Opened 14 years ago
Closed 14 years ago
#16129 closed defect (bug) (fixed)
Incorrect cap check in wp-admin/includes/comment.php : edit_comment()
Reported by: | westi | Owned by: | |
---|---|---|---|
Milestone: | 3.1 | Priority: | normal |
Severity: | normal | Version: | 3.1 |
Component: | Administration | Keywords: | has-patch commit |
Focuses: | Cc: |
Description (last modified by )
Checks current_user_can( 'edit_post', $comment_post_ID )
But should be current_user_can( 'edit_comment', (int) $_POST['comment_ID'] )
Attachments (6)
Change History (23)
#3
@
14 years ago
This is my first attempt at helping out with WP, if i did anything wrong, let me know. Thought this would be a nice easy one to learn on :)
Cheers
Ben
#4
@
14 years ago
I haven't tested the patch yet, but at a glance, it should be:
if ( !current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
Otherwise you're passing the ID of the post containing the comment.
#5
follow-up:
↓ 6
@
14 years ago
Oops:
with that change, I see no point in the following line:
$comment_post_ID = (int) $_POST['comment_post_ID'];
Safe to remove it?
#6
in reply to:
↑ 5
@
14 years ago
Replying to casben79:
Safe to remove it?
Note the difference between $_POST['comment_ID']
and $_POST['comment_post_ID']
.
#7
@
14 years ago
Yes, comment_post_ID is the post id that is being commented on.
Seeing as we are no longer using $comment_post_ID I see no point in creating the variable in the first place, it is not used anywhere else in the function Nor returned in any way.
#9
@
14 years ago
Also changed wp_die wording ALA: http://core.trac.wordpress.org/ticket/16061 While I was There.
#10
@
14 years ago
We're into release candidate stage, which means we're no longer creating new strings for translators.
Here is a string that already exists for now: "You are not allowed to edit comments on this post."
That, and this needs whitespace: if (!current_user_can( 'edit_comment', (int)$_POST['comment_ID'] ))
should be if ( ! current_user_can( 'edit_comment', (int) $_POST['comment_ID'] ) )
.
Patch looks good with those changes.
#11
@
14 years ago
Not Going to argue , Just out of curiosity, why the need for whitespace?
#12
@
14 years ago
That's our coding standard. http://codex.wordpress.org/WordPress_Coding_Standards#Space_Usage
#13
@
14 years ago
Hmm, Fair enough. Learn about 10 new things every day .
Thank you for persisting, hopefully be a smoother process in the future :)
#14
@
14 years ago
While we have hundreds of contributors, less than a dozen have commit access. A committer will pull the trigger here after a review. :)
In the meantime, if you'd like to refresh the patch just one more time, the opening quote on the line with wp_die() needs a space before it. Also, you have some trailing whitespace on the blank line that needs to be removed.
Changed