Opened 8 years ago
Last modified 4 years ago
#40950 new defect (bug)
wp_terms_checklist() does not pass $post_id to current_user_can()
Reported by: | anigel | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | has-patch |
Focuses: | administration | Cc: | |
Description
An incorrect post_id gets passed in $args to a filter on map_meta_cap, when wp_terms_checklist() does a capability check to see if category checkboxes should get a disabled attribute.
$args['disabled'] = ! current_user_can( $tax->cap->assign_terms );
We had an issue where we were checking the post type in a map_meta_cap filter and it was always showing a standard post type instead of the appropriate custom post type, leading to category checkboxes being disabled.
Expected behaviour: The post_id passed in $args to the map_meta_cap callback should relate to the post being edited / created.
How to recreate:
- Create a custom Post Type
- Add a filter on map_meta_cap
- Create or edit a post
- Check the value passed in $args to your filter when wp_terms_checklist does a capability check to see if categories should get a disabled attribute.
Workaround: Use the global $post variable instead of the passed post_id
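A reproduction plugin for the steps above, with the workaround folded into a helper (added example, not code from the ticket or from WordPress core; the post type slug t40950_book and the t40950_resolve_post() helper are hypothetical names, and the capability mapping at the end is an assumed use case for such a filter):

```php
<?php
/**
 * Plugin Name: Ticket 40950 repro (added example; all t40950_* names are hypothetical)
 */

// Step 1: a custom post type that uses the built-in category taxonomy.
add_action( 'init', function () {
	register_post_type( 't40950_book', array(
		'label'      => 'Books (t40950)',
		'public'     => true,
		'taxonomies' => array( 'category' ),
	) );
} );

// Resolve the post a capability check refers to. Prefer the ID in $args;
// when the caller passed none, fall back to the global $post (the workaround
// described in this ticket).
function t40950_resolve_post( $args ) {
	if ( isset( $args[0] ) && is_numeric( $args[0] ) ) {
		$post = get_post( (int) $args[0] );
		if ( $post instanceof WP_Post ) {
			return $post;
		}
	}
	$global = isset( $GLOBALS['post'] ) ? $GLOBALS['post'] : null;
	return ( $global instanceof WP_Post ) ? $global : null;
}

// Steps 2-4: log what the assign_terms check hands to the filter.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	$tax = get_taxonomy( 'category' );
	if ( ! $tax || $cap !== $tax->cap->assign_terms ) {
		return $caps; // Not the taxonomy's assign_terms check; leave untouched.
	}
	$post = t40950_resolve_post( $args );
	error_log( sprintf( 'map_meta_cap(%s): args=%s resolved=%s', $cap,
		wp_json_encode( $args ), $post ? $post->ID . '/' . $post->post_type : 'none' ) );
	$type = $post ? get_post_type_object( $post->post_type ) : null;
	if ( $type && 't40950_book' === $post->post_type ) {
		// Require the edit_posts capability of the post's own type (differs
		// from 'edit_posts' only when the type sets a custom capability_type).
		return array( $type->cap->edit_posts );
	}
	return $caps;
}, 10, 4 );
```

With the plugin active, open the editor for a t40950_book post and compare the logged args value with the resolved post ID and type.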
Attachments (1)
Change History (7)
This ticket was mentioned in Slack in #core by anigel.
8 years ago
#4 @ 8 years ago
Hey there,
Thanks for your ticket & patch!
This doesn't seem to be the only place where current_user_can( $tax->cap->assign_terms ) is used.
Usually, there are "meta" capabilities (e.g. edit_post + post ID) and "primitive" capabilities (e.g. edit_posts) in core for such checks.
Looking at [38698], we should probably use assign_term here instead of $tax->cap->assign_terms.
Patch