• We discovered that the enable-media-replace plugin is checking the user’s access privileges too early in the request – before the authentication system has been initialized. See stack trace below.

    This can be a problem for other plugins, because it causes the determine_current_user hook to get invoked too early, before the WordPress Core bootstrap actually reached the user authentication phase.

    In addition, gettext translations are not loaded yet, so any strings that are output are appearing untranslated in English.

    According to the WordPress Action Reference, if you rely on the currently logged-in user, you should move the invocation of EnableMediaReplacePlugin::runtime() from plugins_loaded to init.

    Stack trace:

    URL: /wp-json/wc-admin/options?options=woocommerce_revenue_report_date_tour_shown&_locale=user

    #0 /wp-includes/class-wp-hook.php(324): wp_validate_auth_cookie(false)
    #1 /wp-includes/plugin.php(205): WP_Hook->apply_filters(false, Array)
    #2 /wp-includes/user.php(3753): apply_filters('determine_curre...', false)
    #3 /wp-includes/pluggable.php(70): _wp_get_current_user()
    #4 /wp-includes/capabilities.php(911): wp_get_current_user()
    #5 /wp-content/plugins/enable-media-replace/classes/emr-plugin.php(46): current_user_can('upload_files')
    #6 /wp-includes/class-wp-hook.php(324): EnableMediaReplace\EnableMediaReplacePlugin->runtime('')
    #7 /wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters(NULL, Array)
    #8 /wp-includes/plugin.php(517): WP_Hook->do_action(Array)
    #9 /wp-settings.php(578): do_action('plugins_loaded')
    #10 /wp-config.php(76): require_once('...')
    #11 /wp-load.php(50): require_once('...')
    #12 /wp-blog-header.php(13): require_once('...')
    #13 /index.php(17): require('...')

    Pretty much every request is affected by this issue, but the above is one of the most direct stack traces exposing the symptom.

    In plugins_loaded, you cannot call current_user_can().

    You can only call current_user_can() after the action set_current_user has run. You should use the init hook like all other plugins, or remove all code depending on user permissions from plugins_loaded.
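The hook ordering described in the post above, as an added example that is not part of the original post and is not Enable Media Replace's code. The class name `Example_Media_Plugin`, its methods and the log prefix are hypothetical, and the diagnostic filter is assumed to be loaded as a must-use plugin so that it is registered before regular plugins run.

```php
<?php
/**
 * Added example: defer the capability check to init, and log any code
 * that resolves the current user before WordPress core has done so.
 * All names here are hypothetical, not taken from any real plugin.
 */

final class Example_Media_Plugin {
    // Runs on plugins_loaded: only registers hooks, never touches the user.
    public static function boot(): void {
        add_action( 'init', array( __CLASS__, 'runtime' ) );
    }

    // Runs on init: core has already resolved the current user, so the
    // capability check no longer forces determine_current_user early.
    public static function runtime(): void {
        if ( ! current_user_can( 'upload_files' ) ) {
            return;
        }
        // Register the features that require upload permission here.
    }
}
add_action( 'plugins_loaded', array( 'Example_Media_Plugin', 'boot' ) );

/**
 * Diagnostic filter: wp-settings.php fires after_setup_theme before core
 * resolves the user, so a determine_current_user call made before that
 * action has started comes from plugin or theme code running too early.
 */
add_filter(
    'determine_current_user',
    function ( $user_id ) {
        if ( ! did_action( 'after_setup_theme' ) ) {
            error_log(
                '[early-user-check] determine_current_user before after_setup_theme: '
                . wp_debug_backtrace_summary()
            );
        }
        return $user_id; // Pass the value through unchanged.
    },
    1
);
```

With the diagnostic active, a request like the one in the stack trace would produce a log line naming the caller chain that ran during `plugins_loaded`.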
