Changeset 32174

Timestamp:

04/20/2015 07:29:01 AM (11 years ago)

Author:

pento

Message:

In Multisite, prevent plugins from unintentionally switching sites. Merge of [32173] to the 4.1 branch.

Props mdawaffe.

Location:

branches/4.1

Files:

• src/wp-includes/capabilities.php (modified) (2 diffs)
• tests/phpunit/tests/user/capabilities.php (modified) (1 diff)

branches/4.1/src/wp-includes/capabilities.php

@@ -1375 +1375 @@
  */
 function current_user_can_for_blog( $blog_id, $capability ) {
-    if ( is_multisite() )
-        switch_to_blog( $blog_id );
+    $switched = is_multisite() ? switch_to_blog( $blog_id ) : false;
 
     $current_user = wp_get_current_user();
 
-    if ( empty( $current_user ) )
+    if ( empty( $current_user ) ) {
+        if ( $switched ) {
+            restore_current_blog();
+        }
         return false;
+    }
 
     $args = array_slice( func_get_args(), 2 );
@@ -1388 +1391 @@
     $can = call_user_func_array( array( $current_user, 'has_cap' ), $args );
 
-    if ( is_multisite() )
+    if ( $switched ) {
         restore_current_blog();
+    }
 
     return $can;

branches/4.1/tests/phpunit/tests/user/capabilities.php

@@ -661 +661 @@
         $author->remove_cap( 'foo' );
         $this->assertFalse ( isset( $author->caps['foo'] ) );
+    }
+
+    function test_borked_current_user_can_for_blog() {
+        if ( ! is_multisite() ) {
+            $this->markTestSkipped( 'Test only runs in multisite' );
+            return;
+        }
+
+        $orig_blog_id = get_current_blog_id();
+        $blog_id = $this->factory->blog->create();
+
+        $nullify_current_user = function() {
+            // Prevents fatal errors in ::tearDown()'s and other uses of restore_current_blog()
+            $function_stack = wp_debug_backtrace_summary( null, 0, false );
+            if ( in_array( 'restore_current_blog', $function_stack ) ) {
+                return;
+            }
+            $GLOBALS['current_user'] = null;
+        };
+
+        $nullify_current_user_and_keep_nullifying_user = function() use ( $nullify_current_user ) {
+            $nullify_current_user();
+
+            add_action( 'set_current_user', $nullify_current_user );
+        };
+
+        $nullify_current_user();
+
+        add_action( 'switch_blog', $nullify_current_user_and_keep_nullifying_user );
+
+        current_user_can_for_blog( $blog_id, 'edit_posts' );
+
+        $this->assertEquals( $orig_blog_id, get_current_blog_id() );
     }