[wp-trac] [WordPress Trac] #36056: When saving a post for an other author, the current_user_can() check is not passing the post ID with the edit_others_posts capability
WordPress Trac
noreply at wordpress.org
Fri Mar 4 00:54:38 UTC 2016
#36056: When saving a post for an other author, the current_user_can() check is not
passing the post ID with the edit_others_posts capability
-----------------------------+------------------------------
 Reporter:  GunGeekATX       |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Role/Capability  |     Version:  4.4.2
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:
-----------------------------+------------------------------
Comment (by dd32):

 In some cases you don't want to give the `edit_others_pages` cap, as you
 don't want to allow the user to edit other users' posts, just a select few
 you grant through `edit_posts`.

 IMHO the checking of `edit_others_pages` looks, at first, to be not
 actually needed.. as that should really be checked through
 `map_meta_cap()` on the `edit_post` capability.

 I ran into this exact issue yesterday, and was going to open this ticket
 myself. I'm unable to determine what these permission caps are for though,
 as the conditional `post_author != user_ID` means that you can take
 ownership of a post and skip those checks. The real checks for `can this
 user edit this post` happen higher in the chain in `edit_post()` (and
 again in `_wp_translate_postdata()` further up).

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36056#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
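
An added illustration, not code from the ticket or from WordPress core, of the per-post grant the comment above describes: a `map_meta_cap` filter can only decide per post when the capability check passes a post ID. The user-meta key `my_editable_post_ids` and the `my_*` function names are hypothetical.

```php
<?php
// Added example. 'my_editable_post_ids' is a hypothetical user-meta key
// holding the IDs of the select few posts this user may edit.

add_filter( 'map_meta_cap', 'my_grant_selected_posts', 10, 4 );

/**
 * Let a user edit selected posts owned by others without holding the
 * edit_others_posts primitive capability.
 */
function my_grant_selected_posts( $caps, $cap, $user_id, $args ) {
	// Only a check that carries a post ID can be decided per post.
	if ( 'edit_post' !== $cap || empty( $args[0] ) ) {
		return $caps;
	}

	$post_id = (int) $args[0];
	$allowed = array_map(
		'intval',
		(array) get_user_meta( $user_id, 'my_editable_post_ids', true )
	);

	if ( in_array( $post_id, $allowed, true ) ) {
		// Require only the primitive capability the user already has.
		return array( 'edit_posts' );
	}

	return $caps;
}

/**
 * Per-object check: goes through map_meta_cap() with the post ID,
 * so the filter above is consulted for this specific post.
 */
function my_user_can_save( $post_id ) {
	return current_user_can( 'edit_post', $post_id );
}

/**
 * Primitive check with no post ID: the filter receives empty $args and
 * cannot tell which post is being saved, so a user granted access to
 * selected posts only is refused here.
 */
function my_user_can_save_primitive_only() {
	return current_user_can( 'edit_others_posts' );
}
```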