[buddypress-trac] [BuddyPress Trac] #7658: User is de-authenticated when making REST API request

buddypress-trac noreply at wordpress.org
Tue May 7 16:37:46 UTC 2024


#7658: User is de-authenticated when making REST API request
--------------------------+---------------------
 Reporter:  dcavins       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  14.0.0
Component:  Core          |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+---------------------

Comment (by dcavins):

 I revisited this issue and made the following notes to refresh my memory:
 Update on how this works as of BP 12:

 `$bp->loggedin_user->id` is populated via `wp_get_current_user()` in
 `BP_Core::setup_globals()`.
 `$bp->loggedin_user->userdata` is mostly populated via
 `bp_core_get_core_userdata()` which is actually a call to
 `BP_Core_User::get_core_userdata( $user_id )` which relies on
 `WP_User::get_data_by( 'id', $user_id )`. Note that
 `WP_User::get_data_by()` doesn't return a user object; it returns the user
 data from the match in the users database table. The related WP wrapper
 function `get_user_by()` also uses `WP_User::get_data_by()` internally but
 initializes and returns a `WP_User` object.

 Adding a logger to
 `BP_REST_Members_Endpoint::get_item_permissions_check()` yields the
 following when not passing a valid nonce:
 bp_loggedin_user_id: 1, get_current_user_id: 0 (BP stores the user based
 on early cookie validation; WP's idea of the user is changed at
 `rest_cookie_check_errors()`)
 This is true for BP 12 and BP 12 + BP Classic, in WP 6.3+.

 I've come up with a pretty simple outline of a solution that I'll attach a
 patch for that introduces a new class `BP_LoggedIn_User` which uses a
 magic `__get()` to fetch property values from WP as needed. I think it's
 what John was hinting at above. Anyway, it seems to work, though I'm not
 currently able to run our unit tests, so don't know what that will
 uncover.

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7658#comment:11>
BuddyPress Trac <http://buddypress.org/>
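
The discrepancy described in the comment above, and the lazy-lookup idea it outlines, as an added PHP illustration. This is not BuddyPress code and not the patch attached to the ticket: the class name `Example_Lazy_LoggedIn_User`, the resolver callable and the sample user objects are constructed for the example (inside WordPress the resolver would be `wp_get_current_user`).

```php
<?php
// Added illustration; hypothetical names, not the ticket's patch.

/** Hypothetical lazy proxy: asks the resolver on every read instead of caching. */
class Example_Lazy_LoggedIn_User {
	private $resolver;

	public function __construct( callable $resolver ) {
		$this->resolver = $resolver;
	}

	public function __get( $name ) {
		$user = call_user_func( $this->resolver );
		if ( 'id' === $name ) {
			return (int) $user->ID;
		}
		// Any other property is read from the live user, or null if absent.
		return isset( $user->$name ) ? $user->$name : null;
	}

	public function __isset( $name ) {
		return null !== $this->__get( $name );
	}
}

// Constructed stand-in for WordPress's notion of the current user.
$current  = (object) array( 'ID' => 1, 'user_login' => 'admin' );
$resolver = function () use ( &$current ) {
	return $current;
};

// Early in the request: the cookie has validated, so the user is 1.
// The eager copy models an id stored once during setup_globals().
$snapshot = (object) array( 'id' => (int) $current->ID );
$lazy     = new Example_Lazy_LoggedIn_User( $resolver );

// Later: the REST cookie check sees no valid nonce and the current user becomes 0.
$current = (object) array( 'ID' => 0 );

// Compare each view of the logged-in user with the current one.
printf( "snapshot id: %d, lazy id: %d, current id: %d\n", $snapshot->id, $lazy->id, $current->ID );
printf( "snapshot matches current: %s\n", var_export( $snapshot->id === $current->ID, true ) );
printf( "lazy matches current: %s\n", var_export( $lazy->id === $current->ID, true ) );
```

A permission callback that trusts the eager copy would authorize a request that the nonce check has already treated as unauthenticated, which is why the id should be read at check time.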