Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#28374 closed defect (bug) (fixed)

Calling WP_User::add_cap does not flush capabilities

Reported by: rmccue Owned by: rachelbaker
Milestone: 4.2 Priority: normal
Severity: normal Version: 2.0
Component: Users Keywords: has-patch dev-feedback
Focuses: Cc:


After calling $user->add_cap(), both $user->get_role_caps() and $user->update_user_level_from_caps() need to be called to update $user->allcaps. Ditto $user->remove_cap().

Both $user->add_role() and $user->remove_role() do this automatically.

Steps to reproduce:

$user = wp_get_current_user();

// -> false

Possibly related to #19747.

Attachments (1)

28374.patch (1.4 KB) - added by rachelbaker 7 years ago.
patch with unit test


Change History (9)

#1 @jdgrimes
7 years ago

  • Version set to 2.0

Related: #10201

I'm surprised that (what seems like) such a simple bug hasn't received any attention. However, given #10201, this could one day be moot.

#2 @rachelbaker
7 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Awaiting Review to 4.2

#3 @rachelbaker
7 years ago

  • Owner set to rachelbaker
  • Status changed from new to accepted

Related #19747

#4 @wonderboymusic
7 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 31190:

In WP_User, ->get_role_caps() and ->update_user_level_from_caps() must be called inside ->add_cap() and ->remove_cap() after updating user meta. ->has_cap() checks are currently failing directly after calling ->add_cap().

Adds unit test.

Props rachelbaker.
Fixes #28374.

This ticket was mentioned in Slack in #core by lgladdy.

7 years ago

#6 @lgladdy
7 years ago

#19747 was marked as a duplicate.

#7 @rmccue
7 years ago

Found another instance of this one: adding a cap to a role that the current user has. Requires a page reload for it to kick in.

Not sure how to get around that; maybe allcaps needs to be deprecated and replaced with a __get accessor instead?

This ticket was mentioned in Slack in #core by sergey.

3 years ago
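
The stale-cache behaviour described in this ticket, as an added stand-alone model (not WordPress code and not the attached patch): `ModelUser`, its `$refreshOnWrite` switch and the `do_a_thing` capability are hypothetical, and user levels are left out. With the refresh off, a capability that was just added fails `has_cap()`, and one that was just removed still passes it until the cache is rebuilt, which is the direction that matters for authorization checks.

```php
<?php
// Stand-alone model of the caching pattern in this ticket (PHP 8+).
// ModelUser is a hypothetical stand-in, not WordPress code.
final class ModelUser {
    public array $caps = [];     // per-user grants (the stored user meta)
    public array $allcaps = [];  // derived cache that has_cap() reads

    public function __construct(
        private array $roleCaps,       // grants inherited from the user's role
        private bool $refreshOnWrite   // true models the behaviour after the fix
    ) {
        $this->get_role_caps();
    }

    // Rebuild the derived cache from role grants plus per-user grants.
    public function get_role_caps(): void {
        $this->allcaps = array_merge($this->roleCaps, $this->caps);
    }

    public function add_cap(string $cap, bool $grant = true): void {
        $this->caps[$cap] = $grant;
        if ($this->refreshOnWrite) {
            $this->get_role_caps();
        }
    }

    public function remove_cap(string $cap): void {
        unset($this->caps[$cap]);
        if ($this->refreshOnWrite) {
            $this->get_role_caps();
        }
    }

    public function has_cap(string $cap): bool {
        return !empty($this->allcaps[$cap]);
    }
}

foreach (['no refresh' => false, 'refresh on write' => true] as $label => $refresh) {
    $user = new ModelUser(['read' => true], $refresh);
    $user->add_cap('do_a_thing');            // constructed capability name
    $afterAdd = $user->has_cap('do_a_thing');
    $user->get_role_caps();                  // manual refresh, as the ticket describes
    $user->remove_cap('do_a_thing');
    $afterRemove = $user->has_cap('do_a_thing');
    printf("%-16s after add: %s, after remove: %s\n", $label,
        var_export($afterAdd, true), var_export($afterRemove, true));
}
```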
