

Timestamp:
05/17/2022 06:59:24 PM (3 years ago)
Author:
SergeyBiryukov
Message:

Users: Fail gracefully when checking mapped capabilities without providing the required object ID.

This avoids an Undefined array key 0 PHP warning for current_user_can() capability checks that require a specific object to check against but an object ID was not passed.

A _doing_it_wrong() notice is also added, so that developers and site administrators are aware that the capability mapping is failing in the absence of the required object ID.

The list of mapped capabilities that require an object ID:

  • delete_post / delete_page
  • edit_post / edit_page
  • read_post / read_page
  • publish_post
  • edit_(post|comment|term|user)_meta / delete_*_meta / add_*_meta
  • edit_comment
  • edit_term / delete_term / assign_term

Follow-up to [34091], [34113], [47178].

Props jeherve, peterwilsoncc, henry.wright, johnbillion, mattheweppelsheimer, hellofromTonya, JeffPaul, azouamauriac, Ninos Ego, TobiasBg, wpsmith, GaryJ, nacin, johnstonphilip, azaozz, SergeyBiryukov.
Fixes #44591.

File:
1 edited

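--- a/trunk/tests/phpunit/tests/user/mapMetaCap.php
+++ b/trunk/tests/phpunit/tests/user/mapMetaCap.php
@@ -4,4 +4,5 @@
  * @group user
  * @group capabilities
+ * @covers ::map_meta_cap
  */
 class Tests_User_MapMetaCap extends WP_UnitTestCase {
@@ -411,3 +412,50 @@
         $this->assertSame( array( 'manage_options' ), $caps );
     }
+
+    /**
+     * @dataProvider data_meta_caps_throw_doing_it_wrong_without_required_argument_provided
+     * @ticket 44591
+     *
+     * @param string $cap The meta capability requiring an argument.
+     */
+    public function test_meta_caps_throw_doing_it_wrong_without_required_argument_provided( $cap ) {
+        $admin_user = self::$user_id;
+        $this->setExpectedIncorrectUsage( 'map_meta_cap' );
+        $this->assertContains( 'do_not_allow', map_meta_cap( $cap, $admin_user ) );
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array[] Test parameters {
+     *     @type string $cap The meta capability requiring an argument.
+     * }
+     */
+    public function data_meta_caps_throw_doing_it_wrong_without_required_argument_provided() {
+        return array(
+            array( 'delete_post' ),
+            array( 'delete_page' ),
+            array( 'edit_post' ),
+            array( 'edit_page' ),
+            array( 'read_post' ),
+            array( 'read_page' ),
+            array( 'publish_post' ),
+            array( 'edit_post_meta' ),
+            array( 'delete_post_meta' ),
+            array( 'add_post_meta' ),
+            array( 'edit_comment_meta' ),
+            array( 'delete_comment_meta' ),
+            array( 'add_comment_meta' ),
+            array( 'edit_term_meta' ),
+            array( 'delete_term_meta' ),
+            array( 'add_term_meta' ),
+            array( 'edit_user_meta' ),
+            array( 'delete_user_meta' ),
+            array( 'add_user_meta' ),
+            array( 'edit_comment' ),
+            array( 'edit_term' ),
+            array( 'delete_term' ),
+            array( 'assign_term' ),
+        );
+    }
 }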
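Review bot: The docblock of the new test method (new lines 415–420) has no summary line, so the fail-closed contract it pins is readable only from the method name. A first line such as `Tests that meta caps requiring an object ID map to 'do_not_allow' and trigger _doing_it_wrong() when the ID is omitted.` would state it. The data provider rows at new lines 436–458 are unnamed, so a failure is reported by index rather than by capability; keying each row, e.g. `'delete_post' => array( 'delete_post' ),`, would make the failing capability visible. The list is also maintained by hand, so a capability that later starts reading the object ID in map_meta_cap() would presumably go uncovered until it is added here.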