[wp-trac] [WordPress Trac] #53386: Multisite is_super_admin call during app password validation can lead to infinite loop
WordPress Trac
noreply at wordpress.org
Mon Nov 15 01:08:50 UTC 2021
#53386: Multisite is_super_admin call during app password validation can lead to
infinite loop
----------------------------------------+--------------------------------
Reporter: chrisvanpatten | Owner: TimothyBlynJacobs
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 5.9
Component: Users | Version: 5.6
Severity: normal | Resolution: fixed
Keywords: needs-unit-tests has-patch | Focuses: rest-api
----------------------------------------+--------------------------------
Changes (by TimothyBlynJacobs):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"52157" 52157]:
{{{
#!CommitTicketReference repository="" revision="52157"
Users: Prevent infinite loop when using capability checks during
`determine_current_user` on multisite.
On multisite, when checking if a user has a certain capability WordPress
makes an additional check to see if the user is a super admin. The
`is_super_admin()` function contained a call to `wp_get_current_user()` so
that the global current user object could be used if it matched the queried
user id.
This would cause an infinite loop if a hook attached to the
`determine_current_user` filter was itself making a permission check. For
example when limiting who can use the Application Passwords feature based
on their capabilities.
Since [50790] the `WP_User` instance for the current user is shared
between `wp_get_current_user()` and `get_userdata()`. This means we can
remove the `wp_get_current_user` call from `is_super_admin()` while still
retaining the same behavior.
Props chrisvanpatten, peterwilsoncc.
Fixes #53386.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53386#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
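The re-entrancy described in the commit message, as an added toy model that is not WordPress core code: the function names mirror the WordPress ones, but every definition below is a stand-in written for this example, the user table and the "app password matched alice" outcome are constructed, and the depth counter exists only so the pre-fix path terminates instead of exhausting the stack. Toggling `demo_fixed` switches `is_super_admin()` between the behaviour before [52157] (consult `wp_get_current_user()` first) and after it (resolve through `get_userdata()` only).

```php
<?php
// Added illustration, not WordPress core code: a toy model of the hook chain
// described in the commit message. Names mirror WordPress functions, but every
// definition here is a stand-in written for this example.

// Constructed user table: ID => user record (super = is a super admin)
$GLOBALS['demo_users'] = [
    1 => ['ID' => 1, 'login' => 'alice', 'super' => true],
    2 => ['ID' => 2, 'login' => 'bob',   'super' => false],
];
$GLOBALS['demo_current_user'] = null;  // the shared "current user" instance
$GLOBALS['demo_depth']        = 0;     // re-entrancy guard, only so the demo terminates
$GLOBALS['demo_fixed']        = false; // false = pre-[52157] behaviour, true = post-fix

function get_userdata(int $user_id): ?array {
    return $GLOBALS['demo_users'][$user_id] ?? null;
}

// Stand-in for a callback on the determine_current_user filter that validates
// an application password and then restricts the feature by capability.
// The capability check is what re-enters current-user resolution.
function demo_app_password_auth(int $user_id): int {
    $candidate = 1; // constructed: the app password matched alice
    if (!is_super_admin($candidate)) {
        return 0;   // not allowed to use application passwords
    }
    return $candidate;
}

function wp_get_current_user(): array {
    if ($GLOBALS['demo_current_user'] !== null) {
        return $GLOBALS['demo_current_user'];
    }
    if (++$GLOBALS['demo_depth'] > 10) {
        throw new RuntimeException('determine_current_user re-entered 10 times: infinite loop');
    }
    $id = demo_app_password_auth(0); // runs the filter callback
    $GLOBALS['demo_depth']--;
    $GLOBALS['demo_current_user'] = get_userdata($id) ?? ['ID' => 0, 'super' => false];
    return $GLOBALS['demo_current_user'];
}

function is_super_admin(int $user_id): bool {
    if ($GLOBALS['demo_fixed']) {
        // After the fix: resolve via get_userdata() only. Since [50790] it shares
        // the same WP_User instance as wp_get_current_user(), so nothing is lost.
        $user = get_userdata($user_id);
    } else {
        // Before the fix: ask for the current user first, which re-runs the
        // determine_current_user filter while that filter is still executing.
        $current = wp_get_current_user();
        $user = ($current['ID'] === $user_id) ? $current : get_userdata($user_id);
    }
    return (bool) ($user['super'] ?? false);
}

// Resets the demo state and resolves the current user once under the chosen behaviour.
function demo_resolve(bool $fixed): string {
    $GLOBALS['demo_fixed']        = $fixed;
    $GLOBALS['demo_current_user'] = null;
    $GLOBALS['demo_depth']        = 0;
    try {
        return 'resolved user ID ' . wp_get_current_user()['ID'];
    } catch (RuntimeException $e) {
        return 'aborted: ' . $e->getMessage();
    }
}

echo 'before fix: ' . demo_resolve(false) . PHP_EOL;
echo 'after fix:  ' . demo_resolve(true)  . PHP_EOL;
```

Run with `php demo.php`: the pre-fix path trips the depth guard because each `is_super_admin()` call starts a fresh `determine_current_user` pass before the outer one has stored a result, while the post-fix path resolves the user in a single pass. The general rule the fix relies on is that code running inside `determine_current_user` must never trigger current-user resolution itself, directly or through a capability check.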