tao-software / tao-schedule-update

Wordpress Plugin to Schedule Content Updates
https://wordpress.org/plugins/tao-schedule-update/
MIT License

security fix; prevent users from stealing other users' posts #31

Open jnorell opened 5 years ago

jnorell commented 5 years ago

fixes #20

rktyt commented 5 years ago

https://github.com/tao-software/tao-schedule-update/blob/849b5e5306882ea74a0f536ff45c0696ce4662a6/tao-schedule-update.php#L280

Needs to add `exit;`.

wp_redirect( admin_url( 'post.php?action=edit&post=' . $publishing_id ) );
+ exit;

rktyt commented 5 years ago

https://github.com/tao-software/tao-schedule-update/blob/849b5e5306882ea74a0f536ff45c0696ce4662a6/tao-schedule-update.php#L694-L697

publish_post() will be called from wp-cron. So... you should check it only in admin_action_workflow_publish_now().
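The two review points above (terminate the request after wp_redirect(), and put the permission check in the admin action rather than in the cron-invoked publish function) fit together as in the following sketch. This is an added illustration, not code from the plugin or from either participant; the `example_` function names, the `post` request parameter, the nonce action string and the cron hook name are assumptions chosen for the example, and only the core WordPress functions (check_admin_referer, current_user_can, wp_die, wp_redirect, admin_url, wp_publish_post, add_action) are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed "example_" and the
// request/nonce/hook names below are assumptions made for this illustration.

// Reached via wp-admin/admin.php?action=workflow_publish_now&post=<ID>
// (the action name is assumed to match the hook registered further down).
function example_admin_action_workflow_publish_now() {
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;

    // CSRF protection: the "publish now" link is assumed to carry a nonce
    // created with wp_create_nonce( 'workflow_publish_now_' . $post_id ).
    check_admin_referer( 'workflow_publish_now_' . $post_id );

    // Authorization: the requester must be allowed to edit THIS post.
    // Without this check any logged-in user could publish, and so take over,
    // another user's scheduled update just by changing the post ID in the URL.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to publish this post.', '', 403 );
    }

    $publishing_id = example_publish_post( $post_id );

    wp_redirect( admin_url( 'post.php?action=edit&post=' . $publishing_id ) );
    // wp_redirect() only sends a Location header; PHP keeps executing whatever
    // follows, so the redirect must always be followed by exit.
    exit;
}
add_action( 'admin_action_workflow_publish_now', 'example_admin_action_workflow_publish_now' );

// Also invoked by WP-Cron when the scheduled time arrives. A cron run has no
// logged-in user, so a current_user_can() check here would deny every post;
// that is why the permission check lives in the admin action above, where a
// real user made the request, and not in this function.
function example_publish_post( $post_id ) {
    wp_publish_post( $post_id ); // core helper: sets post_status to 'publish'
    return $post_id;
}
// Assumed cron hook name; the event would be queued elsewhere with
// wp_schedule_single_event( $timestamp, 'example_publish_event', array( $post_id ) ).
add_action( 'example_publish_event', 'example_publish_post' );
```

The important property is that the trust boundary sits at the HTTP handler: the capability and nonce checks run where an untrusted request arrives, while the cron path, which WordPress itself triggers with no user context, simply performs the already-authorized work.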

jnorell commented 5 years ago

Thanks for the feedback, @rktyt, patch is updated accordingly.