current_user_can('edit_'.$custom_post_type, $post_ID) always returns true
|Reported by:||wpdavis||Owned by:|
When setting up a custom post type and defining capabilities using register_post_type that are different from post, all calls to edit_custom return true. You can see this in the WordPress admin dashboard, as users can get into all posts in that custom post type even if they don't have access to edit_others_custom. I added this as major because it could be a big security issue for some users — I hope that's OK.