[wp-trac] [WordPress Trac] #15326: Always check capabilites in admin pages

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 16 09:09:12 UTC 2010

#15326: Always check capabilites in admin pages
 Reporter:  westi        |       Owner:  westi
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  3.1
Component:  Security     |     Version:  3.1
 Severity:  normal       |  Resolution:
 Keywords:               |

Comment (by nacin):

 Noticed some issues with how we were still doing things.

 We need to change wp_die() in every check_permissions() method to

 [attachment:15326.diff] kills off check_permissions() entirely.

 The new method is called ajax_user_can(). You return current_user_can()
 through it. In admin-ajax, we then die with -1 if appropriate.

 Renaming it allows us to ensure that no one is using it incorrectly, as
 we'd be returning true/false rather than dying.

 Conservative alternative: die with -1 in each handler. No need to rename
 the function.

Ticket URL: <http://core.trac.wordpress.org/ticket/15326#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list