Make WordPress Core

Opened 13 years ago

Closed 13 years ago

Last modified 3 years ago

#16986 closed defect (bug) (invalid)

wp.getOptions doesn't have a capability check

Reported by: nprasath002
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 3.1
Component: XML-RPC
Keywords: has-patch
Focuses:
Cc:


This won't be a big problem with default options.
If the blog options are extended via a plugin, this would be a problem.
Better to have a check.

Attachments (2)

getoptions.diff (583 bytes) - added by nprasath002 13 years ago.
getoptions2.diff (617 bytes) - added by ericmann 13 years ago.
Updated patch file to reference the file it's patching.

Change History (6)

#1 @ericmann
13 years ago

  • Component changed from General to XML-RPC

Considering the default behavior of the options page in WordPress is to check the same permission, I agree.

Updating patch to reference the patched file.

#2 @ericmann
13 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Actually, after putting some thought into this, we shouldn't restrict options checking with a capability check. That would disallow remote applications from getting any options values unless the user had permission to manage options.

Think about how many times a site calls get_option() for unauthenticated users or for authors without options management privileges. wp.getOptions serves a similar purpose for remote apps; a capability check here isn't really appropriate.

#3 @nacin
13 years ago

  • Milestone Awaiting Review deleted

Correct - a cap check is inappropriate here.

This ticket was mentioned in Slack in #core-editor by talldanwp.

3 years ago
