Opened 11 years ago
Closed 11 years ago
#2366 closed defect (bug) (fixed)
Sticky escalation for non-moderators
Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | 2.4 | Priority: | normal |
Severity: | major | Version: | 2.1 |
Component: | Component - Topics | Keywords: | has-patch |
Cc: |
Description
Non-moderators are able to escalate the sticky-status of a new topic by spoofing the 'bbp_stick_topic' $_POST parameter, as the _new_ and _edit_ handlers are missing a 'moderator' capability check.
iirc, the long-term plan was to use a dedicated 'stick_topics' capability, and map it to moderate (this is how bbPress 1.x handled this), though it seems overkill for core to map this, as a plugin would need to remap it to change the behavior anyways.
Patch imminent, adds cap checks to the _new_ and _edit_ handlers.
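The missing check described in this ticket, shown as an added stand-alone example; it is not bbPress source and not the patch attached here. `example_user_can()` is a hypothetical stand-in for WordPress's `current_user_can()`, the users and request body are constructed, and the accepted values `stick`, `super` and `unstick` are an assumption about the form field.

```php
<?php
// Added example: stand-alone sketch, not bbPress code.
// example_user_can() is a hypothetical stand-in for current_user_can().
function example_user_can( array $user, string $cap ): bool {
    return in_array( $cap, $user['caps'], true );
}

// Sticky states accepted from the form (assumed); anything else is ignored.
const EXAMPLE_STICKY_VALUES = array( 'stick', 'super', 'unstick' );

// Before: the handler validates the value but never looks at $user,
// so anyone who can post a topic can also choose its sticky status.
function example_sticky_unchecked( array $user, array $post ): string {
    $requested = $post['bbp_stick_topic'] ?? '';
    return in_array( $requested, EXAMPLE_STICKY_VALUES, true ) ? $requested : 'none';
}

// After: the posted field is honoured only for users holding 'moderate'.
// Calling one helper from both the new and the edit handler keeps the
// two code paths from drifting apart.
function example_sticky_checked( array $user, array $post ): string {
    $requested = $post['bbp_stick_topic'] ?? '';
    if ( ! is_string( $requested ) || ! in_array( $requested, EXAMPLE_STICKY_VALUES, true ) ) {
        return 'none';
    }
    if ( ! example_user_can( $user, 'moderate' ) ) {
        return 'none'; // drop the field for non-moderators; the topic is still saved
    }
    return $requested;
}

// Constructed sample users and request body.
$participant = array( 'name' => 'participant', 'caps' => array( 'publish_topics' ) );
$moderator   = array( 'name' => 'moderator', 'caps' => array( 'publish_topics', 'moderate' ) );
$post        = array( 'bbp_topic_title' => 'Hello', 'bbp_stick_topic' => 'super' );

foreach ( array( $participant, $moderator ) as $user ) {
    printf(
        "%-12s unchecked=%-6s checked=%s\n",
        $user['name'],
        example_sticky_unchecked( $user, $post ),
        example_sticky_checked( $user, $post )
    );
}
```

Hiding the sticky dropdown from non-moderators in the form template does not replace this check, because the field can still be added to the request by hand.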
In 5019: