[wp-trac] [WordPress Trac] #17668: Revisions should require same caps as parents for read/edit/delete (was: wp_post_revision_title capabilities)
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 8 16:19:36 UTC 2011
#17668: Revisions should require same caps as parents for read/edit/delete
-----------------------------------+------------------
Reporter: ejdanderson | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.2
Component: Revisions | Version: 3.2
Severity: minor | Resolution:
Keywords: 2nd-opinion has-patch |
-----------------------------------+------------------
Description changed by aaroncampbell:
Old description:
> wp_post_revision_title is displaying the post edit link based off of a
> user's edit_post capability for the revision post type, not its parent's
> post type.
>
> The issue resides in the get_edit_post_link method, where it checks on
> the given post type's capability.
>
> I've attached a simple fix.
New description:
wp_post_revision_title is displaying the post edit link based off of a
user's edit_post capability for the revision post type, not its parent's
post type.

The issue resides in the get_edit_post_link method, where it checks on the
given post type's capability.

I've attached a simple fix.

EDIT: It seems that revisions always use (read|edit|delete)_post for cap
checks even if the post-type of their parent uses something custom. This
results in users that are able to read/edit/delete revisions of posts that
they don't have caps to read/edit/delete.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17668#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
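
Added example (not part of the ticket, its patch, or WordPress core): a stand-alone PHP model of the mismatch the EDIT paragraph describes. The post types, capability names, users and post IDs are constructed for illustration; it lists each action a user may take on a revision under an own-type capability lookup that a parent-aware lookup would refuse.

```php
<?php
// Constructed model of the mismatch described in this ticket; not WordPress core code.
// Each post type maps the meta caps read/edit/delete to a primitive capability.
const TYPE_CAPS = [
    'revision' => ['read' => 'read', 'edit' => 'edit_posts', 'delete' => 'delete_posts'],
    'book'     => ['read' => 'read_books', 'edit' => 'edit_books', 'delete' => 'delete_books'],
];
// Constructed data: post 10 is a "book", post 11 is one of its revisions.
const POSTS = [
    10 => ['type' => 'book', 'parent' => 0],
    11 => ['type' => 'revision', 'parent' => 10],
];
// Constructed users: one holds only the generic caps, one only the custom ones.
const USERS = [
    'author'    => ['read', 'edit_posts', 'delete_posts'],
    'librarian' => ['read_books', 'edit_books', 'delete_books'],
];

function can(string $user, string $cap): bool { return in_array($cap, USERS[$user], true); }

// Behaviour reported in the ticket: the lookup uses the revision's own post type.
function required_cap_by_own_type(int $id, string $action): string {
    return TYPE_CAPS[POSTS[$id]['type']][$action];
}

// Parent-aware lookup: a revision is resolved to its parent post first.
function required_cap_by_parent(int $id, string $action): string {
    $post = POSTS[$id];
    if ($post['type'] === 'revision' && array_key_exists($post['parent'], POSTS)) {
        $post = POSTS[$post['parent']];
    }
    return TYPE_CAPS[$post['type']][$action];
}

// Every user:action the own-type check grants on a revision but the parent-aware check refuses.
function find_mismatches(int $revision_id): array {
    $hits = [];
    foreach (array_keys(USERS) as $user) {
        foreach (['read', 'edit', 'delete'] as $action) {
            $own    = can($user, required_cap_by_own_type($revision_id, $action));
            $parent = can($user, required_cap_by_parent($revision_id, $action));
            if ($own && !$parent) { $hits[] = "$user:$action"; }
        }
    }
    return $hits;
}

print_r(find_mismatches(11));
```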