security - Best practices to assert current_user_can() with guests | Programmer puzzle solving

In WordPress, a guest can do a lot of things, such as reading posts.

However, this always returns false for guests:

add_action('wp', function() {
    global $post;

    /** @var WP_Post_Type $pto */
    $pto = get_post_type_object(get_post_type($post->ID));

    /** @var bool $cap */
    $cap = current_user_can($pto->cap->read_post);
});

I see that current_user_can() triggers this piece of code for guests:

// wp-includes/user.php @ line 2613 (WordPress 5.0.0)
wp_set_current_user( 0 );
return $current_user;

Thus running assertions on this WP_User object:

WP_User Object
(
    [data] => stdClass Object
        (
        )

    [ID] => 0
    [caps] => Array
        (
        )

    [cap_key] => 
    [roles] => Array
        (
        )

    [allcaps] => Array
        (
        )

    [filter] => 
    [site_id:WP_User:private] => 0
)

Which means it has no capabilities at all, which is probably why it's failing.

Given that a guest can actually read a post, why does this return false?

Since such assertions are critical for security, how can I check whether a guest is allowed to do something in WordPress, such as reading a post type, or a post ID?
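One way to handle the guest case explicitly, as an added example that is not part of the question: keep capability checks for logged-in users, and for user ID 0 (whose allcaps array is empty, so every current_user_can() call is false) fall back to the question WordPress actually answers for anonymous readers, namely whether the post's type and status are public. Only core functions are used; the function name visitor_can_read_post() is hypothetical, and on WordPress 5.7+ the type/status part can also be replaced by is_post_publicly_viewable().

```php
<?php
/**
 * Added example (not code from the question). Decide whether the *current*
 * visitor may read a post. Assumes only WordPress core functions:
 * get_post, get_post_type_object, get_post_status_object,
 * is_post_type_viewable, post_password_required, is_user_logged_in,
 * current_user_can. The function name itself is hypothetical.
 */
function visitor_can_read_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return false; // unknown post: deny by default
    }

    // Logged-in users: capability checks work, so let map_meta_cap decide
    // (it handles drafts, private posts, other authors' content, etc.).
    if ( is_user_logged_in() ) {
        return current_user_can( 'read_post', $post->ID );
    }

    // Guests have no capabilities at all, so a cap check is meaningless.
    // Ask instead whether this content is publicly viewable.
    $pto = get_post_type_object( $post->post_type );
    if ( ! $pto || ! is_post_type_viewable( $pto ) ) {
        return false; // e.g. revisions, nav_menu_item, non-public CPTs
    }

    $status = get_post_status_object( $post->post_status );
    if ( ! $status || empty( $status->public ) ) {
        return false; // draft, pending, private, trash, future
    }

    // A password-protected post is public but unreadable until the
    // visitor has entered the password; post_password_required() checks that.
    if ( post_password_required( $post ) ) {
        return false;
    }

    return true;
}

// Usage in the hook from the question, on the main query's object.
add_action( 'wp', function () {
    $post = get_queried_object();
    if ( $post instanceof WP_Post && ! visitor_can_read_post( $post->ID ) ) {
        wp_die( 'You are not allowed to read this post.', '', array( 'response' => 403 ) );
    }
} );
```

Note that this deliberately does not grant capabilities to anonymous users via the user_has_cap filter; granting caps to user ID 0 widens every other check that tests the same capability.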
