Skip to content

Commit

Permalink
Double-check that the user actually has the meta key
Browse files Browse the repository at this point in the history
  • Loading branch information
psrpinto committed Sep 14, 2023
1 parent 7900e19 commit 92cc419
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions src/Storage/AuthorizationCodeStorage.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,16 @@ private function getUserIdByCode( $code ) {
return null;
}

$key = self::META_KEY_PREFIX . '_client_id_' . $code;

$users = get_users(
array(
// Specifying blog_id does nothing for non-MultiSite installs. But for MultiSite installs, it allows you
// to customize users of which site is supposed to be available for whatever sites
// this plugin is meant to be activated on.
'blog_id' => apply_filters( 'oidc_auth_code_storage_blog_id', get_current_blog_id() ),
// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
'meta_key' => self::META_KEY_PREFIX . '_client_id_' . $code,
'meta_key' => $key,
// Using a meta_key EXISTS query is not slow, see https://github.com/WordPress/WordPress-Coding-Standards/issues/1871.
'meta_compare' => 'EXISTS',
)
Expand All @@ -47,7 +49,14 @@ private function getUserIdByCode( $code ) {
return null;
}

return absint( $users[0]->ID );
$user = $users[0];

// Double-check that the user actually has the meta key.
if ( false === get_user_meta( $user, $key, true ) ) {
return null;
}

return absint( $user->ID );
}

public function getAuthorizationCode( $code ) {
Expand Down

0 comments on commit 92cc419

Please sign in to comment.