
Changeset 60491

Timestamp:
07/21/2025 05:58:11 PM (3 months ago)
Author:
SergeyBiryukov
Message:

Role/Capability: Ensure that logged-out users cannot edit themselves.

Follow-up to [3846], [6697], [14189], [21152].

Props dd32, peterwilsoncc, johnbillion, mukesh27, swissspidy, SergeyBiryukov.
Fixes #63684.

Location:
trunk
Files:
2 edited

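--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -61,4 +61,10 @@
         case 'edit_user':
         case 'edit_users':
+            // Non-existent users can't edit users, not even themselves.
+            if ( $user_id < 1 ) {
+                $caps[] = 'do_not_allow';
+                break;
+            }
+
             // Allow user to edit themselves.
             if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id === (int) $args[0] ) {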
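--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -1831,9 +1831,45 @@
     }
 
-    public function test_user_can_edit_self() {
-        foreach ( self::$users as $role => $user ) {
-            wp_set_current_user( $user->ID );
-            $this->assertTrue( current_user_can( 'edit_user', $user->ID ), "User with role {$role} should have the capability to edit their own profile" );
-        }
+    /**
+     * Test if a user can edit their own profile based on their role.
+     *
+     * @ticket 63684
+     *
+     * @dataProvider data_user_can_edit_self
+     *
+     * @param string $role          The role of the user.
+     * @param bool   $can_edit_self Whether the user can edit their own profile.
+     */
+    public function test_user_can_edit_self( $role, $can_edit_self = true ) {
+        $user = self::$users[ $role ];
+        wp_set_current_user( $user->ID );
+
+        if ( $can_edit_self ) {
+            $this->assertTrue(
+                current_user_can( 'edit_user', $user->ID ),
+                "User with role '{$role}' should have the capability to edit their own profile"
+            );
+        } else {
+            $this->assertFalse(
+                current_user_can( 'edit_user', $user->ID ),
+                "User with role '{$role}' should not have the capability to edit their own profile"
+            );
+        }
+    }
+
+    /**
+     * Data provider for test_user_can_edit_self.
+     *
+     * @return array[] Data provider.
+     */
+    public static function data_user_can_edit_self() {
+        return array(
+            'anonymous'     => array( 'anonymous', false ),
+            'administrator' => array( 'administrator', true ),
+            'editor'        => array( 'editor', true ),
+            'author'        => array( 'author', true ),
+            'contributor'   => array( 'contributor', true ),
+            'subscriber'    => array( 'subscriber', true ),
+        );
     }
 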
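Review bot: The default `$can_edit_self = true` on the rewritten test_user_can_edit_self is never exercised, since every row of data_user_can_edit_self supplies both values; for a data-provider test a required parameter states the contract more plainly: `public function test_user_can_edit_self( $role, $can_edit_self ) {`. The if/else could also collapse into a single `$this->assertSame( $can_edit_self, current_user_can( 'edit_user', $user->ID ), ... )` if the role-specific failure messages are not needed. The 'anonymous' row presumably resolves to a WP_User with ID 0 in self::$users, which is populated outside the hunk; that row is the one that covers the new guard in capabilities.php, so it is worth confirming the key exists there.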