Opened 2 years ago
Closed 2 years ago
#16129 closed defect (bug) (fixed)
Incorrect cap check in wp-admin/includes/comment.php : edit_comment()
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | Administration | Version: | 3.1 |
| Severity: | normal | Keywords: | has-patch commit |
| Cc: | westi, bcasey@… |
Description (last modified by ocean90)
Checks current_user_can( 'edit_post', $comment_post_ID )
But should be current_user_can( 'edit_comment', (int) $_POST['comment_ID'] )
Attachments (6)
Change History (23)
This is my first attempt at helping out with WP, if i did anything wrong, let me know. Thought this would be a nice easy one to learn on :)
Cheers
Ben
I haven't tested the patch yet, but at a glance, it should be:
if ( !current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
Otherwise you're passing the ID of the post containing the comment.
Oops:
with that change, I see no point in the following line:
$comment_post_ID = (int) $_POST['comment_post_ID'];
Safe to remove it?
comment:6
in reply to:
↑ 5
SergeyBiryukov — 2 years ago
Replying to casben79:
Safe to remove it?
Note the difference between $_POST['comment_ID'] and $_POST['comment_post_ID'].
Yes, comment_post_ID is the post id that is being commented on.
Seeing as we are no longer using $comment_post_ID I see no point in creating the variable in the first place, it is not used anywhere else in the function Nor returned in any way.
comment:8
SergeyBiryukov — 2 years ago
Yep, safe to remove then, I guess.
Also changed wp_die wording ALA: http://core.trac.wordpress.org/ticket/16061 While I was There.
comment:10
nacin — 2 years ago
We're into release candidate stage, which means we're no longer creating new strings for translators.
Here is a string that already exists for now: "You are not allowed to edit comments on this post."
That, and this needs whitespace: if (!current_user_can( 'edit_comment', (int)$_POST['comment_ID'] )) should be if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) ).
Patch looks good with those changes.
comment:11
casben79 — 2 years ago
Not Going to argue , Just out of curiosity, why the need for whitespace?
Also do I hit commit or is that not my place?
comment:12
nacin — 2 years ago
That's our coding standard. http://codex.wordpress.org/WordPress_Coding_Standards#Space_Usage
comment:13
casben79 — 2 years ago
Hmm, Fair enough. Learn about 10 new things every day .
Thank you for persisting, hopefully be a smoother process in the future :)
comment:14
nacin — 2 years ago
While we have hundreds of contributors, less than a dozen have commit access. A committer will pull the trigger here after a review. :)
In the meantime, if you'd like to refresh the patch just one more time, the opening quote on the line with wp_die() needs a space before it. Also, you have some trailing whitespace on the blank line that needs to be removed.
comment:15
casben79 — 2 years ago
I think Thats It :)
comment:16
nacin — 2 years ago
- Keywords commit added
comment:17
ryan — 2 years ago
- Resolution set to fixed
- Status changed from new to closed
Changed