
Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15341 closed defect (bug) (invalid)

current_user_can needs to be more defensive

Reported by: OS1 Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.0.1
Component: Warnings/Notices Keywords: reporter-feedback
Focuses: Cc:

Description

If current_user_can() is called for WP_Error, as in a failed login, it causes the following to be output to the viewed page:
Warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'WP_Error::has_cap' was given in /home/httpd-81.171.44.131/www.igennus-an.com/html/wp-includes/capabilities.php on line 1067

The function current_user_can() blindly calls call_user_func_array() without checking the function exists in that object. I think that something like this:
function current_user_can( $capability ) {
    $current_user = wp_get_current_user();
    if ( empty( $current_user ) )
        return false;

    $args = array_slice( func_get_args(), 1 );
    $args = array_merge( array( $capability ), $args );

    // Get the class of the user object
    $userClass = get_class( $current_user );
    // Get the public methods of that class
    $methodArr = get_class_methods( $userClass );
    // Only dispatch if the user object actually supports has_cap()
    if ( in_array( 'has_cap', $methodArr ) ) {
        return call_user_func_array( array( &$current_user, 'has_cap' ), $args );
    }
    return false;
}
needs to be done.

Change History (3)

comment:1 westi, 3 years ago

  • Cc westi added
  • Component changed from General to Warnings/Notices
  • Keywords reporter-feedback added; current_user_can First argument is expected to be a valid callback removed

Where is the piece of code which calls current_user_can in this scenario?

comment:2 nacin, 3 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Don't think this is an issue with WordPress. Usually developers see issues like current_user_can() being called before init. In this case the $current_user object is being scrambled.

WP_Error::has_cap -> clearly this should be a WP_User object, i.e. WP_User::has_cap. I can't see an instance where WordPress would ever assign a WP_Error object to $current_user, so it's something in your code.

comment:3 nacin, 3 years ago

  • Milestone Awaiting Review deleted
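Added illustration of the scenario discussed above (not code from the ticket or from WordPress core): a hypothetical plugin login handler writes a failed-login result straight into the global $current_user, which is how a WP_Error ends up where current_user_can() expects a WP_User, alongside the fixed handler and a hardened current_user_can() that refuses any object lacking has_cap(). WP_User, WP_Error, wp_get_current_user() and fake_signon() are minimal stand-ins so the script runs without WordPress.

```php
<?php
// Stand-ins for the real classes/functions (assumption: behaviour mirrors core).
class WP_Error { public $code; function __construct( $c ) { $this->code = $c; } }
class WP_User {
    public $caps;
    function __construct( array $caps ) { $this->caps = $caps; }
    function has_cap( $cap ) { return ! empty( $this->caps[ $cap ] ); }
}
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
function wp_get_current_user() { global $current_user; return $current_user; }

// Hardened current_user_can(): refuse anything that cannot answer has_cap()
// instead of letting call_user_func_array() emit the warning from the ticket.
function current_user_can_defensive( $capability ) {
    $user = wp_get_current_user();
    if ( empty( $user ) || ! is_callable( array( $user, 'has_cap' ) ) )
        return false;
    $args = array_merge( array( $capability ), array_slice( func_get_args(), 1 ) );
    return call_user_func_array( array( $user, 'has_cap' ), $args );
}

// Hypothetical login helper; like wp_signon(), returns WP_Error on failure.
function fake_signon( array $creds ) {
    if ( $creds['pwd'] === 'correct' )
        return new WP_User( array( 'edit_posts' => true ) );
    return new WP_Error( 'incorrect_password' );
}

// Buggy plugin pattern: the login result, error or not, overwrites the global.
function buggy_login_handler( array $creds ) {
    global $current_user;
    $current_user = fake_signon( $creds );   // WP_Error lands in $current_user
}

// Fixed pattern: keep the result local and check it before trusting it.
function fixed_login_handler( array $creds ) {
    $result = fake_signon( $creds );
    if ( is_wp_error( $result ) )
        return false;                        // global left untouched
    global $current_user;
    $current_user = $result;
    return true;
}

$current_user = new WP_User( array() );
buggy_login_handler( array( 'pwd' => 'wrong' ) );
echo get_class( wp_get_current_user() ), "\n";           // scrambled global
var_dump( current_user_can_defensive( 'edit_posts' ) );  // false, no warning

$current_user = new WP_User( array() );
fixed_login_handler( array( 'pwd' => 'wrong' ) );
echo get_class( wp_get_current_user() ), "\n";           // still a WP_User
```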