Ticket #6838 (closed defect: fixed)

Opened 6 months ago

Last modified 6 months ago

Any user is able to edit attachments

Reported by: xknown
Assigned to: anonymous
Priority: normal
Milestone: 2.5.1
Component: Security
Version: 2.5
Severity: normal
Keywords:
Cc:

Description

Any user that knows the ID of an attachment is able to edit some attributes of it.

Steps to reproduce the problem:

  1. Log in as an unprivileged user.
  2. Access the following URL directly:

http://site/wp/wp-admin/media.php?action=edit&attachment_id=ATTACHMENT_ID

  3. Press the "Save Changes" button.

Attachments

6838.patch (408 bytes) - added by xknown on 04/25/08 11:29:08.
Check upload_files capability
6838.diff (0.6 kB) - added by mdawaffe on 04/25/08 15:18:33.

Change History

04/25/08 11:29:08 changed by xknown

  • attachment 6838.patch added.

Check upload_files capability

04/25/08 15:01:03 changed by ryan

(In [7827]) Add cap checks. see #6838

04/25/08 15:01:34 changed by ryan

(In [7828]) Add cap checks. see #6838

04/25/08 15:02:07 changed by ryan

I tried it with an edit_post check.

04/25/08 15:18:33 changed by mdawaffe

  • attachment 6838.diff added.

04/25/08 15:23:12 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [7829]) Move cap check up. Props mdawaffe. fixes #6838 for trunk

04/25/08 15:23:24 changed by ryan

(In [7830]) Move cap check up. Props mdawaffe. fixes #6838 for trunk
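
An added example, not WordPress code and not taken from either attachment: the attachments and comments above name two checks, a role-wide upload_files capability and a per-object edit_post check. The PHP sketch below contrasts them on constructed users and one constructed attachment, with the per-object check placed ahead of both the edit form and the save path; can_edit_attachment and handle_media_request are hypothetical names, and the capability mapping is an assumption that simplifies WordPress's own.

```php
<?php
// Constructed sample data: three users and one attachment owned by the editor.
$users = [
    'subscriber' => ['id' => 3, 'caps' => ['read']],
    'author'     => ['id' => 2, 'caps' => ['read', 'upload_files', 'edit_posts']],
    'editor'     => ['id' => 1, 'caps' => ['read', 'upload_files', 'edit_posts', 'edit_others_posts']],
];
$attachments = [10 => ['owner' => 1, 'title' => 'logo.png']];

// Hypothetical per-object check (assumed mapping): the owner needs edit_posts,
// anyone else needs edit_others_posts.
function can_edit_attachment(array $user, array $attachment): bool {
    $needed = ($attachment['owner'] === $user['id']) ? 'edit_posts' : 'edit_others_posts';
    return in_array($needed, $user['caps'], true);
}

// Hypothetical handler: the check runs once, before the action switch, so
// neither the edit form nor the save path is reachable without passing it.
function handle_media_request(array $user, array $attachments, string $action, int $id, array $post = []): string {
    $attachment = $attachments[$id] ?? null;
    // Unknown IDs get the same answer, so the response does not confirm which IDs exist.
    if ($attachment === null || !can_edit_attachment($user, $attachment)) {
        return '403 not allowed to edit this attachment';
    }
    switch ($action) {
        case 'edit':
            return '200 edit form for ' . $attachment['title'];
        case 'save':
            return '200 saved title ' . ($post['title'] ?? $attachment['title']);
        default:
            return '400 unknown action';
    }
}

// Compare a role-wide upload_files test with the per-object result for each user.
foreach ($users as $role => $user) {
    $roleWide = in_array('upload_files', $user['caps'], true) ? 'pass' : 'deny';
    foreach (['edit', 'save'] as $action) {
        $result = handle_media_request($user, $attachments, $action, 10, ['title' => 'new title']);
        echo str_pad($role, 11), str_pad($action, 5), "upload_files: $roleWide  per-object: $result\n";
    }
}
```

The author row is the one to read: a role-wide upload_files test passes, while the per-object check refuses the attachment owned by another user.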