Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#15159 closed defect (bug) (duplicate)

current_user_can('edit_'.$custom_post_type, $post_ID) always returns true

Reported by: wpdavis
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 3.0.1
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

When setting up a custom post type and defining capabilities using register_post_type that are different from post, all calls to edit_custom return true. You can see this in the WordPress admin dashboard, as users can get into all posts in that custom post type even if they don't have access to edit_others_custom. I added this as major because it could be a big security issue for some users — I hope that's OK.

Attachments (1)

post-type-edit.jpg (54.0 KB) - added by wpdavis 13 years ago.
The list posts view for a user with author permissions

Change History (2)

@wpdavis
13 years ago

The list posts view for a user with author permissions

#1 @nacin
13 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed