WordPress.org

Make WordPress Core

Opened 5 weeks ago

#51651 new defect (bug)

The `read_post` meta capability returns an incorrect result for the inherit post status.

Reported by: peterwilsoncc Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.4
Component: Role/Capability Keywords:
Focuses: Cc:

Description

When an attachment is uploaded via an edit post screen, it is given the inherit post status to determine whether it is published, private, etc.

The key definition within the post object are as follows:

post_type: attachment
post_status: inherit
post_parent: 1

The inherit post status is registered as internal, and is therefore not considered public.

As the read_post meta capability gets the post status object without checking if it is inherited, it returns the incorrect result for logged in users able to read the post:

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( $post->post_status /* 'inherit' */ );

To correctly determine if a user can read the post, the post status string ought to use get_post_status():

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( get_post_status( $post ) );

This potentially applies to other meta capabilities too.

Change History (0)

Note: See TracTickets for help on using tickets.