Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#2265 closed defect (bug) (duplicate)

AJAX delete-page/post permission check uses wrong variable

Reported by: jhalderm Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.0
Component: Administration Keywords:
Focuses: Cc:


The AJAX interface on the Manage Posts admin panel has a bug in the routine for deleting posts. Users who don't have the edit-others-posts capability are never able to delete posts using this interface, even if the posts belong to them and they have the edit-posts capability.

The cause seems to be a bug in list-manipulation.php. Line 33 is:

if ( !current_user_can('edit_post', $post_id) )

However, the variable $post_id isn't defined. I think the line should be:

if ( !current_user_can('edit_post', $id) )

Change History (1)

#1 @ryan
10 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #2173

Note: See TracTickets for help on using tickets.