Harden live update preference authorization#1918
Merged
Merged
Conversation
Enforce the view capability and always target the current user in the stream_enable_live_update AJAX handler so a user can only change their own live update preference. Drop the client-supplied user field from the markup and AJAX payload, and add PHPUnit coverage for the authorization behavior. Co-authored-by: Cursor <cursoragent@cursor.com>
The ondrej/php PPA added by setup-php changed its repository Label, which caused the apt-get update run by `playwright install --with-deps` to abort with exit code 100. Refresh apt metadata with --allow-releaseinfo-change first so browser dependency installation succeeds. Co-authored-by: Cursor <cursoragent@cursor.com>
PatelUtkarsh
approved these changes
Jul 6, 2026
PatelUtkarsh
left a comment
Member
There was a problem hiding this comment.
Looks good! Left 1 comment.
Pin the JSON success flag in both the denial and current-user tests so a future refactor cannot silently return success without writing the expected user meta. Co-authored-by: Cursor <cursoragent@cursor.com>
This was referenced Jul 6, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security hardening for the
stream_enable_live_updateAJAX handler that toggles the per-user "Live updates" screen option.view_cap) before processing the request.get_current_user_id()instead of a client-supplieduservalue, so a user can only ever change their own live update preference.classes/class-list-table.php) and the AJAX payload (src/js/admin.js).wp_stream_filter_input()for thechecked/heartbeatparams for consistent request handling.Tests
Adds
tests/phpunit/test-class-live-update.php:test_enable_live_update_only_updates_current_user()— a user with view access cannot modify another user's preference by supplying a forgeduserid.test_enable_live_update_denies_users_without_view_cap()— a user without view access is denied.Notes
build/admin.jsis gitignored and regenerated at build time; onlysrc/js/admin.jsis committed.Made with Cursor