[wp-trac] [WordPress Trac] #22415: media-upload.php should check whether current user can edit a particular post type
WordPress Trac
noreply at wordpress.org
Sun Nov 11 23:59:35 UTC 2012
#22415: media-upload.php should check whether current user can edit a particular
post type
-----------------------------+--------------------------
Reporter: danielbachhuber | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: General
Version: | Severity: normal
Keywords: |
-----------------------------+--------------------------
In /wp-admin/media-upload.php, there are a few checks for:
{{{
if ( ! empty( $_REQUEST['post_id'] ) && ! current_user_can( 'edit_post', $_REQUEST['post_id'] ) )
	wp_die( __( 'Cheatin’ uh?' ) );
}}}
These should instead be (something like):
{{{
// Check the edit capability defined by the post's own post type.
$obj = get_post_type_object( get_post_type( $_REQUEST['ID'] ) );
if ( ! current_user_can( $obj->cap->edit_post, $_REQUEST['ID'] ) )
	wp_die( __( 'Cheatin’ uh?' ) );
}}}
Although `$obj->cap->edit_post` can map to 'edit_post', sometimes
map_meta_cap is bypassed, in which case uploading media doesn't work.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22415>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
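
The check proposed in the ticket, written so that it fails closed when the post or its post type cannot be resolved. This is an added example, not code from the ticket or from WordPress core: the helper name `example_can_edit_upload_target` is hypothetical, `edit_book` in the comment is a constructed capability name, and the snippet assumes it runs inside the WordPress admin with the `post_id` request key used by the existing checks.

```php
<?php
/**
 * Hypothetical helper (not a core function).
 * Returns true only if the current user may edit the post the upload
 * targets, using the capability defined by that post's post type.
 */
function example_can_edit_upload_target( $raw_post_id ) {
	// Request data is untrusted: reduce it to a non-negative integer first.
	$post_id = absint( $raw_post_id );
	if ( 0 === $post_id ) {
		return false;
	}

	// Fail closed if the post does not exist.
	$post = get_post( $post_id );
	if ( ! $post ) {
		return false;
	}

	// get_post_type_object() returns null for an unregistered post type,
	// so guard before reading ->cap to avoid dereferencing null.
	$type = get_post_type_object( $post->post_type );
	if ( ! $type ) {
		return false;
	}

	// 'edit_post' for built-in posts, or the post type's own capability
	// (constructed example: 'edit_book') for a custom post type.
	return current_user_can( $type->cap->edit_post, $post_id );
}

// Same shape as the existing checks: enforce only when a post_id is supplied.
if ( ! empty( $_REQUEST['post_id'] )
	&& ! example_can_edit_upload_target( $_REQUEST['post_id'] ) ) {
	wp_die( __( 'Cheatin’ uh?' ) );
}
```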