
Catch `setup_post_data` call without checking user capabilities in templates

Open david-binda opened this issue 8 years ago • 3 comments

eg:

```php
$post_id = get_query_var( 'post_id', null );
$post = get_post( $post_id );
setup_post_data( $post );
```

david-binda avatar Feb 20 '17 13:02 david-binda

@david-binda Do you mind explaining the reasoning behind why we need to check user capabilities when calling setup_post_data()?

rebeccahum avatar Oct 24 '18 18:10 rebeccahum

Closing for lack of feedback. Can be re-opened if feedback arrives and it's still something that should be flagged.

GaryJones avatar Jan 06 '19 19:01 GaryJones

Sorry for being late here, and sorry for not being clear. The problem with the code above is the following:

```php
$post_id = get_query_var( 'post_id', null ); // Reads the `post_id` value from `$_GET` param.
$post = get_post( $post_id ); // Gets post data from DB.
setup_post_data( $post ); // Populates the data for usage in template (eg.: `the_title()`, `the_content()`).
```

The problem is that there is no check for whether the `post_id` passed via query string is visible to the current user (eg: private post ID is passed via GET param by non-logged in user). IMHO, a `current_user_can()` check would be appropriate here.

david-binda avatar Jan 08 '19 10:01 david-binda
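A hardened version of the template snippet discussed in this thread, added here as an example rather than taken from the issue or from the VIP-Coding-Standards code. It assumes WordPress core's `setup_postdata()` (the core function is spelled that way) and the `read_post` meta capability, which core maps to `read_private_posts` for private posts and to edit rights for drafts, so one check covers the non-public statuses the comment above is concerned with:

```php
<?php
// Added example: the same template logic with the missing capability check.
// Assumes this file is included during a normal WordPress request.

// Sanitise the user-controlled id; 0 means "nothing requested".
$post_id = absint( get_query_var( 'post_id', 0 ) );

// Resolve the object first; an unknown id yields null.
$post = $post_id ? get_post( $post_id ) : null;

// Refuse anything that is not a post the current user is allowed to read.
// 'read_post' is a meta capability: for a private post it resolves to
// read_private_posts, for a draft to edit rights, so an anonymous visitor
// supplying a private post's id ends up here instead of in setup_postdata().
if ( ! $post instanceof WP_Post || ! current_user_can( 'read_post', $post->ID ) ) {
    status_header( 404 );
    nocache_headers();
    get_template_part( '404' );
    return;
}

// Only now populate the template globals used by the_title()/the_content().
setup_postdata( $post );
the_title( '<h1>', '</h1>' );
the_content();
wp_reset_postdata();
```

The check has to run on the resolved `WP_Post` rather than on the raw query var, because the status that decides visibility lives on the post object.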