Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#24564 closed defect (bug) (duplicate)

wp_insert_post checks permissions of the current user, not the author

Reported by: rmccue
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

In wp_insert_post(), current_user_can() is called twice to check permissions (publish_posts for setting the slug, and the assign terms capability for taxonomies).

This global state should be removed from wp_insert_post() in favour of user_can() using the post's author.

Change History (3)

comment:1 rmccue, 10 months ago

(From a quick look, this also applies to wp_insert_attachment() as well.)

comment:2 dd32, 10 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #19373.

comment:3 nacin, 10 months ago

#19373 (as a new level of API, realistically) is the preferred path forward. The change proposed here actually has security issues with it.
