Move the per-room peer limit check from the response body
(read_only flag) into check_permissions(), returning HTTP 429
when a room is full. The client detects this in the catch block
and emits connection-limit-exceeded through the existing provider
status event system.

Also incorporates wp_user_id tracking and client ID verification
from PR #76056, and deduplicates by WordPress user so multiple
tabs from the same user do not count as separate peers.

* Verify client ID to avoid awareness mutation

* Add to backport log

* Update backport changelog

…update.

Using the built-in HTTP polling sync server, awareness state is accepted and stored after the user is authorized. This state is keyed against their sync client ID, which is randomly generated.

However, nothing prevents a user from spoofing another client's client ID, which is discoverable by inspecting network responses. By replaying a sync request with a different client ID, they could temporarily overwrite another client's awareness state.

This change prevents this spoofing by storing and checking the user's WordPress user ID to ensure it matches the initial update.

Developed in: #11120.
Syncs: WordPress/gutenberg#76056.

Fixes #64782.
Props czarate.

git-svn-id: https://develop.svn.wordpress.org/trunk@61838 602fd350-edb4-49c9-b593-d223f7449a82

…update.

Using the built-in HTTP polling sync server, awareness state is accepted and stored after the user is authorized. This state is keyed against their sync client ID, which is randomly generated.

However, nothing prevents a user from spoofing another client's client ID, which is discoverable by inspecting network responses. By replaying a sync request with a different client ID, they could temporarily overwrite another client's awareness state.

This change prevents this spoofing by storing and checking the user's WordPress user ID to ensure it matches the initial update.

Developed in: WordPress/wordpress-develop#11120.
Syncs: WordPress/gutenberg#76056.

Fixes #64782.
Props czarate.
Built from https://develop.svn.wordpress.org/trunk@61838


git-svn-id: http://core.svn.wordpress.org/trunk@61125 1a063a9b-81f0-0310-95a4-ce76da25c4cd

Move the per-room peer limit check from the response body
(read_only flag) into check_permissions(), returning HTTP 429
when a room is full. The client detects this in the catch block
and emits connection-limit-exceeded through the existing provider
status event system.

Also incorporates wp_user_id tracking and client ID verification
from PR #76056, and deduplicates by WordPress user so multiple
tabs from the same user do not count as separate peers.

CI run: #11167.

See #64595.

---

I've included a log of the Gutenberg changes with the following command:

git log --reverse --format="- %s" 022d8dd3d461f91b15c1f0410649d3ebb027207f..e499abfb843a43ac88455ca319220c5f181e1cf3 | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

- Add documentation for contentRole and listView block supports (WordPress/gutenberg#75903)
- Interactivity Router: fix back and forward navigation after refresh (WordPress/gutenberg#75927)
- Real-time collaboration: Fix disconnect dialog on navigate (WordPress/gutenberg#75886)
- Real Time Collab: Throttle syncing for inactive tabs. (WordPress/gutenberg#75843)
- Components: Specify line-height to avoid inheriting default values (WordPress/gutenberg#75880)
- Pattern Editing: Fix sibling blocks to edited pattern not being disabled (WordPress/gutenberg#75994)
- Sync connector PHP behavior with Core backport changes (WordPress/gutenberg#75968)
- Connectors: Avoid manual string concatenation (WordPress/gutenberg#75997)
- DataForm: fix field label for panel (should not be uppercase) (WordPress/gutenberg#75944)
- Views: add support for more overrides (all developer-defined config) (WordPress/gutenberg#75971)
- Use homeUrl instead of siteUrl for link badge evaluations (WordPress/gutenberg#75978)
- DataViews: Right-align `integer` and `number` fields (WordPress/gutenberg#75917)
- Navigation Link: Compare internal links by host instead of origin (WordPress/gutenberg#76015)
- Fix: Skip scaled image sideload for images below big image threshold (WordPress/gutenberg#75990)
- Client side media cherry pick for 7.0 (WordPress/gutenberg#75998)
- Show transform dropdown previews on focus as well as hover (WordPress/gutenberg#75940) (WordPress/gutenberg#75992)
- RTC: Fix syncing of emoji / surrogate pairs (WordPress/gutenberg#76049)
- [Real-time Collaboration] Fix sync issue on refresh (WordPress/gutenberg#76017)
- Real-time collaboration: Improve disconnect dialog (WordPress/gutenberg#75970)
- DataViews: Fix filter toggle flickering when there are locked or primary filters (WordPress/gutenberg#75913) (WordPress/gutenberg#76068)
- Connectors: Dynamically register providers from WP AI Client registry (WordPress/gutenberg#76014)
- PHP-only Blocks: Reflect bound attribute values in inspector controls (WordPress/gutenberg#76040)
- Fix: Set quality and strip metadata in client-side image resize (WordPress/gutenberg#76029)
- RTC: Prevent duplicate poll cycles (WordPress/gutenberg#76059)
- RTC: Fix stale CRDT document persisted on save (WordPress/gutenberg#75975)
- RTC: Disable multiple collaborators if meta boxes are present (WordPress/gutenberg#75939)
- Directly inject styles in overlay to make styles stay consistently mounted (WordPress/gutenberg#75700)
- Real-time collaboration: Fix comment syncing on site editor (WordPress/gutenberg#75746)
- Real-time Collaboration: Bug fix for CRDT user selection and add tests (WordPress/gutenberg#75075)
- RTC: Updates from backport PR (WordPress/gutenberg#75711)
- RTC: Fix undefined array_first() call in sync storage (WordPress/gutenberg#75869)
- RTC: Fix fallthrough for sync update switch statement (WordPress/gutenberg#76060)
- Real-time collaboration: Remove block client IDs from Awareness, fix "Show Template" view (WordPress/gutenberg#75590)
- RTC: Add session activity notifications (WordPress/gutenberg#76065)
- Prevent non-reproducible Sass/CSS builds. (WordPress/gutenberg#76098)
- Block toolbar and context menu: hide pattern actions in Revisions UI (WordPress/gutenberg#76066)
- Try enabling style variation transforms for blocks in contentOnly mode (WordPress/gutenberg#75761)
- Block toolbar: hide styles dropdown in Revisions UI (WordPress/gutenberg#76119)
- Image block: fix lightbox srcset size (WordPress/gutenberg#76092)
- Fix writing flow navigation for annotation style, or any other block with border radius (WordPress/gutenberg#76072)
- Image: Hide 'Set as featured image' for in-editor revisions (WordPress/gutenberg#76123)
- Connectors: Gate unavailable install actions behind install capability (WordPress/gutenberg#75980)
- build: Exclude experimental pages from Core builds (WordPress/gutenberg#76038)
- HTML & Shortcode: Disable viewport visibility support (WordPress/gutenberg#76138)
- RTC: Verify client ID to avoid awareness mutation (WordPress/gutenberg#76056)
- wp-build: Do not remove Core's default script modules registration (WordPress/gutenberg#75705)
- wp-build: Deregister script modules before re-registering (WordPress/gutenberg#75909)
- Remove `! function_exists()` checks from PHP templates (WordPress/gutenberg#76062)
- Connectors: Update page identifier to options-connectors (WordPress/gutenberg#76156)
- Connectors: Align init hook priorities with Core overrides (WordPress/gutenberg#76161)
- Icon Block: Clean up selectors config (WordPress/gutenberg#75786)
- Icons: Fix incorrect icon slug (WordPress/gutenberg#76165)
- RTC: Enable RTC by default (WordPress/gutenberg#75739)
- Rename and visibility modals: gate shortcuts behind canEditBlock to prevent triggering in revisions UI (WordPress/gutenberg#76168)
- Fix: Block style variations not rendering in Site Editor Patterns page (WordPress/gutenberg#76122)
- Client-side media processing: only use media upload provider when not in preview mode (WordPress/gutenberg#76124)
- Notes: Disable for in-editor revisions (WordPress/gutenberg#76180)
- Core Data: Support reading revision data in useEntityProp (fixes footnotes in revisions UI) (WordPress/gutenberg#76106)
- Client-side media processing: Try plumbing invalidation to the block-editor's mediaUpload onSuccess callback (WordPress/gutenberg#76173)
- Connectors: Improve responsive layout on small screens (WordPress/gutenberg#76186)
- Interactivity API: Fix router initialization race condition on Safari/Firefox (WordPress/gutenberg#76053) (WordPress/gutenberg#76191)
- Interactivity: Fix crypto.randomUUID crash in non-secure contexts (WordPress/gutenberg#76151)


git-svn-id: https://develop.svn.wordpress.org/trunk@61843 602fd350-edb4-49c9-b593-d223f7449a82

CI run: WordPress/wordpress-develop#11167.

See #64595.

---

I've included a log of the Gutenberg changes with the following command:

git log --reverse --format="- %s" 022d8dd3d461f91b15c1f0410649d3ebb027207f..e499abfb843a43ac88455ca319220c5f181e1cf3 | sed 's|#\([0-9][0-9]*\)|https://github.com/WordPress/gutenberg/pull/\1|g; /github\.com\/WordPress\/gutenberg\/pull/!d' | pbcopy

- Add documentation for contentRole and listView block supports (WordPress/gutenberg#75903)
- Interactivity Router: fix back and forward navigation after refresh (WordPress/gutenberg#75927)
- Real-time collaboration: Fix disconnect dialog on navigate (WordPress/gutenberg#75886)
- Real Time Collab: Throttle syncing for inactive tabs. (WordPress/gutenberg#75843)
- Components: Specify line-height to avoid inheriting default values (WordPress/gutenberg#75880)
- Pattern Editing: Fix sibling blocks to edited pattern not being disabled (WordPress/gutenberg#75994)
- Sync connector PHP behavior with Core backport changes (WordPress/gutenberg#75968)
- Connectors: Avoid manual string concatenation (WordPress/gutenberg#75997)
- DataForm: fix field label for panel (should not be uppercase) (WordPress/gutenberg#75944)
- Views: add support for more overrides (all developer-defined config) (WordPress/gutenberg#75971)
- Use homeUrl instead of siteUrl for link badge evaluations (WordPress/gutenberg#75978)
- DataViews: Right-align `integer` and `number` fields (WordPress/gutenberg#75917)
- Navigation Link: Compare internal links by host instead of origin (WordPress/gutenberg#76015)
- Fix: Skip scaled image sideload for images below big image threshold (WordPress/gutenberg#75990)
- Client side media cherry pick for 7.0 (WordPress/gutenberg#75998)
- Show transform dropdown previews on focus as well as hover (WordPress/gutenberg#75940) (WordPress/gutenberg#75992)
- RTC: Fix syncing of emoji / surrogate pairs (WordPress/gutenberg#76049)
- [Real-time Collaboration] Fix sync issue on refresh (WordPress/gutenberg#76017)
- Real-time collaboration: Improve disconnect dialog (WordPress/gutenberg#75970)
- DataViews: Fix filter toggle flickering when there are locked or primary filters (WordPress/gutenberg#75913) (WordPress/gutenberg#76068)
- Connectors: Dynamically register providers from WP AI Client registry (WordPress/gutenberg#76014)
- PHP-only Blocks: Reflect bound attribute values in inspector controls (WordPress/gutenberg#76040)
- Fix: Set quality and strip metadata in client-side image resize (WordPress/gutenberg#76029)
- RTC: Prevent duplicate poll cycles (WordPress/gutenberg#76059)
- RTC: Fix stale CRDT document persisted on save (WordPress/gutenberg#75975)
- RTC: Disable multiple collaborators if meta boxes are present (WordPress/gutenberg#75939)
- Directly inject styles in overlay to make styles stay consistently mounted (WordPress/gutenberg#75700)
- Real-time collaboration: Fix comment syncing on site editor (WordPress/gutenberg#75746)
- Real-time Collaboration: Bug fix for CRDT user selection and add tests (WordPress/gutenberg#75075)
- RTC: Updates from backport PR (WordPress/gutenberg#75711)
- RTC: Fix undefined array_first() call in sync storage (WordPress/gutenberg#75869)
- RTC: Fix fallthrough for sync update switch statement (WordPress/gutenberg#76060)
- Real-time collaboration: Remove block client IDs from Awareness, fix "Show Template" view (WordPress/gutenberg#75590)
- RTC: Add session activity notifications (WordPress/gutenberg#76065)
- Prevent non-reproducible Sass/CSS builds. (WordPress/gutenberg#76098)
- Block toolbar and context menu: hide pattern actions in Revisions UI (WordPress/gutenberg#76066)
- Try enabling style variation transforms for blocks in contentOnly mode (WordPress/gutenberg#75761)
- Block toolbar: hide styles dropdown in Revisions UI (WordPress/gutenberg#76119)
- Image block: fix lightbox srcset size (WordPress/gutenberg#76092)
- Fix writing flow navigation for annotation style, or any other block with border radius (WordPress/gutenberg#76072)
- Image: Hide 'Set as featured image' for in-editor revisions (WordPress/gutenberg#76123)
- Connectors: Gate unavailable install actions behind install capability (WordPress/gutenberg#75980)
- build: Exclude experimental pages from Core builds (WordPress/gutenberg#76038)
- HTML & Shortcode: Disable viewport visibility support (WordPress/gutenberg#76138)
- RTC: Verify client ID to avoid awareness mutation (WordPress/gutenberg#76056)
- wp-build: Do not remove Core's default script modules registration (WordPress/gutenberg#75705)
- wp-build: Deregister script modules before re-registering (WordPress/gutenberg#75909)
- Remove `! function_exists()` checks from PHP templates (WordPress/gutenberg#76062)
- Connectors: Update page identifier to options-connectors (WordPress/gutenberg#76156)
- Connectors: Align init hook priorities with Core overrides (WordPress/gutenberg#76161)
- Icon Block: Clean up selectors config (WordPress/gutenberg#75786)
- Icons: Fix incorrect icon slug (WordPress/gutenberg#76165)
- RTC: Enable RTC by default (WordPress/gutenberg#75739)
- Rename and visibility modals: gate shortcuts behind canEditBlock to prevent triggering in revisions UI (WordPress/gutenberg#76168)
- Fix: Block style variations not rendering in Site Editor Patterns page (WordPress/gutenberg#76122)
- Client-side media processing: only use media upload provider when not in preview mode (WordPress/gutenberg#76124)
- Notes: Disable for in-editor revisions (WordPress/gutenberg#76180)
- Core Data: Support reading revision data in useEntityProp (fixes footnotes in revisions UI) (WordPress/gutenberg#76106)
- Client-side media processing: Try plumbing invalidation to the block-editor's mediaUpload onSuccess callback (WordPress/gutenberg#76173)
- Connectors: Improve responsive layout on small screens (WordPress/gutenberg#76186)
- Interactivity API: Fix router initialization race condition on Safari/Firefox (WordPress/gutenberg#76053) (WordPress/gutenberg#76191)
- Interactivity: Fix crypto.randomUUID crash in non-secure contexts (WordPress/gutenberg#76151)

Built from https://develop.svn.wordpress.org/trunk@61843


git-svn-id: http://core.svn.wordpress.org/trunk@61130 1a063a9b-81f0-0310-95a4-ce76da25c4cd