
Changeset 32173


Timestamp:
04/20/2015 07:26:05 AM (10 years ago)
Author:
pento
Message:

In Multisite, prevent plugins from unintentionally switching sites.

Props mdawaffe.

Location:
trunk
Files:
2 edited

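--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -1404,11 +1404,14 @@
  */
 function current_user_can_for_blog( $blog_id, $capability ) {
-    if ( is_multisite() )
-        switch_to_blog( $blog_id );
+    $switched = is_multisite() ? switch_to_blog( $blog_id ) : false;
 
     $current_user = wp_get_current_user();
 
-    if ( empty( $current_user ) )
+    if ( empty( $current_user ) ) {
+        if ( $switched ) {
+            restore_current_blog();
+        }
         return false;
+    }
 
     $args = array_slice( func_get_args(), 2 );
@@ -1417,6 +1420,7 @@
     $can = call_user_func_array( array( $current_user, 'has_cap' ), $args );
 
-    if ( is_multisite() )
+    if ( $switched ) {
         restore_current_blog();
+    }
 
     return $can;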
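Review bot: The restore added to the early-return branch is the substance of the fix, but nothing in the function records why the `$switched` flag exists, so a later edit to that branch can easily drop the restore again and leave every subsequent call running against the wrong site; a why-comment above the assignment would pin the contract, e.g. `// Remember whether we switched so every return path restores the site; a switch_blog hook may clear the current user.` The pairing now depends on switch_to_blog() returning a truthy value whenever it actually switched, which holds as far as I know for core but is worth stating in that comment rather than assuming. The `empty( $current_user )` guard presumably only fires when the global has been cleared (a logged-out user is still a WP_User object), which is exactly the situation the accompanying test constructs, so the guard is narrower than its name suggests. The function's docblock ends just above the hunk, and the hunk also skips old lines 1415-1416 (new 1418-1419), so how `$capability` is folded into `$args` is not visible here.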
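--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -696,4 +696,37 @@
     }
 
+    function test_borked_current_user_can_for_blog() {
+        if ( ! is_multisite() ) {
+            $this->markTestSkipped( 'Test only runs in multisite' );
+            return;
+        }
+
+        $orig_blog_id = get_current_blog_id();
+        $blog_id = $this->factory->blog->create();
+
+        $nullify_current_user = function() {
+            // Prevents fatal errors in ::tearDown()'s and other uses of restore_current_blog()
+            $function_stack = wp_debug_backtrace_summary( null, 0, false );
+            if ( in_array( 'restore_current_blog', $function_stack ) ) {
+                return;
+            }
+            $GLOBALS['current_user'] = null;
+        };
+
+        $nullify_current_user_and_keep_nullifying_user = function() use ( $nullify_current_user ) {
+            $nullify_current_user();
+
+            add_action( 'set_current_user', $nullify_current_user );
+        };
+
+        $nullify_current_user();
+
+        add_action( 'switch_blog', $nullify_current_user_and_keep_nullifying_user );
+
+        current_user_can_for_blog( $blog_id, 'edit_posts' );
+
+        $this->assertEquals( $orig_blog_id, get_current_blog_id() );
+    }
+
     /**
      * @ticket 28374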
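Review bot: The `return;` after `$this->markTestSkipped( ... )` is unreachable, since markTestSkipped aborts the test by throwing, and the `in_array( 'restore_current_blog', $function_stack )` check should pass `true` as its third argument so the frame names are compared strictly. The single assertion only proves the blog id is back to `$orig_blog_id`; assuming the test starts from an unswitched state, a second check such as `$this->assertFalse( ms_is_switched() );` would also catch an unbalanced switch stack that happens to land on the original id. The actions added with add_action() are not removed at the end of the test, so the `set_current_user` nullifier stays registered for the rest of the run unless the harness resets hooks between tests.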