[wp-trac] [WordPress Trac] #19373: wp_insert_post() should not contain current_user_can() checks
WordPress Trac
noreply at wordpress.org
Wed Feb 12 19:51:23 UTC 2014
#19373: wp_insert_post() should not contain current_user_can() checks
-------------------------+-----------------------------
Reporter: alexkingorg | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Taxonomy | Version: 3.0
Severity: major | Resolution:
Keywords: has-patch | Focuses:
-------------------------+-----------------------------
Changes (by danielbachhuber):
* keywords: has-patch 3.8-early => has-patch
Comment:
I dig 19373.2.diff, but it doesn't really solve my problem when coming at
this from a slightly different angle: creating new nav menu items without
a user context.
`wp_update_nav_menu_item()` uses the `tax_input` argument to associate a
new menu item with the menu term id. Without a user context, the
capability check fails and the new menu item isn't associated with the
menu.
If the proposed patch were to go in, I don't think calling
`wp_insert_post()` inside of `wp_update_nav_menu_item()` with `$sanitize =
false` is the right way to go. It'd solve my immediate problem, but isn't
a global solution.
I don't have a good suggestion otherwise at this point, other than:
* Sanitization should probably be treated separately from capability
checks.
* Capability checks should always be implemented higher up the stack, and
probably are for the needs of `wp_insert_post()`. I don't think there are
many people depending on the capability check around `tax_input`. However,
intentionally removing the capability check could unintentionally open
permissions holes in third-party code.
I created #27113 for my use case though.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/19373#comment:39>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
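The failure mode described in the comment above, as an added, self-contained illustration (not WordPress core code and not from the ticket's patch): a low-level insert routine that fuses a capability check with sanitization silently drops `tax_input` terms when there is no user context, whereas moving the check to the caller keeps the data and fails loudly. All function and capability names here are hypothetical stand-ins.

```php
<?php
// Added illustration (not WordPress core code). Function and capability
// names are hypothetical; $current_user_caps === null models "no user
// context" (cron, CLI, import scripts).

$current_user_caps = null;

function can_current_user(string $cap): bool {
    global $current_user_caps;
    return $current_user_caps !== null && in_array($cap, $current_user_caps, true);
}

// Pattern the ticket objects to: the capability check lives inside the
// low-level insert, so a background job with no user loses its terms silently.
function insert_post_fused(array $post, array $tax_input): array {
    $terms = [];
    foreach ($tax_input as $taxonomy => $ids) {
        if (!can_current_user("assign_$taxonomy")) {
            continue;   // dropped without error; the caller never learns why
        }
        $terms[$taxonomy] = array_values(array_filter(array_map('intval', $ids)));
    }
    return ['title' => strip_tags($post['title']), 'terms' => $terms];
}

// Separated form: the low-level routine only sanitizes (casts ids to int and
// discards invalid ones); permission decisions are left to the caller.
function insert_post_plain(array $post, array $tax_input): array {
    $terms = [];
    foreach ($tax_input as $taxonomy => $ids) {
        $terms[$taxonomy] = array_values(array_filter(array_map('intval', $ids)));
    }
    return ['title' => strip_tags($post['title']), 'terms' => $terms];
}

// Caller that acts on behalf of a user: checks capabilities up the stack and
// refuses explicitly instead of silently discarding data.
function insert_post_for_user(array $post, array $tax_input): array {
    foreach (array_keys($tax_input) as $taxonomy) {
        if (!can_current_user("assign_$taxonomy")) {
            throw new RuntimeException("not allowed to assign $taxonomy");
        }
    }
    return insert_post_plain($post, $tax_input);
}

// No user context: the fused version returns an empty term list (the menu
// item is orphaned); the plain version keeps nav_menu => [12].
$fused = insert_post_fused(['title' => 'Item'], ['nav_menu' => ['12']]);
$plain = insert_post_plain(['title' => 'Item'], ['nav_menu' => ['12']]);
var_dump($fused['terms'], $plain['terms']);
```

Run it once with `$current_user_caps = null` and once with `$current_user_caps = ['assign_nav_menu']` to see that only the fused variant's result depends on who, if anyone, is logged in.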