Skip Navigation
Buy Now

Home Toolset Professional Support [Resolved] Access “Edit own” not enforced for update_post_meta() ?

[Resolved] Access “Edit own” not enforced for update_post_meta() ?

This thread is resolved. Here is a description of the problem and solution.

Question: It seems that Access permissions like Edit Own are not enforced when calling update_post_meta, is that correct?

Answer: Yes, this is correct. Custom code implementations should utilize current_user_can to compare capabilities before calling update_post_meta, etc. directly.

This support ticket is created 2 years, 11 months ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 8:00 – 12:00 - -
13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 13:00 – 17:00 - -

Supporter timezone: America/New_York (GMT-04:00)

This topic contains 2 replies, has 2 voices.

Last updated by beatR 2 years, 11 months ago.

Assisted by: Christian Cox.

Author
Posts
#2056951

beatR

Hi
i'm building a member page where security is very important. can't use CRED in many sections.

i noticed that even though a certain post-type is set to only "edit own", the user get still update other users data when update_post_meta(otheruserid) is in play (for example by changing values in a <form>).

am i correct that access restrictions are not enforced when using update_post_meta()? are they enforced when using wp_update_post()?

Thank you!

#2056969

Christian Cox

Hi, you are correct in that Access permissions like "edit_own" are not enforced upon update_post_meta or wp_update_post. Access permissions like these are typically enforced by restricting specific features in wp-admin. Generally speaking, when programmatically updating content using custom code, that code should use current_user_can or another comparable method to verify whether or not the current User has capabilities like "edit_own_posts" or "edit_others_posts".

#2056971

beatR

My issue is resolved now. Thank you!

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.

Known issues and solutions

Frequently asked support questions

Support tickets archive

Get help from experienced contractors

Meet Toolset support team

Toolset Customer Support Policy

Need to tell us something about the quality of support

How to remove personal information from your database for support