Context Navigation

← Previous Ticket
Next Ticket →

#15159 closed defect (bug) (duplicate)

current_user_can('edit_'.$custom_post_type, $post_ID) always returns true

Reported by:	wpdavis	Owned by:
Milestone:		Priority:	normal
Severity:	major	Version:	3.0.1
Component:	Role/Capability	Keywords:
Focuses:		Cc:

Description

When setting up a custom post type and defining capabilities using register_post_type that are different from post, all calls to edit_custom return true. You can see this in the WordPress admin dashboard, as users can get into all posts in that custom post type even if they don't have access to edit_others_custom. I added this as major because it could be a big security issue for some users — I hope that's OK.

Attachments (1)

post-type-edit.jpg (54.0 KB) - added by wpdavis 13 years ago.: The list posts view for a user with author permissions

Download all attachments as: .zip

Change History (2)

@wpdavis
13 years ago

Attachment post-type-edit.jpg added

The list posts view for a user with author permissions

#1 @nacin
13 years ago

Milestone Awaiting Review deleted
Resolution set to duplicate
Status changed from new to closed

#14122

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core