Actors: Don't convert non-numeric strings to Blog user id (#1554)

* Add failing test

* Add changelog

* Only convert to int when it's numeric

* Use strict checks in user_can_activitypub

* Revert "Use strict checks in user_can_activitypub"

This reverts commit 8de3516.

* Bail when user_id is not numeric

Author: obenland

.github/changelog/1554-from-description

@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Sites with comments from the Fediverse no longer create uncached extra fields posts that flood the Outbox.

includes/collection/class-actors.php

@@ -46,7 +46,7 @@ class Actors {
 	 * @return User|Blog|Application|WP_Error The Actor or WP_Error if user not found.
 	 */
 	public static function get_by_id( $user_id ) {
-		if ( is_string( $user_id ) || is_numeric( $user_id ) ) {
+		if ( is_numeric( $user_id ) ) {
 			$user_id = (int) $user_id;
 		}
 

includes/functions.php

@@ -329,10 +329,14 @@ function is_post_disabled( $post ) {
 /**
  * This function checks if a user is enabled for ActivityPub.
  *
- * @param int $user_id The user ID.
+ * @param int|string $user_id The user ID.
  * @return boolean True if the user is enabled, false otherwise.
  */
 function user_can_activitypub( $user_id ) {
+	if ( ! is_numeric( $user_id ) ) {
+		return false;
+	}
+
 	switch ( $user_id ) {
 		case Actors::APPLICATION_USER_ID:
 			$enabled = true; // Application user is always enabled.

tests/includes/collection/class-test-actors.php

@@ -27,6 +27,19 @@ public function set_up() {
 		add_user_meta( 1, 'activitypub_user_identifier', 'admin' );
 	}
 
+	/**
+	 * Test get_by_id.
+	 *
+	 * @covers ::get_by_id
+	 */
+	public function test_get_by_id() {
+		// External user.
+		$user_id = '[email protected]';
+
+		$actor = Actors::get_by_id( $user_id );
+		$this->assertWPError( $actor );
+	}
+
 	/**
 	 * Test get_by_various.
 	 *