[wp-trac] [WordPress Trac] #25240: current_user_can( $capability, $args ) returns true for invalid $args (post ID)
WordPress Trac
noreply at wordpress.org
Fri Sep 6 15:14:37 UTC 2013
#25240: current_user_can( $capability, $args ) returns true for invalid $args (post
ID)
-----------------------------+----------------------
 Reporter:  akshay_raje      |       Owner:
     Type:  defect (bug)     |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Role/Capability  |     Version:  3.6
 Severity:  normal           |  Resolution:  invalid
 Keywords:  2nd-opinion      |
-----------------------------+----------------------
Changes (by nacin):

* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>

Comment:

If you have a custom capability, that capability needs to properly handle
extra arguments if that's what you want. See also map_meta_cap().

That said, "primitive" capabilities added by something like add_role() or
add_cap() are not meant to be checked against individual arguments. They
are meant to be possessed by a user/role, or not.

You'll see that we pass post IDs to things like 'edit_post' — which is
*not* a capability normally assigned to users or roles. It then maps to
capabilities that users/roles do have, like edit_posts, edit_others_posts,
etc.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25240#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
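
The distinction drawn in the comment above, as an added example that is not part of the original message or of WordPress core: a custom meta capability mapped through the `map_meta_cap` filter so that an invalid post ID fails closed. The `report` post type, the `edit_report` meta capability, the primitive capabilities `edit_reports` / `edit_others_reports` and the `example_*` function names are hypothetical; the code assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Added example (not WordPress core code). Hypothetical names: the 'report'
 * post type, the 'edit_report' meta capability, and the primitive
 * capabilities 'edit_reports' / 'edit_others_reports'.
 */
add_filter( 'map_meta_cap', 'example_map_edit_report', 10, 4 );

function example_map_edit_report( $caps, $cap, $user_id, $args ) {
    if ( 'edit_report' !== $cap ) {
        return $caps; // Not our meta capability; leave the mapping alone.
    }

    // A meta capability is meaningless without a valid object: fail closed.
    // The empty() guard matters because get_post( 0 ) falls back to the
    // global post instead of returning null.
    $post = empty( $args[0] ) ? null : get_post( (int) $args[0] );
    if ( ! $post || 'report' !== $post->post_type ) {
        return array( 'do_not_allow' );
    }

    // Map to primitive capabilities that users/roles actually hold.
    if ( (int) $post->post_author === (int) $user_id ) {
        return array( 'edit_reports' );
    }
    return array( 'edit_others_reports' );
}

function example_can_edit_report( $post_id ) {
    // Check the meta capability with the ID. Checking the primitive with an
    // ID, current_user_can( 'edit_reports', $post_id ), is not evaluated
    // against $post_id by core: it only asks whether the user holds the cap.
    return current_user_can( 'edit_report', $post_id );
}
```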