[buddypress-trac] [BuddyPress Trac] #8459: Audit user_can() and 'exist' cap usages, related to anonymous users
buddypress-trac
noreply at wordpress.org
Sun May 9 04:09:58 UTC 2021
#8459: Audit user_can() and 'exist' cap usages, related to anonymous users
-----------------------------+---------------------
Reporter: johnjamesjacoby | Owner: (none)
Type: defect (bug) | Status: new
Priority: high | Milestone: 8.0.0
Component: Core | Version:
Severity: normal | Resolution:
Keywords: needs-testing |
-----------------------------+---------------------
Comment (by imath):
Here's what I've checked so far about the `user_can( 0, 'exist' )` change in WP 5.8:

1. `user_can()` is used twice in BP Core code:
   - In `bp_core_login_redirect()` to check the `'edit_posts'` cap.
   - In `bp_user_can()` to possibly check any caps.
2. `bp_user_can()` is used 15 times in BP Core code:
   - By `bp_current_user_can()` to possibly check any caps.
   - Directly 14 times. The `exist` cap is never checked; it is used twice to check for the user ID `0`, in `BP_Members_Invitation_Manager->allow_invitation()` and in `BP_Members_Invitation_Manager->allow_request()`.
3. The `'exist'` cap is checked twice in BP Core code:
   - In `BP_Members_Admin->user_profile_menu()` to generate a WP Admin menu.
   - In `bp_xprofile_map_meta_caps()` as the default capability to return.
   This cap is always checked with `bp_current_user_can()`, except once in `bp_xprofile_grant_bp_xprofile_change_field_visibility_for_logged_out_users()`, which filters `bp_user_can()` to allow a logged-out user to customize the field visibility (probably during signup).
4. Unit tests are not failing with WP Master, which contains the [https://core.trac.wordpress.org/changeset/50490 WP changeset] since March 4th.
Next steps are to:

> - Ensure that code expecting false or a mock/empty WP_User object continues to return the correct type of value
> - Ensure hooks continue to pass in correctly typed variable values related to roles/capabilities
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8459#comment:6>
BuddyPress Trac <http://buddypress.org/>
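An added example, not BuddyPress or WordPress code, illustrating the two invariants the "next steps" above ask for: a lookup helper that returns either a `WP_User` object or `false` (never an ambiguous value), and a cap-check wrapper that always returns a bool, with user ID `0` treated as the anonymous user rather than as a failed lookup. The `WP_User` class here is a stripped-down stand-in constructed so the file runs outside WordPress; its rule that every user object, including ID `0`, passes the `'exist'` check is the example's own reading of core's behaviour, not something the ticket states. All `example_*` function names are hypothetical.

```php
<?php
// Added example (not BuddyPress or WordPress code). Keeps the return-type
// contract the ticket's next steps describe: lookups yield WP_User or false,
// cap checks yield a bool, and user ID 0 is "anonymous", not "unknown".

// Stand-in so the file runs outside WordPress. Constructed for this example;
// the real class lives in wp-includes/class-wp-user.php.
if ( ! class_exists( 'WP_User' ) ) {
	class WP_User {
		public $ID;
		public $allcaps;

		public function __construct( $id = 0, array $caps = array() ) {
			$this->ID      = (int) $id;
			$this->allcaps = array_fill_keys( $caps, true );
		}

		public function exists() {
			return $this->ID > 0;
		}

		public function has_cap( $cap ) {
			// Assumption (example's reading of core): every WP_User object,
			// even the anonymous ID-0 one, is allowed to 'exist'.
			if ( 'exist' === $cap ) {
				return true;
			}
			return ! empty( $this->allcaps[ $cap ] );
		}
	}
}

// Constructed user table: ID 7 is a contributor-like user, anything else is unknown.
function example_get_userdata( $user_id ) {
	$users = array( 7 => new WP_User( 7, array( 'read', 'edit_posts' ) ) );
	$key   = (int) $user_id;
	return isset( $users[ $key ] ) ? $users[ $key ] : false;
}

/**
 * Hypothetical lookup step of a bp_user_can()-style wrapper.
 *
 * Returns a WP_User for a real user, the anonymous WP_User( 0 ) for ID 0,
 * and false for an ID that does not exist, so callers can tell "logged out"
 * from "no such user" with instanceof / === false checks, never with a
 * truthiness test that would also swallow 0, null or an empty string.
 */
function example_resolve_user( $user_id ) {
	$user_id = (int) $user_id;
	if ( 0 === $user_id ) {
		return new WP_User( 0 ); // anonymous user object
	}
	$user = example_get_userdata( $user_id );
	return ( $user instanceof WP_User ) ? $user : false;
}

/**
 * Always returns a bool. An unknown user has no capabilities at all; the
 * anonymous user gets only what WP_User( 0 ) grants (here: 'exist').
 */
function example_user_can( $user_id, $capability ) {
	$user = example_resolve_user( $user_id );
	if ( ! $user instanceof WP_User ) {
		return false;
	}
	return (bool) $user->has_cap( $capability );
}

// Sanity checks (run with: php this_file.php; silent when every assertion holds).
assert( true === example_user_can( 0, 'exist' ) );        // anonymous visitor "exists"
assert( false === example_user_can( 0, 'edit_posts' ) );  // but holds no real caps
assert( true === example_user_can( 7, 'edit_posts' ) );   // known user with the cap
assert( false === example_user_can( 9999, 'exist' ) );    // unknown ID is not a WP_User at all
assert( false === example_resolve_user( 9999 ) );         // lookup returns false, not null or 0
assert( example_resolve_user( 0 ) instanceof WP_User );    // lookup returns an object for ID 0
```

The point of the split into `example_resolve_user()` and `example_user_can()` is that each hook or caller sees one type: filters on the lookup can rely on `WP_User|false`, and filters on the cap check can rely on a bool, which is the kind of typed contract the second bullet of the next steps asks to preserve.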