Users: Lazy load user capabilities in WP_User object.

spacedmonkey · spacedmonkey · commit 2de7ed3bbc72 · 2025-10-08T19:59:28.000Z
Convert the WP_User object properties caps, roles, and allcaps to protected, and introduce lazy loading for capabilities. These properties are now populated only when first accessed. The existing magic methods (__get, __set, and __unset) have been updated to maintain backward compatibility, ensuring that reading or modifying these formerly public properties continues to work as expected. Ensure that these properties are initialised when calling remove_all_caps(), remove_cap(), has_cap(), add_role(), and set_role() methods. Props spacedmonkey, flixos90, peterwilsoncc, mukesh27, westonruter, swissspidy, prettyboymp. Fixes #58001. git-svn-id: https://develop.svn.wordpress.org/trunk@60915 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/class-wp-user.php b/src/wp-includes/class-wp-user.php
@@ -37,6 +37,9 @@
  * @property string $rich_editing
  * @property string $syntax_highlighting
  * @property string $use_ssl
+ * @property array<string, bool> $caps
+ * @property string[] $roles
+ * @property array<string, bool> $allcaps
  */
 #[AllowDynamicProperties]
 class WP_User {
@@ -60,10 +63,10 @@ class WP_User {
 	 * Capabilities that the individual user has been granted outside of those inherited from their role.
 	 *
 	 * @since 2.0.0
-	 * @var bool[] Array of key/value pairs where keys represent a capability name
-	 *             and boolean values represent whether the user has that capability.
+	 * @var array<string, bool>|null Array of key/value pairs where keys represent a capability name
+	 *                               and boolean values represent whether the user has that capability.
 	 */
-	public $caps = array();
+	protected $caps = null;
 
 	/**
 	 * User metadata option name.
@@ -79,16 +82,16 @@ class WP_User {
 	 * @since 2.0.0
 	 * @var string[]
 	 */
-	public $roles = array();
+	protected $roles = array();
 
 	/**
 	 * All capabilities the user has, including individual and role based.
 	 *
 	 * @since 2.0.0
-	 * @var bool[] Array of key/value pairs where keys represent a capability name
-	 *             and boolean values represent whether the user has that capability.
+	 * @var array<string, bool> Array of key/value pairs where keys represent a capability name
+	 *                          and boolean values represent whether the user has that capability.
 	 */
-	public $allcaps = array();
+	protected $allcaps = array();
 
 	/**
 	 * The filter context applied to user data fields.
@@ -288,6 +291,10 @@ public function __isset( $key ) {
 			$key = 'ID';
 		}
 
+		if ( in_array( $key, array( 'caps', 'allcaps', 'roles' ), true ) ) {
+			return true;
+		}
+
 		if ( isset( $this->data->$key ) ) {
 			return true;
 		}
@@ -321,6 +328,11 @@ public function __get( $key ) {
 			return $this->ID;
 		}
 
+		if ( in_array( $key, array( 'caps', 'allcaps', 'roles' ), true ) ) {
+			$this->load_capability_data();
+			return $this->$key;
+		}
+
 		if ( isset( $this->data->$key ) ) {
 			$value = $this->data->$key;
 		} else {
@@ -363,6 +375,13 @@ public function __set( $key, $value ) {
 			return;
 		}
 
+		// Ensure capability data is loaded before setting related properties.
+		if ( in_array( $key, array( 'caps', 'allcaps', 'roles' ), true ) ) {
+			$this->load_capability_data();
+			$this->$key = $value;
+			return;
+		}
+
 		$this->data->$key = $value;
 	}
 
@@ -386,6 +405,10 @@ public function __unset( $key ) {
 			);
 		}
 
+		if ( in_array( $key, array( 'caps', 'allcaps', 'roles' ), true ) ) {
+			$this->$key = null;
+		}
+
 		if ( isset( $this->data->$key ) ) {
 			unset( $this->data->$key );
 		}
@@ -515,6 +538,11 @@ public function get_role_caps() {
 
 		$wp_roles = wp_roles();
 
+		// Edge case: In case someone calls this method before lazy initialization, we need to initialize on demand.
+		if ( ! isset( $this->caps ) ) {
+			$this->caps = $this->get_caps_data();
+		}
+
 		// Filter out caps that are not role names and assign to $this->roles.
 		if ( is_array( $this->caps ) ) {
 			$this->roles = array_filter( array_keys( $this->caps ), array( $wp_roles, 'is_role' ) );
@@ -548,6 +576,7 @@ public function add_role( $role ) {
 		if ( empty( $role ) ) {
 			return;
 		}
+		$this->load_capability_data();
 
 		if ( in_array( $role, $this->roles, true ) ) {
 			return;
@@ -577,6 +606,7 @@ public function add_role( $role ) {
 	 * @param string $role Role name.
 	 */
 	public function remove_role( $role ) {
+		$this->load_capability_data();
 		if ( ! in_array( $role, $this->roles, true ) ) {
 			return;
 		}
@@ -609,6 +639,7 @@ public function remove_role( $role ) {
 	 * @param string $role Role name.
 	 */
 	public function set_role( $role ) {
+		$this->load_capability_data();
 		if ( 1 === count( $this->roles ) && current( $this->roles ) === $role ) {
 			return;
 		}
@@ -710,6 +741,7 @@ public function update_user_level_from_caps() {
 	 * @param bool   $grant Whether to grant capability to user.
 	 */
 	public function add_cap( $cap, $grant = true ) {
+		$this->load_capability_data();
 		$this->caps[ $cap ] = $grant;
 		update_user_meta( $this->ID, $this->cap_key, $this->caps );
 		$this->get_role_caps();
@@ -724,6 +756,7 @@ public function add_cap( $cap, $grant = true ) {
 	 * @param string $cap Capability name.
 	 */
 	public function remove_cap( $cap ) {
+		$this->load_capability_data();
 		if ( ! isset( $this->caps[ $cap ] ) ) {
 			return;
 		}
@@ -742,10 +775,10 @@ public function remove_cap( $cap ) {
 	 */
 	public function remove_all_caps() {
 		global $wpdb;
-		$this->caps = array();
+		$this->caps = null;
 		delete_user_meta( $this->ID, $this->cap_key );
 		delete_user_meta( $this->ID, $wpdb->get_blog_prefix() . 'user_level' );
-		$this->get_role_caps();
+		$this->load_capability_data();
 	}
 
 	/**
@@ -776,6 +809,8 @@ public function remove_all_caps() {
 	 *              the given capability for that object.
 	 */
 	public function has_cap( $cap, ...$args ) {
+		$this->load_capability_data();
+
 		if ( is_numeric( $cap ) ) {
 			_deprecated_argument( __FUNCTION__, '2.0.0', __( 'Usage of user levels is deprecated. Use capabilities instead.' ) );
 			$cap = $this->translate_level_to_cap( $cap );
@@ -877,10 +912,7 @@ public function for_site( $site_id = 0 ) {
 		}
 
 		$this->cap_key = $wpdb->get_blog_prefix( $this->site_id ) . 'capabilities';
-
-		$this->caps = $this->get_caps_data();
-
-		$this->get_role_caps();
+		$this->caps    = null;
 	}
 
 	/**
@@ -911,4 +943,17 @@ private function get_caps_data() {
 
 		return $caps;
 	}
+
+	/**
+	 * Loads capability data if it has not been loaded yet.
+	 *
+	 * @since 6.9.0
+	 */
+	private function load_capability_data() {
+		if ( isset( $this->caps ) ) {
+			return;
+		}
+		$this->caps = $this->get_caps_data();
+		$this->get_role_caps();
+	}
 }
diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
@@ -992,6 +992,42 @@ public function test_add_role() {
 		$this->assertFalse( $wp_roles->is_role( $role_name ) );
 	}
 
+	/**
+	 * Test adding capabilities, roles, and allcaps manually to a user.
+	 *
+	 * @ticket 58001
+	 *
+	 * @dataProvider data_add_user_properties_manually
+	 *
+	 * @param string $property_name  The property name to set.
+	 * @param array  $property_value The property value to set.
+	 * @param bool   $check_null     Whether to check that the property is null after unsetting it.
+	 */
+	public function test_add_user_properties_manually( $property_name, $property_value, $check_null ) {
+		$id                     = self::factory()->user->create();
+		$user                   = new WP_User( $id );
+		$user->{$property_name} = $property_value;
+
+		$this->assertSameSets( $property_value, $user->{$property_name}, "User property {$property_name} was not set correctly." );
+		unset( $user->{$property_name} );
+		if ( $check_null ) {
+			$this->assertNull( $user->{$property_name}, "User property {$property_name} should be null after unsetting it." );
+		}
+	}
+
+	/**
+	 * Data provider for test_add_user_properties_manually.
+	 *
+	 * @return array<string, array{0:string,1:array}>
+	 */
+	public function data_add_user_properties_manually() {
+		return array(
+			'caps'    => array( 'caps', array( 'foo' => true ), false ),
+			'roles'   => array( 'roles', array( 'foo' => true ), true ),
+			'allcaps' => array( 'allcaps', array( 'foo' => true ), true ),
+		);
+	}
+
 	/**
 	 * Test add_role with implied capabilities grant successfully grants capabilities.
 	 *
@@ -1100,6 +1136,41 @@ public function test_role_remove_cap() {
 		$this->assertFalse( $wp_roles->is_role( $role_name ) );
 	}
 
+	/**
+	 * @ticket 58001
+	 */
+	public function test_get_role_caps() {
+		$id_1   = self::$users['contributor']->ID;
+		$user_1 = new WP_User( $id_1 );
+
+		$role_caps = $user_1->get_role_caps();
+		$this->assertIsArray( $role_caps, 'User role capabilities should be an array' );
+		$this->assertArrayHasKey( 'edit_posts', $role_caps, 'User role capabilities should contain the edit_posts capability' );
+	}
+
+	/**
+	 * @ticket 58001
+	 */
+	public function test_user_lazy_capabilities() {
+		$id_1   = self::$users['contributor']->ID;
+		$user_1 = new WP_User( $id_1 );
+
+		$this->assertTrue( isset( $user_1->roles ), 'User roles should be set' );
+		$this->assertTrue( isset( $user_1->allcaps ), 'User all capabilities should be set' );
+		$this->assertTrue( isset( $user_1->caps ), 'User capabilities should be set' );
+		$this->assertIsArray( $user_1->roles, 'User roles should be an array' );
+		$this->assertSame( array( 'contributor' ), $user_1->roles, 'User roles should match' );
+		$this->assertIsArray( $user_1->allcaps, 'User allcaps should be an array' );
+		$this->assertIsArray( $user_1->caps, 'User caps should be an array' );
+
+		$caps = $this->getAllCapsAndRoles();
+		foreach ( $caps as $cap => $roles ) {
+			if ( in_array( 'contributor', $roles, true ) ) {
+				$this->assertTrue( $user_1->has_cap( $cap ), "User should have the {$cap} capability" );
+			}
+		}
+	}
+
 	/**
 	 * Add an extra capability to a user.
 	 */
diff --git a/tests/phpunit/tests/user/multisite.php b/tests/phpunit/tests/user/multisite.php
@@ -369,12 +369,13 @@ public function test_add_user_to_blog_subscriber() {
 
 		switch_to_blog( $site_id );
 		$user = get_user_by( 'id', $user_id );
+		$this->assertContains( 'subscriber', $user->roles, 'User should have subscriber role' );
 		restore_current_blog();
 
 		wp_delete_site( $site_id );
 		wpmu_delete_user( $user_id );
 
-		$this->assertContains( 'subscriber', $user->roles );
+		$this->assertContains( 'subscriber', $user->roles, 'User should still have subscriber role' );
 	}
 
 	/**
diff --git a/tests/phpunit/tests/user/query.php b/tests/phpunit/tests/user/query.php
@@ -162,13 +162,21 @@ public function test_get_all_primed_users() {
 		$filter = new MockAction();
 		add_filter( 'update_user_metadata_cache', array( $filter, 'filter' ), 10, 2 );
 
-		new WP_User_Query(
+		$query = new WP_User_Query(
 			array(
 				'include' => self::$author_ids,
 				'fields'  => 'all',
 			)
 		);
 
+		$users = $query->get_results();
+		foreach ( $users as $user ) {
+			$this->assertIsArray( $user->roles );
+			foreach ( $user->roles as $role ) {
+				$this->assertIsString( $role );
+			}
+		}
+
 		$args      = $filter->get_args();
 		$last_args = end( $args );
 		$this->assertIsArray( $last_args[1] );
