wp-media / wp-rocket

Performance optimization plugin for WordPress
https://wp-rocket.me
GNU General Public License v2.0
701 stars 218 forks

Beacon script is injected to logged-in users #6934

Closed Mai-Saad closed 1 month ago

Mai-Saad commented 2 months ago

Before submitting an issue please check that you’ve completed the following steps:

Describe the bug

While the user cache is enabled, if we visit a page while logged in as admin, the beacon script will be injected and the URL added to the ATF table.

To Reproduce

Steps to reproduce the behavior:

  1. Enable user cache in addons
  2. Clear critical images
  3. While logged in as admin, visit any page
  4. Check the page source and ATF table => script is injected and data added to DB

Expected behavior

The script shouldn't be injected for logged-in users while user cache is on.

Acceptance Criteria (for WP Media team use only)

Clear instructions for developers, to be added before the grooming

Miraeld commented 2 months ago

Reproduce the problem

Exactly like explained in the issue itself.

Identify the root cause

It seems like when we are logged in and the add-on is disabled, we do not go through the rocket_buffer hook. However, we go through it when the add-on is enabled.

Scope a solution

We can bail out in https://github.com/wp-media/wp-rocket/blob/24751d72bc15ed4ef58371c0caf6c86050207167/inc/Engine/Common/PerformanceHints/Frontend/Processor.php#L51 when the add-on is enabled and we are logged in:

        if ( is_user_logged_in() && $this->options->get( 'cache_logged_user', 0 ) ) {
            return $html;
        }

Effort estimation

XS

Khadreal commented 1 month ago

LGTM