Make WordPress Core


Ignore:
Timestamp:
10/12/2023 02:59:09 PM (8 months ago)
Author:
joemcgill
Message:

Grouped backports to the 6.0 branch.

  • REST API: Limit search_columns for users without list_users.
  • Comments: Prevent users who can not see a post from seeing comments on it.
  • Application Passwords: Prevent the use of some pseudo protocols in application passwords.
  • Restrict media shortcode ajax to certain type
  • REST API: Ensure no-cache headers are sent when methods are overriden.
  • Prevent unintended behavior when certain objects are unserialized.

Merges [56833], [56834], [56835], [56836], [56837], and [56838] to the 6.0 branch.
Props xknown, jorbin, Vortfu, joehoyle, timothyblynjacobs, peterwilsoncc, ehtis, tykoted, martinkrcho, paulkevan, dd32, antpb, rmccue.

Location:
branches/6.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/6.0

  • branches/6.0/src/wp-admin/includes/class-wp-comments-list-table.php

    r52957 r56870  
    640640
    641641        $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID );
     642
     643        $edit_post_cap = $post ? 'edit_post' : 'edit_posts';
     644        if (
     645            current_user_can( $edit_post_cap, $comment->comment_post_ID ) ||
     646            (
     647                empty( $post->post_password ) &&
     648                current_user_can( 'read_post', $comment->comment_post_ID )
     649            )
     650        ) {
     651            // The user has access to the post
     652        } else {
     653            return false;
     654        }
    642655
    643656        echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>";
Note: See TracChangeset for help on using the changeset viewer.