WordPress.org

Make WordPress Core

Opened 22 months ago

Last modified 22 months ago

#43043 new defect (bug)

WP Customizer checks current_user_can() too early

Reported by: jamesmehorter Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.9.1
Component: Customize Keywords:
Focuses: Cc:
PR Number:

Description

Hi all :)

On WordPress VIP, the only user role which may use Customizer is an Administrator. This is due to when the current_user_can() checks occur.

WP Customizer currently checks capabilities on the setup_theme action. https://core.trac.wordpress.org/browser/trunk/src/wp-includes/class-wp-customize-manager.php#L510

This means the only way to create a role/capabilities to manage Customizer settings is with one of the few hooks which run before setup_theme, i.e. muplugins_loaded or maybe plugins_loaded. However, if, like us, you're on WordPress VIP, the earliest hook to do anything is after_setup_theme, since any/all functionality must live in themes.

I would like to propose that any Customizer current_user_can() checks be moved to the after_setup_theme action. Of course this would benefit us, but more importantly, Customizer specifically allows 'theme_mod' settings (setting specific to the current theme), which infers that a theme_mod setting is registered by the theme. If a setting is registered by a theme, the theme should then also be able to determine who may view/edit that setting.

Change History (3)

#1 @westonruter
22 months ago

You must be using VIP Cloud Hosting and not VIP Go. In the latter case, you could add a full-on plugin. In the former case, I seem to recall that VIP can arrange for adding site-specific mu-plugin code.

#2 @mauteri
22 months ago

@westonruter This would effect anyone trying to do the same thing in a theme. Shouldn't the current_user_can( 'customize' ) checks fall in the after_theme_setup hook rather than the theme_setup to give the theme code a chance to set role/capabilities for this?

#3 @dlh
22 months ago

See previously #24169.

Note: See TracTickets for help on using tickets.