From 91c3f80355ce465c3f5427b17f14c8039dccd084 Mon Sep 17 00:00:00 2001
From: Timothy Jacobs <timothyblynjacobs@git.wordpress.org>
Date: Mon, 15 Nov 2021 01:08:35 +0000
Subject: [PATCH] Users: Prevent infinite loop when using capability checks
 during `determine_current_user` on multisite.

On multisite, when checking if a user has a certain capability WordPress makes an additional check to see if the user is a super admin. The `is_super_admin()` function contained a call to `wp_get_current_user()` so as the global current user object could be used if it matched the queried user id.

This would cause an infinite loop if a hook attached to the `determine_current_user` filter was itself making a permission check. For example when limiting who can use the Application Passwords feature based on their capabilities.

Since [50790] the `WP_User` instance for the current user is shared between `wp_get_current_user()` and `get_userdata()`. This means we can remove the `wp_get_current_user` call from `is_super_admin()` while still retaining the same behavior.

Props chrisvanpatten, peterwilsoncc.
Fixes #53386.


git-svn-id: https://develop.svn.wordpress.org/trunk@52157 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/capabilities.php |  2 +-
 tests/phpunit/tests/auth.php     | 40 ++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
index 3ff0481fd4..5ee344b390 100644
--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -888,7 +888,7 @@ function get_super_admins() {
  * @return bool Whether the user is a site admin.
  */
 function is_super_admin( $user_id = false ) {
-	if ( ! $user_id || get_current_user_id() == $user_id ) {
+	if ( ! $user_id ) {
 		$user = wp_get_current_user();
 	} else {
 		$user = get_userdata( $user_id );
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 3567a8bba5..3936f0772d 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -635,4 +635,44 @@ class Tests_Auth extends WP_UnitTestCase {
 
 		$this->assertNull( wp_validate_application_password( null ) );
 	}
+
+	/**
+	 * @ticket 53386
+	 * @dataProvider data_application_passwords_can_use_capability_checks_to_determine_feature_availability
+	 */
+	public function test_application_passwords_can_use_capability_checks_to_determine_feature_availability( $role, $authenticated ) {
+		$user = self::factory()->user->create_and_get( array( 'role' => $role ) );
+
+		list( $password ) = WP_Application_Passwords::create_new_application_password( $user->ID, array( 'name' => 'phpunit' ) );
+
+		add_filter( 'application_password_is_api_request', '__return_true' );
+		add_filter( 'wp_is_application_passwords_available', '__return_true' );
+		add_filter(
+			'wp_is_application_passwords_available_for_user',
+			static function ( $available, WP_User $user ) {
+				return user_can( $user, 'edit_posts' );
+			},
+			10,
+			2
+		);
+
+		$_SERVER['PHP_AUTH_USER'] = $user->user_login;
+		$_SERVER['PHP_AUTH_PW']   = $password;
+
+		unset( $GLOBALS['current_user'] );
+		$current = get_current_user_id();
+
+		if ( $authenticated ) {
+			$this->assertSame( $user->ID, $current );
+		} else {
+			$this->assertSame( 0, $current );
+		}
+	}
+
+	public function data_application_passwords_can_use_capability_checks_to_determine_feature_availability() {
+		return array(
+			'allowed'     => array( 'editor', true ),
+			'not allowed' => array( 'subscriber', false ),
+		);
+	}
 }