#16986 closed defect (bug) (invalid)
wp.getOptions do'nt have a capability check
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | minor | Version: | 3.1 |
| Component: | XML-RPC | Keywords: | has-patch |
| Focuses: | Cc: |
Description
This won't be a big problem with default options.
If the blog options are extended via a plugin this would be a problem.
Better to have a check,
Attachments (2)
Change History (6)
#2
@
13 years ago
- Resolution set to invalid
- Status changed from new to closed
Actually, after putting some thought into this, we shouldn't restrict options checking with a capability check. That would disallow remote applications from getting any options values unless the user had permission to manage options.
Think about how many times a site calls get_option() for unauthenticated users or for authors without options management privileges. wp.getOptions serves a similar purpose for remote apps; a capability check here isn't really appropriate.
This ticket was mentioned in Slack in #core-editor by talldanwp. View the logs.
3 years ago
Note: See
TracTickets for help on using
tickets.
Considering the default behavior of the options page in WordPress is to check the same permission, I agree.
Updating patch to reference the patched file.