#24564 closed defect (bug) (duplicate)
wp_insert_post checks permissions of the current user, not the author
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
In `wp_insert_post()`, `current_user_can()` is called twice to check permissions (`publish_posts` for setting the slug and the assign terms capability for taxonomies).

This global state should be removed from `wp_insert_post()` in favour of `user_can()` using the post's author.
Change History (3)
(From a quick look, this also applies to `wp_insert_attachment()` as well.)
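
The two checks the ticket contrasts can be compared side by side before an insert. The helper below is an added example, not part of the ticket or of WordPress core: it assumes it runs inside a loaded WordPress (for instance from a mu-plugin), `compare_insert_caps()` is a hypothetical name, and user ID 42 is a constructed sample value.

```php
<?php
/**
 * Report capabilities for which the logged-in user and the post's author
 * would get different answers. Added example; hypothetical helper name.
 */
function compare_insert_caps( array $postarr ) {
    $author_id = isset( $postarr['post_author'] )
        ? (int) $postarr['post_author']
        : get_current_user_id();
    $post_type = isset( $postarr['post_type'] ) ? $postarr['post_type'] : 'post';

    // Capabilities named in the ticket: publish_posts (literal name taken
    // from the ticket text) plus the assign-terms capability per taxonomy.
    $caps = array( 'publish_posts' );
    foreach ( get_object_taxonomies( $post_type, 'objects' ) as $taxonomy ) {
        $caps[] = $taxonomy->cap->assign_terms;
    }

    $mismatches = array();
    foreach ( array_unique( $caps ) as $cap ) {
        $as_current = current_user_can( $cap );     // depends on global state
        $as_author  = user_can( $author_id, $cap ); // depends on the post's author
        if ( $as_current !== $as_author ) {
            $mismatches[ $cap ] = array(
                'current_user' => $as_current,
                'post_author'  => $as_author,
            );
        }
    }
    return $mismatches;
}

// Constructed sample input: a post attributed to user 42 while some other
// user (or no user at all, as in cron or CLI contexts) is the current one.
$postarr = array(
    'post_author' => 42,
    'post_type'   => 'post',
    'post_title'  => 'Constructed sample',
    'post_name'   => 'constructed-sample',
    'tags_input'  => array( 'example' ),
);

$diff = compare_insert_caps( $postarr );
if ( ! empty( $diff ) ) {
    // Log the divergence so the caller can decide whether to proceed.
    error_log( 'Capability mismatch before insert: ' . wp_json_encode( $diff ) );
}
```

An empty result means both checks agree for this post; any entry marks a capability where the outcome depends on who is logged in rather than on the author.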