#14024 closed defect (bug) (fixed)
Insufficient permissions error after activating plugins
Reported by: | SergeyBiryukov | Owned by: | |
---|---|---|---|
Milestone: | 3.4 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | I18N | Keywords: | has-patch |
Focuses: | Cc: |
Description
If a plugin like WP-DB-Backup or BuddyPress calls wp_get_current_user()
on a localized install before wp-content/languages/$locale.php
is included (for example, on plugins_loaded
action) and default secret keys are not changed, it results in “You do not have sufficient permissions to manage plugins for this site” error, because $wp_default_secret_key
is not redefined yet (see #12081 for details).
What is the best way to fix it? For now I have posted the instructions on the support forums to change the default keys and I'm going to translate the string in default-constants.php
.
Attachments (3)
Change History (25)
#2
@
14 years ago
Or at 'set_current_user' perhaps, for users that actually exist.
Thanks for tracing this, SergeyBiryukov. I've been holding off minor updates on WP-DB-Backup while working on a major rewrite, but this is probably good enough reason for a point release.
#3
@
14 years ago
Thanks for your feedback. When users receive this error message, they blame the localized version author because en_US version works fine in this case, and it's really uncomfortable. At first I thought this only looks like a solution in an ideal world, but Austin's reply gave me some hope :) Should the ticket for BuddyPress also be created?
I'd like to add that both WP-DB-Backup and BuddyPress call wp_get_current_user()
indirectly by using wp_create_nonce()
. It's not mentioned in Codex that we should not use wp_create_nonce()
or wp_get_current_user()
before init
.
#4
@
14 years ago
It's dangerously a cart-before-the-horse situation. I'm not sure why either of them need to create a nonce so early. I imagine it's a legitimate use case that they can get away with pushing off until init.
I wish it didn't work in en_US.
Let me contact the BP guys.
#5
@
14 years ago
It would be good to know what certain kind of functionality is needed before init.
Otherwise I think it's wise that the function in question should return an error if it's not in a useable state.
Related: #14047
#6
@
14 years ago
- Milestone changed from Awaiting Review to Future Release
What's needed here? Better docs?
#7
@
14 years ago
- I guess at least WP-DB-Backup and BuddyPress as highly popular plugins need to be fixed. Has this been reported to the BuddyPress team?
- Better docs are needed on this specific problem so that plugin authors could be directed there.
- Localization authors should probably translate the string in
default-constants.php
anyway to prevent the admin area from breaking after installing some untested plugin. This is especially important for site owners whose web host doesn't provide FTP access.
#8
@
14 years ago
I've added a note in Codex for wp_create_nonce()
и wp_get_current_user()
about this.
Perhaps we should show a warning in a future release instead of wp_die()
?
#12
@
13 years ago
- Milestone changed from Future Release to 3.3
Let's issue a _doing_it_wrong() for the en_US case.
#13
@
13 years ago
- Keywords has-patch added; needs-patch removed
Looks like we can't check if did_action( 'init' )
here, since $wp->init()
is called before init
.
after_setup_theme
is the closest appropriate action.
#15
follow-up:
↓ 16
@
13 years ago
- Milestone changed from Future Release to 3.4
did_action('init')
is fine, as it returns true the moment init fires (rather than only after it completes).
I don't think return false is acceptable. We might just need to fire the _doing_it_wrong() and let it continue.
#19599 should fix the issue. All we need is _doing_it_wrong().
#16
in reply to:
↑ 15
@
13 years ago
Replying to nacin:
did_action('init')
is fine, as it returns true the moment init fires
I've tried to use did_action('init')
, but in that case the message is displayed even without any plugins, because $wp->init()
calls wp_get_current_user()
exactly before init fires:
http://core.trac.wordpress.org/browser/tags/3.3/wp-settings.php#L294
http://core.trac.wordpress.org/browser/tags/3.3/wp-includes/class-wp.php#L442
Part of $wp_actions
stack:
[after_setup_theme] => 1 [auth_cookie_valid] => 1 [set_current_user] => 1 [init] => 1
Refreshed the patch to continue after showing _doing_it_wrong()
.
#17
@
13 years ago
Would "Current user information is only available on set_current_user
action or later" be the more exact message? Or is it better to recommend to use init
for that?
#19
@
13 years ago
- Component changed from I18N to Plugins
Changing component as this is no longer an i18n issue, but a "best practice" issue. With #19599 fixed, I am not sure if anything else can break if you calculate the current user prior to init.
#20
in reply to:
↑ 18
@
13 years ago
Replying to nacin:
See #19599, [19771]. This will no longer break in localized builds.
Confirmed.
Is a
_doing_it_wrong()
worth it at this point?
It would be consistent with the messages added in #11526. However, if there are no more issues with calling wp_get_current_user()
too early, maybe it's not really necessary.
Sounds like plugins should wait until we run this code, which is well after plugins_loaded and immediately before init: