Make WordPress Core

Opened 6 years ago

Last modified 6 years ago

#44972 new defect (bug)

wp_get_current_user() misbehavior

Reported by: tazotodua
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

You might say that the problem is coming from plugins, but I wanted to mention this:

Sometimes, I've found that some plugins use:

$smth = get_bloginfo('language'...);

1) directly in the plugin PHP file (I mean outside of a hook, just directly as a new line),

2) or sometimes that code is used in a class __construct method (no different from the first one - you know, the constructor is executed directly too).

To reproduce the problem, just place that line in any plugin/functions.php, then enter the WP dashboard, and you get:

Sorry, you are not allowed to access this page.

Yes, just using that code in XYZ plugin (without any further action, just that code) causes you to be blocked out of WP.

I've researched and the chain goes like: get_bloginfo() -> get_user_locale() -> wp_get_current_user() -> wp_set_current_user( $user_id ); <- this one causes the issue, I think.

So, I don't know, but I think the get_bloginfo function (or get_current user function), which may EVEN be fired incorrectly, shouldn't cause that problem.

Change History (2)

#1 @tazotodua
6 years ago

Please ignore the above post. Here are simplified steps to reproduce that:

In a clean WP installation, enter the admin dashboard, then just use this code in a plugin or functions.php:

require_once(ABSPATH . 'wp-includes/pluggable.php');
get_user_locale() ; // or directly wp_get_current_user();

Refresh the dashboard page. You will see the error:

"Sorry, you are not allowed to access this page."

(here full error screen: )

So, I think many plugins are calling get_user_locale, get_bloginfo('language'), load_default_textdomain (or many, many other functions that finally call wp_get_current_user); also, many other plugins seem to use:

require_once(ABSPATH . 'wp-includes/pluggable.php');

in their constructors (or directly in plain-code if not CLASS).

So, that breaks admin dashboards.

Last edited 6 years ago by tazotodua
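One way for a plugin to avoid the pattern reported above, as an added example that is not part of the ticket or of WordPress core. The class `Deferred_Locale_Example` and its methods are hypothetical, and the choice of the `init` hook is an assumption that follows the usual guidance to call wp_get_current_user() on `init` or later:

```php
<?php
/**
 * Plugin Name: Deferred Locale Example (hypothetical, for illustration)
 */

final class Deferred_Locale_Example {

	/** @var string|null Language tag; stays null until `init` has fired. */
	private $language = null;

	public function __construct() {
		// Pattern from the ticket, deliberately NOT done here:
		//   require_once( ABSPATH . 'wp-includes/pluggable.php' );
		//   $smth = get_bloginfo( 'language' );
		// Core loads pluggable.php itself after the active plugins, so a
		// plugin never needs to include it. Both lines would also run while
		// plugins are still loading and reach wp_get_current_user() too early.
		add_action( 'init', array( $this, 'resolve_language' ) );
	}

	/** Runs on `init` (assumed hook), when asking for the current user is safe. */
	public function resolve_language() {
		$this->language = get_bloginfo( 'language' );
	}

	/**
	 * Returns the language tag, or null when asked before `init`.
	 * The early call is flagged instead of silently resolving the user.
	 */
	public function language() {
		if ( null === $this->language && ! did_action( 'init' ) ) {
			_doing_it_wrong(
				__METHOD__,
				'Language requested before the init action has fired.',
				'1.0.0' // Constructed version number for this example.
			);
			return null;
		}
		if ( null === $this->language ) {
			$this->resolve_language();
		}
		return $this->language;
	}
}

// Instantiating at file scope is fine: the constructor only registers a hook.
$deferred_locale_example = new Deferred_Locale_Example();
```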

#2 @SergeyBiryukov
6 years ago

  • Component changed from General to Users
  • Description modified

Related: #14024, #43869.
