pods-framework / pods

The Pods Framework is a Content Development Framework for WordPress. It lets you create and extend content types that can be used for any project. Add fields of the various types built in, or add your own with custom inputs; you have total control.
https://pods.io/
GNU General Public License v2.0

Frontend Form not respecting access rights for "edit_other_xxx" and "edit_published_xxx" #7353

Open praul opened 3 weeks ago

praul commented 3 weeks ago

Description

When using the frontend form for a custom post type / pod, the form does not respect the access rights for "edit_other_xxx" and "edit_published_xxx".

Any logged-in user with the "edit_xxx" capability can edit, update and modify posts that are published or by other authors. In the backend, caps work as they should.

I think I have set access rights accordingly and my test user only has the edit_CUSTOMPOSTTYPE cap: [image]

Version

3.2.7

Testing Instructions

Fresh install with Pods. Create a custom post type with custom permissions. Set access rights. Assign edit_CUSTOMPOSTTYPE as the only capability to testuser. Place $pod->form() on a page. Switch to testuser. You can edit other authors' posts and published posts using the form.

Screenshots / Screencast

No response

Possible Workaround

I can add additional checks beforehand that prevent rendering the form. Is this safe, or is the ajax function still vulnerable to this?

Site Health Information
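The workaround the reporter describes, gating the form behind an extra check, can be built on WordPress core's per-post meta capability rather than on the primitive `edit_xxx` cap alone. The following is an added example written for this page, not code from Pods or from the reporter. It assumes a post-type pod with the hypothetical slug `my_cpt` registered with `map_meta_cap => true`, a `$pod` object already loaded for the item being edited (as in the issue's `$pod->form()` call), and the helper names `my_user_can_edit_post`, `my_render_guarded_form` and `my_handle_guarded_save`, all of which are invented here. The AJAX handler at the end is a generic WordPress handler showing the pattern, not the Pods form's own submission endpoint, whose behaviour is exactly what the issue asks about.

```php
<?php
/**
 * Added example (not Pods project code): gate a front-end edit form on
 * WordPress core's per-post capability check, and repeat the same check on
 * the server-side save path.
 *
 * Assumptions (hypothetical, not taken from the issue or the Pods code base):
 *   - 'my_cpt' is the custom post type slug, registered with map_meta_cap => true.
 *   - $pod is a Pods object already loaded for the post being edited.
 *   - All function names below are invented for this example.
 */

/**
 * True only if the current user may edit this specific post.
 *
 * 'edit_post' is a meta capability: WordPress core (map_meta_cap) resolves it
 * to the post type's primitive caps, so a user who holds only edit_my_cpt is
 * refused for other authors' posts (which need the edit_others_* primitive)
 * and for published posts (which need the edit_published_* primitive).
 * A bare current_user_can( 'edit_my_cpt' ) would make neither distinction.
 */
function my_user_can_edit_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post || 'my_cpt' !== $post->post_type ) {
        return false;
    }
    return current_user_can( 'edit_post', $post->ID );
}

/**
 * Render the Pods form only when the per-post check passes.
 * A post id of 0 means "create"; that uses the post type's create_posts cap.
 */
function my_render_guarded_form( $pod, $post_id ) {
    $post_id = absint( $post_id );

    if ( $post_id > 0 ) {
        if ( ! my_user_can_edit_post( $post_id ) ) {
            return '<p>' . esc_html__( 'You do not have permission to edit this item.', 'my-textdomain' ) . '</p>';
        }
    } else {
        $pto = get_post_type_object( 'my_cpt' );
        if ( ! $pto || ! current_user_can( $pto->cap->create_posts ) ) {
            return '<p>' . esc_html__( 'You do not have permission to create items.', 'my-textdomain' ) . '</p>';
        }
    }

    return $pod->form();
}

/**
 * Hypothetical save handler illustrating the second half of the pattern:
 * refusing to render a form does nothing for a request that is sent directly
 * to the endpoint that processes it, so the endpoint must run the same
 * capability check itself. This is a generic wp_ajax_* handler, not the
 * endpoint the Pods form submits to.
 */
add_action( 'wp_ajax_my_guarded_save', 'my_handle_guarded_save' );
function my_handle_guarded_save() {
    // CSRF check; the form is assumed to carry wp_nonce_field( 'my_guarded_save' ).
    check_ajax_referer( 'my_guarded_save', '_wpnonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization is decided here, per post, regardless of whether the
    // form was ever rendered for this user.
    if ( ! my_user_can_edit_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You cannot edit this post.' ), 403 );
    }

    $title = isset( $_POST['post_title'] ) ? sanitize_text_field( wp_unslash( $_POST['post_title'] ) ) : '';
    $result = wp_update_post(
        array(
            'ID'         => $post_id,
            'post_title' => $title,
        ),
        true
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

Two caveats when reusing this. First, the granular mapping only happens if the post type was registered with `map_meta_cap => true`; without it, `current_user_can( 'edit_post', $id )` collapses to the single primitive `edit_*` cap and the `edit_others_*` / `edit_published_*` distinction is lost, which is the same behaviour the issue reports. Second, a render-time guard is only half of the control: whichever endpoint actually processes the submission has to make the same per-post decision, so a guard around `$pod->form()` alone is not a substitute for that check in the submission path.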

praul commented 3 weeks ago

I confirmed this on a completely fresh install with no other plugins. I think this is a critical security problem.

I can share access to the test-wordpress, but I'd rather not post it public here