Security Bug: Allows to edit posts from another author

I found a solution!

Change file gravityforms-update-post.php on line 1189:

Before:

$capability = ( 'page' == $post_type ) ? 'edit_pages' : 'edit_posts';

After:
$capability = ( 'page' == $post_type ) ? 'edit_page' : 'edit_post';

When you are checking if the current user can edit posts, you use the capability “edit_posts“:

if ( current_user_can( 'edit_posts' ) ) { }

But, if you want to check if the current user can edit a defined post, you use the capability “edit_post“:

if ( current_user_can( 'edit_posts', 123 ) ) { }

You can see another example here:
http://codex.wordpress.org/Function_Reference/current_user_can#Examples

if ( current_user_can('edit_post', 123) ) {
 echo 'The current user can edit post 123';
}

Can you please include this fix in the next version of the plugin?

Hello Jeremy,

When I started the topic I realized the 2 problems and I thought it was for the same bug.

After fixing the bug that let’s an author edit the posts of another author, I realized that the image bug is a different one and even a more dangerous one, as this allows an anonymous user to delete any file from the WordPress installation (even WordPress core files like wp-config.php).

I don’t want to make public how you can exploit this bug. How can we talk private about this to help you fix it? I’m in love with this plugin so I want to keep using it, I’d love to help you fix this security bug.