WordPress.org

Make WordPress Core

Opened 3 months ago

#53972 new defect (bug)

Improper capability check when viewing attachment of private custom post type

Reported by: sccr410
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.8
Component: Users
Keywords:
Focuses:
Cc:

Description

WP 5.8

Create custom post type:

  • Create a unique custom post type (e.g. "sample") with custom capability_type (e.g. "sample")
  • Create a new post under this post type, set to private
  • Upload attachment as featured image (so its parent is set to the custom post type post)

Set capabilities:

  • Customize subscriber role capabilities to allow "read_private_samples"

Create user:

  • Create new Subscriber user
  • View the attachment URL

EXPECTED: User to be able to view this URL
ACTUAL: User cannot view the URL, 404 page

From what I can tell, it is checking for the existence of the "read_private_posts" capability for the currently logged in user when it should be checking for the "read_private_samples" capability.
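The setup described in the ticket, as an added example (not the reporter's code and not WordPress core code): a small plugin that registers the "sample" post type and grants the capability, plus a diagnostic helper. The plugin name and the function `t53972_report()` are hypothetical; the post type and capability names follow the ticket.

```php
<?php
/**
 * Plugin Name: Ticket 53972 repro (added example, hypothetical plugin)
 */

// Custom post type "sample" with its own capability_type, as in the report.
add_action( 'init', function () {
	register_post_type( 'sample', array(
		'label'           => 'Samples',
		'public'          => true,
		'supports'        => array( 'title', 'editor', 'thumbnail' ),
		'capability_type' => 'sample', // generates read_private_samples, edit_samples, ...
		'map_meta_cap'    => true,     // let core map read_post to the type's own caps
	) );
} );

// Grant the Subscriber role the type-specific capability from the report.
register_activation_hook( __FILE__, function () {
	$role = get_role( 'subscriber' );
	if ( $role ) {
		$role->add_cap( 'read_private_samples' );
	}
} );

/**
 * Hypothetical helper: for an attachment, report which "read private"
 * capability its parent's post type declares and what the current user holds.
 * Returns null when the attachment has no parent post.
 */
function t53972_report( $attachment_id ) {
	$attachment = get_post( $attachment_id );
	$parent     = ( $attachment && $attachment->post_parent )
		? get_post( $attachment->post_parent )
		: null;
	if ( ! $parent ) {
		return null;
	}
	$type = get_post_type_object( $parent->post_type );
	$cap  = $type->cap->read_private_posts; // 'read_private_samples' for this type

	return array(
		'parent_status'          => $parent->post_status,
		'parent_type_cap'        => $cap,
		'has_parent_type_cap'    => current_user_can( $cap ),
		'has_read_private_posts' => current_user_can( 'read_private_posts' ),
		'can_read_parent'        => current_user_can( 'read_post', $parent->ID ),
	);
}
```

Called while logged in as the Subscriber, the helper shows whether the user holds the type-specific capability, the generic `read_private_posts`, or both, which can then be compared against the response for the attachment URL.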
