[wp-trac] [WordPress Trac] #63684: 'edit_user' capability returns true for user_id = 0 when logged out.
WordPress Trac
noreply at wordpress.org
Fri Jul 11 00:55:10 UTC 2025
#63684: 'edit_user' capability returns true for user_id = 0 when logged out.
-----------------------------+------------------------------------------
Reporter: dd32 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version:
Severity: minor | Keywords: needs-patch needs-unit-tests
Focuses: |
-----------------------------+------------------------------------------
Unexpectedly, the `edit_user` capability returns true for `$user_id =
0` when the user is not logged in.
This is visualised by wp-cli, but is unrelated to the cli-nature:
{{{
wp> is_user_logged_in();
bool(false)
wp> get_current_user_id();
int(0)
wp> current_user_can( 'edit_user', 0 );
bool(true)
}}}
This can cause some unexpected side-effects for some code that is checking
whether the current user can edit themselves, and has foregone a logged in
check in favour of the capability check.
The root cause of this appears to be
https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-includes/capabilities.php#L63-L66
which could be enhanced with `&& $user_id` or `&& $user_id > 0`.
''This has been run past the security team for posting publicly as a
hardening ticket''
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63684>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
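The following is an added example, not code from the ticket or from WordPress core. It is a stand-alone PHP model of the self-edit shortcut the ticket describes (a current-user-ID equality check with no logged-in guard), placed beside the `&& $user_id > 0` variant the reporter proposes, plus the caller-side guard plugin code should use. The function names, the `$role_caps` array and the test cases are constructed for this example and do not correspond to WordPress APIs; the only real behaviour being modelled is that a logged-out request has a current user ID of 0.

```php
<?php
// Added example (not WordPress core code): minimal model of the
// 'edit_user' self-edit shortcut, original vs. hardened.
//
// $user_id is the current user's ID (0 when logged out) and $args[0]
// is the target user ID, mirroring the arguments of current_user_can().

// Model of the original shortcut: the check passes whenever the target
// ID equals the current user ID. With a logged-out request both are 0,
// so the comparison succeeds even though there is no user at all.
function self_edit_shortcut_original( int $user_id, array $args ): bool {
    return isset( $args[0] ) && $user_id == $args[0];
}

// Hardened variant: additionally require a real (non-zero) user ID,
// which is the `&& $user_id > 0` change the ticket suggests.
function self_edit_shortcut_hardened( int $user_id, array $args ): bool {
    return isset( $args[0] ) && $user_id > 0 && $user_id == $args[0];
}

// Stand-in for current_user_can( 'edit_user', $target ) (constructed):
// if the self-edit shortcut applies the check passes outright, otherwise
// the caller needs the 'edit_users' capability in their role.
function model_current_user_can_edit_user( callable $shortcut, int $current_user_id, int $target, array $role_caps ): bool {
    if ( $shortcut( $current_user_id, array( $target ) ) ) {
        return true;
    }
    return in_array( 'edit_users', $role_caps, true );
}

// Caller-side mitigation for plugin code: when the intent is "can the
// current user edit themselves", check for a logged-in user first
// instead of relying on the capability check alone.
function can_current_user_edit_self( callable $shortcut, int $current_user_id, array $role_caps ): bool {
    if ( $current_user_id <= 0 ) {        // equivalent of ! is_user_logged_in()
        return false;
    }
    return model_current_user_can_edit_user( $shortcut, $current_user_id, $current_user_id, $role_caps );
}

// Constructed cases: [current user id, target id, role caps, label].
$cases = array(
    array( 0, 0, array(),             'logged out, target 0' ),
    array( 5, 5, array(),             'subscriber editing self' ),
    array( 5, 7, array(),             'subscriber editing another user' ),
    array( 1, 7, array( 'edit_users' ), 'admin editing another user' ),
);

foreach ( $cases as [ $current, $target, $caps, $label ] ) {
    printf(
        "%-34s original=%-5s hardened=%-5s\n",
        $label,
        var_export( model_current_user_can_edit_user( 'self_edit_shortcut_original', $current, $target, $caps ), true ),
        var_export( model_current_user_can_edit_user( 'self_edit_shortcut_hardened', $current, $target, $caps ), true )
    );
}

// The caller-side guard closes the gap even with the original shortcut.
printf(
    "logged out, self-edit via guard:  original=%s\n",
    var_export( can_current_user_edit_self( 'self_edit_shortcut_original', 0, array() ), true )
);
```

Run with `php example.php`: only the "logged out, target 0" row differs between the two columns (original=true, hardened=false); the self-edit and admin rows pass in both, and the subscriber-edits-another-user row fails in both, so the hardening does not change any legitimate outcome. The final line shows that code which checks for a logged-in user before the capability check is unaffected by the core behaviour either way.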