this at the end of `::has_cap()`.

 {{{#!php
 // Anonymous users (ID 0) must be explicitly mapped to 'exist';
 // otherwise fail closed rather than trusting a possibly empty $caps.
 if ( ! $this->exists() && ! in_array( 'exist', $caps, true ) ) {
     return false;
 }
 }}}

 That way we can do things like use `read_post` for both logged-in and
 logged-out users. But there'd be a much smaller risk of a developer
 accidentally giving a logged-out user permission to do something.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52076#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
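The failure mode and the proposed guard, as an added example that is not part of the ticket or of WordPress core: a constructed, simplified model of `WP_User::has_cap()` with a stand-in `map_meta_cap` filter chain and a stand-in user table. The hook registration function, the user table and the `$require_exist` switch are assumptions made for the demonstration; only the shape of the capability check (map, filter, then require every mapped cap) mirrors core.

```php
<?php
// Constructed, simplified model of WP_User::has_cap() and the map_meta_cap filter.
// Not WordPress core code; names mirror core but the hook and user table are stand-ins.

// Stand-in for the 'map_meta_cap' filter chain (core uses apply_filters()).
$map_meta_cap_filters = [];

function add_map_meta_cap_filter( callable $cb ): void {
    global $map_meta_cap_filters;
    $map_meta_cap_filters[] = $cb;
}

// Minimal map_meta_cap(): maps a meta capability to primitive capabilities,
// then runs the registered filters in order, as core's apply_filters() would.
function map_meta_cap( string $cap, int $user_id ): array {
    global $map_meta_cap_filters;
    // In this model a 'read' request maps to 'exist'; everything else maps to itself.
    $caps = ( 'read' === $cap ) ? [ 'exist' ] : [ $cap ];
    foreach ( $map_meta_cap_filters as $cb ) {
        $caps = (array) $cb( $caps, $cap, $user_id );
    }
    return $caps;
}

// Stand-in for the user's granted capabilities ($this->allcaps in core).
// Assumed data: user 1 may edit posts; user 0 is the anonymous visitor.
function user_allcaps( int $user_id ): array {
    $users = [ 1 => [ 'edit_posts' => true ] ];
    return $users[ $user_id ] ?? [];
}

// Simplified has_cap(). $require_exist toggles the guard proposed in the comment.
function has_cap( int $user_id, string $cap, bool $require_exist ): bool {
    $caps         = map_meta_cap( $cap, $user_id );
    $capabilities = user_allcaps( $user_id );

    // Everyone is allowed to exist (core sets this unconditionally).
    $capabilities['exist'] = true;
    unset( $capabilities['do_not_allow'] );

    // Proposed guard: an anonymous user (ID 0) must have 'exist' among the mapped
    // caps; a filter that emptied the list would otherwise pass the loop below.
    if ( $require_exist && 0 === $user_id && ! in_array( 'exist', $caps, true ) ) {
        return false;
    }

    // Must have ALL requested caps. An empty $caps array passes vacuously.
    foreach ( $caps as $required ) {
        if ( empty( $capabilities[ $required ] ) ) {
            return false;
        }
    }
    return true;
}

// The "bad code" from the comment: a filter that returns [] for user ID 0.
add_map_meta_cap_filter( function ( array $caps, string $cap, int $user_id ): array {
    if ( ! $user_id ) {
        return [];
    }
    return $caps;
} );

// Anonymous user asking for edit_posts: without the guard the empty list passes
// the loop vacuously; with the guard the check fails closed.
var_dump( has_cap( 0, 'edit_posts', false ) );
var_dump( has_cap( 0, 'edit_posts', true ) );
// Logged-in user 1 still gets edit_posts with the guard on.
var_dump( has_cap( 1, 'edit_posts', true ) );
```

Running the script with `php` shows the three checks in the order given: the unguarded anonymous check granting `edit_posts`, the guarded anonymous check denying it, and the logged-in user unaffected by the guard. The point to take from it is that `has_cap()` requires every cap in the mapped list, so an empty list is the most permissive possible answer; requiring `exist` for user ID 0 turns that silent grant into a denial.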


More information about the wp-trac mailing list