[wp-trac] [WordPress Trac] #16847: Capability check fails for custom post type revision edit (& map_meta_cap no good)
WordPress Trac
noreply at wordpress.org
Fri Jan 25 12:16:23 UTC 2013
#16847: Capability check fails for custom post type revision edit (& map_meta_cap
no good)
-------------------------------+------------------
Reporter: anmari | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Revisions | Version: 3.0
Severity: minor | Resolution:
Keywords: reporter-feedback |
-------------------------------+------------------
Changes (by SergeyBiryukov):
* version: 3.2.1 => 3.0
Old description:
> I am using nightly build (1 day old).
>
> Steps to reproduce:
>
> 1. Register post type with capability 'event'.
>
> 2. Edit custom post type till you have some revisions.
>
> 3. Attempt to view a revision. One gets sent to the normal posts
> edit.php screen.
>
> I looked at revision.php and managed to work out that it was failing at
>
> {{{
> if ( !current_user_can( 'read_post', $revision->ID ) ||
> !current_user_can( 'read_post', $post->ID ) )
>
> }}}
>
> I tried
>
> {{{
> if ( !current_user_can( 'read_'.$post->post_type, $revision->ID )
> || !current_user_can( 'read_'.$post->post_type, $post->ID ) )
> }}}
>
> but that still failed.
>
> I commented out the check and was then able to view the revision.
>
> I think this affects the autosave too as that was how I started looking
> at it.
>
> So it looks like the problem is in the current_user_can check somehow not
> working out that the author or admin user is allowed to view or edit the
> revision?
>
> Ticket 14122 may be relevant:
> http://core.trac.wordpress.org/ticket/14122 (detailed discussion about
> meta-caps?)
>
> I found also Ticket 14749 says it fixed something similar, but that was
> not a capability problem, so not relevant:
> http://core.trac.wordpress.org/changeset/14749
>
> I back tested and behaviour occurs in 3.0, 3.1 and the nightly build
New description:

I am using nightly build (1 day old).

Steps to reproduce:

1. Register post type with capability 'event'.

2. Edit custom post type till you have some revisions.

3. Attempt to view a revision. One gets sent to the normal posts edit.php
screen.

I looked at revision.php and managed to work out that it was failing at

{{{
if ( !current_user_can( 'read_post', $revision->ID ) ||
!current_user_can( 'read_post', $post->ID ) )
}}}

I tried

{{{
if ( !current_user_can( 'read_'.$post->post_type, $revision->ID )
|| !current_user_can( 'read_'.$post->post_type, $post->ID ) )
}}}

but that still failed.

I commented out the check and was then able to view the revision.

I think this affects the autosave too as that was how I started looking at
it.

So it looks like the problem is in the current_user_can check somehow not
working out that the author or admin user is allowed to view or edit the
revision?

Ticket #14122 may be relevant (detailed discussion about meta-caps?)

I found also Ticket #14749 says it fixed something similar, but that was
not a capability problem, so not relevant.

I back tested and behaviour occurs in 3.0, 3.1 and the nightly build
--
Ticket URL: <http://core.trac.wordpress.org/ticket/16847#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
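
One way to investigate the failing check from the ticket while leaving it in place, as an added example that is not part of the ticket or of WordPress core: it registers a post type as in step 1 and reports which primitive capabilities `read_post` and `edit_post` resolve to for the post and each of its revisions. It assumes "capability 'event'" means `'capability_type' => 'event'`; the `demo_` function names are hypothetical.

```php
<?php
// Added example: not code from the ticket or from WordPress core.
// Function names prefixed demo_ are hypothetical.

// Step 1 of the reproduction, assuming "capability 'event'" means this argument.
function demo_register_event_type() {
    register_post_type( 'event', array(
        'public'          => true,
        'capability_type' => 'event',
        'supports'        => array( 'title', 'editor', 'revisions' ),
    ) );
}
add_action( 'init', 'demo_register_event_type' );

/**
 * For a post and each of its revisions, report which primitive capabilities
 * the meta capabilities 'read_post' and 'edit_post' resolve to for this user,
 * and which of those the user does not hold.
 */
function demo_explain_revision_caps( $post_id, $user_id ) {
    $user = new WP_User( $user_id );
    $ids  = array( (int) $post_id );
    foreach ( wp_get_post_revisions( $post_id ) as $revision ) {
        $ids[] = (int) $revision->ID;
    }

    $report = array();
    foreach ( $ids as $id ) {
        foreach ( array( 'read_post', 'edit_post' ) as $meta_cap ) {
            // map_meta_cap() returns the primitive caps the check will require.
            $required = map_meta_cap( $meta_cap, $user_id, $id );
            $missing  = array();
            foreach ( $required as $cap ) {
                if ( ! $user->has_cap( $cap ) ) {
                    $missing[] = $cap;
                }
            }
            $report[] = array(
                'post_id'   => $id,
                'post_type' => get_post_type( $id ),
                'meta_cap'  => $meta_cap,
                'required'  => $required,
                'missing'   => $missing,
                // Same decision current_user_can() makes for this user.
                'allowed'   => $user->has_cap( $meta_cap, $id ),
            );
        }
    }
    return $report;
}
```

An entry with a non-empty `missing` list names the capability the user's role lacks for that post or revision, which points to a role or registration change while the check in revision.php stays in place.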