#61161 closed defect (bug) (duplicate)
current_user_can fatal error
Reported by: | kkmuffme | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 2.0.3 |
Component: | Role/Capability | Keywords: | |
Focuses: | Cc: |
Description
current_user_can
uses https://developer.wordpress.org/reference/functions/wp_get_current_user/ internally, however this function is only loaded only much after current_user_can
is declared. This means using current_user_can
on e.g. mu_plugins_loaded
or plugin_loaded
hook will result in a fatal error.
Changing the wp_get_current_user()
call in there to _wp_get_current_user()
fixes that issue, but then it fails on wp_set_current_user()
which is pluggable too.
Change History (5)
#2
@
4 months ago
I know, but the problem is that this can accidentally make a plugin break another plugin or WP core alltogether with a fatal error.
e.g. plugin A:
<?php function my_cb_a( $value ) { if ( isset( $_GET['foo'] ) && current_user_can( 'administrator' ) ) { return 'UTF-8'; } return $value; } add_filter( 'pre_option_blog_charset', 'my_cb_a' );
plugin B:
<?php function my_cb_b() { $example = get_option( 'blog_charset' ); } add_action( 'plugins_loaded', 'my_cb_b' );
#3
@
2 weeks ago
- Version changed from 6.6 to 2.0.3
Changing the version that introduced this code. It was introduced WP 2.0.3 via [3566] (18 years ago).
#4
@
2 weeks ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Severity changed from major to normal
- Status changed from new to closed
Hello @kkmuffme,
Welcome back to WordPress Core Trac.
This has been discussed multiple times throughout the years. The first discussion and reasoning for it as well as using init
was in #5265. More recently, it was discussed in #59000.
I'm closing this ticket as a duplicate of #5265. Doing so shifts the discussion into 1 ticket. After reviewing #5265, if there are new reasonings or concerns, please share those in that ticket and consider reopening it to restart and renew the discussion and considerations. Thanks.
Note that it has always been documented that the earliest you can access the current user is in the
init
action.https://developer.wordpress.org/apis/hooks/action-reference/#actions-run-during-a-typical-request
So I would not expect it to work before
init
. (But it might make more sense to display a useful error message instead of crashing due to a missing function.)