Make WordPress Core


Timestamp: 11/15/2021 01:08:35 AM
Author: TimothyBlynJacobs
Message:

Users: Prevent infinite loop when using capability checks during determine_current_user on multisite.

On multisite, when checking if a user has a certain capability WordPress makes an additional check to see if the user is a super admin. The is_super_admin() function contained a call to wp_get_current_user() so as the global current user object could be used if it matched the queried user id.

This would cause an infinite loop if a hook attached to the determine_current_user filter was itself making a permission check. For example when limiting who can use the Application Passwords feature based on their capabilities.

Since [50790] the WP_User instance for the current user is shared between wp_get_current_user() and get_userdata(). This means we can remove the wp_get_current_user call from is_super_admin() while still retaining the same behavior.

Props chrisvanpatten, peterwilsoncc.
Fixes #53386.

File: 1 edited

  • trunk/src/wp-includes/capabilities.php

    r50490 r52157  
    889889 */
    890890function is_super_admin( $user_id = false ) {
    891     if ( ! $user_id || get_current_user_id() == $user_id ) {
     891    if ( ! $user_id ) {
    892892        $user = wp_get_current_user();
    893893    } else {
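Review bot: The retained `if ( ! $user_id )` branch (new lines 891-892) still calls `wp_get_current_user()`, so a `determine_current_user` callback that calls `is_super_admin()` with no argument can still re-enter current-user resolution; this change only protects callers that pass an explicit user ID. The docblock above the function should say so, noting that a supplied ID is now resolved without consulting the global current user. The changeset also edits a single file, so no regression test accompanies the fix: a multisite test in which a `determine_current_user` filter runs a capability check for a specific user ID would pin the behaviour described in the commit message.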