[wp-trac] [WordPress Trac] #19373: wp_insert_post() should not contain current_user_can() checks
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 29 01:17:37 UTC 2011
#19373: wp_insert_post() should not contain current_user_can() checks
-----------------------------------+-----------------------------
Reporter: alexkingorg | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Taxonomy | Version: 3.0
Severity: major | Resolution:
Keywords: 3.4-early needs-patch |
-----------------------------------+-----------------------------
Comment (by alexkingorg):
Here's the best solution I've come up with that:
1. maintains backward compatibility
2. doesn't open up new security holes
3. generally enables wp_insert_post() to be used programmatically outside
of a "current user" scope
I believe there are three places where user permissions are referenced
(tax_input, kses, post_slug). In adding a $user param to the function we
can handle 3 scenarios:
1. nothing passed in - continue working as we do today (assume current
user)
2. $user/$user_ID passed in - perform checks/security on behalf of that
user
3. false passed in - execute with no security checks (assume admin user)
What do you all think about this as a general approach?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19373#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
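One way the three scenarios in the comment above could be wired into the capability checks, as an added illustration that is not WordPress core code and not the reporter's patch. The `example_` function names are hypothetical; the capabilities checked (the taxonomy's `assign_terms` cap for `tax_input`, `unfiltered_html` for the kses pass) are assumptions about which checks the existing call sites perform. The core helpers used (`wp_get_current_user()`, `get_user_by()`, `user_can()`, `get_taxonomy()`, `wp_kses_post()`, `WP_Error`) exist in WordPress 3.1 and later.

```php
<?php
// Added illustration (not WordPress core): resolving the proposed $user
// argument of wp_insert_post() into a capability-check context.
//
//   null        -> scenario 1: current user (backward compatible)
//   int/WP_User -> scenario 2: check on behalf of that user
//   false       -> scenario 3: skip checks (treat caller as unrestricted)
//
// Anything else fails closed: it must never be mistaken for "false".

function example_resolve_acting_user( $user ) {
    if ( false === $user ) {
        return false;                    // explicit opt-out of checks
    }
    if ( null === $user ) {
        return wp_get_current_user();    // today's behaviour
    }
    if ( $user instanceof WP_User ) {
        return $user;
    }
    if ( is_numeric( $user ) ) {
        $resolved = get_user_by( 'id', (int) $user );
        if ( $resolved ) {
            return $resolved;
        }
    }
    // Unknown or nonexistent user: refuse rather than silently
    // granting admin-level rights to the caller.
    return new WP_Error( 'invalid_user', 'Could not resolve acting user.' );
}

// Drop-in replacement for current_user_can() inside wp_insert_post().
// $acting_user is whatever example_resolve_acting_user() returned.
function example_acting_user_can( $acting_user, $capability ) {
    if ( false === $acting_user ) {
        return true;                     // scenario 3: no restriction
    }
    if ( is_wp_error( $acting_user ) ) {
        return false;                    // fail closed on bad input
    }
    $args = array_slice( func_get_args(), 2 );
    return call_user_func_array(
        'user_can',
        array_merge( array( $acting_user, $capability ), $args )
    );
}

// tax_input call site (assumed check: the taxonomy's assign_terms cap).
// Terms for taxonomies the acting user may not assign are dropped.
function example_filter_tax_input( array $tax_input, $acting_user ) {
    $allowed = array();
    foreach ( $tax_input as $taxonomy => $terms ) {
        $tax_obj = get_taxonomy( $taxonomy );
        if ( ! $tax_obj ) {
            continue;                    // unregistered taxonomy: ignore
        }
        if ( example_acting_user_can( $acting_user, $tax_obj->cap->assign_terms ) ) {
            $allowed[ $taxonomy ] = $terms;
        }
    }
    return $allowed;
}

// kses call site (assumed check: unfiltered_html). Content from an acting
// user without that cap is run through wp_kses_post() before saving.
function example_filter_content( $content, $acting_user ) {
    if ( example_acting_user_can( $acting_user, 'unfiltered_html' ) ) {
        return $content;
    }
    return wp_kses_post( $content );
}

// Sketch of how wp_insert_post() would use the above (hypothetical signature).
function example_insert_post_with_user( array $postarr, $user = null ) {
    $acting_user = example_resolve_acting_user( $user );
    if ( is_wp_error( $acting_user ) ) {
        return $acting_user;             // invalid $user: abort, do not insert
    }
    if ( isset( $postarr['tax_input'] ) ) {
        $postarr['tax_input'] = example_filter_tax_input( $postarr['tax_input'], $acting_user );
    }
    if ( isset( $postarr['post_content'] ) ) {
        $postarr['post_content'] = example_filter_content( $postarr['post_content'], $acting_user );
    }
    return wp_insert_post( $postarr );
}
```

The distinction between `null` (default) and `false` (opt out) is the security-relevant part: a loose check such as `if ( ! $user )` would collapse the two and turn every existing caller into scenario 3. In this sketch only a strict `false === $user` disables checks, an unresolvable value aborts the insert, and the `false` path is intended for callers (importers, cron jobs) that have already authorized the data by other means.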