This repository has been archived by the owner on Sep 24, 2018. It is now read-only.

use proper checks in update_meta_value etc #2801

Open
tharsheblows opened this issue Oct 11, 2016 · 1 comment

Comments

@tharsheblows
Contributor

Currently when you update a meta value, it checks current_user_can('edit_post_meta') regardless of the actual object type. It needs to use object type dependent capability checks. These aren't in core yet but there's a ticket here:
https://core.trac.wordpress.org/ticket/38284

A workaround for the time being would be to check edit_{$object_type} I suppose.

@tharsheblows
Contributor Author

tharsheblows commented Oct 13, 2016

When I looked at it a bit more in depth, I ended up with this explanation of the core issue: https://core.trac.wordpress.org/ticket/38303

I think I was a little unclear before -- what I meant to say was that comment meta, term meta and user meta can't be updated using the REST API due to the issue in core.

This is what the fix looks like:
tharsheblows@e71d4bd

edit: no, if need be, filters can be added to add_metadata etc in lieu of the current_user_can checks I think.
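
The `edit_{$object_type}` workaround suggested in the first comment could look like the sketch below. This is an added example, not code from the thread, the linked commit or the plugin: the `example_*` function names and error codes are hypothetical, and it assumes a loaded WordPress environment in which each `edit_{$object_type}` capability is mapped for the given object ID (this depends on the core version).

```php
<?php
// Added example: hypothetical helpers, not the plugin's or core's code.
// Assumes a loaded WordPress environment.

// Map an object type to the edit_{$object_type} capability named in the issue.
function example_meta_edit_capability( $meta_type ) {
	// Allow-list, so an arbitrary string never becomes a capability name.
	$allowed = array( 'post', 'comment', 'term', 'user' );
	if ( ! in_array( $meta_type, $allowed, true ) ) {
		return null;
	}
	return "edit_{$meta_type}";
}

function example_update_object_meta( $meta_type, $object_id, $meta_key, $value ) {
	$cap = example_meta_edit_capability( $meta_type );
	if ( null === $cap ) {
		return new WP_Error( 'example_invalid_meta_type', 'Unsupported object type.', array( 'status' => 400 ) );
	}

	// The check follows the object type, so a comment, term or user ID
	// is never evaluated with a post capability.
	if ( ! current_user_can( $cap, (int) $object_id ) ) {
		return new WP_Error(
			'example_cannot_update',
			'Sorry, you are not allowed to edit this object.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	// update_metadata() expects slashed input. It returns false on failure
	// and also when the stored value is unchanged, so the result is passed through.
	return update_metadata( $meta_type, (int) $object_id, wp_slash( $meta_key ), wp_slash( $value ) );
}
```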
