[wp-trac] [WordPress Trac] #15159: current_user_can('edit_'.$custom_post_type, $post_ID) always returns true
WordPress Trac
wp-trac at lists.automattic.com
Tue Oct 19 21:36:46 UTC 2010
#15159: current_user_can('edit_'.$custom_post_type, $post_ID) always returns true
-----------------------------+----------------------------------------------
Reporter: wpdavis | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 3.0.1
Severity: major | Keywords:
-----------------------------+----------------------------------------------
When setting up a custom post type and defining capabilities using
register_post_type that are different from post, all calls to edit_custom
return true. You can see this in the WordPress admin dashboard, as users
can get into all posts in that custom post type even if they don't have
access to edit_others_custom. I added this as major because it could be a
big security issue for some users — I hope that's OK.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15159>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
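An added example, not part of the ticket or of WordPress core: a plugin-side edit check for a custom post type that decides access from post ownership and the type's primitive capabilities, rather than from the per-post `current_user_can('edit_'.$custom_post_type, $post_ID)` call the report describes. The post type name `book` and the `example_` function names are assumptions for illustration, and post status is not considered.

```php
<?php
// Added example. The post type "book" and the function names are
// hypothetical; only the WordPress API calls are real.

add_action( 'init', 'example_register_book_type' );
function example_register_book_type() {
    register_post_type( 'book', array(
        'public'          => true,
        'label'           => 'Books',
        // Gives the type its own caps (edit_book, edit_books,
        // edit_others_books, ...) instead of reusing the post caps.
        'capability_type' => 'book',
    ) );
}

/**
 * Decide edit access from primitive capabilities and ownership only,
 * without relying on how the per-post 'edit_book' check is resolved.
 */
function example_user_can_edit_book( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post || 'book' !== $post->post_type ) {
        return false; // Unknown post or wrong type: deny.
    }

    $caps = get_post_type_object( 'book' )->cap;

    // Everyone editing this type needs the general edit capability.
    if ( ! current_user_can( $caps->edit_posts ) ) {
        return false;
    }

    // Authors may edit their own entries.
    if ( (int) $post->post_author === get_current_user_id() ) {
        return true;
    }

    // Anyone else must hold the "others" capability explicitly.
    return current_user_can( $caps->edit_others_posts );
}
```

Calling `example_user_can_edit_book( $post_id )` before rendering an edit form or saving changes gives a deny-by-default gate for users who lack `edit_others_books`.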