Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#45146 closed defect (bug) (invalid)

Wrong use of function current_user_can on check_edit_permission

Reported by: elvishp2006
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords:
Focuses:
Cc:


The function current_user_can is being called with an inexistent second parameter in check_edit_permission of "class-wp-rest-comments-controller.php". It's impossible for a logged-in user to delete their own comment on the REST API.

protected function check_edit_permission( $comment ) {
    if ( 0 === (int) get_current_user_id() ) {
        return false;
    }

    if ( ! current_user_can( 'moderate_comments' ) ) {
        return false;
    }

    return current_user_can( 'edit_comment', $comment->comment_ID );
}

Change History (3)

#1 @knutsp
5 years ago

  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.9.8 deleted

current_user_can may take a second parameter, $object_id. It's just not documented in the function signature. See documentation.
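
Added example (not part of the ticket or of WordPress core): a simplified, stand-alone PHP model of why the object ID matters. A meta capability such as edit_comment is mapped to primitive capabilities based on the object passed as the extra argument, so the same user can be allowed for one comment and denied for another. All demo_* names and the sample data are constructed, and the mapping rules are reduced to post authorship only.

```php
<?php
// Simplified model of a capability check with an object ID.
// All demo_* names and data are constructed; this is not WordPress core code.

// Constructed sample data: comment ID => post ID, and post ID => author ID.
$demo_comments = [ 10 => 1, 11 => 2 ];
$demo_posts    = [ 1 => 7, 2 => 8 ];

// Map a meta capability plus object ID to the primitive capabilities required.
function demo_map_meta_cap( string $cap, int $user_id, ...$args ): array {
    global $demo_comments, $demo_posts;
    $object_id = $args[0] ?? null;
    switch ( $cap ) {
        case 'edit_comment':
            // This model denies when the object is missing or unknown.
            if ( null === $object_id || ! isset( $demo_comments[ $object_id ] ) ) {
                return [ 'do_not_allow' ];
            }
            // Editing a comment requires being able to edit its parent post.
            return demo_map_meta_cap( 'edit_post', $user_id, $demo_comments[ $object_id ] );
        case 'edit_post':
            if ( null === $object_id || ! isset( $demo_posts[ $object_id ] ) ) {
                return [ 'do_not_allow' ];
            }
            // Own post needs edit_posts; someone else's needs edit_others_posts.
            return $demo_posts[ $object_id ] === $user_id
                ? [ 'edit_posts' ]
                : [ 'edit_others_posts' ];
        default:
            return [ $cap ]; // Primitive capability: nothing to map.
    }
}

// The extra arguments are forwarded untouched, as the variadic signature allows.
function demo_user_can( array $user, string $cap, ...$args ): bool {
    foreach ( demo_map_meta_cap( $cap, $user['id'], ...$args ) as $required ) {
        if ( empty( $user['caps'][ $required ] ) ) {
            return false;
        }
    }
    return true;
}

// Constructed user: author of post 1, holding only the edit_posts capability.
$author = [ 'id' => 7, 'caps' => [ 'edit_posts' => true ] ];
var_dump( demo_user_can( $author, 'edit_comment', 10 ) ); // comment on own post
var_dump( demo_user_can( $author, 'edit_comment', 11 ) ); // comment on another author's post
var_dump( demo_user_can( $author, 'moderate_comments' ) ); // primitive capability, no object ID
```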

#2 @SergeyBiryukov
5 years ago

  • Milestone Awaiting Review deleted

#3 @SergeyBiryukov
5 years ago

  • Severity changed from critical to normal