Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#24564 closed defect (bug) (duplicate)

wp_insert_post checks permissions of the current user, not the author

Reported by: rmccue
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

In wp_insert_post(), current_user_can() is called twice to check permissions (publish_posts for setting the slug and the assign terms capability for taxonomies).

This global state should be removed from wp_insert_post() in favour of user_can() using the post's author.
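The following is an added example, not code from the ticket or from WordPress core. It shows the global-state dependence described above (the same capability question answered differently for the caller and for the author) and a caller-side guard that keeps core unchanged; it assumes a loaded WordPress environment, and the function names demo_slug_dependence and insert_post_as_author are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code). Assumes WordPress is loaded;
 * user IDs and post data passed in are constructed by the caller.
 */

// wp_insert_post() evaluates capabilities against the logged-in user, so the
// same $postarr is treated differently depending on who triggers the call
// (an editor in wp-admin, a contributor, or cron with no user at all).
function demo_slug_dependence( int $author_id ) {
    $caller_can_publish = current_user_can( 'publish_posts' );      // global state
    $author_can_publish = user_can( $author_id, 'publish_posts' );  // per-author check

    return array(
        'caller_can_publish' => $caller_can_publish,
        'author_can_publish' => $author_can_publish,
        // true whenever the two checks would lead wp_insert_post() to different
        // slug / term handling for the very same post data
        'checks_disagree'    => $caller_can_publish !== $author_can_publish,
    );
}

/**
 * Insert a post on behalf of $author_id with the author's own capabilities,
 * without touching core: switch the current user only for the duration of the
 * call, and only after confirming the caller may create posts for other users.
 */
function insert_post_as_author( array $postarr, int $author_id ) {
    $caller_id = get_current_user_id();

    // Guard: do not let a low-privilege caller borrow another user's capabilities.
    if ( $caller_id !== $author_id && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'forbidden', 'Caller may not create posts for other users.' );
    }

    $postarr['post_author'] = $author_id;

    wp_set_current_user( $author_id );
    try {
        // second argument true: return WP_Error instead of 0 on failure
        return wp_insert_post( $postarr, true );
    } finally {
        // always restore the caller's context, even if wp_insert_post() throws
        wp_set_current_user( $caller_id );
    }
}
```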

Change History (3)

#1 @rmccue
10 years ago

(From a quick look, this also applies to wp_insert_attachment() as well.)

#2 @dd32
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #19373.

#3 @nacin
10 years ago

#19373 (as a new level of API, realistically) is the preferred path forward. The change proposed here actually has security issues with it.
