
Frontend Form not respecting access rights for "edit_other_xxx" and "edit_published_xxx" #7353

Open
praul opened this issue Sep 6, 2024 · 1 comment

Comments

@praul
praul commented Sep 6, 2024

Description

When using the frontend form for a custom post type / pod, the form does not respect the access rights for "edit_other_xxx" and "edit_published_xxx".

Any logged in user with the "edit_xxx" capability can edit, update, and modify posts that are published or by other authors.
In the backend, caps work like they should.

I think I have set access rights accordingly and my test user only has the edit_CUSTOMPOSTTYPE cap:
[screenshot]

Version

3.2.7

Testing Instructions

Fresh install with Pods. Create a custom post type with custom permissions. Set access rights. Assign edit_CUSTOMPOSTTYPE as the only capability to testuser. Place $pod->form() on a page. Switch to testuser. You can edit other authors' posts and published posts using the form.

Screenshots / Screencast

No response

Possible Workaround

I can add additional checks beforehand that prevent rendering the form. Is this safe, or is the ajax function still vulnerable to this?

Site Health Information

@praul praul added the Type: Bug label Sep 6, 2024
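Added example, not code from the Pods project or from the issue reporter: a defence-in-depth capability gate that addresses the workaround question above. It checks the specific post with the `edit_post` meta capability at two points, before rendering `$pod->form()` and again on the save path, so that hiding the form is not the only protection. It assumes a custom post type registered under the placeholder name `custompost` with its own capability type and `map_meta_cap` enabled (that mapping is what turns `edit_post` into `edit_others_custompost` / `edit_published_custompost`); the `my_guard_*` names are placeholders. It does not depend on how Pods implements its own form handler.

```php
<?php
/*
 * Added example (not Pods project code, not the reporter's code).
 * Assumptions: the post type is registered as the placeholder 'custompost'
 * with its own capability type and 'map_meta_cap' => true; the my_guard_*
 * function names are placeholders.
 */

// Registration shape the guard relies on. With map_meta_cap enabled, WordPress
// resolves the 'edit_post' meta capability (see map_meta_cap()) to
// edit_custompost, plus edit_others_custompost when the current user is not
// the author and edit_published_custompost when the post is already published.
add_action( 'init', 'my_guard_register_custompost' );
function my_guard_register_custompost() {
    register_post_type( 'custompost', array(
        'public'          => true,
        'capability_type' => array( 'custompost', 'customposts' ),
        'map_meta_cap'    => true,
        'supports'        => array( 'title', 'editor', 'author' ),
    ) );
}

// Per-post check: a user holding only edit_custompost is refused for
// published posts and for other authors' posts.
function my_guard_can_edit( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post || 'custompost' !== $post->post_type ) {
        return false;
    }
    return current_user_can( 'edit_post', $post->ID );
}

// Render-time gate around the $pod->form() call from the report.
// $pod is the Pods object for the post, e.g. pods( 'custompost', $post_id ).
function my_guard_form( $pod, $post_id, $params = null ) {
    if ( ! my_guard_can_edit( $post_id ) ) {
        return '<p>You do not have permission to edit this item.</p>';
    }
    return $pod->form( $params );
}

// Save-time gate: 'pre_post_update' fires inside wp_update_post() before an
// existing post is written, on every code path (admin screen, admin-ajax.php,
// REST, plugin handlers), so it catches a submit even if the form was bypassed.
add_action( 'pre_post_update', 'my_guard_block_update', 10, 2 );
function my_guard_block_update( $post_id, $data ) {
    // Other post types are out of scope; scheduled (user-less) updates are skipped
    // so WP-Cron jobs that legitimately touch these posts are not broken.
    if ( 'custompost' !== get_post_type( $post_id ) || wp_doing_cron() ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this item.', 403 );
    }
}
```

The render-time check on its own answers only half of the question in the report: it stops the form from being shown, but a request sent straight to the save endpoint would still be processed. The `pre_post_update` hook covers updates of existing posts regardless of the submitting code; creation of new posts goes through a different path (`wp_insert_post` with no existing post) and would need its own check against the post type's `create_posts` / `edit_posts` capability.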
@praul

praul commented Sep 6, 2024

I confirmed this on a completely fresh install with no other plugins.
I think this is a critical security problem.

I can share access to the test WordPress, but I'd rather not post it publicly here.
