[wp-trac] [WordPress Trac] #33453: Redundant checks in _wp_translate_postdata()
WordPress Trac
noreply at wordpress.org
Thu Aug 20 00:38:25 UTC 2015
#33453: Redundant checks in _wp_translate_postdata()
-------------------------------+-----------------------------
 Reporter:  loboyle            |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  Awaiting Review
Component:  Posts, Post Types  |     Version:  4.2.4
 Severity:  normal             |    Keywords:
  Focuses:                     |
-------------------------------+-----------------------------
_wp_translate_postdata() checks whether the current user can edit_post for
updates, then explicitly checks whether the current user can
edit_others_posts if they're not the author of that post.

This checking is redundant, as the edit_post meta capability is already
mapped to the appropriate edit_others_posts capability by map_meta_cap.

Generally this double handling is probably not harmful, but it does make
it difficult to add additional checking around capabilities - the
edit_post meta capability passes through the ID of the post being checked,
while the generic edit_others_posts capability lacks this information.

In my case I'm allowing certain users to edit posts that don't belong to
them, but not all - so I don't want to give them edit_others_posts, which
would allow editing all of them; instead I selectively edit the required
capabilities using the map_meta_cap filter. This works in most places
(e.g. they get an edit link in the list of posts, they can go to the edit
screen) but they cannot save changes because the double handling here
makes it impossible to determine whether they have permission to edit that
specific post or not.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33453>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
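
The behaviour the ticket describes, as an added example that is not part of the original message or of WordPress core: a standalone PHP model in which a per-post filter can grant edit_post for one post, while the follow-up generic edit_others_posts check reaches the same filter without a post ID. The function names, the $delegated list, and the sample users and posts are constructed for illustration; only the filter's parameter order ($caps, $cap, $user_id, $args) mirrors the map_meta_cap filter.

```php
<?php
// Simplified stand-ins for WordPress internals; all names and data below are constructed.
$posts     = [7 => ['author' => 1], 8 => ['author' => 1]]; // both posts belong to user 1
$user_caps = [2 => ['edit_posts' => true]];                // user 2 lacks edit_others_posts
$delegated = [7 => [2]];                                   // hypothetical: user 2 may edit post 7 only

// Models the core mapping: editing someone else's post requires edit_others_posts.
function model_map_meta_cap(string $cap, int $user_id, array $args): array {
    global $posts;
    $caps = [$cap];
    if ($cap === 'edit_post') {
        $caps = ($posts[$args[0]]['author'] === $user_id) ? ['edit_posts'] : ['edit_others_posts'];
    }
    return per_post_filter($caps, $cap, $user_id, $args);
}

// Same parameter order as a map_meta_cap filter callback.
function per_post_filter(array $caps, string $cap, int $user_id, array $args): array {
    global $delegated;
    // Only the meta capability carries a post ID in $args; edit_others_posts arrives without one.
    if ($cap === 'edit_post' && isset($args[0]) && in_array($user_id, $delegated[$args[0]] ?? [], true)) {
        return ['edit_posts'];
    }
    return $caps;
}

// Resolves a capability to primitives and requires the user to hold every one of them.
function model_user_can(int $user_id, string $cap, int ...$args): bool {
    global $user_caps;
    foreach (model_map_meta_cap($cap, $user_id, $args) as $required) {
        if (empty($user_caps[$user_id][$required])) {
            return false;
        }
    }
    return true;
}

// The save-time pattern from the ticket: meta capability first, then the generic primitive.
function can_save_double_check(int $user_id, int $post_id): bool {
    global $posts;
    if (!model_user_can($user_id, 'edit_post', $post_id)) {
        return false;
    }
    return $posts[$post_id]['author'] === $user_id || model_user_can($user_id, 'edit_others_posts');
}

var_dump(model_user_can(2, 'edit_post', 7)); // post with a per-post grant
var_dump(model_user_can(2, 'edit_post', 8)); // post without a grant
var_dump(can_save_double_check(2, 7));       // same user and post through the double check
```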