Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#45146 closed defect (bug) (invalid)

Wrong use of function current_user_can on check_edit_permission

Reported by: elvishp2006
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: REST API
Keywords:
Focuses:
Cc:

Description

The function current_user_can is being called with a nonexistent second parameter in check_edit_permission of "class-wp-rest-comments-controller.php". It's impossible for a logged-in user to delete their own comment on the REST API.

<?php
protected function check_edit_permission( $comment ) {
    if ( 0 === (int) get_current_user_id() ) {
        return false;
    }

    if ( ! current_user_can( 'moderate_comments' ) ) {
        return false;
    }

    return current_user_can( 'edit_comment', $comment->comment_ID );
}

Change History (3)

#1 @knutsp
3 years ago

  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.9.8 deleted

current_user_can may take a second parameter, $object_id. It's just not documented in the function signature. See documentation: https://developer.wordpress.org/reference/functions/current_user_can/.
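
An added illustration of the point in comment #1, not part of the ticket and not WordPress core code: a PHP function can declare a single capability parameter and still receive an object ID through func_get_args(). The demo_* names, the sample data and the mapping rule for 'edit_comment' are assumptions made for this sketch.

```php
<?php
// Simplified model, NOT WordPress core code. All demo_* names and the
// sample data below are constructed for illustration.

// Constructed data: comment ID => post ID, and post ID => post author ID.
$demo_comment_post = array( 10 => 1, 11 => 2 );
$demo_post_author  = array( 1 => 7, 2 => 8 );

// Only $capability is declared after $user, mirroring a signature that
// does not list the object ID. Extra arguments still arrive at runtime.
function demo_user_can( $user, $capability ) {
    $args = array_slice( func_get_args(), 2 );
    return demo_has_cap( $user, $capability, $args );
}

// 'edit_comment' is treated as an object-level (meta) capability: it is
// resolved against one specific comment, so it needs an object ID.
function demo_has_cap( $user, $capability, $args ) {
    global $demo_comment_post, $demo_post_author;

    if ( 'edit_comment' !== $capability ) {
        // Plain capability: a direct lookup, no object involved.
        return in_array( $capability, $user['caps'], true );
    }
    if ( ! isset( $args[0], $demo_comment_post[ $args[0] ] ) ) {
        // Missing object ID or unknown comment: deny by default.
        return false;
    }
    // Assumed rule for this sketch: the required capability depends on
    // who wrote the post that the comment is attached to.
    $post_id  = $demo_comment_post[ $args[0] ];
    $required = ( $demo_post_author[ $post_id ] === $user['id'] )
        ? 'edit_posts'
        : 'edit_others_posts';
    return in_array( $required, $user['caps'], true );
}

$editor = array( 'id' => 7, 'caps' => array( 'moderate_comments', 'edit_posts' ) );

var_dump( demo_user_can( $editor, 'moderate_comments' ) ); // plain capability
var_dump( demo_user_can( $editor, 'edit_comment', 10 ) );  // comment on own post
var_dump( demo_user_can( $editor, 'edit_comment', 11 ) );  // comment on another user's post
var_dump( demo_user_can( $editor, 'edit_comment' ) );      // object ID omitted
```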

#2 @SergeyBiryukov
3 years ago

  • Milestone Awaiting Review deleted

#3 @SergeyBiryukov
3 years ago

  • Severity changed from critical to normal