[wp-trac] [WordPress Trac] #16847: Capability check fails for custom post type revision edit
WordPress Trac
wp-trac at lists.automattic.com
Mon Mar 14 09:46:28 UTC 2011
#16847: Capability check fails for custom post type revision edit
-------------------------------+------------------------------
Reporter: anmari | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 3.1
Severity: minor | Resolution:
Keywords: reporter-feedback |
-------------------------------+------------------------------
Comment (by anmari):
Hello,
I worked out that the problem was that (in my plugin) while the admin user
had plural capabilities "view_events", "edit_events", they did not have
singular capabilities "view_event", "edit_event".
I had also recreated the problem with another post type using Brad's custom
post type UI plugin (to rule out my code) and then Justin's Members plugin
to add the custom capabilities to admin.
Using the CPT UI with default capability 'post', all is fine and I can access
revisions.
Change to a custom capability, then one MUST add the plural and singular of the
capabilities. Plural is not adequate for access.
I then looked at edit.php to see what it was checking.
It does this:
{{{
if ( !current_user_can($post_type_object->cap->edit_posts) )
}}}
while revision.php does not use the post type object and is also a
singular check:
{{{
if ( !current_user_can( 'read_post', $revision->ID ) || !current_user_can( 'read_post', $post->ID ) )
}}}
So anyway, the immediate fix is:
make sure that the user has the singular capability at the very least, not
just plural.
Philosophically, should a user who has the plural capability be allowed to
access the post even if they do not have the singular capability? This
would make it function the same as edit screens etc.?
Your debug code would have revealed this I think - do you need me to do
any more?
regards, anmari
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16847#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
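
The following is an added example, not part of anmari's comment and not WordPress core or plugin code from the ticket. It goes beyond the comment's fix by showing the registration under which the plural capabilities are sufficient for per-post checks such as `current_user_can( 'read_post', $post->ID )`. The post type `event`, the capability base `event`/`events` and the `example_` function names are assumptions.

```php
<?php
// Added example. Assumed names: post type 'event', base 'event'/'events'.

add_action( 'init', 'example_register_event_type' );
function example_register_event_type() {
    register_post_type( 'event', array(
        'label'           => 'Events',
        'public'          => true,
        'supports'        => array( 'title', 'editor', 'revisions' ),
        // Singular and plural base. The singular builds the per-post (meta)
        // names edit_event, read_event, delete_event; the plural builds the
        // primitive names edit_events, edit_others_events, publish_events, ...
        'capability_type' => array( 'event', 'events' ),
        // With this left false, a check like current_user_can( 'read_post', $id )
        // on an event requires the singular name on the role itself, which is
        // the failure described in the ticket. With true, core's map_meta_cap()
        // translates the per-post check into the primitive (plural) names.
        'map_meta_cap'    => true,
    ) );
}

// Grant every primitive capability of the post type to a role.
function example_grant_event_caps( $role_name ) {
    $role = get_role( $role_name );
    $type = get_post_type_object( 'event' );
    if ( ! $role || ! $type ) {
        return false;
    }
    // These three keys hold the per-post names; they are resolved per
    // object at check time and are not granted to roles here.
    $meta_keys = array( 'edit_post', 'read_post', 'delete_post' );
    foreach ( get_object_vars( $type->cap ) as $key => $cap ) {
        if ( ! in_array( $key, $meta_keys, true ) ) {
            $role->add_cap( $cap );
        }
    }
    return true;
}

// Roles are stored in the database, so grant once on activation. The post
// type is registered first because 'init' has already fired at this point.
register_activation_hook( __FILE__, 'example_activate' );
function example_activate() {
    example_register_event_type();
    example_grant_event_caps( 'administrator' );
}
```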