[wp-trac] [WordPress Trac] #15326: Always check capabilites in admin pages

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 16 09:09:12 UTC 2010


#15326: Always check capabilites in admin pages
-------------------------+--------------------
 Reporter:  westi        |       Owner:  westi
     Type:  enhancement  |      Status:  new
 Priority:  high         |   Milestone:  3.1
Component:  Security     |     Version:  3.1
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+--------------------

Comment (by nacin):

 Noticed some issues with how we were still doing things.

 We need to change wp_die() in every check_permissions() method to
 die('-1').

 [attachment:15326.diff] kills off check_permissions() entirely.

 The new method is called ajax_user_can(). You return current_user_can()
 through it. In admin-ajax, we then die with -1 if appropriate.

 Renaming it allows us to ensure that no one is using it incorrectly, as
 we'd be returning true/false rather than dying.

 Conservative alternative: die with -1 in each handler. No need to rename
 the function.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/15326#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
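The two handler shapes nacin contrasts, written out as an added example. This is not code from the ticket, the attached diff or WordPress core: current_user_can() and wp_die() are replaced by minimal stand-ins so the script runs under plain PHP CLI, and every class or function named *_Demo / demo_* is a made-up name for illustration.

```php
<?php
// Added example of the "die inside the check" versus "return a bool, let
// admin-ajax die with -1" shapes. Not WordPress core code: current_user_can()
// and wp_die() are stand-ins so this runs under plain PHP CLI, and the names
// ending in _Demo or starting with demo_ are hypothetical.

// Fake "current user": may read, may not edit posts.
$GLOBALS['demo_caps'] = array( 'read' => true, 'edit_posts' => false );

// Stand-in for WordPress current_user_can().
function current_user_can( $cap ) {
    return ! empty( $GLOBALS['demo_caps'][ $cap ] );
}

// Stand-in for WordPress wp_die(): the real one renders an HTML error page and
// exits. Request termination is modelled by throwing, so the dispatcher below
// can show what the client would actually have received.
class Demo_Died extends Exception {}
function wp_die( $message ) {
    throw new Demo_Died( "<html><body><p>$message</p></body></html>" );
}

// BEFORE: check_permissions() dies inside the list table. Reached from an
// admin-ajax request, the JS client gets an HTML page rather than the '-1'
// it knows how to handle.
class Old_Posts_List_Table_Demo {
    public function check_permissions() {
        if ( ! current_user_can( 'edit_posts' ) ) {
            wp_die( 'Cheatin&#8217; uh?' );
        }
    }
}

function demo_dispatch_old( Old_Posts_List_Table_Demo $table ) {
    try {
        $table->check_permissions();
    } catch ( Demo_Died $e ) {
        return $e->getMessage();      // body the browser would see
    }
    return 'rendered rows';
}

// AFTER (the 15326.diff shape): ajax_user_can() only returns
// current_user_can(); admin-ajax.php decides how to fail, and fails with '-1'.
class WP_Posts_List_Table_Demo {
    public function ajax_user_can() {
        return current_user_can( 'edit_posts' );
    }
}

function demo_dispatch_new( WP_Posts_List_Table_Demo $table ) {
    if ( ! $table->ajax_user_can() ) {
        return '-1';                  // real admin-ajax.php: die( '-1' );
    }
    return 'rendered rows';
}

// The misuse the rename is meant to surface: a caller written for the old
// contract invokes the check as a statement and never tests the result. Had
// the bool-returning method kept the old name, such a caller would silently
// let everyone through; with the new name, calling check_permissions() on the
// new class is a fatal "undefined method" instead.
function demo_dispatch_ignores_result( WP_Posts_List_Table_Demo $table ) {
    $table->ajax_user_can();          // result discarded: no protection at all
    return 'rendered rows';
}

echo "old : ", demo_dispatch_old( new Old_Posts_List_Table_Demo ), "\n";
echo "new : ", demo_dispatch_new( new WP_Posts_List_Table_Demo ), "\n";
echo "bad : ", demo_dispatch_ignores_result( new WP_Posts_List_Table_Demo ), "\n";
echo "old name on new class: ",
     method_exists( new WP_Posts_List_Table_Demo, 'check_permissions' ) ? 'exists' : 'gone', "\n";
```

Run with `php` on the command line: the "old" line prints the HTML error page, the "new" line prints the bare `-1` that admin-ajax callers expect, and the "bad" line shows why a bool-returning check must be consumed by the dispatcher rather than called for its side effect. The conservative alternative from the comment, `die('-1')` inside each handler, gives the same response as demo_dispatch_new() but has to be repeated per handler.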