[wp-trac] [WordPress Trac] #20991: wp.getPosts doesn't always check cap
WordPress Trac
wp-trac at lists.automattic.com
Sat Jun 16 18:19:15 UTC 2012
#20991: wp.getPosts doesn't always check cap
--------------------------+-----------------------------
 Reporter:  maxcutler     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:  3.4
 Severity:  normal        |   Keywords:  has-patch
--------------------------+-----------------------------

The cap check against 'edit_posts' in the XML-RPC wp.getPosts method does
not fire immediately when querying against the 'post' post type. For other
post types ('page', 'attachment', or CPTs), the cap check will fire early
and short-circuit the method execution with an error.

The cap is checked properly before outputting each post, so at worst a
non-capable user will get an empty array as output. However, by that point
the query will have run.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20991>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
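
The ordering problem described in the ticket, modelled as an added PHP example that is not WordPress core code and not the attached patch. The function names, the capability map, the error shape and the sample posts are all hypothetical, and the per-post check is simplified to the same 'edit_posts' capability.

```php
<?php
// Added illustration, not WordPress core code. All names here are hypothetical.

// Constructed sample data: a user lacking edit_posts, and two stored posts.
$user_caps = ['read' => true];
$posts     = [['ID' => 1, 'post_type' => 'post'], ['ID' => 2, 'post_type' => 'post']];
$queries   = 0; // counts how often the simulated database query runs

function user_can(array $caps, string $cap): bool {
    return !empty($caps[$cap]);
}

function run_query(array $posts, string $type, int &$queries): array {
    $queries++; // the step that should not be reached without the capability
    return array_values(array_filter($posts, fn($p) => $p['post_type'] === $type));
}

// Pattern from the report: no up-front check, capability tested per post on output.
function get_posts_late_check(array $caps, array $posts, string $type, int &$queries): array {
    $out = [];
    foreach (run_query($posts, $type, $queries) as $post) {
        if (user_can($caps, 'edit_posts')) {
            $out[] = $post;
        }
    }
    return $out; // empty for a non-capable user, but the query has already run
}

// Check first and return an error before any query is issued.
function get_posts_early_check(array $caps, array $posts, string $type, int &$queries) {
    if (!user_can($caps, 'edit_posts')) {
        // Constructed error shape for this example only.
        return ['error' => 401, 'message' => 'Not allowed to edit posts of this type.'];
    }
    return run_query($posts, $type, $queries);
}

$late = get_posts_late_check($user_caps, $posts, 'post', $queries);
printf("late check:  %d posts returned, %d queries run\n", count($late), $queries);

$queries = 0;
$early = get_posts_early_check($user_caps, $posts, 'post', $queries);
printf("early check: error %d, %d queries run\n", $early['error'], $queries);
```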