Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#22698 closed defect (bug) (duplicate)

Broken capability checks with current_user_can() + map_meta_cap()

Reported by: Veraxus
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.0
Component: Role/Capability
Keywords: needs-patch
Focuses:
Cc:

Description

Running the latest cutting-edge nightly of WordPress 3.5...

When calling current_user_can(), if the second optional argument is not provided, then map_meta_cap() breaks, since certain capability checks (delete_page, edit_post, etc.) assume that $args[] is provided, despite it being optional.

Here is the error when attempting current_user_can('edit_post'):
Undefined offset: 0 in stuff/wp-includes/capabilities.php on line 1067

The code in question is:

$args = array_slice( func_get_args(), 2 );

...

case 'edit_page':
	$post = get_post( $args[0] );

Change History (3)

#1 @nacin
12 years ago

  • Component changed from Validation to Role/Capability
  • Severity changed from critical to normal
  • Version changed from trunk to 2.0

The argument is not optional for the capability checks you are specifying: edit_post, delete_post, etc.

These are "meta" capabilities and get mapped to primitive capabilities, like edit_posts, edit_others_posts, edit_published_posts, edit_private_posts, based on the object being selected.

#2 @nacin
12 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #13905.

#3 @Veraxus
12 years ago

I thought that might be the case. I'll add some documentation to the codex to clarify.
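
The distinction drawn in comment #1, as an added example that is not part of the ticket or of WordPress core: a meta capability such as edit_post is always checked together with the object ID, and the primitive capability is used when no specific object is involved. It assumes WordPress is loaded (for example, a plugin file); the function name myplugin_can_edit, the action name myplugin_save and the post_id form field are hypothetical.

```php
<?php
/**
 * Hypothetical helper: decide whether the current user may edit content.
 * Assumes WordPress is loaded; the myplugin_* names are illustrative only.
 */
function myplugin_can_edit( $post_id = 0, $post_type = 'post' ) {
	$post_id = absint( $post_id );

	// No specific object: check the primitive capability (e.g. edit_posts),
	// never the meta capability, which has nothing to map against.
	if ( 0 === $post_id ) {
		$type = get_post_type_object( $post_type );
		return $type ? current_user_can( $type->cap->edit_posts ) : false;
	}

	// The object must exist before map_meta_cap() is asked to resolve it.
	$post = get_post( $post_id );
	if ( ! $post ) {
		return false;
	}

	// Meta capability: the post ID is required so it can be mapped to
	// edit_posts, edit_others_posts, edit_published_posts, and so on.
	return current_user_can( 'edit_post', $post->ID );
}

// Hypothetical request handler that authorizes against the submitted object.
add_action( 'admin_post_myplugin_save', function () {
	check_admin_referer( 'myplugin_save' );

	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

	// Deny when the ID is missing rather than falling back to a broader check.
	if ( 0 === $post_id || ! myplugin_can_edit( $post_id ) ) {
		wp_die( 'You are not allowed to edit this item.', '', array( 'response' => 403 ) );
	}

	// ... perform the update for $post_id here ...
} );
```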
