Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#15159 closed defect (bug) (duplicate)

current_user_can('edit_'.$custom_post_type, $post_ID) always returns true

Reported by: wpdavis
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 3.0.1
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

When setting up a custom post type and defining capabilities using register_post_type that are different from post, all calls to edit_custom return true. You can see this in the WordPress admin dashboard, as users can get into all posts in that custom post type even if they don't have access to edit_others_custom. I added this as major because it could be a big security issue for some users — I hope that's OK.

Attachments (1)

post-type-edit.jpg (54.0 KB) - added by wpdavis 4 years ago.
The list posts view for a user with author permissions

Change History (2)

wpdavis 4 years ago

The list posts view for a user with author permissions

comment:1 nacin 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed