Role/Capability: Introduce the user_can_for_blog() function.

This complements the existing user capability checking functions and enables checking a capability of any user on any site on a Multisite network. Props tmanoilov, rajinsharwar, n8finch, johnbillion Fixes #45197 git-svn-id: https://develop.svn.wordpress.org/trunk@59123 602fd350-edb4-49c9-b593-d223f7449a82
dd32 · Sep 30, 2024 · 328284c · 328284c
1 parent 0780447
commit 328284c
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 0 deletions.
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
@@ -1013,6 +1013,54 @@ function user_can( $user, $capability, ...$args ) {
 	return $user->has_cap( $capability, ...$args );
 }
 
+/**
+ * Returns whether a particular user has the specified capability for a given site.
+ *
+ * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
+ * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
+ * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
+ *
+ * Example usage:
+ *
+ *     user_can_for_blog( $user->ID, $blog_id, 'edit_posts' );
+ *     user_can_for_blog( $user->ID, $blog_id, 'edit_post', $post->ID );
+ *     user_can_for_blog( $user->ID, $blog_id, 'edit_post_meta', $post->ID, $meta_key );
+ *
+ * @since 6.7.0
+ *
+ * @param int|WP_User $user       User ID or object.
+ * @param int         $blog_id    Site ID.
+ * @param string      $capability Capability name.
+ * @param mixed       ...$args    Optional further parameters, typically starting with an object ID.
+ * @return bool Whether the user has the given capability.
+ */
+function user_can_for_blog( $user, $blog_id, $capability, ...$args ) {
+	if ( ! is_object( $user ) ) {
+		$user = get_userdata( $user );
+	}
+
+	if ( empty( $user ) ) {
+		// User is logged out, create anonymous user object.
+		$user = new WP_User( 0 );
+		$user->init( new stdClass() );
+	}
+
+	// Check if the blog ID is valid.
+	if ( ! is_numeric( $blog_id ) || $blog_id <= 0 ) {
+		return false;
+	}
+
+	$switched = is_multisite() ? switch_to_blog( $blog_id ) : false;
+
+	$can = user_can( $user->ID, $capability, ...$args );
+
+	if ( $switched ) {
+		restore_current_blog();
+	}
+
+	return $can;
+}
+
 /**
  * Retrieves the global WP_Roles instance and instantiates it if necessary.
  *

diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
@@ -1653,6 +1653,9 @@ public function test_set_role_fires_remove_user_role_and_add_user_role_hooks() {
 		$this->assertSame( 2, $add_user_role->get_call_count() );
 	}
 
+	/**
+	 * @group can_for_blog
+	 */
 	public function test_current_user_can_for_blog() {
 		global $wpdb;
 
@@ -1662,8 +1665,10 @@ public function test_current_user_can_for_blog() {
 
 		$this->assertTrue( current_user_can_for_blog( get_current_blog_id(), 'edit_posts' ) );
 		$this->assertFalse( current_user_can_for_blog( get_current_blog_id(), 'foo_the_bar' ) );
+
 		if ( ! is_multisite() ) {
 			$this->assertTrue( current_user_can_for_blog( 12345, 'edit_posts' ) );
+			$this->assertFalse( current_user_can_for_blog( 12345, 'foo_the_bar' ) );
 			return;
 		}
 
@@ -1672,12 +1677,65 @@ public function test_current_user_can_for_blog() {
 		$wpdb->suppress_errors( $suppress );
 
 		$blog_id = self::factory()->blog->create( array( 'user_id' => $user->ID ) );
+
+		$this->assertNotWPError( $blog_id );
 		$this->assertTrue( current_user_can_for_blog( $blog_id, 'edit_posts' ) );
 		$this->assertFalse( current_user_can_for_blog( $blog_id, 'foo_the_bar' ) );
 
+		$another_blog_id = self::factory()->blog->create( array( 'user_id' => self::$users['author']->ID ) );
+
+		$this->assertNotWPError( $another_blog_id );
+
+		// Verify the user doesn't have a capability
+		$this->assertFalse( current_user_can_for_blog( $another_blog_id, 'edit_posts' ) );
+
+		// Add the current user to the site
+		add_user_to_blog( $another_blog_id, $user->ID, 'author' );
+
+		// Verify they now have the capability
+		$this->assertTrue( current_user_can_for_blog( $another_blog_id, 'edit_posts' ) );
+
 		wp_set_current_user( $old_uid );
 	}
 
+	/**
+	 * @group can_for_blog
+	 */
+	public function test_user_can_for_blog() {
+		$user = self::$users['editor'];
+
+		$this->assertTrue( user_can_for_blog( $user->ID, get_current_blog_id(), 'edit_posts' ) );
+		$this->assertFalse( user_can_for_blog( $user->ID, get_current_blog_id(), 'foo_the_bar' ) );
+
+		if ( ! is_multisite() ) {
+			$this->assertTrue( user_can_for_blog( $user->ID, 12345, 'edit_posts' ) );
+			$this->assertFalse( user_can_for_blog( $user->ID, 12345, 'foo_the_bar' ) );
+			return;
+		}
+
+		$blog_id = self::factory()->blog->create( array( 'user_id' => $user->ID ) );
+
+		$this->assertNotWPError( $blog_id );
+		$this->assertTrue( user_can_for_blog( $user->ID, $blog_id, 'edit_posts' ) );
+		$this->assertFalse( user_can_for_blog( $user->ID, $blog_id, 'foo_the_bar' ) );
+
+		$author = self::$users['author'];
+
+		// Verify another user doesn't have a capability
+		$this->assertFalse( is_user_member_of_blog( $author->ID, $blog_id ) );
+		$this->assertFalse( user_can_for_blog( $author->ID, $blog_id, 'edit_posts' ) );
+
+		// Add the author to the site
+		add_user_to_blog( $blog_id, $author->ID, 'author' );
+
+		// Verify they now have the capability
+		$this->assertTrue( is_user_member_of_blog( $author->ID, $blog_id ) );
+		$this->assertTrue( user_can_for_blog( $author->ID, $blog_id, 'edit_posts' ) );
+
+		// Verify the user doesn't have a capability for a non-existent site
+		$this->assertFalse( user_can_for_blog( $user->ID, -1, 'edit_posts' ) );
+	}
+
 	/**
 	 * @group ms-required
 	 */