Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#48415 closed defect (bug) (duplicate)

Calling current_user_can( 'publish_post' ) results in Notice on 5.3-RC2-46574

Reported by: johnstonphilip's profile johnstonphilip Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Users Keywords: close
Focuses: Cc:

Description

The spread operator change which was added to current_user_can in 5.3-RC2 is resulting in notices showing for calls that previously did not.

For example, calling

current_user_can( 'publish_post' );

Triggers this notice:
Notice: Undefined offset: 0 in /app/public/wp-includes/capabilities.php on line 256

Perhaps an isset check should be done prior to attempting usage. Something like this:

$post = isset( $args[0] ) ? $args[0] : false

The code in question is here:
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L256

But that type of call is done in a few places:
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L68
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L141
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L210
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L256
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L285
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L374
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L514

Making this change would follow suit with what is done for some other cap checks, like edit_users:
https://github.com/WordPress/WordPress/blob/66f907b2eb0b7adaa57ecfac0e49535fce63a341/wp-includes/capabilities.php#L55

Change History (5)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Users
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 5.3

#2 @SergeyBiryukov
4 years ago

  • Keywords close added; needs-patch removed

Hi there, thanks for the ticket!

The spread operator was added in [45622], however it seems unrelated to the issue, I can reproduce it on 5.2.4 as well.

If you need to check whether the current user can publish posts in general, current_user_can( 'publish_posts' ) should be used (note the plural posts), which does not require a post ID.

If you need to check whether they can publish a particular post, current_user_can( 'publish_post', $post_id ) should be used, which does require a post ID.

Checking current_user_can( 'publish_post' ) without passing in a post ID seems like a developer error, so the notice is legitimate.

#3 @azaozz
4 years ago

  • Milestone 5.3 deleted
  • Resolution set to invalid
  • Status changed from new to closed

Right. The 'publish_post' capability check requires a post ID. It won't work without it, same as calling a function and not passing a required param. Don't think using the spread operator changes anything here. The same Notice: Undefined offset: 0 is thrown in 5.2.

#4 @johnstonphilip
4 years ago

For whatever reason I wasn't getting it in 5.2, but I understand the sentiment here.

Version 1, edited 4 years ago by johnstonphilip (previous) (next) (diff)

#5 @SergeyBiryukov
4 years ago

  • Resolution changed from invalid to duplicate

Duplicate of #44591.

Note: See TracTickets for help on using tickets.