Opened 3 years ago
#53972 new defect (bug)
Improper capability check when viewing attachment of private custom post type
Reported by: | sccr410 | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.8 |
Component: | Users | Keywords: | |
Focuses: | | Cc: | |
Description
WP 5.8
Create custom post type:
- Created a unique custom post type (e.g. "sample") with custom capability_type (e.g. "sample")
- Create a new post under this post type, set to private
- Upload attachment as featured image (so its parent is set to the custom post type post)
Set capabilities:
- Customize subscriber role capabilities to allow "read_private_samples"
Create user:
- Create new Subscriber user
- View the attachment URL
EXPECTED: User to be able to view this URL
ACTUAL: User cannot view the URL, 404 page
From what I can tell, it is checking for the existence of the "read_private_posts" capability for the currently logged in user when it should be checking for the "read_private_samples" capability.
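The setup steps and the capability comparison described in the report, as an added example (not code from the reporter or from WordPress core). The plugin header, the `t53972_attachment_cap_report()` helper and its array keys are hypothetical names chosen for illustration.

```php
<?php
/**
 * Plugin Name: Ticket 53972 reproduction helper (added example, hypothetical)
 */

// Report steps: a post type with its own capability_type, and the
// subscriber role granted the matching private-read capability.
add_action( 'init', function () {
	register_post_type( 'sample', array(
		'label'           => 'Samples',
		'public'          => true,
		'supports'        => array( 'title', 'editor', 'thumbnail' ),
		'capability_type' => 'sample', // Generates read_private_samples, edit_samples, ...
		'map_meta_cap'    => true,
	) );
	$role = get_role( 'subscriber' );
	if ( $role && ! $role->has_cap( 'read_private_samples' ) ) {
		$role->add_cap( 'read_private_samples' );
	}
} );

/**
 * Hypothetical diagnostic: for an attachment, show which private-read
 * capability each post type object names and whether the current user has it.
 */
function t53972_attachment_cap_report( $attachment_id ) {
	$attachment = get_post( $attachment_id );
	if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
		return new WP_Error( 'not_attachment', 'Not an attachment ID.' );
	}
	$parent      = $attachment->post_parent ? get_post( $attachment->post_parent ) : null;
	$parent_type = $parent ? get_post_type_object( $parent->post_type ) : null;
	if ( ! $parent_type ) {
		return new WP_Error( 'no_parent', 'No parent post with a registered post type.' );
	}
	// Capability named by the attachment post type vs. by the parent's post type.
	$attachment_cap = get_post_type_object( 'attachment' )->cap->read_private_posts;
	$parent_cap     = $parent_type->cap->read_private_posts;

	return array(
		'parent_type'             => $parent->post_type,
		'parent_status'           => get_post_status( $parent ),
		'attachment_cap'          => $attachment_cap, // read_private_posts
		'user_has_attachment_cap' => current_user_can( $attachment_cap ),
		'parent_cap'              => $parent_cap,     // read_private_samples for "sample"
		'user_has_parent_cap'     => current_user_can( $parent_cap ),
		'can_read_parent_post'    => current_user_can( 'read_post', $parent->ID ),
	);
}
```

Called while logged in as the Subscriber from the report, a result where `user_has_parent_cap` is true and `user_has_attachment_cap` is false matches the mismatch the reporter describes.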