[wp-trac] [WordPress Trac] #25240: current_user_can( $capability, $args ) returns true for invalid $args (post ID)

WordPress Trac noreply at wordpress.org
Fri Sep 6 15:14:37 UTC 2013


#25240: current_user_can( $capability, $args ) returns true for invalid $args (post ID)
-----------------------------+----------------------
 Reporter:  akshay_raje      |       Owner:
     Type:  defect (bug)     |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Role/Capability  |     Version:  3.6
 Severity:  normal           |  Resolution:  invalid
 Keywords:  2nd-opinion      |
-----------------------------+----------------------
Changes (by nacin):

 * status:  new => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


Comment:

 If you have a custom capability, that capability needs to properly handle
 extra arguments if that's what you want. See also map_meta_cap().

 That said, "primitive" capabilities added by something like add_role() or
 add_cap() are not meant to be checked against individual arguments. They
 are meant to be possessed by a user/role, or not.

 You'll see that we pass post IDs to things like 'edit_post' — which is
 *not* a capability normally assigned to users or roles. It then maps to
 capabilities that users/roles do have, like edit_posts, edit_others_posts,
 etc.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25240#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
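
The mapping described in the comment above, as an added example that is not part of the original message or of WordPress core: a `map_meta_cap` filter that turns a per-object check into primitive capabilities and fails closed on an invalid post ID. The meta capability `edit_book`, the primitives `edit_books` and `edit_others_books`, the `book` post type and the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example, not WordPress core code. 'edit_book', 'edit_books',
 * 'edit_others_books' and the 'book' post type are hypothetical names.
 */
add_filter( 'map_meta_cap', 'example_map_edit_book', 10, 4 );

function example_map_edit_book( $caps, $cap, $user_id, $args ) {
	if ( 'edit_book' !== $cap ) {
		return $caps; // Leave every other capability untouched.
	}

	// Reject missing, zero or non-numeric IDs before calling get_post():
	// an empty argument would make get_post() fall back to the global post.
	$post_id = isset( $args[0] ) ? (int) $args[0] : 0;
	$post    = $post_id > 0 ? get_post( $post_id ) : null;

	// Fail closed: non-existent post or wrong post type.
	if ( ! $post || 'book' !== $post->post_type ) {
		return array( 'do_not_allow' );
	}

	// Map the per-object check to primitives that roles actually hold.
	if ( (int) $post->post_author === (int) $user_id ) {
		return array( 'edit_books' );
	}
	return array( 'edit_others_books' );
}

/**
 * Caller side: check the meta capability together with the object ID.
 * Checking the primitive instead, e.g.
 * current_user_can( 'edit_books', $post_id ), ignores $post_id and only
 * reports whether the user holds 'edit_books'.
 */
function example_require_edit_book( $post_id ) {
	if ( ! current_user_can( 'edit_book', $post_id ) ) {
		wp_die( 'You are not allowed to edit this item.', 403 );
	}
}
```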

