[wp-trac] [WordPress Trac] #52076: Checking anonymous user's exist capability returns inconsistent results across functions.
WordPress Trac
noreply at wordpress.org
Mon Jan 18 05:11:32 UTC 2021
#52076: Checking anonymous user's exist capability returns inconsistent results
across functions.
-------------------------------------------------+-------------------------
Reporter: peterwilsoncc | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 5.7
Component: Role/Capability | Version:
Severity: normal | Resolution:
Keywords: early has-patch needs-unit-tests | Focuses:
needs-dev-note |
-------------------------------------------------+-------------------------
Comment (by TimothyBlynJacobs):
So I suppose the obvious risk here is someone writing a `map_meta_cap`
filter that doesn't handle `user_id = 0` properly. Some bad code like `if
( ! $user_id ) { return []; }`. But I imagine there are more plausible
scenarios you could end up writing code that would wind up having the same
effect.
To alleviate this, I wonder if it makes sense to ''require'' `exists` to
be listed in the response from `map_meta_cap` if the user ID is `0`. Ie
something like this at the end of `::has_cap()`.
{{{#!php
if ( ! $this->exists() && ! in_array( 'exist', $caps, true ) ) {
return false;
}
}}}
That way we can do things like use `read_post` for both logged-in and
logged out users. But there'd be a much smaller risk of a developer
accidentally giving a logged out user permission to do something.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52076#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list