"submit for review" feature checks wrong permission and publishes
|Reported by:||jeremyclarke||Owned by:||anonymous|
The bug relates to the new post submission feature where users who can't publish their own posts can submit them for review rather than just saving them as draft and informing the site admin that they want it published. The worst case scenario has users clicking on a button that says "submit for review" but actually publishing the articles to the blog.
in /wp-admin/edit-form-advanced.php on line 172 the logic checks to see if a user has the publish_posts capability/role and if they do not, it labels the "publish" button as "submit for review" instead.
172 <?php if ( current_user_can('publish_posts') ) : ?>
173 <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
174 <?php else : ?>
175 <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Submit for Review') ?>" />
176 <?php endif; ?>
This is linked with line 69 of /wp-admin/includes/post.php which processes the post status and sets it to pending based on user capabilities:
As far as I can tell, there is no reason why the processing check should use the "edit_published_posts" role rather than the publish_posts role, especially considering that the publish_posts role was the one originally used to determine the text on the button. In the case of our site, or any where authors need help initially editing their posts but are trusted to make changes once the post is approved (and thus have edit_published_posts but not publish_posts), this results in people seeing the text "submit for review" but actually having their posts published to the blog, which of course can have terrible results.
Any reason why this is this way? Seems like it should be fast-tracked into core and anyone using this functionality should probably patch it for themselves.
NOTE: the edit_published_posts role I think is only available to authors through the role manager plugin, so if you aren't using it you probably aren't at risk, i think that's why this wasn't noticed when it was first implemented, for most installs publish_posts and edit_published_posts are available/unnavailable to the same user types).
This is my first patch, so if there's a problem with the diff please let me know.