Opened 5 years ago
Closed 4 years ago
#5727 closed defect (bug) (worksforme)
Post gets published even though user can't publish_posts
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Administration | Version: | 2.3.3 |
| Severity: | normal | Keywords: | capabilities edit_published_posts publish_posts bug needs-patch |
| Cc: | ffemtcj | | |
Description
When users don't have the "publish_posts" capability, but DO have the "edit_published_posts" capability, they can publish posts directly. This happens when they press "Submit for Review" AFTER the post has been saved (either manually or by autosave). I've located the bug in /wp-admin/includes/post.php, and fixed it (temporarily) by adding the following code after line 71.

```php
// START fix
// Demote to "pending" whenever the user lacks publish_posts, regardless of edit_published_posts.
if ('publish' == $_POST['post_status'] && !current_user_can( 'publish_posts' )) {
    $_POST['post_status'] = 'pending';
}
// END fix
```

This is the piece of code that causes the bug (I think...):

```php
} else {
    // Only edit_published_posts is checked here, so a user without publish_posts is not demoted.
    if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
        $_POST['post_status'] = 'pending';
}
```

(lines 68-71 in /wp-admin/includes/post.php)

Note: this bug only occurs when using a plugin to change roles/capabilities, but that doesn't make it a bug in the plugin I think.
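To make the capability gap concrete, here is an added example (not the ticket's or WordPress's own code) that models the quoted check and the reporter's temporary fix in plain PHP, with a constructed capability map standing in for current_user_can(). For the user described above, the original check lets a 'publish' request through while the fixed one turns it into 'pending'.

```php
<?php
// Added example (not WordPress code): a minimal model of the post_status
// check from wp-admin/includes/post.php, exercised with a constructed user
// who has edit_published_posts but not publish_posts, as in this ticket.

// Constructed capability map: Editor-like, with publish_posts removed.
$caps = [
    'edit_posts'           => true,
    'edit_published_posts' => true,
    'publish_posts'        => false,
];

// Stand-in for current_user_can() that consults the map above.
function can(array $caps, string $cap): bool
{
    return !empty($caps[$cap]);
}

// The check as quoted in the ticket: only edit_published_posts is consulted.
function status_original(array $caps, string $requested): string
{
    if ('publish' == $requested && !can($caps, 'edit_published_posts')) {
        return 'pending';
    }
    return $requested;
}

// The ticket's temporary fix layered on top: publishing needs publish_posts.
function status_fixed(array $caps, string $requested): string
{
    $status = status_original($caps, $requested);
    if ('publish' == $status && !can($caps, 'publish_posts')) {
        return 'pending';
    }
    return $status;
}

// Both checks compare the submitted post_status against 'publish', so that is
// the request modelled here for the saved-then-submitted post; 'draft' is
// included to show that non-publish requests pass through unchanged.
foreach (['publish', 'draft'] as $requested) {
    printf(
        "requested=%-7s original=%-7s fixed=%s\n",
        $requested,
        status_original($caps, $requested),
        status_fixed($caps, $requested)
    );
}
```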
Change History (4)
- Version changed from 2.3.2 to 2.3.3
Bringing this up again:
No, this is not a bug in the plugin, the plugin in question is simply the Role Manager. This is a definite WordPress bug.
To reproduce:
- Make a user who can edit_published_posts but not publish_posts himself. As these are separate capabilities, it's possible to create a user this way.
- Create a new post.
- Save it as draft.
- Submit it for review.
Result: it publishes instead of going to pending.
Desired result: As the user does not have publish_posts, it should not publish.
Fix:
Change this:
```php
if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ))
    $_POST['post_status'] = 'pending';
```
to this:
```php
if ('publish' == $_POST['post_status'] && !current_user_can( 'edit_published_posts' ) && !current_user_can( 'publish_posts' ))
    $_POST['post_status'] = 'pending';
```
Same with pages just above that.
- Milestone 2.9 deleted
- Resolution set to worksforme
- Status changed from new to closed
Is this still valid?
I copied the Editors role (Which includes edit_published_*), removed the publish_* caps, and submitted a post for review. The post came up as Pending.
Seems to me that it was fixed in the 2.7 UI overhaul? Re-open if problem persists.

Since this works correctly without the plugin and the plugin creates the problem, doesn't that mean that the plugin has the bug and not WP? You could probably pick quite a few things in the WP code and create a plugin to do something that it isn't supposed to do. That doesn't make it a bug in WP.