Opened 3 years ago

Closed 18 months ago

Last modified 18 months ago

#18932 closed defect (bug) (fixed)

WP_User::set_role leaves user object without any caps when role does not change

Reported by: jammitch
Owned by: ryan
Milestone: 3.5
Priority: normal
Severity: minor
Version: 3.1
Component: Role/Capability
Keywords: has-patch
Focuses:
Cc:

Description

The first thing WP_User::set_role does is clear out the user's existing caps array. Then it checks to see if the passed-in role is the user's current role, and quits the function if so. This is great if the role actually changes. If it does not, this leaves the user with the same role, but without any caps whatsoever for the remainder of the current page.

Core WordPress code may not use the function in this way, but plugins may.

Workaround:
Plugins calling set_role should wrap the call in the same-role check found inside the function.

Fix:
Do the same-role check prior to unsetting the caps.

Attachments (1)

18932.diff (629 bytes) - added by scribu 3 years ago.

Change History (8)

comment:1 jammitch 3 years ago

  • Summary changed from WP_User::set_role to WP_User::set_role leaves user object without any caps when role does not change

comment:2 scribu 3 years ago

  • Component changed from General to Role/Capability
  • Keywords has-patch added
  • Severity changed from normal to minor

Confirmed:

add_action( 'admin_notices', function() {
	$user = new WP_User( 2 ); // 2 being the id of a user with the 'subscriber' role

	print_r( $user->caps );

	$user->set_role( 'subscriber' );

	print_r( $user->caps );
});

comment:3 follow-up: blueyed 2 years ago

  • Version changed from 3.2.1 to 3.4

comment:4 in reply to: ↑ 3 duck_ 2 years ago

  • Version changed from 3.4 to 3.1

Replying to blueyed:

The version number is the earliest version in which the bug is confirmed and shouldn't normally be changed on existing tickets.

This code was introduced in 3.1 for #14708.

comment:5 wonderboymusic 20 months ago

  • Milestone changed from Awaiting Review to 3.5

This is small and useful

comment:6 ryan 18 months ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22418:

When using WP_User::set_role() to set the role, don't unset all caps when the requested role matches the current role.

Props scribu, jammitch
fixes #18932
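
The ordering problem described in this ticket, modelled as an added stand-alone PHP example (not WordPress core code and not the attached patch). DemoUser and its methods are hypothetical stand-ins, and the single-role comparison used as the same-role check is an assumption.

```php
<?php
// Stand-in for the ordering issue in this ticket; DemoUser is hypothetical, not WP_User.
final class DemoUser {
	/** @var array<string,bool> role flags keyed by role name */
	public array $caps;
	/** @var string[] role names currently assigned */
	public array $roles;

	public function __construct( string $role ) {
		$this->roles = array( $role );
		$this->caps  = array( $role => true );
	}

	// Order described in the report: caps are cleared before the same-role check.
	public function set_role_clear_first( string $role ): void {
		foreach ( $this->roles as $old_role ) {
			unset( $this->caps[ $old_role ] );
		}
		if ( 1 === count( $this->roles ) && $role === current( $this->roles ) ) {
			return; // early exit leaves $caps empty for the rest of the request
		}
		$this->assign( $role );
	}

	// Order proposed as the fix: same-role check first, so a no-op call changes nothing.
	public function set_role_check_first( string $role ): void {
		if ( 1 === count( $this->roles ) && $role === current( $this->roles ) ) {
			return;
		}
		foreach ( $this->roles as $old_role ) {
			unset( $this->caps[ $old_role ] );
		}
		$this->assign( $role );
	}

	private function assign( string $role ): void {
		$this->roles         = array( $role );
		$this->caps[ $role ] = true;
	}
}

foreach ( array( 'set_role_clear_first', 'set_role_check_first' ) as $method ) {
	$user = new DemoUser( 'subscriber' ); // constructed sample user
	$user->$method( 'subscriber' );       // same role as before
	printf( "%-22s same role -> caps: %s\n", $method, json_encode( $user->caps ) );
	$user->$method( 'editor' );           // actual role change
	printf( "%-22s new role  -> caps: %s\n", $method, json_encode( $user->caps ) );
}
```

Run with the PHP CLI (7.4 or later for typed properties); only the clear-first ordering prints an empty caps array after the same-role call.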
