Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#15341 closed defect (bug) (invalid)

current_user_can needs to be more defensive

Reported by: OS1
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.1
Component: Warnings/Notices
Keywords: reporter-feedback
Focuses:
Cc:


If current_user_can() is called for WP_Error, as in a failed login, it causes the following to be output to the viewed page: Warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'WP_Error::has_cap' was given in /home/httpd- on line 1067

The function current_user_can() blindly calls call_user_func_array() without checking the function exists in that object. I think that something like this needs to be done:

    function current_user_can( $capability ) {
        $current_user = wp_get_current_user();
        if ( empty( $current_user ) )
            return false;

        $args = array_slice( func_get_args(), 1 );
        $args = array_merge( array( $capability ), $args );

        // Get the class of the user object
        $userClass = get_class( $current_user );
        // Get public methods in the class
        $methodArr = get_class_methods( $userClass );
        // Check the capability method is supported by the user object
        if ( in_array( "has_cap", $methodArr ) ) {
            return call_user_func_array( array( &$current_user, 'has_cap' ), $args );
        }
        return false;
    }

Change History (3)

#1 @westi
8 years ago

  • Cc westi added
  • Component changed from General to Warnings/Notices
  • Keywords reporter-feedback added; current_user_can First argument is expected to be a valid callback removed

Where is the piece of code which calls current_user_can in this scenario?

#2 @nacin
8 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Don't think this is an issue with WordPress. Usually developers see issues like current_user_can() being called before init. In this case the $current_user object is being scrambled.

WP_Error::has_cap -> clearly this should be a WP_User object, i.e. WP_User::has_cap. I can't see an instance where WordPress would ever assign a WP_Error object to $current_user, so it's something in your code.
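Added example (not part of the ticket, and not WordPress core code): a small must-use plugin that does two things a site owner debugging this report would want. First, it checks at `init` whether the global `$current_user` has become a `WP_Error` and logs it, which confirms on which requests the object is being clobbered (a custom login handler that stores the return value of `wp_signon()`, which is a `WP_Error` on failure, in that global is one pattern consistent with the report, but the ticket does not identify the actual cause). Second, it shows a fail-closed capability wrapper in the spirit of the reporter's proposal: a non-`WP_User` object denies the capability instead of triggering the warning, which also keeps the server path out of the page output. The `ticket15341_` function names, the `init` hook and the log format are assumptions of this example; `wp_get_current_user()`, `is_wp_error()`, `add_action()`, `WP_User::has_cap()` and `WP_Error::get_error_codes()` are real WordPress APIs.

```php
<?php
/**
 * Diagnostic helper for the "WP_Error::has_cap" warning (added example, not
 * ticket or core code). Place in wp-content/mu-plugins/ on a test site.
 * Assumes a WordPress install providing WP_User, WP_Error, wp_get_current_user(),
 * is_wp_error() and add_action(). Function names and log format are assumptions.
 */

// 1. Detect a scrambled $current_user early in the request and log it.
//    The stack recorded here is the hook dispatch, not the offending assignment;
//    its value is confirming which request path (e.g. a login POST) the problem
//    occurs on, so the plugin/theme code running before init can be narrowed down.
function ticket15341_check_current_user() {
	global $current_user;
	if ( ! isset( $current_user ) || ! is_wp_error( $current_user ) ) {
		return; // Normal case: unset, or a WP_User object.
	}
	$frames = array();
	foreach ( debug_backtrace() as $frame ) {
		$frames[] = ( isset( $frame['class'] ) ? $frame['class'] . '::' : '' ) . $frame['function'];
	}
	error_log( sprintf(
		'[15341-debug] $current_user is a WP_Error at init (codes: %s) on %s; stack: %s',
		implode( ',', $current_user->get_error_codes() ),
		isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(cli)',
		implode( ' <- ', $frames )
	) );
}
add_action( 'init', 'ticket15341_check_current_user', 0 );

// 2. Fail-closed capability check: anything that is not a WP_User is denied,
//    rather than being handed to call_user_func_array() and emitting a warning.
//    Same calling convention as current_user_can( $cap, ...$extra_args ).
function ticket15341_safe_current_user_can( $capability ) {
	$current_user = wp_get_current_user();
	if ( ! ( $current_user instanceof WP_User ) || ! method_exists( $current_user, 'has_cap' ) ) {
		return false; // WP_Error, null, or any other foreign object: deny.
	}
	// func_get_args() already starts with $capability, the shape has_cap() expects.
	return call_user_func_array( array( $current_user, 'has_cap' ), func_get_args() );
}
```

The wrapper is a debugging aid, not a replacement for fixing the code that overwrites `$current_user`: once the log shows which request path produces the `WP_Error`, the assignment in the plugin or theme is what needs to change, as the closing comment on the ticket indicates.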

#3 @nacin
8 years ago

  • Milestone Awaiting Review deleted