Always check capabilities in admin pages
Reported by: westi | Owned by: ryan
WP_List_Table introduces a check_permissions() function which hides away the capabilities check inside the list table class so that it is easy to write a generic AJAX handler.
We should still have current_user_can() checks in the normal admin pages as it makes it easier to review for security holes.
Still doing it in the table classes is good defence in depth.
Change History (18)
comment:15 @nacin — 4 years ago
- Owner changed from westi to ryan
- Status changed from new to assigned