[wp-trac] [WordPress Trac] #15159: current_user_can('edit_'.$custom_post_type, $post_ID) always returns true

WordPress Trac wp-trac at lists.automattic.com
Tue Oct 19 21:36:46 UTC 2010


#15159: current_user_can('edit_'.$custom_post_type, $post_ID) always returns true
-----------------------------+----------------------------------------------
 Reporter:  wpdavis          |       Owner:                 
     Type:  defect (bug)     |      Status:  new            
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Role/Capability  |     Version:  3.0.1          
 Severity:  major            |    Keywords:                 
-----------------------------+----------------------------------------------
 When setting up a custom post type and defining capabilities using
 register_post_type that are different from post, all calls to edit_custom
 return true. You can see this in the WordPress admin dashboard, as users
 can get into all posts in that custom post type even if they don't have
 access to edit_others_custom. I added this as major because it could be a
 big security issue for some users — I hope that's OK.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/15159>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
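
A defensive ownership check for the setup the ticket describes, as an added example that is not part of the original message or of WordPress core. The post type name `custom`, the capability `edit_customs` and the `wpx_` functions are assumptions; `edit_custom` and `edit_others_custom` are the names used in the report.

```php
<?php
// Added example. Assumed names: post type 'custom', capability 'edit_customs',
// and the wpx_* functions. 'edit_custom' and 'edit_others_custom' are from the report.

add_action( 'init', 'wpx_register_custom_type' );
function wpx_register_custom_type() {
    register_post_type( 'custom', array(
        'label'        => 'Custom',
        'public'       => true,
        // Capabilities that differ from those of 'post', as in the report.
        'capabilities' => array(
            'edit_post'         => 'edit_custom',
            'edit_posts'        => 'edit_customs',
            'edit_others_posts' => 'edit_others_custom',
        ),
    ) );
}

/**
 * Decide edit access from the author field and the two primitive capabilities,
 * without relying on the per-post call current_user_can( 'edit_custom', $post_id ).
 * Narrowed to ownership only: post status (published, private) is not considered.
 */
function wpx_user_can_edit_custom( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post || 'custom' !== $post->post_type ) {
        return false;
    }
    $cap = get_post_type_object( 'custom' )->cap;
    if ( ! current_user_can( $cap->edit_posts ) ) {
        return false;
    }
    if ( (int) $post->post_author === get_current_user_id() ) {
        return true;
    }
    // Someone else's post: require the "others" capability explicitly.
    return current_user_can( $cap->edit_others_posts );
}

// Log any post where the per-post call grants more than the explicit check.
function wpx_audit_edit_check( $post_id ) {
    $per_post = current_user_can( 'edit_custom', $post_id );
    $explicit = wpx_user_can_edit_custom( $post_id );
    if ( $per_post && ! $explicit ) {
        error_log( "edit_custom granted on post {$post_id} but the explicit ownership check denied it" );
    }
    return $explicit;
}
```

Calling `wpx_audit_edit_check()` as a user who lacks `edit_others_custom` on a post authored by someone else shows whether a given install is affected: a log entry means the per-post call granted access that the ownership check refused.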

