
Ticket #10677: admin-ajax.patch

File admin-ajax.patch, 586 bytes (added by scribu, 6 years ago)

fixes logical error when checking permissions

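--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -348,10 +348,8 @@
                 $x->send();
         }
 
-        if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
+        if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) )
                 die('-1');
-        if ( !current_user_can( 'moderate_comments' ) )
-                die('-1');
 
         $current = wp_get_comment_status( $comment->comment_ID );
         if ( $_POST['new'] == $current )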
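Review bot: The merged condition on new line 351 changes the rule from "the user must hold both capabilities" to "either one is enough", and nothing in the code records that this wider access is deliberate. A user with `moderate_comments` but no `edit_post` right on `$comment->comment_post_ID` now reaches the status change below, as does a post editor without `moderate_comments`. If that is the intended policy, state it next to the check, for example `// Either per-post edit rights or the global moderate_comments capability is sufficient.`, and confirm that the other comment handlers in this file enforce the same rule so the checks do not drift apart. Any nonce verification for this action and the rest of the enclosing case block lie outside the hunk and could not be reviewed here.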