I’m setting up a site where I don’t want people with just author-level permission to be able to set co-authors. The plugin documentation says that this is the case, and only editor or higher can. However, that’s not true. An author role is able to change authors on their own posts.
This is because:
a) The check in your plugin is done by current_user_can_set_authors which checks if the edit_others_posts capability is set
b) This hooks into the user_can_cap filter which calls add_coauthor_cap
c) This determines I am the author of the post, so adds the edit_others_posts capability, therefore making the whole thing return true.
I believe I can get around this anyway by hooking into the coauthors_plus_edit_authors filter, which is probably a good idea anyway, but there are messages and TODOs around the place saying you want to integrate this into a future version – it’s already there? What am I missing?
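
The workaround mentioned in the post, sketched as an added example (not part of the original post and not the plugin's own code): a callback on the coauthors_plus_edit_authors filter that ignores the incoming value and decides from the user's stored capabilities. The function name example_restrict_coauthor_editing is hypothetical, and the callback assumes the filter passes a single boolean.

```php
<?php
/**
 * Added example: decide who may set co-authors from the capabilities
 * stored for the user, so that a capability granted at runtime by a
 * capability filter (the behaviour described in the post) does not count.
 *
 * Assumption: the coauthors_plus_edit_authors filter passes one boolean.
 */
add_filter( 'coauthors_plus_edit_authors', 'example_restrict_coauthor_editing' );

function example_restrict_coauthor_editing( $can_set_authors ) {
	$user = wp_get_current_user();

	// Not logged in: wp_get_current_user() returns a WP_User with ID 0.
	if ( ! $user->exists() ) {
		return false;
	}

	// Multisite super admins keep full access.
	if ( is_multisite() && is_super_admin( $user->ID ) ) {
		return true;
	}

	// $user->allcaps holds the role and per-user capabilities as stored.
	// It is read directly instead of calling current_user_can(), which
	// would run the capability filters and could return true for an
	// author on their own post. The incoming $can_set_authors value is
	// deliberately ignored for the same reason.
	return ! empty( $user->allcaps['edit_others_posts'] );
}
```

With the default WordPress roles, this returns true for editors and administrators and false for authors, because only the former have edit_others_posts stored on their role.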