When using the frontend form for a custom post type / pod, the form does not respect the access rights for "edit_other_xxx" and "edit_published_xxx".
Any logged-in user with the "edit_xxx" capability can edit, update, and modify posts that are published or by other authors.
In the backend, caps work like they should.
I think I have set access rights accordingly and my test user only has edit_CUSTOMPOSTTYPE cap:
Version
3.2.7
Testing Instructions
Fresh install with Pods. Create a custom post type with custom permissions. Set access rights. Assign edit_CUSTOMPOSTTYPE as the only capability to testuser. Place $pod->form() on a page. Switch to testuser. You can edit other authors' posts and published posts using the form.
Screenshots / Screencast
No response
Possible Workaround
I can add additional checks beforehand that prevent rendering the form. Is this safe, or is the AJAX function still vulnerable to this?
Site Health Information
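The following is an added example, not code from the Pods project or from the issue reporter. It shows the capability check a site owner can apply around `$pod->form()` so that the frontend behaves like the backend: `current_user_can( 'edit_post', $id )` is resolved by WordPress core's `map_meta_cap()` into the post type's `edit_others_*` cap when the post belongs to another author and into `edit_published_*` when the post is published, which is exactly the mapping the report says is missing on the frontend. The post type slug `book`, the function names prefixed `example_`, and the Pods action name `pods_api_pre_save_pod_item` (together with the shape of its `$pieces` argument) are assumptions and should be verified against the installed Pods version; the second half exists because, as the workaround section asks, hiding the form does not protect the AJAX save request, so the same check has to run server-side.

```php
<?php
/**
 * Added example (not Pods' own code). Assumptions, labelled:
 *  - post type 'book' is registered by Pods with custom capabilities and
 *    map_meta_cap enabled, so 'edit_post' maps to edit_book /
 *    edit_others_books / edit_published_books;
 *  - the Pods action 'pods_api_pre_save_pod_item' fires before an item is
 *    written and receives ( $pieces, $is_new_item, $id ).
 */

/**
 * Mirror the backend decision: may the current user edit this item?
 * For a new item ($post_id = 0) only the type's edit_posts cap is needed.
 */
function example_user_can_edit_item( $post_type, $post_id ) {
	if ( ! is_user_logged_in() ) {
		return false;
	}

	if ( 0 === (int) $post_id ) {
		$type = get_post_type_object( $post_type );
		return $type && current_user_can( $type->cap->edit_posts );
	}

	$post = get_post( $post_id );
	if ( ! $post || $post->post_type !== $post_type ) {
		return false; // wrong type or non-existent id: deny
	}

	// map_meta_cap() turns 'edit_post' into edit_others_* for another
	// author's post and edit_published_* for a published post.
	return current_user_can( 'edit_post', $post->ID );
}

/**
 * Render the Pods frontend form only when the check passes.
 */
function example_render_guarded_form( $post_type, $post_id ) {
	if ( ! example_user_can_edit_item( $post_type, $post_id ) ) {
		return '<p>You do not have permission to edit this item.</p>';
	}

	$pod = pods( $post_type, $post_id );
	return $pod->form();
}

/**
 * Hiding the form is not sufficient: the save travels over AJAX and can be
 * replayed against any item id, so refuse the write server-side as well.
 * Hook name and $pieces layout are assumptions (see lead-in).
 */
add_action( 'pods_api_pre_save_pod_item', function ( $pieces, $is_new_item, $id ) {
	$pod_name = isset( $pieces['pod']['name'] ) ? $pieces['pod']['name'] : '';
	$pod_type = isset( $pieces['pod']['type'] ) ? $pieces['pod']['type'] : '';

	if ( 'post_type' !== $pod_type || 'book' !== $pod_name ) {
		return; // only guard the assumed post type in this example
	}

	$post_id = $is_new_item ? 0 : (int) $id;

	if ( ! example_user_can_edit_item( $pod_name, $post_id ) ) {
		// Abort the request before anything is written.
		wp_die( 'You do not have permission to edit this item.', '', array( 'response' => 403 ) );
	}
}, 10, 3 );
```

Note that both guards call the same function, so an item the testuser cannot open in the admin is refused both at render time and when the AJAX save arrives, and a user who does hold `edit_others_books` or `edit_published_books` is unaffected.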