[wp-trac] [WordPress Trac] #45146: Wrong use of function current_user_can on check_edit_permission
WordPress Trac
noreply at wordpress.org
Mon Oct 22 13:49:30 UTC 2018
#45146: Wrong use of function current_user_can on check_edit_permission
--------------------------+-----------------------------
Reporter: elvishp2006 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 4.9.8
Severity: critical | Keywords:
Focuses: |
--------------------------+-----------------------------
The function current_user_can is being called with a nonexistent second
parameter in check_edit_permission of "class-wp-rest-comments-controller.php".
It is impossible for a logged-in user to delete their own comment via the
REST API.
{{{#!php
<?php
protected function check_edit_permission( $comment ) {
	// Anonymous requests can never edit.
	if ( 0 === (int) get_current_user_id() ) {
		return false;
	}
	// Global capability gate, checked before the per-comment capability.
	if ( ! current_user_can( 'moderate_comments' ) ) {
		return false;
	}
	// Per-comment capability, passing the comment ID as the second argument.
	return current_user_can( 'edit_comment', $comment->comment_ID );
}
}}}
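To make the permission logic discussed in this ticket concrete, here is an added, self-contained PHP example; it is not code from WordPress core or from the reporter. It models a capability resolver in which a meta capability such as edit_comment is only decidable when the object id is supplied (the second argument), and contrasts the gated check from the ticket with an object-only check. The User, Comment, map_meta_cap and current_user_can definitions below are hypothetical stand-ins with a constructed ownership rule ("author may edit own comment, otherwise moderate_comments is required"); they are not WordPress's real mapping, which is more involved.

```php
<?php
// Added example (not WordPress core): a minimal model of object-aware
// capability checks. All classes, functions and rules here are constructed.

final class Comment {
    public function __construct(public int $id, public int $author_id) {}
}

final class User {
    /** @param string[] $caps primitive (role) capabilities the user holds */
    public function __construct(public int $id, public array $caps) {}
}

// Hypothetical stand-in for a meta-capability mapper: resolves a meta cap
// plus an optional object into the primitive caps that must be held.
function map_meta_cap(User $user, string $cap, ?Comment $comment = null): array {
    if ($cap !== 'edit_comment') {
        return [$cap];                      // primitive cap: check as-is
    }
    if ($comment === null) {
        return ['do_not_allow'];            // no object id: ownership cannot be evaluated
    }
    // Constructed rule: the author may edit their own comment;
    // anyone else must hold moderate_comments.
    return $comment->author_id === $user->id ? [] : ['moderate_comments'];
}

// Hypothetical stand-in for current_user_can(): true only if every
// required primitive capability is held.
function current_user_can(User $user, string $cap, ?Comment $comment = null): bool {
    foreach (map_meta_cap($user, $cap, $comment) as $required) {
        if ($required === 'do_not_allow' || !in_array($required, $user->caps, true)) {
            return false;
        }
    }
    return true;
}

// The shape of the check quoted in the ticket: a global-capability gate
// placed in front of the per-object check.
function check_edit_permission_gated(User $user, Comment $comment): bool {
    if ($user->id === 0) {
        return false;
    }
    if (!current_user_can($user, 'moderate_comments')) {
        return false;
    }
    return current_user_can($user, 'edit_comment', $comment);
}

// The per-object check on its own, leaving the decision to the mapper.
function check_edit_permission_object(User $user, Comment $comment): bool {
    if ($user->id === 0) {
        return false;
    }
    return current_user_can($user, 'edit_comment', $comment);
}

// Constructed sample data.
$comment   = new Comment(id: 7, author_id: 42);
$author    = new User(42, ['read']);
$moderator = new User(1, ['read', 'moderate_comments']);
$anonymous = new User(0, []);

foreach (['author' => $author, 'moderator' => $moderator, 'anonymous' => $anonymous] as $label => $user) {
    printf(
        "%-9s gated=%s object-only=%s\n",
        $label,
        check_edit_permission_gated($user, $comment) ? 'allow' : 'deny',
        check_edit_permission_object($user, $comment) ? 'allow' : 'deny'
    );
}
```

Running the script shows the difference the ticket is about: under the gated variant only the moderator is allowed, while under the object-only variant the author is also allowed for their own comment, and the anonymous user is denied in both. Whichever policy a site wants, the point a reviewer should verify is that the per-object call receives the object id, since without it the mapper has nothing to evaluate ownership against.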
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45146>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform