Changeset 52157

Timestamp:

11/15/2021 01:08:35 AM (3 years ago)

Author:

TimothyBlynJacobs

Message:

Users: Prevent infinite loop when using capability checks during determine_current_user on multisite.

On multisite, when checking if a user has a certain capability WordPress makes an additional check to see if the user is a super admin. The is_super_admin() function contained a call to wp_get_current_user() so as the global current user object could be used if it matched the queried user id.

This would cause an infinite loop if a hook attached to the determine_current_user filter was itself making a permission check. For example when limiting who can use the Application Passwords feature based on their capabilities.

Since [50790] the WP_User instance for the current user is shared between wp_get_current_user() and get_userdata(). This means we can remove the wp_get_current_user call from is_super_admin() while still retaining the same behavior.

Props chrisvanpatten, peterwilsoncc.
Fixes #53386.

Location:

trunk

Files:

• src/wp-includes/capabilities.php (modified) (1 diff)
• tests/phpunit/tests/auth.php (modified) (1 diff)

trunk/src/wp-includes/capabilities.php

@@ -889 +889 @@
  */
 function is_super_admin( $user_id = false ) {
-    if ( ! $user_id || get_current_user_id() == $user_id ) {
+    if ( ! $user_id ) {
         $user = wp_get_current_user();
     } else {

trunk/tests/phpunit/tests/auth.php

@@ -636 +636 @@
         $this->assertNull( wp_validate_application_password( null ) );
     }
+
+    /**
+     * @ticket 53386
+     * @dataProvider data_application_passwords_can_use_capability_checks_to_determine_feature_availability
+     */
+    public function test_application_passwords_can_use_capability_checks_to_determine_feature_availability( $role, $authenticated ) {
+        $user = self::factory()->user->create_and_get( array( 'role' => $role ) );
+
+        list( $password ) = WP_Application_Passwords::create_new_application_password( $user->ID, array( 'name' => 'phpunit' ) );
+
+        add_filter( 'application_password_is_api_request', '__return_true' );
+        add_filter( 'wp_is_application_passwords_available', '__return_true' );
+        add_filter(
+            'wp_is_application_passwords_available_for_user',
+            static function ( $available, WP_User $user ) {
+                return user_can( $user, 'edit_posts' );
+            },
+            10,
+            2
+        );
+
+        $_SERVER['PHP_AUTH_USER'] = $user->user_login;
+        $_SERVER['PHP_AUTH_PW']   = $password;
+
+        unset( $GLOBALS['current_user'] );
+        $current = get_current_user_id();
+
+        if ( $authenticated ) {
+            $this->assertSame( $user->ID, $current );
+        } else {
+            $this->assertSame( 0, $current );
+        }
+    }
+
+    public function data_application_passwords_can_use_capability_checks_to_determine_feature_availability() {
+        return array(
+            'allowed'     => array( 'editor', true ),
+            'not allowed' => array( 'subscriber', false ),
+        );
+    }
 }