AJAX delete-page/post permission check uses wrong variable
|Reported by:||jhalderm||Owned by:||anonymous|
The AJAX interface on the Manage Posts admin panel has a bug in the routine for deleting posts. Users who don't have the edit-others-posts capability are never able to delete posts using this interface, even if the posts belong to them and they have the edit-posts capability.
The cause seems to be a bug in list-manipulation.php. Line 33 is:
if ( !current_user_can('edit_post', $post_id) )
However, the variable $post_id isn't defined. I think the line should be:
if ( !current_user_can('edit_post', $id) )