
[Resolved] Access "Edit own" not enforced for update_post_meta()?

This thread is resolved. Here is a description of the problem and the solution.

Question: It seems that Access permissions like Edit Own are not enforced when calling update_post_meta, is that correct?

Answer: Yes, this is correct. Custom code should call current_user_can to check the current user's capabilities before calling update_post_meta() and similar functions directly.

This support ticket was created 4 years, 7 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 - -
13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 - -

Supporter timezone: America/New_York (GMT-04:00)

This topic contains 2 replies, has 2 voices.

Last updated by beatR 4 years, 7 months ago.

Assisted by: Christian Cox.

Author
Posts
#2056951

Hi,
I'm building a member page where security is very important. I can't use CRED in many sections.

I noticed that even though a certain post type is set to only "edit own", the user can still update other users' data when update_post_meta(otheruserid) is in play (for example by changing values in a <form>).

Am I correct that access restrictions are not enforced when using update_post_meta()? Are they enforced when using wp_update_post()?

Thank you!

#2056969

Hi, you are correct in that Access permissions like "edit_own" are not enforced upon update_post_meta or wp_update_post. Access permissions like these are typically enforced by restricting specific features in wp-admin. Generally speaking, when programmatically updating content using custom code, that code should use current_user_can or another comparable method to verify whether or not the current User has capabilities like "edit_own_posts" or "edit_others_posts".
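The pattern the answer describes, as an added example that is not from the thread, Toolset, or WordPress core: a front-end form handler that authorizes against the post ID the form submits before touching its meta. It assumes a hypothetical post type `member` registered with `'map_meta_cap' => true` (so the `edit_post` meta capability resolves to `edit_posts` for the author and `edit_others_posts` for anyone else), a hypothetical meta key `member_phone`, and a hypothetical action name `member_save_phone`. Every WordPress function used here is a core function; only those names are invented.

```php
<?php
/**
 * Added example (not Toolset's code and not from the original thread).
 * Assumptions: post type 'member' registered with 'map_meta_cap' => true;
 * hypothetical meta key 'member_phone' and action 'member_save_phone'.
 */

// Render the form. The nonce is bound to this action, this post and the logged-in user.
function member_phone_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'member_save_phone_' . $post_id, '_member_nonce' ); ?>
        <input type="hidden" name="action" value="member_save_phone">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <input type="text" name="member_phone"
               value="<?php echo esc_attr( get_post_meta( $post_id, 'member_phone', true ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handler for logged-in users only: admin_post_nopriv_* is deliberately not registered.
add_action( 'admin_post_member_save_phone', 'member_save_phone_handler' );

function member_save_phone_handler() {
    // 1. The post ID comes from the request. It is only an identifier: the hidden
    //    field can be changed to any other user's post, so nothing below trusts it
    //    until the checks pass. This is exactly the substitution the question describes.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Nonce check: rejects cross-site request forgery and stale forms.
    $nonce = isset( $_POST['_member_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_member_nonce'] ) )
        : '';
    if ( ! $post_id || ! wp_verify_nonce( $nonce, 'member_save_phone_' . $post_id ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. The target must exist and be of the expected post type, so the form
    //    cannot be pointed at some other kind of object.
    $post = get_post( $post_id );
    if ( ! $post || 'member' !== $post->post_type ) {
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }

    // 4. Authorization. update_post_meta() performs no capability check, so this
    //    line is what enforces "edit own": core maps the 'edit_post' meta capability
    //    to edit_posts when the current user is the post author and to
    //    edit_others_posts otherwise (for post types with map_meta_cap).
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this member.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 5. Only now write the data, after sanitizing the submitted value.
    $phone = isset( $_POST['member_phone'] )
        ? sanitize_text_field( wp_unslash( $_POST['member_phone'] ) )
        : '';
    update_post_meta( $post_id, 'member_phone', $phone );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
```

The same check applies before wp_update_post(), which the answer also names as unenforced. A check like current_user_can( 'edit_posts' ) without a post ID is not enough here, because it says nothing about who owns the post being written; the ownership distinction only happens when the meta capability is checked against a specific post.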

#2056971

My issue is resolved now. Thank you!