[wp-trac] [WordPress Trac] #56962: current_user_can( 'read_post' ) not working.
WordPress Trac
noreply at wordpress.org
Tue Nov 15 23:56:05 UTC 2022
#56962: current_user_can( 'read_post' ) not working.
-----------------------------+------------------------------
Reporter: jcorbin | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 6.1
Severity: major | Resolution:
Keywords: close | Focuses:
-----------------------------+------------------------------
Comment (by peterwilsoncc):
> [53408] / #44591 aimed to address this in a consistent way. Performing
> these checks without passing in a post ID is not supported and could only
> work by accident.
I'm inclined to close this and the related ticket, #57120, without a fix.
In the past, the `current_user_can()` checks for the post meta
capabilities would default to the global post object if a post ID was not
passed. While this could be appropriate in some circumstances, in other
circumstances it could incorrectly give a user permission to see data they
are not expected to have access to.
Without a post ID being passed to the permission check, it's not possible
to guess the developer's intent so defaulting to disallow access seems the
safest option.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56962#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
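
The supported form of the check discussed in this comment, as an added example that is not part of the original message or of WordPress core: a REST permission callback that passes the post ID to `current_user_can()` explicitly instead of relying on the global post. The plugin header, the `example/v1` route and the `example_*` function names are hypothetical; the code assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Plugin Name: Example explicit read_post check (added illustration)
 */

// Hypothetical route: GET /wp-json/example/v1/notes/<id>
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/notes/(?P<id>\d+)', array(
		'methods'             => 'GET',
		'callback'            => 'example_get_note',
		'permission_callback' => 'example_can_read_note',
	) );
} );

function example_can_read_note( WP_REST_Request $request ) {
	// Resolve the post from the request, never from the global $post.
	$post = get_post( absint( $request['id'] ) );

	// Not supported: current_user_can( 'read_post' ) with no ID. As the
	// comment above explains, that call cannot know which post is meant
	// and is denied. Pass the ID so the check applies to this exact post.
	// A missing post gets the same answer as a forbidden one, so the
	// response does not reveal whether the ID exists.
	if ( ! $post || ! current_user_can( 'read_post', $post->ID ) ) {
		return new WP_Error(
			'example_forbidden',
			'You are not allowed to read this post.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return true;
}

function example_get_note( WP_REST_Request $request ) {
	// Only reached after the permission callback has returned true.
	$post = get_post( absint( $request['id'] ) );

	return rest_ensure_response( array(
		'id'    => $post->ID,
		'title' => get_the_title( $post ),
	) );
}
```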