Skip Navigation

[Resolved] Access “Edit own” not enforced for update_post_meta() ?

This thread is resolved. Here is a description of the problem and solution.

Question: It seems that Access permissions like Edit Own are not enforced when calling update_post_meta, is that correct?

Answer: Yes, this is correct. Custom code implementations should utilize current_user_can to compare capabilities before calling update_post_meta, etc. directly.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 2 replies, has 2 voices.

Last updated by beatR 2 months, 1 week ago.

Assigned support staff: Christian Cox.

Author
Posts
#2056951

Hi
i'm building a member page where security is very important. can't use CRED in many sections.

i noticed that even though a certain post-type is set to only "edit own", the user get still update other users data when update_post_meta(otheruserid) is in play (for example by changing values in a <form>).

am i correct that access restrictions are not enforced when using update_post_meta()? are they enforced when using wp_update_post()?

Thank you!

#2056969

Christian Cox
Supporter

Languages: English (English )

Timezone: America/New_York (GMT-04:00)

Hi, you are correct in that Access permissions like "edit_own" are not enforced upon update_post_meta or wp_update_post. Access permissions like these are typically enforced by restricting specific features in wp-admin. Generally speaking, when programmatically updating content using custom code, that code should use current_user_can or another comparable method to verify whether or not the current User has capabilities like "edit_own_posts" or "edit_others_posts".

#2056971

My issue is resolved now. Thank you!