Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#40950 new defect (bug)

wp_terms_checklist() does not pass $post_id to current_user_can()

Reported by: anigel
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords: has-patch
Focuses: administration
Cc:

Description

An incorrect post_id gets passed in $args to a filter on map_meta_cap, when wp_terms_checklist() does a capability check to see if category checkboxes should get a disabled attribute.

$args['disabled'] = ! current_user_can( $tax->cap->assign_terms );

We had an issue where we were checking the post type in a map_meta_cap filter and it was always showing a standard post type instead of the appropriate custom post type leading to category checkboxes being disabled.

Expected behaviour: the post_id passed in $args to the map_meta_cap callback should relate to the post being edited / created.

How to recreate:

  1. Create a custom Post Type
  2. Add a filter on map_meta_cap
  3. Create or edit a post
  4. Check the value passed in $args to your filter when wp_terms_checklist does a capability check to see if categories should get a disabled attribute.

Workaround: Use the global $post variable instead of the passed post_id
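As an added example (not the attached patch and not WordPress core code), here is a map_meta_cap filter of the kind step 2 describes, written for a hypothetical custom post type `book` whose taxonomy uses a hypothetical assign-terms capability `assign_book_genres`. It shows the two argument shapes such a filter can receive: an empty `$args`, which is what the quoted `current_user_can( $tax->cap->assign_terms )` call produces, and `$args[0]` holding the post ID once the call forwards `$post_id`. The fallback to the global `$post` is the workaround the report describes.

```php
<?php
// Added example: a map_meta_cap filter for a hypothetical custom post type
// "book". Names marked hypothetical are assumptions, not WordPress core.

// Hypothetical: the assign_terms capability of the taxonomy attached to "book".
const EXAMPLE_ASSIGN_CAP = 'assign_book_genres';

add_filter( 'map_meta_cap', 'example_book_assign_terms_cap', 10, 4 );

/**
 * @param string[] $caps    Primitive capabilities core has mapped so far.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @param array    $args    Extra arguments from current_user_can(); $args[0]
 *                          is the post ID only if the caller passed one.
 * @return string[]
 */
function example_book_assign_terms_cap( $caps, $cap, $user_id, $args ) {
    if ( EXAMPLE_ASSIGN_CAP !== $cap ) {
        return $caps;
    }

    $post_id = example_resolve_post_id( $args );

    // Unknown post, or not a book: leave core's mapping untouched.
    if ( ! $post_id || 'book' !== get_post_type( $post_id ) ) {
        return $caps;
    }

    // For books, assigning genres requires being able to edit that book.
    // map_meta_cap() turns 'edit_post' into the right primitive caps for
    // the post's status and author; our filter ignores 'edit_post', so
    // there is no recursion back into this function.
    return map_meta_cap( 'edit_post', $user_id, $post_id );
}

/**
 * Work out which post a capability check concerns.
 *
 * With the core line quoted in the report, current_user_can() is called
 * without a post ID, so $args is empty and only the global $post (set while
 * editing or creating a post) identifies it: the report's workaround. When
 * the caller forwards the ID, as in
 * current_user_can( $tax->cap->assign_terms, $post_id ), it arrives in $args[0].
 *
 * @param array $args Arguments handed to the map_meta_cap filter.
 * @return int Post ID, or 0 if none can be determined.
 */
function example_resolve_post_id( array $args ) {
    if ( ! empty( $args[0] ) ) {
        return (int) $args[0];
    }
    global $post;
    return ( $post instanceof WP_Post ) ? (int) $post->ID : 0;
}
```

When this filter is active and the post type is not `book`, the result is exactly what core mapped, so the disabled state of the category checkboxes for ordinary posts is unchanged; only the `book` case is tightened, and it is tightened against the post that is actually being edited rather than whatever `$args` happens to contain.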

Attachments (1)

wp_terms_checklist-cap_check.patch (525 bytes) - added by anigel 5 months ago.
Patch


Change History (6)

#1 @ocean90
5 months ago

  • Version trunk deleted

#2 @anigel
5 months ago

  • Keywords has-patch added

This ticket was mentioned in Slack in #core by anigel.
5 months ago

#4 @swissspidy
5 months ago

Hey there,

Thanks for your ticket & patch!

This doesn't seem to be the only place where current_user_can( $tax->cap->assign_terms ) is used.

Usually, there are "meta" capabilities (e.g. edit_post + post ID) and "primitive" capabilities (e.g. edit_posts) in core for such checks.

Looking at [38698], we should probably use assign_term here instead of $tax->cap->assign_terms.
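To illustrate the meta versus primitive distinction in the comment above, the following is an added example (not WordPress core and not the ticket's patch): a filter on the `assign_term` meta capability, which since [38698] is resolved by core by looking the term up and mapping to its taxonomy's assign_terms capability, so `$args[0]` carries a term ID rather than a post ID. A helper then computes a per-term disabled flag instead of the single per-taxonomy flag the quoted core line produces. The taxonomy `genre` and the `restricted-` slug prefix are assumptions.

```php
<?php
// Added example: per-term decisions through the 'assign_term' meta capability.
// The taxonomy "genre" and the "restricted-" slug prefix are assumptions.

add_filter( 'map_meta_cap', 'example_restricted_genre_cap', 10, 4 );

/**
 * @param string[] $caps    Primitive capabilities core has mapped so far.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @param array    $args    For 'assign_term', $args[0] is the term ID.
 * @return string[]
 */
function example_restricted_genre_cap( $caps, $cap, $user_id, $args ) {
    if ( 'assign_term' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }

    $term = get_term( (int) $args[0] );
    if ( ! $term instanceof WP_Term || 'genre' !== $term->taxonomy ) {
        return $caps;
    }

    // Only users who can manage the site may assign "restricted-*" genres;
    // every other genre keeps the capabilities core already mapped.
    if ( 0 === strpos( $term->slug, 'restricted-' ) ) {
        $caps[] = 'manage_options';
    }
    return $caps;
}

/**
 * Build a term_id => disabled map for a checklist, deciding per term rather
 * than once per taxonomy as current_user_can( $tax->cap->assign_terms ) does.
 *
 * @param int[] $term_ids Term IDs to be rendered as checkboxes.
 * @return array<int,bool> true where the checkbox should be disabled.
 */
function example_terms_disabled_map( array $term_ids ) {
    $disabled = array();
    foreach ( $term_ids as $term_id ) {
        $disabled[ $term_id ] = ! current_user_can( 'assign_term', $term_id );
    }
    return $disabled;
}
```

Because core's own handling of `assign_term` already folds in the taxonomy's primitive assign_terms capability before this filter runs, the filter only ever adds to the mapping; a user who lacks the primitive capability stays denied regardless of the term.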

#5 @swissspidy
5 months ago

  • Component changed from Administration to Role/Capability
  • Focuses administration added