Merge pull request #64 from wp-graphql/bug/#45-tokens-identical-for-n…

…on-admins #45 - auth and refresh token are same for non-admins
wp-graphql · Feb 13, 2020 · d77da3f · d77da3f
2 parents 0ad0481 + 61f26fb
commit d77da3f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/Auth.php b/src/Auth.php
@@ -216,10 +216,10 @@ public static function get_user_jwt_secret( $user_id ) {
 		$capability = apply_filters( 'graphql_jwt_auth_edit_users_capability', 'edit_users', $user_id );
 
 		/**
-		 * If the request is not from the current_user or the current_user doesn't have the proper capabilities, don't return the secret
+		 * If the request is not from the current_user AND the current_user doesn't have the proper capabilities, don't return the secret
 		 */
 		$is_current_user = ( $user_id === get_current_user_id() ) ? true : false;
-		if ( ! $is_current_user || ! current_user_can( $capability ) ) {
+		if ( ! $is_current_user && ! current_user_can( $capability ) ) {
 			return new \WP_Error( 'graphql-jwt-improper-capabilities', __( 'The JWT Auth secret for this user cannot be returned', 'wp-graphql-jwt-authentication' ) );
 		}