WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 18 months ago

#23377 closed defect (bug) (duplicate)

map_meta_cap() throws error from has_cap() from current_user_can()

Reported by: wpsmith Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch dev-feedback
Focuses: Cc:

Description

Based on the current documentation, current_user_can() only requires one argument, a capability. However, if I call it from the save_post hook with WP_DEBUG turned on, I will receive the following errors:

Notice: Undefined offset: 0 in /var/www/XXXX/htdocs/wp-includes/capabilities.php on line 1067
Notice: Undefined offset: 0 in /var/www/XXXX/htdocs/wp-includes/capabilities.php on line 1067
Notice: Undefined offset: 0 in /var/www/XXXX/htdocs/wp-includes/capabilities.php on line 1067
Warning: Cannot modify header information - headers already sent by (output started at /var/www/XXXX/htdocs/wp-includes/capabilities.php:1067) in /var/www/XXXX/htdocs/wp-includes/pluggable.php on line 876

As a result, the admin save post will die.

Basic Sample Code:

if ( ( 'page' == $post->post_type && ! current_user_can( 'edit_page' ) ) || ! current_user_can( 'edit_post' ) )
    return;

As a result, in my opinion map_meta_cap() should ensure that $args[0] exists.

Attachments (1)

23377.patch (577 bytes) - added by wpsmith 2 years ago.
First pass.

Download all attachments as: .zip

Change History (4)

@wpsmith2 years ago

First pass.

comment:1 @GaryJ2 years ago

Your patch would provide a graceful fallback - but if anyone's using current_user_can() to check permissions for a different $post, and also forgets the second argument, then it hides the notice, and may actually give incorrect permissions, which may be considered worse than a PHP Notice.

comment:2 @jb5102 years ago

  • Cc jbrown510@… added

comment:3 @nacin18 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

current_user_can( 'edit_page' ) is wrong. edit_page and edit_post require a second argument.

Duplicate of #13905.

Note: See TracTickets for help on using tickets.