Skip to content

Harden live update preference authorization#1918

Merged
bartoszgadomski merged 3 commits into
developfrom
fix/live-update-user-meta-authz
Jul 6, 2026
Merged

Harden live update preference authorization#1918
bartoszgadomski merged 3 commits into
developfrom
fix/live-update-user-meta-authz

Conversation

@bartoszgadomski

Copy link
Copy Markdown
Member

Summary

Security hardening for the stream_enable_live_update AJAX handler that toggles the per-user "Live updates" screen option.

  • Enforce the Stream view capability (view_cap) before processing the request.
  • Always target get_current_user_id() instead of a client-supplied user value, so a user can only ever change their own live update preference.
  • Remove the now-unused user field from the screen-option markup (classes/class-list-table.php) and the AJAX payload (src/js/admin.js).
  • Switch the handler to wp_stream_filter_input() for the checked/heartbeat params for consistent request handling.

Tests

Adds tests/phpunit/test-class-live-update.php:

  • test_enable_live_update_only_updates_current_user() — a user with view access cannot modify another user's preference by supplying a forged user id.
  • test_enable_live_update_denies_users_without_view_cap() — a user without view access is denied.

Notes

  • No behavior change for legitimate use: an authorized user still toggles their own preference from the Screen Options panel exactly as before.
  • build/admin.js is gitignored and regenerated at build time; only src/js/admin.js is committed.

Made with Cursor

bartoszgadomski and others added 2 commits July 6, 2026 10:30
Enforce the view capability and always target the current user in the
stream_enable_live_update AJAX handler so a user can only change their
own live update preference. Drop the client-supplied user field from the
markup and AJAX payload, and add PHPUnit coverage for the authorization
behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>
The ondrej/php PPA added by setup-php changed its repository Label, which
caused the apt-get update run by `playwright install --with-deps` to abort
with exit code 100. Refresh apt metadata with --allow-releaseinfo-change
first so browser dependency installation succeeds.

Co-authored-by: Cursor <cursoragent@cursor.com>
@bartoszgadomski bartoszgadomski marked this pull request as ready for review July 6, 2026 08:59

@PatelUtkarsh PatelUtkarsh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Left 1 comment.

Comment thread tests/phpunit/test-class-live-update.php
Pin the JSON success flag in both the denial and current-user tests so a
future refactor cannot silently return success without writing the
expected user meta.

Co-authored-by: Cursor <cursoragent@cursor.com>
@bartoszgadomski bartoszgadomski merged commit 504d8cd into develop Jul 6, 2026
3 checks passed
@bartoszgadomski bartoszgadomski deleted the fix/live-update-user-meta-authz branch July 6, 2026 11:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants