Opened 13 months ago

Last modified 10 months ago

#51651 new defect (bug)

The `read_post` meta capability returns an incorrect result for the inherit post status.

Reported by: peterwilsoncc
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.4
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

When an attachment is uploaded via an edit post screen, it is given the inherit post status to determine whether it is published, private, etc.

The key definitions within the post object are as follows:

post_type: attachment
post_status: inherit
post_parent: 1

The inherit post status is registered as internal, and is therefore not considered public.

As the read_post meta capability gets the post status object without checking if it is inherited, it returns the incorrect result for logged-in users able to read the post:

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( $post->post_status /* 'inherit' */ );

To correctly determine if a user can read the post, the post status string ought to use get_post_status():

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( get_post_status( $post ) );

This potentially applies to other meta capabilities too.

Change History (1)

#1 @peterwilsoncc
10 months ago

[50132] fixed this for read_post but this bug does indeed apply to other meta caps in some circumstances.
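
The difference between the two lookups in the description, as an added example that is not part of the ticket or of WordPress core: a simplified stand-alone PHP model comparing the capability required when the raw `inherit` status is used with the one required when the status is resolved through the parent. Every `demo_*` name, the sample posts, and the fall-through to an edit-level capability for statuses that are neither public nor private are assumptions of this example.

```php
<?php
// Simplified stand-alone model of the check discussed in this ticket.
// All demo_* names and the sample data are constructed; this is not WordPress core code.

// Status flags as described in the ticket: 'inherit' is internal, so not public.
const DEMO_STATUSES = [
    'publish' => ['public' => true,  'private' => false],
    'private' => ['public' => false, 'private' => true],
    'inherit' => ['public' => false, 'private' => false],
];

// Constructed posts: a published page (1), a private page (2), one attachment on each.
const DEMO_POSTS = [
    1 => ['type' => 'page',       'status' => 'publish', 'parent' => 0, 'author' => 10],
    2 => ['type' => 'page',       'status' => 'private', 'parent' => 0, 'author' => 10],
    3 => ['type' => 'attachment', 'status' => 'inherit', 'parent' => 1, 'author' => 10],
    4 => ['type' => 'attachment', 'status' => 'inherit', 'parent' => 2, 'author' => 10],
];

// Stand-in for get_post_status(): follow post_parent while the status is 'inherit'.
function demo_effective_status(int $id): string {
    $post = DEMO_POSTS[$id];
    if ($post['status'] === 'inherit' && isset(DEMO_POSTS[$post['parent']])) {
        return demo_effective_status($post['parent']);
    }
    return $post['status'];
}

// Capability a user needs to read post $id (assumed branch order, see lead-in).
// $resolve = false models the lookup on the raw post_status string;
// $resolve = true models the lookup on the effective (inherited) status.
function demo_required_cap(int $id, int $user_id, bool $resolve): string {
    $post   = DEMO_POSTS[$id];
    $status = DEMO_STATUSES[$resolve ? demo_effective_status($id) : $post['status']];
    if ($status['public']) {
        return 'read';
    }
    if ($user_id && $post['author'] === $user_id) {
        return 'read';
    }
    return $status['private'] ? 'read_private_posts' : 'edit_post';
}

// User 20 is a logged-in user who is not the author of any sample post.
foreach ([3, 4] as $id) {
    printf("attachment %d: raw=%s resolved=%s\n", $id,
        demo_required_cap($id, 20, false), demo_required_cap($id, 20, true));
}
```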
