[wp-trac] [WordPress Trac] #16847: Capability check fails for custom post type revision edit (& map_meta_cap no good)

WordPress Trac noreply at wordpress.org
Fri Jan 25 16:34:05 UTC 2013


#16847: Capability check fails for custom post type revision edit (& map_meta_cap
no good)
-----------------------------------------+------------------
 Reporter:  anmari                       |       Owner:
     Type:  defect (bug)                 |      Status:  new
 Priority:  normal                       |   Milestone:  3.6
Component:  Revisions                    |     Version:  3.0
 Severity:  minor                        |  Resolution:
 Keywords:  reporter-feedback has-patch  |
-----------------------------------------+------------------
Changes (by adamsilverstein):

 * keywords:  reporter-feedback => reporter-feedback has-patch


Comment:

 I have been re-reading the ticket again trying to understand it. The root
 of the issue is that the edit screen makes a different check for
 capabilities before allowing access than the revisions review screen.

 It's pointed out above, but worth repeating with current links --

 edit.php checks current_user_can( $post_type_object->cap->edit_posts )  -
 [http://core.trac.wordpress.org/browser/trunk/wp-admin/edit.php#L21 At
 line 21]

 revisions.php checks if ( !current_user_can( 'read_post', $revision->ID )
 || !current_user_can( 'read_post', $post->ID ) )
 [http://core.trac.wordpress.org/browser/trunk/wp-admin/revision.php#L111
 At Line 111]

 The difference in the check apparently led to the (difficult to
 reproduce) bug in this ticket.

 If I understand it correctly the bug is still there and would probably
 best be solved by replacing the check in revisions to match edit.php.

 I have attached a patch for review that changes each of several calls in
 revisions.php to the same check used in edit.php. This should lead to
 better expected behavior, that is, the same capabilities required for
 editing a post as for editing a revision, which wasn't _quite_ the case
 before.

 Along the way I noticed the same calls repeating several times in
 different parts of the switch loop (you will see that in my patch).
 Shouldn't we just move these common checks to the top of the switch loop?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16847#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
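The following is an added example, not code from the ticket or from the attached patch, showing how the edit.php-style capability check can be applied to a revision consistently. The function name `example_user_can_edit_revision` is hypothetical; it assumes it runs inside WordPress, where `get_post`, `wp_is_post_revision`, `get_post_type_object` and `current_user_can` are core functions. The trailing `edit_post` meta-capability check is a design choice made here, not something the ticket proposes: it keeps per-object restrictions that `map_meta_cap` applies, rather than relying on the post-type-wide `edit_posts` capability alone.

```php
<?php
/**
 * Added example (not part of the ticket or its patch).
 * Decide whether the current user may edit a revision by resolving the
 * parent post's type and running the same capability check edit.php uses.
 */
function example_user_can_edit_revision( $revision_id ) {
    $revision = get_post( $revision_id );
    if ( ! $revision ) {
        return false;
    }

    // A revision's own post_type is 'revision'; the post type that matters
    // for capabilities is the parent's, so resolve the parent first.
    $parent_id = wp_is_post_revision( $revision );
    if ( ! $parent_id ) {
        return false; // not a revision at all
    }

    $post = get_post( $parent_id );
    if ( ! $post ) {
        return false; // orphaned revision: deny rather than fall through
    }

    $post_type_object = get_post_type_object( $post->post_type );
    if ( ! $post_type_object ) {
        return false; // unregistered post type: deny
    }

    // Same check edit.php applies before showing the list screen.
    if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) {
        return false;
    }

    // Assumption/design choice: also require the per-post meta capability,
    // so restrictions resolved through map_meta_cap (for example on posts
    // owned by other users) still apply to the revision.
    return current_user_can( 'edit_post', $post->ID );
}
```

A caller on the revision screen would use it as `if ( ! example_user_can_edit_revision( $revision->ID ) ) { wp_die( 'Sorry, you are not allowed to edit this item.' ); }` before rendering anything. Because the check resolves the parent's post type, a custom post type whose `capability_type` maps to non-default capabilities gets the same answer on the revision screen as on its edit screen.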
