Users: Prevent infinite loop when using capability checks during determine_current_user on multisite.

On multisite, when checking if a user has a certain capability WordPress makes an additional check to see if the user is a super admin. The `is_super_admin()` function contained a call to `wp_get_current_user()` so as the global current user object could be used if it matched the queried user id.

This would cause an infinite loop if a hook attached to the `determine_current_user` filter was itself making a permission check. For example when limiting who can use the Application Passwords feature based on their capabilities.

Since [50790] the `WP_User` instance for the current user is shared between `wp_get_current_user()` and `get_userdata()`. This means we can remove the `wp_get_current_user` call from `is_super_admin()` while still retaining the same behavior.

Props chrisvanpatten, peterwilsoncc.
Fixes #53386.


git-svn-id: https://develop.svn.wordpress.org/trunk@52157 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Timothy Jacobs
2021-11-15 01:08:35 +00:00
parent b609efa519
commit 91c3f80355
2 changed files with 41 additions and 1 deletions

View File

@@ -888,7 +888,7 @@ function get_super_admins() {
* @return bool Whether the user is a site admin.
*/
function is_super_admin( $user_id = false ) {
if ( ! $user_id || get_current_user_id() == $user_id ) {
if ( ! $user_id ) {
$user = wp_get_current_user();
} else {
$user = get_userdata( $user_id );