[wp-hackers] Critical WP Flaw?

[Ryan Boren]

Ryan Duff wrote:
> Ryan Boren wrote:
> 
>> I like to protect all non-idempotent operations with cap checks, even
>> when the umbrella check should protect them.  I'd suggest creating a
>> Subscriber level user on a test blog and then directly enter the URLs
>> that load your plugin.  Make sure the caps are enforced for all entry
>> points to your plugin.
>>
>> Ryan
> 
> 
> 9 emails later... you've wasted a lot of Ryan's time by starting this
> thread while he could have actually been productive at fixing the issue.
> 
> And we wonder why things don't/can't get done around here.

Actually, I had it fixed before the thread was started.  :-) At least I 
think it's fixed.  I was getting a bit confused about which bug we were 
talking about and the exact nature of the bug.  I've now talked to Dave, 
and I think I got it.  I'm to blame in part for confusing the issue.

To recap, there is a bug in core WP involved that I believe I've fixed 
for 2.0.4.  This is the core API bug Dave is talking about on his blog. 
  I was in error before to say that this is a problem to be fixed solely 
by the plugins.  There are some plugins that need help beyond the fix to 
the core, but the core fix should cover most plugins.  Sorry for the 
confusion.

And with that, I really need to get some sleep.  Later all.

Ryan