Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#51651 new defect (bug)

The `read_post` meta capability returns an incorrect result for the inherit post status.

Reported by: peterwilsoncc
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.4
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

When an attachment is uploaded via an edit post screen, it is given the inherit post status to determine whether it is published, private, etc.

The key definitions within the post object are as follows:

post_type: attachment
post_status: inherit
post_parent: 1

The inherit post status is registered as internal, and is therefore not considered public.

As the read_post meta capability gets the post status object without checking if it is inherited, it returns the incorrect result for logged-in users able to read the post:

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( $post->post_status /* 'inherit' */ );

To correctly determine if a user can read the post, the post status string ought to use get_post_status():

<?php
// $post: attachment attached to a post/page.
$status_obj = get_post_status_object( get_post_status( $post ) );

This potentially applies to other meta capabilities too.

Change History (1)

#1 @peterwilsoncc
4 years ago

[50132] fixed this for read_post but this bug does indeed apply to other meta caps in some circumstances.
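
An added stand-alone illustration, not WordPress core code and not code from the ticket: a simplified model of the status lookup discussed above, comparing the raw `inherit` status with the status resolved through the parent. The posts, user IDs and the function names `effective_status()` and `required_cap()` are constructed for this example, and the fall-through to an edit capability for a status that is neither public nor private is an assumption of the model.

```php
<?php
// Simplified model for illustration only; names and data are hypothetical.

// Constructed status registry: 'inherit' is internal, so neither public nor private.
const STATUSES = [
    'publish' => ['public' => true,  'private' => false],
    'private' => ['public' => false, 'private' => true],
    'inherit' => ['public' => false, 'private' => false],
];

// Constructed posts: attachments 3 and 4 hang off a published and a private post.
const POSTS = [
    1 => ['type' => 'post',       'status' => 'publish', 'parent' => 0, 'author' => 10],
    2 => ['type' => 'post',       'status' => 'private', 'parent' => 0, 'author' => 10],
    3 => ['type' => 'attachment', 'status' => 'inherit', 'parent' => 1, 'author' => 10],
    4 => ['type' => 'attachment', 'status' => 'inherit', 'parent' => 2, 'author' => 10],
];

// Resolve an attachment's 'inherit' status to the status of its parent post.
function effective_status(int $id): string {
    $post = POSTS[$id];
    $parent = $post['parent'];
    if ($post['type'] === 'attachment' && $post['status'] === 'inherit'
        && $parent !== $id && array_key_exists($parent, POSTS)) {
        return effective_status($parent);
    }
    return $post['status']; // unattached attachments are left as-is in this model
}

// Capability the model demands for reading post $id as user $user.
// $resolve = false uses the stored status string, true uses the resolved one.
function required_cap(int $id, int $user, bool $resolve): string {
    $post   = POSTS[$id];
    $status = STATUSES[$resolve ? effective_status($id) : $post['status']];
    if ($status['public'] || $post['author'] === $user) {
        return 'read';
    }
    // Assumption: non-public, non-private statuses fall back to an edit check.
    return $status['private'] ? 'read_private_posts' : 'edit_post';
}

// User 99 is a constructed reader who is not the author of any post.
foreach ([3, 4] as $id) {
    printf("attachment %d: raw=%s resolved=%s\n", $id,
        required_cap($id, 99, false), required_cap($id, 99, true));
}
```

With the raw status both attachments demand the edit check; with the resolved status the attachment on the published post needs only `read` and the one on the private post needs `read_private_posts`.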
