Fix view_stats capability check for users with multiple roles#47991
yaswanthkumar1995 wants to merge 1 commit intoAutomattic:trunkfrom
Conversation
The view_stats meta-cap mapping only checked the first role in the user's roles array via array_shift(). Users with multiple roles (e.g. customer + administrator) could be denied stats access if their first role wasn't in the stats roles allowlist. Use array_intersect() to check all user roles against the allowed stats roles instead of only the first. Fixes Automattic#47258
Fixes #47258
Proposed changes
- `view_stats` meta-capability mapping to check all user roles instead of only the first one.
- `array_shift()` + `in_array()` with `array_intersect()` so multi-role users (e.g. `customer` + `administrator`) are correctly granted stats access.
- `administrator` is not the first role.
Other information
The bug occurs because `array_shift($user_roles)` only returns the first role in the array. For users who were assigned a non-admin role before being promoted to administrator, the first role (e.g. `customer`) isn't in the stats allowlist, so they're denied access.
Related product discussion/links
Does this pull request change what data or activity we track or use?
No.
Testing instructions
- `subscriber` role
- `administrator` as a second role: `$user->add_role('administrator')`
- `user_can($user_id, 'view_stats')` returns `true`
- `false` because only the first role (subscriber) was checked
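The first-role-only check the PR describes, modelled beside the all-roles check, as an added example that is not Jetpack's own code: the allowlist, the two helper functions and the sample users are constructed for illustration, and the helpers return a boolean rather than the capability array WordPress's meta-cap filter works with.

```php
<?php
// Added example, not Jetpack's code: a minimal model of the view_stats
// meta-cap decision, with the first-role-only check beside the all-roles check.

// Hypothetical allowlist; the real stats roles list lives in Jetpack's settings.
const STATS_ROLES = ['administrator', 'editor'];

// Behaviour the PR fixes: only the first role in the array is consulted.
function can_view_stats_first_role_only(array $user_roles, array $stats_roles): bool {
    $first = array_shift($user_roles); // null when the user has no roles at all
    return in_array($first, $stats_roles, true);
}

// Fixed behaviour: access is granted if any of the user's roles is allowed.
function can_view_stats_any_role(array $user_roles, array $stats_roles): bool {
    return count(array_intersect($user_roles, $stats_roles)) > 0;
}

// Constructed sample users. A role added later with add_role() is appended
// after the original role, which is exactly the case that used to be denied.
$users = [
    'admin only'            => ['administrator'],
    'customer then admin'   => ['customer', 'administrator'],
    'subscriber then admin' => ['subscriber', 'administrator'],
    'customer only'         => ['customer'],
    'no roles'              => [],
];

foreach ($users as $label => $roles) {
    printf(
        "%-22s first-role-only=%-5s all-roles=%s\n",
        $label,
        var_export(can_view_stats_first_role_only($roles, STATS_ROLES), true),
        var_export(can_view_stats_any_role($roles, STATS_ROLES), true)
    );
}
```

Because the corrected check grants access when any role is allowed, the allowlist itself is the only remaining control, so a regression test should cover the empty-roles user as well as the multi-role one.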