From 328284c0865be63b906042be0585a022c4f2f5e1 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Mon, 30 Sep 2024 11:03:51 +0000 Subject: [PATCH] Role/Capability: Introduce the `user_can_for_blog()` function. This complements the existing user capability checking functions and enables checking a capability of any user on any site on a Multisite network. Props tmanoilov, rajinsharwar, n8finch, johnbillion Fixes #45197 git-svn-id: https://develop.svn.wordpress.org/trunk@59123 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/capabilities.php | 48 +++++++++++++++++++
 tests/phpunit/tests/user/capabilities.php | 58 +++++++++++++++++++++++
 2 files changed, 106 insertions(+)
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
index dab0067f63858..e0576c6153832 100644
--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -1013,6 +1013,54 @@ function user_can( $user, $capability, ...$args ) {
 return $user->has_cap( $capability, ...$args );
 }
+/**
+ * Returns whether a particular user has the specified capability for a given site.
+ *
+ * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
+ * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
+ * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
+ *
+ * Example usage:
+ *
+ * user_can_for_blog( $user->ID, $blog_id, 'edit_posts' );
+ * user_can_for_blog( $user->ID, $blog_id, 'edit_post', $post->ID );
+ * user_can_for_blog( $user->ID, $blog_id, 'edit_post_meta', $post->ID, $meta_key );
+ *
+ * @since 6.7.0
+ *
+ * @param int|WP_User $user User ID or object.
+ * @param int $blog_id Site ID.
+ * @param string $capability Capability name.
+ * @param mixed ...$args Optional further parameters, typically starting with an object ID.
+ * @return bool Whether the user has the given capability.
+ */
+function user_can_for_blog( $user, $blog_id, $capability, ...$args ) {
+ if ( ! is_object( $user ) ) {
+ $user = get_userdata( $user );
+ }
+
+ if ( empty( $user ) ) {
+ // User is logged out, create anonymous user object.
+ $user = new WP_User( 0 );
+ $user->init( new stdClass() );
+ }
+
+ // Check if the blog ID is valid.
+ if ( ! is_numeric( $blog_id ) || $blog_id <= 0 ) {
+ return false;
+ }
+
+ $switched = is_multisite() ? switch_to_blog( $blog_id ) : false;
+
+ $can = user_can( $user->ID, $capability, ...$args );
+
+ if ( $switched ) {
+ restore_current_blog();
+ }
+
+ return $can;
+}
+ /** + * Retrieves the global WP_Roles instance and instantiates it if necessary. + *
diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
index afaf3d54f7e03..7696478026792 100644
--- a/tests/phpunit/tests/user/capabilities.php
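Review bot: The guard under `// Check if the blog ID is valid.` only rejects non-numeric and non-positive values, so on multisite a positive ID for a site that does not exist is still handed to `switch_to_blog()`, which as far as I can tell does not verify that the site exists; the result for such an ID is then whatever `user_can()` computes in that switched context rather than the `false` that `-1` yields. Either tighten the guard, e.g. `if ( is_multisite() && ! get_site( $blog_id ) ) { return false; }` after the numeric check, or reword the comment to `// Reject values that cannot denote a site; existence is not checked.` and state that in the `@return` description. A why-comment on `$can = user_can( $user->ID, ... )` would also help, since passing the ID rather than the resolved object presumably lets `user_can()` load the user's capabilities for the switched site instead of reusing the object built before the switch — worth confirming and recording. Note that `restore_current_blog()` is skipped if `user_can()` throws, leaving the site switched; this matches the existing `current_user_can_for_blog()` pattern, so it is consistent, but a `try`/`finally` is the fix if that matters.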
+++ b/tests/phpunit/tests/user/capabilities.php
@@ -1653,6 +1653,9 @@ public function test_set_role_fires_remove_user_role_and_add_user_role_hooks() {
 $this->assertSame( 2, $add_user_role->get_call_count() );
 }
+ /**
+ * @group can_for_blog
+ */
 public function test_current_user_can_for_blog() {
 global $wpdb;
@@ -1662,8 +1665,10 @@ public function test_current_user_can_for_blog() {
 $this->assertTrue( current_user_can_for_blog( get_current_blog_id(), 'edit_posts' ) );
 $this->assertFalse( current_user_can_for_blog( get_current_blog_id(), 'foo_the_bar' ) );
+ if ( ! is_multisite() ) {
 $this->assertTrue( current_user_can_for_blog( 12345, 'edit_posts' ) );
+ $this->assertFalse( current_user_can_for_blog( 12345, 'foo_the_bar' ) );
 return;
 }
@@ -1672,12 +1677,65 @@ public function test_current_user_can_for_blog() {
 $wpdb->suppress_errors( $suppress );
 $blog_id = self::factory()->blog->create( array( 'user_id' => $user->ID ) );
+
+ $this->assertNotWPError( $blog_id );
 $this->assertTrue( current_user_can_for_blog( $blog_id, 'edit_posts' ) );
 $this->assertFalse( current_user_can_for_blog( $blog_id, 'foo_the_bar' ) );
+ $another_blog_id = self::factory()->blog->create( array( 'user_id' => self::$users['author']->ID ) );
+
+ $this->assertNotWPError( $another_blog_id );
+
+ // Verify the user doesn't have a capability
+ $this->assertFalse( current_user_can_for_blog( $another_blog_id, 'edit_posts' ) );
+
+ // Add the current user to the site
+ add_user_to_blog( $another_blog_id, $user->ID, 'author' );
+
+ // Verify they now have the capability
+ $this->assertTrue( current_user_can_for_blog( $another_blog_id, 'edit_posts' ) );
+ wp_set_current_user( $old_uid );
 }
+ /**
+ * @group can_for_blog
+ */
+ public function test_user_can_for_blog() {
+ $user = self::$users['editor'];
+
+ $this->assertTrue( user_can_for_blog( $user->ID, get_current_blog_id(), 'edit_posts' ) );
+ $this->assertFalse( user_can_for_blog( $user->ID, get_current_blog_id(), 'foo_the_bar' ) );
+
+ if ( ! 
is_multisite() ) {
+ $this->assertTrue( user_can_for_blog( $user->ID, 12345, 'edit_posts' ) );
+ $this->assertFalse( user_can_for_blog( $user->ID, 12345, 'foo_the_bar' ) );
+ return;
+ }
+
+ $blog_id = self::factory()->blog->create( array( 'user_id' => $user->ID ) );
+
+ $this->assertNotWPError( $blog_id );
+ $this->assertTrue( user_can_for_blog( $user->ID, $blog_id, 'edit_posts' ) );
+ $this->assertFalse( user_can_for_blog( $user->ID, $blog_id, 'foo_the_bar' ) );
+
+ $author = self::$users['author'];
+
+ // Verify another user doesn't have a capability
+ $this->assertFalse( is_user_member_of_blog( $author->ID, $blog_id ) );
+ $this->assertFalse( user_can_for_blog( $author->ID, $blog_id, 'edit_posts' ) );
+
+ // Add the author to the site
+ add_user_to_blog( $blog_id, $author->ID, 'author' );
+
+ // Verify they now have the capability
+ $this->assertTrue( is_user_member_of_blog( $author->ID, $blog_id ) );
+ $this->assertTrue( user_can_for_blog( $author->ID, $blog_id, 'edit_posts' ) );
+
+ // Verify the user doesn't have a capability for a non-existent site
+ $this->assertFalse( user_can_for_blog( $user->ID, -1, 'edit_posts' ) );
+ }
+ /** + * @group ms-required */
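Review bot: The closing assertion `user_can_for_blog( $user->ID, -1, 'edit_posts' )` is commented as checking a non-existent site, but `-1` is turned away by the `$blog_id <= 0` guard in `user_can_for_blog()` before any site is consulted, so the behaviour for a positive ID that does not belong to any site on multisite is not pinned by this test (the single-site branch asserts `12345` returns `true`, but that branch never switches sites). Consider adding a multisite assertion with a positive unused ID whose expected value reflects the intended behaviour, and rewording the comment to `// Verify a value that cannot denote a site is rejected`. The `int|WP_User` object form of the first parameter and the anonymous-user path (ID `0`) are also not exercised; a `$this->assertTrue( user_can_for_blog( $user, $blog_id, 'edit_posts' ) );` call would cover the former. The enclosing test class starts outside this hunk.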