Make WordPress Core


Timestamp:
07/21/2025 05:58:11 PM (10 months ago)
Author:
SergeyBiryukov
Message:

Role/Capability: Ensure that logged-out users cannot edit themselves.

Follow-up to [3846], [6697], [14189], [21152].

Props dd32, peterwilsoncc, johnbillion, mukesh27, swissspidy, SergeyBiryukov.
Fixes #63684.

File:
1 edited

  • trunk/src/wp-includes/capabilities.php

    r60364 r60491  
    6161        case 'edit_user':
    6262        case 'edit_users':
     63            // Non-existent users can't edit users, not even themselves.
     64            if ( $user_id < 1 ) {
     65                $caps[] = 'do_not_allow';
     66                break;
     67            }
     68
    6369            // Allow user to edit themselves.
    6470            if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id === (int) $args[0] ) {
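
Review bot: The comment on new line 63 says "Non-existent users", but the guard on line 64 only tests `$user_id < 1`, so it covers the logged-out ID 0 and negative IDs, not a positive ID that has no account behind it; such an ID still reaches the self-edit comparison on line 70. Reword the comment to match what is checked, for example "Logged-out users (ID 0) and invalid IDs can't edit users, not even themselves." The guard also closes the case where `$user_id` is 0 and `(int) $args[0]` evaluates to 0 on line 70, yet this changeset edits only capabilities.php, so a regression test asserting that `edit_user` for user ID 0 against a target of 0 maps to `do_not_allow` would keep the early `break` from being reordered below the self-edit branch later.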