Contributors can restore posts trashed by editors

[scribu]

Legend:

editor - has the publish_posts capability

contributor - doesn't have the publish_posts capability

If an editor moves a post to trash, the post author is able to republish the post, even if he's a contributor.

Steps to reproduce:

1. contributor: submit a post for review

2. editor: publish post

3. editor: trash post

4. contributor: restore post

So, to prevent a contributor from republishing trashed posts, an editor has the following workarounds:

• permanently delete the post

• set the post status to 'pending' before trashing it

Neither of these is optimal.

[11873] doesn't seem to address this properly.

[scribu]

Ideally, a distinction should be made:

A contributor can restore one of his posts only if it was trashed by himself, not by an editor.

[azaozz]

Contributors shouldn't be able to trash/untrash any published posts, that's not their role. We should be checking current_user_can('publish_posts') and perhaps have an exception when post_status in pending and post_author is a contributor.

[scribu]

Currently a contributor can see the contents of the trash, so I guess that should be addressed too.

How about a new capability: current_user_can('use_trash'). I think it would simplify a lot of the code related to Trash.

[layotte]

Just tested this... it seems to be fixed in Trunk (04.24.2010). A contributor can still see the trash though, but cannot restore the post.

Lew

[scribu]

Yeah, it seems to be fixed now.